Phosys web design

Phosys web design

The Pitfalls of a WordPress Template

In addition to our website design services we occasionally provide support and maintenance for existing sites. We see all sorts of different builds on a range of platforms, but today we’re talking about (free/premium) WordPress templates.

Struggling with a WordPress theme of your own?
We create bespoke websites (some of them on WordPress) – let us do the complicated bits for you!

Not to be confused with a custommade WordPress theme – WordPress templates can be bought or downloaded from all over the web. Trouble is, you just don’t know what’s in ’em.

Here’s the usual story: the client has been to a seminar on business marketing. The speaker, a popular and successful photographer, spends a portion of the talk extolling the virtues of setting up your own blog site. They’ll explain:

  1. You save money (a Premium theme can be as little as £50 to buy)
  2. It’s attractive and stylish
  3. It’s easy to set up yourself
  4. The blog will automatically improve your Google ranking

Their advice, whilst well-meaning, is partially misleading and mostly just wrong.

  1. A Premium theme may be cheap to buy, but it usually doesn’t include: sales and proofing for customers to view and shop for prints, hosting fees or a support contract for updates and assistance.
  2. It might look good, but it also looks identical to every other photography website with the same theme. In a crowded marketplace you need to establish and sell your brand – generate something unique to set you apart.
  3. If something does go wrong how easy is it to get help? Do you want to have to learn PHP, HTML, CSS and JavaScript just to fix your website?
  4. Having a blog won’t necessarily improve your Google position. Google doesn’t care if you have a blog or not – what matters is content. A website performs well in searches if it has the right content (and is well-made, popular, regularly updated, linked-to by popular sites… and so on). Blog sites are not always ‘Google friendly’ – in fact a number of the most popular templates are quite the opposite.

However – the biggest problem with a pre-made theme, and the reason why we’ve written this post, is viruses – hacks – exploits – malware & spyware.

The Dangers of Free Themes

Take extreme care when looking for a free WordPress theme on the web. This post reveals why:

Malicious software that performs a number of tasks, including: installing viruses, unwanted advertising, keylogging, security vulnerabilities and lots more.

In case you haven’t time to read it – nearly all top search results for ‘free WordPress themes’ give themes that contain viruses or ‘hacks’ built-in to the website. (A quick test of our own revealed that the first 7 out of 8 themes contained malware of some kind.)

We won’t name names, but there are a range of popular Premium templates (particularly popular with photographers) that we’re seeing more and more. These templates are complicated and loaded with features that a customer doesn’t want or need. Extra code, plugins and features means more methods for a hacker to exploit.

Hacked WordPress: A Case Study

When a theme gets hacked it can be difficult to find the vulnerability. A WordPress site with plugins and extra features uses a file system containing thousands of files.

We were recently asked to provide tech support for one such WordPress Premium theme. After much searching we found a perfectly innocently named file ‘nice_menus.php’ buried in an obscure system folder. Inside we found this:

It might not look like much – that’s deliberate. The sets of green letters are encrypted to keep their true job a secret. Somewhere else on this site another line of code activates and decodes this hack, triggering the malware.

Here’s what this same hack looks like when it’s been decoded:

We’ve highlighted the telling bit of code above. If it all looks like nonsense, again – this is deliberate. The hackers have hidden their code within a series of mathematical equations, and then encoded the actual virus script in ‘base64’ (a method of encrypting lines of code).

All this is to keep virus-scanners and anti-malware software from finding the hack. It’s also to keep amateur (and some professional) website designers from spotting it. This site had already been scanned and sent away to be cleaned by another agency, who missed this particular bug.

All of the above was found on a pre-made Premium WordPress theme (and a popular one at that). This code was not present in the theme when it was first purchased – it had been added after hackers found a vulnerability and uploaded it without the owners knowledge.

What do these theme hacks do?

Websites should be written in clean, semantic code with proper indentation, references and structure. The code above looks wrong to any designer or developer worth their salt. This hack was part of a coordinated attempt to take over a WordPress site. A line of encrypted code had been added to every text file on the site, meaning that the website had to be deleted and ‘rolled back’ to a previous backup.

The hack redirected visitors to a list of websites containing viruses/malware and all sorts of nasty surprises. The list itself was hidden in an innocuous looking ‘log’ folder right in the main directory of the website.


  1. The hack is uploaded through a vulnerability in the theme
  2. The hack is copied into every text file on the site
  3. A visitor to the site opens a page and the code is run
  4. The visitor is redirected to a malware site where a virus is installed onto their computer.

What happens to a hacked site?

You might not realise your site has been compromised. In the case above, the client discovered the hack when his customers began calling to tell him that his site was blocked in their browsers. This is the message that appeared:

Once you’ve been registered as an ‘attack page’ it takes time to get removed from Google’s watch list. It can also negatively impact your search ranking and damage your reputation with clients.

Should you use a free/Premium theme?

Popular themes are prone to viruses because hackers know that your website uses the same files and the same system. Once a vulnerability has been found, it’s not difficult to search for other users of the same theme so they can be exploited too.

The WordPress themes where these hacks were found were run by technically-competent website owners. The sites used complicated passwords that couldn’t easily be guessed, and they were protected by a number of security measures including plugins designed to prevent hacking.

The owners were let down by poorly-made, overcomplicated themes – and poor support from the theme developers. The hacks have resulted in lengthy down-time, costly repair bills, damage to reputation with customers and penalties to Google rankings.

What’s the moral of the story?

If you’re running a business then you need to use a professional designer or design agency to set up your web presence. It’s that simple.

It can be tempting to cut corners and ask a friend – or do it yourself – because it seems like it’ll be cheaper. Sadly we see this happen from time-to-time and in the long run most businesses end up spending more time and money trying to resolve the problems it causes.

Leave it to the professionals – a good agency will build your theme from scratch. They’ll close the security holes, they’ll sort the complicated bits and they’ll back everything up so you can be confident your web presence is safe and secure.

2 Responses

  1. Andy Crozier says:

    Great blog post, this same story happened to a close colleague of mine. He spent almost a year struggling with a beautiful looking theme that was full of holes and deeply regretted it after getting hacked up the wazoo 3 times resulting in Google blacklisting and 6 weeks of downtime. His web site angels completely rewrote his theme from the code line by line and tells me although it was a costly exercise, it was worth every penny.

  2. Eric Pearce says:

    Interesting post. Thanks for the information. The question then lends itself, to what to do next?
    I am just about to add a blog to my website and probably would have gone with some sort of premium theme from WordPress. Are you suggesting that all themes are unsafe? Would you be the ones to ask to build a blogging platform theme in our behalf that matches our website?
    I look forward to your answers… Eric