WordPress is now very popular due to its ease of use and the increasing number of themes and plugins freely available for download from the user community.

I knew that allowing comments, or letting visitors upload photos, can present additional risks to your WordPress site. Yesterday, I read a post by Alistair Croll that presented another aspect of security issues with WordPress that I hadn't even thought about before. In his article, he wrote about a theme that was downloaded by wp-sphere and had code pointing to another site.

WordPress itself ships with very little code at its core. Unlike other software packages that only let you change templates, a WordPress theme or plugin developer writes PHP code, in addition to HTML, for the theme you download. That PHP runs with the same privileges as WordPress itself.

Beware: when you download a theme, whether from the original author or not, make sure the code doesn't contain encoded strings, unless you have checked with the author about their intent and what the string contains when decoded.

Here is where it can become dangerous. The theme can potentially inject malicious code into your site, or contain code that lets the author pull information from your site that you don't want to give away.

Just be cautious when you download code for your WordPress site: check it out first. Or just ask me about it, I will be happy to check it out.

It seems that we sometimes just download things as soon as we first see them and like them.

Before you install any theme, I would recommend to:

  • After downloading any script, search its text for any “decode” string.
  • Google it and check whether anyone else has written about it, and what they say.
  • Make sure you download from the author's site, and ask him/her if you have any questions before you use it.
  • Read other people's comments, see what they comment on and any issues they bring up.
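The first step in that checklist, searching a downloaded theme for "decode" strings, can be scripted. The POSIX shell audit below is an added example, not code from the original post or from any theme author. It walks a theme directory, flags PHP and JS files that use common obfuscation or decode constructs (base64_decode, str_rot13, gzinflate, eval, and file_get_contents/curl_init pointed at a remote URL), and decodes any base64 literals it finds so you can read what the blob would actually execute. The pattern list, the function names and the two-file demo theme are all assumptions constructed for the example; the demo's only encoded payload is the harmless PHP statement `echo "hello";`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a downloaded WordPress
# theme directory for encoded or obfuscated code before installing it.
# Assumes coreutils-style 'base64 -d'; the pattern list is an assumption.

# Constructs that ordinary theme code rarely needs but obfuscated or
# remotely-fetched code almost always uses. Extend as you see fit.
SUSPECT_RE='base64_decode|str_rot13|gzinflate|gzuncompress|eval[[:space:]]*\(|create_function|preg_replace[^)]*/e|\\x[0-9a-fA-F][0-9a-fA-F]\\x|file_get_contents[[:space:]]*\([^)]*https?://|curl_init[[:space:]]*\([^)]*https?://'

# list_suspect_files DIR: print each PHP/JS file under DIR matching SUSPECT_RE.
list_suspect_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -print | sort |
    while IFS= read -r f; do
        if grep -qE "$SUSPECT_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_suspect_files DIR: number of flagged files (0 means the quick check passed).
count_suspect_files() {
    list_suspect_files "$1" | wc -l | tr -d ' '
}

# show_hits FILE: print the matching lines with line numbers for manual review.
show_hits() {
    grep -nE "$SUSPECT_RE" "$1"
}

# decode_base64_literals FILE: extract quoted base64-looking strings of 16+
# characters and decode each, so the reviewer sees the payload, not the blob.
decode_base64_literals() {
    grep -oE "['\"][A-Za-z0-9+/]{16,}={0,2}['\"]" "$1" | tr -d "\"'" |
    while IFS= read -r blob; do
        printf '%s -> ' "$blob"
        printf '%s' "$blob" | base64 -d 2>/dev/null || printf '(not valid base64)'
        printf '\n'
    done
}

# make_demo_theme: build a constructed two-file theme in a temp dir and print
# its path. functions.php is clean; footer.php carries a constructed
# eval(base64_decode(...)) whose payload is the harmless PHP  echo "hello";
make_demo_theme() {
    d=$(mktemp -d)
    cat > "$d/functions.php" <<'EOF'
<?php
// Ordinary theme code: registers a menu and enqueues the stylesheet.
add_action('init', function () { register_nav_menu('primary', 'Primary Menu'); });
add_action('wp_enqueue_scripts', function () { wp_enqueue_style('theme', get_stylesheet_uri()); });
EOF
    cat > "$d/footer.php" <<'EOF'
<?php wp_footer(); ?>
<div class="credits"><?php eval(base64_decode("ZWNobyAiaGVsbG8iOw==")); ?></div>
</body></html>
EOF
    printf '%s\n' "$d"
}

# Stand-alone run (sh audit.sh --demo): audit the constructed theme, show the
# offending lines and what the encoded blob decodes to, then clean up.
# To audit a real download, call: count_suspect_files /path/to/theme
if [ "${1:-}" = "--demo" ]; then
    theme=$(make_demo_theme)
    echo "Flagged files: $(count_suspect_files "$theme")"
    for f in $(list_suspect_files "$theme"); do
        show_hits "$f"
        decode_base64_literals "$f"
    done
    rm -rf "$theme"
fi
```

A zero count is a quick pass, not a clean bill of health: obfuscation can be split across string concatenations or hidden in hex escapes the pattern list misses, so still read anything the script flags and anything that fetches from a domain you don't recognise.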

To read Alistair Croll’s post, click here.