Why you should never search for free Wordpress themes in Google or anywhere else.



Harold Mansfield
01-11-2011, 05:59 PM
I just read this article and it gives some great insight on the dangers of searching out free themes, themes that are knock offs, themes with encrypted footer links and many other pitfalls that Wordpress users fall into trying to save a few bucks.

It's a must read if you are a Wordpress free theme user:
Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else - WordPress, Multisite and BuddyPress plugins, themes, news and help – WPMU.org (http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/)

billbenson
01-11-2011, 11:58 PM
When you look for a theme, what do you look for? It seems to me that by now you probably have templates for most configurations you want and know the css etc on those inside and out. If you see a theme you like, free or otherwise, why not just copy the color schemes or layout that you like and use the css and layout from the themes you already have.

I can see you looking for themes for layout ideas, but I would think that it's easier to modify a family of themes you already have than keep looking for new ones. Am I missing something?

Harold Mansfield
01-12-2011, 01:02 AM
> When you look for a theme, what do you look for? It seems to me that by now you probably have templates for most configurations you want and know the css etc on those inside and out. If you see a theme you like, free or otherwise, why not just copy the color schemes or layout that you like and use the css and layout from the themes you already have.
>
> I can see you looking for themes for layout ideas, but I would think that it's easier to modify a family of themes you already have than keep looking for new ones. Am I missing something?

Kinda. This article is about how Free Theme Sites are embedding malware and base64 code into the themes. I posted it just as a warning for some of the newer users of Wordpress to be careful about where they download themes.

AaronConway
01-12-2011, 09:15 AM
Good article.

KristineS
01-12-2011, 09:44 AM
Wow, I didn't know all that stuff. I've used free themes for some of my personal blogs. Never thought there might be anything scary in them.

jamesray50
01-12-2011, 10:07 AM
I never thought about it either. But when I was picking a theme for my blog I did pick one from Wordpress. My antivirus software won't let me download anything that it thinks is malicious. I wonder if it would apply to these themes.

Harold Mansfield
01-12-2011, 10:16 AM
> I never thought about it either. But when I was picking a theme for my blog I did pick one from Wordpress. My antivirus software won't let me download anything that it thinks is malicious. I wonder if it would apply to these themes.

Since most themes are a package of files that are zipped, you very well could download something bad. Not all anti viruses are great at detecting bad things in zipped files. Having an anti-virus is good, but these aren't viruses and they aren't on your computer. They would be on your website.

All free themes aren't bad, but you have to really trust where you are getting them from. I have found hidden links on some of my sites before after months of having them up and was pissed. For me, it's just not worth the chance. Besides there's not much out there for free that I haven't seen before or hasn't been around for years.

Spider
01-12-2011, 11:34 AM
Okay - here's a question that may benefit many of us, but I'll point it to you, Harold, because you raised the topic and you may have the answer -- but I'm not accusing you or doubting you of anything - okay?

So, you create WP websites for people - many of us here provide a service of some sort to strangers. Strangers to us, have us as strangers to them. That is, they don't know how trustworthy we are. You, Harold, are in the same position to a stranger/prospect as those malware producers. Your prospect doesn't know you so why should they trust you?

It's all very well to say, Don't deal with anyone you don't know and trust, but - at point of contact - the person you are saying this to also doesn't know and trust you. Effectively, you are saying, Don't deal with me, either!!!!

How do you convince your stranger/prospect that you are not like the people you are warning them about?

Harold Mansfield
01-12-2011, 12:01 PM
> So, you create WP websites for people - many of us here provide a service of some sort to strangers. Strangers to us, have us as strangers to them. That is, they don't know how trustworthy we are. You, Harold, are in the same position to a stranger/prospect as those malware producers. Your prospect doesn't know you so why should they trust you?
>
> It's all very well to say, Don't deal with anyone you don't know and trust, but - at point of contact - the person you are saying this to also doesn't know and trust you. Effectively, you are saying, Don't deal with me, either!!!!
>
> How do you convince your stranger/prospect that you are not like the people you are warning them about?

I don't really think it's the same thing. I don't see how free downloads is comparable to building websites for people.

Malware and scripts in downloads from P2P, warez and other free download sites are nothing new, but there seems to be an unnatural trust of all things Wordpress because the core software and many of the add ons are free.

When hiring anyone, there is always going to be a trust issue. That's why businesses spend so much time and money on building credibility and perception. That's pretty much the whole kit and caboodle.

Experienced Wordpress users know the possibilities of malware or hidden links in free themes, outside of the Wordpress repository. I have found many a suspect script or string of code in free themes in the past and I stopped using them a long time ago. Noobs don't, and that was my reason for posting the article.

I think it's 2 different arguments.

cbscreative
01-12-2011, 02:31 PM
Wow, I guess I can't claim to be surprised, but this definitely adds substance to the reasons why free can so often bite.

I've got some pretty nice security software on my computer that seems to be able to detect things like this. Every once in a while it will block a site entirely, but on a regular basis I get security alerts that tell me the malicious code (or a link) was blocked. This happens on blogs, company web sites, and especially on the DIY sites that were made using templates or themes.

Although I can't "see" any such code or link on the page because techniques like the article described were probably used, it tells me a lot of people are falling for this ploy, and their site is being used as a relay for whatever the programmer chooses to spread across the Internet. Since most AV wouldn't detect this, I can only imagine the impact it's having.

jamestl2
01-12-2011, 06:15 PM
I've always been suspicious of free things and have read about the exact same problems elsewhere as well, and the problem's all too real.

Unfortunately there's always going to be slimeball developers who try to embed hidden code in the theme without the users' knowledge of it being there. That goes for just about any aspect that's supposedly "free". And you should always be wary of who and where you're downloading from free.

The key is building trust with your audience and not screwing them over, even if it "benefits" you in any way.

Always remember that if a WP Theme is too good to be true, it probably is.

Harold Mansfield
01-12-2011, 06:21 PM
I know plenty of people over the years that have the attitude of "Why should I pay for , when I can download it for free online". Music, Movies, Software...anything. I used to tell them till I was blue in the face that people don't just do that out of the goodness of their hearts. It's a trap. Most never believed me.

One friend of mine frequents free movie sites religiously. Too cheap to get a subscription (of a whole $8) on someplace like Netflix. In 3 years, he has had 3 hard drive failures on his laptop, or malicious viruses that took over or shut down his computer.

He still won't admit that there may be a connection and is still watching movies every night.

vangogh
01-12-2011, 11:33 PM
Just to add a few thoughts. You won't find this code in all free themes. I would guess most free themes are perfectly fine and safe. The code in the article is encrypted JavaScript and often it's there to include a link back to some site, maybe the developer or maybe someone who paid the developer. The encryption is used so the average person will be confused about how to change it.

More recently people have been putting in more malicious code, but again it's hardly all free themes. Some of the point is you won't see this stuff in commercial themes since it would kill the business pretty quick. Paying even $25 for something you can have greater trust in seems worth it to me.

Frederick, I agree with Harold that downloading a free package of zipped files is very different than trying to decide if you should hire someone. Yes trust enters into both, but with the person you're hiring you do get to talk and ask questions before having to make a decision. There are other ways you can decide whether or not to trust someone. SteveB starts off new business relationships with a very small job, where if he was to get ripped off it's not that big of a deal. He can easily chalk it up as a live and learn experience. Assuming that first job goes well he can up the trust and the next job. Seems like a pretty solid strategy to me.

Trust is a part of life. The moment you interact with another human being trust enters into the picture. I'd much sooner trust someone I can actually talk to and get to know than anonymous files filled with code downloaded over the internet.

craigb
01-13-2011, 06:04 AM
Thanks for this article, it really caught me off guard and opened my eyes.

AmyAllen
01-13-2011, 07:05 AM
> You, Harold, are in the same position to a stranger/prospect as those malware producers. Your prospect doesn't know you so why should they trust you?

The main difference to me between hiring a stranger and downloading free code is motive. Web developers/ designers work to make money. If you are hiring someone to do your web work, they are looking to get paid and hopefully develop a long-term business relationship. Their motivation for doing the work seems pretty straight forward.

If someone puts in hours of development work, and then just decides to give it away for free - you have to wonder what they're getting out of it.

vangogh
01-13-2011, 11:33 AM
Good point about the motivation. There are definitely reasons why a legitimate WordPress theme developer will give away a theme. Usually it's to market themselves in some way. A good theme can attract a lot of links to it. Some people will by default have a credit link in the theme. The honest developers allow you to remove the signature. In fact many will add an option on the admin side so you can remove their credit without touching the code.

Unfortunately some want to make sure their link stays so they hide it inside the encryption. And now worse people are putting more malicious code in the encryption.

Still it's not everyone and if there is a free theme out there that you like you can usually download and use it. You have to do a little more research about the source of the free download. If you run a Google search for a free theme then you might need to be a little wary. If you start your search at the WordPress.org repository you should be safe. In between those two you may want to seek recommendations from trusted sources.

Harold Mansfield
01-13-2011, 11:49 AM
A dead giveaway is knock off themes...themes that look just like a premium theme, or a free download of a theme that is not free from the actual developer. Those are prime for malicious code because of the amount of people that have that "beat the system" mentality online.
Of course anything that you get from a warez download like Rapidshare is suspect anyway.

vangogh
01-13-2011, 12:48 PM
Yep. Personally I would sooner pay for a commercial theme than grab one of the free ones. It's not like the commercial themes are all that expensive. It's still going to be one of your smaller purchases in regards to running a website. Commercial themes will generally offer some level of support as well. Ideally I would go the custom route, but I know that can cost too much for some when starting out. Free themes are the fallback and they have other disadvantages too besides the potential for malicious code. Any free theme that looks good or offers a good amount of features is going to get downloaded and used again and again so your site ends up looking like thousands or tens of thousands of others.

cbscreative
01-13-2011, 01:54 PM
> If someone puts in hours of development work, and then just decides to give it away for free - you have to wonder what they're getting out of it.

That is an excellent consideration! Like vangogh said, the motivation could be for widespread exposure as a form of marketing, but it could also be malicious. Another possibility may not be to do harm specifically, but to gather information valuable enough to be sold (aka spyware). This is a less likely possibility with a WP theme, but a huge issue with other types of free downloads.

Eborg made an excellent point about knockoff themes. If you watch the video at the bottom of the article, it demonstrates exactly that. I'm sure the knockoffs are a direct violation of the terms of use, but these kinds of riff raff obviously don't care about that.

That's a sadly funny story about your friend with movie downloads, Harold. It never ceases to amaze me what people will do to save just a couple of dollars. Frugality can easily breed stupidity and loss of dignity (disclaimer: that's a general statement, not something directed specifically to your friend). I'm not against bargains or saving a buck, but there's no point in surrendering common sense for it.

vangogh
01-13-2011, 10:46 PM
The encrypted code is easy to spot if you're comfortable opening files. It's almost always located in footer.php and most of the time you can cut everything from the file and replace it with what's in footer.php in the default theme. Unfortunately there will be times when that completely breaks the theme. For myself and Harold it would only take a minute or two to fix, but there's no reason for the average WordPress user to know how.

And besides why would anyone want to support a theme that adds that garbage, especially when there are so many other themes out there.
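
The check described above can be scripted. The following is an added example, not part of any post in this thread or of the linked article: it flags PHP files that call decode-and-run functions or carry long base64 string literals, and decodes those literals so the hidden link is readable. It goes beyond footer.php and inspects every PHP file in the theme; the function names, the list of suspect calls, and the sample theme are all constructed for illustration.

```python
import base64
import re

# Functions commonly chained to hide PHP in a theme (heuristic list, an assumption).
SUSPECT_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Quoted string literals made of 40+ base64-alphabet characters.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
URL = re.compile(r"https?://[^\s'\"<>]+")


def scan_php(name, source):
    """Return a finding dict for one PHP file, or None if nothing looks hidden."""
    calls = sorted({m.group(1).lower() for m in SUSPECT_CALLS.finditer(source)})
    decoded = []
    for m in B64_LITERAL.finditer(source):
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue  # looked like base64 but does not decode
        decoded.append(raw.decode("utf-8", errors="replace"))
    if not calls and not decoded:
        return None
    urls = sorted({u for text in decoded for u in URL.findall(text)})
    return {"file": name, "calls": calls, "decoded": decoded, "urls": urls}


def scan_theme(files):
    """files maps path -> file text; only .php files are inspected."""
    findings = []
    for name, source in sorted(files.items()):
        if name.lower().endswith(".php"):
            hit = scan_php(name, source)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample theme: a clean template, a footer with an encoded
# credit link, and a stylesheet that must be ignored.
HIDDEN_PHP = "echo '<a href=\"http://example.invalid/\">Sponsored</a>';"
SAMPLE_THEME = {
    "index.php": "<?php get_header(); get_footer(); ?>",
    "footer.php": "<?php wp_footer(); eval(base64_decode('%s')); ?>"
    % base64.b64encode(HIDDEN_PHP.encode()).decode(),
    "style.css": "/* eval(base64_decode('x')) in a comment, not PHP */",
}

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f["file"], f["calls"], f["urls"])
```

To run it against a downloaded theme, build the `files` mapping from the unzipped directory; a clean result only means these particular patterns were absent, since layered or split-up encodings will not match.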

Harold Mansfield
01-13-2011, 11:32 PM
> For myself and Harold it would only take a minute or two to fix, but there's no reason for the average WordPress user to know how.

They have been really getting creative lately. I've seen some that look like they spent more on the encryption and where to hide it, than they did on the actual design of the theme. These days I don't even mess around with them anymore. When I run across a client or someone that needs help that has a theme with garbage in it, I just tell them to get rid of it. Especially themes that over use files...the ones that have 6 folders and 75 files, that could have done the same thing with half that.

It's like finding one ant or one roach. You have to assume that there are more somewhere.

vangogh
01-14-2011, 12:03 PM
They are getting more creative aren't they? Can't think of the last time I used a free theme anyway. I'd sooner just develop one myself. I actually find it easier and quicker to develop my own design or a design someone else gives to me than to tweak free themes. Even without the encryption, the code is often so awful it takes forever to figure out how to change something.