When installing themes, it is important to know that certain free WordPress themes come ridden with malware, broken code or malicious links to third party sites. This is especially so, if the free WordPress theme is obtained outside the official WordPress repository. It becomes even scarier since most of these infected themes are offered in disguise of a special offer to the potential victims. While most of these infected WordPress themes may not contain harmful code but a backlink to a third-party site, some can contain encrypted code hidden inside theme files. Let’s look at how to detect malware and fix infected WordPress theme.
Detect Malware and Malicious in WordPress Themes
The first step in discovering hidden malware or malicious code in your WordPress theme is to check if the files contained in the theme are all required in WordPress theme. WordPress theme has some basic files required and may have additional files that are in folder called include, images and JS if any file has not been called in the functions.php file, it should be your first suspect. There are also a number of issues that can lead you to suspecting your theme or website has been infected with a malware:
White screen of death: When your site shows sudden white screen of death, you should suspect there is a possibility of malware infection or malicious code in your website.
Malware Warning: Warning from the malware site and it should be displayed on your site either blocking your site entirely or partially.
WordPress .htaccess hijack: Your .htaccess has been high jacked and the site keeps redirecting to sites that you don’t understands, at times the redirect is to Google search.
Popup ads and redirects: Several popup ads all over the site that keep redirecting to more popups when you click on close button.
If you have experienced these issues there is a high likelihood that your website has been infected and possibly your theme. I would like to narrow down to WordPress themes malware infection and injection of malicious code and how to get rid of it.
Reasons why WordPress theme is infected by Malware
When you are downloading and installing WordPress themes you should be very cautious not to download and install a WordPress theme from unknown sources, pirate websites or nulled themes websites. The danger of downloading and installing themes from these sites far outweigh the benefits of using such a theme.
I would recommend you to always install themes from WordPress repository whose authors are reputable.
Most infected themes that have malicious code or malware are always obtained outside WordPress repository or outside a reputable marketplace like Themeforest. These themes are infected since they are manipulated by hackers with the intention of stealing your data.
I cannot overemphasize the need to install only those WordPress themes whose authors you can trust. Most of theme hackers want to create a secret backlink to their site, get access to your blog, redirect your site to spam blogs, add advertisements banners to your site and worse bring your site down!
How to Detect Malicious Code in WordPress Themes
Scanning WordPress Themes before Installation
The first step when scanning for malware in WordPress themes is to scan the zip file before you can even install it in your WordPress site. When I download a WordPress theme and want to scan it for malware before install, I go to Virus Total which is very useful scanning tool. I upload and analyze the zip for any malware or malicious code:
I to use this site to scan for malware and malicious in WordPress theme since you can see a detailed report of a particular zip and see previous scan that have been carried on this file. This helps you to make an informed decision before you install WordPress theme.
Scanning Installed WordPress Themes
The fastest and easiest way to detect malware and malicious code in already installed WordPress themes is to use a plugin called TAC, theme authenticity checker. This plugin is priceless since it is able to scan your site and point out the location of malicious code making it easier for you to remove this code.
The first step to detecting malware and malicious code in your WordPress theme is to download and install this plugin Theme Authenticity Checker (TAC)
How to Scan a WordPress Theme for Malicious Code with TAC
After downloading and installing this plugin you should go to Dashboard > Appearance > TAC and will see list of WordPress themes with the warnings highlighted in red for those that contain malicious code if your theme is ok you see the message against the theme:
As you can see on the image above, on my localhost WordPress installation, I have three themes installed and the active theme is Evolve. You can see after the scan TAC has passed the themes since they don’t contain any malicious code or malware.
Testing for Malicious Code in WordPress Themes
I would illustrate by installing some malicious code in one of the installed WordPress themes and we see what happens when TAC scans again. I have added malicious encrypted code in the footer of Twentysixteen theme as shown below:
After adding this malicious code in this theme, I go back to TAC to check if it has been detected and look at the details for this malicious code:
As you can see from the scan, already we can see that this Twentysixteen theme has some encrypted code. This makes TAC a very effective plugin for detecting malicious code in WordPress themes.
For you to determine where the malicious code is located you need to click on the details button and look at the file and line of code that has this malicious code:
Since we have located the file and the line of code where the encrypted code is located, we can navigate to that file and clean up the file. After cleaning up the code, you can now test to see if the theme is clean:
After cleaning this theme we can now see that it is devoid of any malicious code or links.
Just as we have seen in this tutorial, WordPress themes can have injected malicious code that can harm or steal your information. It helps to stop and think about the source before you install that WordPress theme.
If you would like to have surefire way keeping malware and malicious code in WordPress themes, the first step is installing themes you can trust.
Secondly, you need to scan WordPress themes that you suspect might be infected with malware or malicious code.
I hope this article is an eye-opener to you. Please take time to share your experience with others by sharing this post.