It speaks for the absolute web goodness that is WordPress that it gets targeted by the most evil the web has to offer. Of course, the idea of looking for free pre-packaged themes anywhere but wordpress.org's own curated theme directory is, to me, pure masochism.
posted by oneswellfoop at 11:47 PM on January 23, 2011 [8 favorites]

This site has a picture of a cat playing a guitar. I am easily pleased by things with cats on them.

this speaks to me on a level whose depth i cannot describe.
posted by secret about box at 11:47 PM on January 23, 2011 [8 favorites]

Eponysterical! I'm so, so sorry.
posted by bwg at 11:48 PM on January 23, 2011 [1 favorite]

It's a good thing I've taken to writing my one then.
posted by SansPoint at 11:52 PM on January 23, 2011

This has been running around in the WordPress community for a week and a half now - it got mentioned last Wednesday in the Seattle WordPress Meetup, and once I read it, I made a point to log into my own site - which uses a theme from the WordPress theme directory - just to look for some of the signs and make sure I wasn't sitting there with pants open, metaphorically speaking.

(trust me, metaphorical is best.)

Some of them are really nasty because they use known-good themes and modify them to create the malware-strewn ones. While even the bad ones are relatively minor - hidden generation of links, things like that - it's entirely possible worse could go in.

Back in November, a plugin for WordPress designed to help with Search Engine Optimization turned out to be pretty unpleasant malware.

Eventually, there will probably need to be a curated list of plugins that have been checked, or some kind of addition to the WordPress infrastructure to look for the usual vectors. (Or a security plugin, just to add to the whole loopy nature of things.)
posted by mephron at 12:13 AM on January 24, 2011

More broadly I think this is a burgeoning problem for Google that they need to address evermore urgently. It's not just wordpress themes, but almost any IT-related search is now polluted with cruft, spamfarms, linkbait, malware etc.

It dramatically affects the utility of search, and the evil taint has spread well beyond IT as well. When I was diagnosed with colitis six or so years ago, searches on colitis-related terms predominantly threw up support groups, medical references, etc. Just last week I was searching for something colitis-related for the first time since then and I was shocked - I shouldn't have been - by how pages of results had been completely co-opted by shyster cures, de-tox medical nonsense and expensive con chicanery.

It actually made me really sad, because anyone seeking more information now would be hard-pressed to find it from the internet.
posted by smoke at 12:15 AM on January 24, 2011 [35 favorites]

Smoke: this is the result of SEO gaming and why I expect there will be a tremendous revamp to the PageRank system in the near future. Their current system cannot put up with the combination of gaming and spew, and is falling apart. I know that Google advertises their ways of avoiding such things, but at this point I think they've hit the point where the entire algorithm needs to be reworked.

Which would equate to a rebuilding of the search engine at a deep level to accomodate the new methods, and I'm unsure that they're able to make that change as seamlessly as users would expect it to be, much less what their technical people would want. I suspect you can't just hotfix it in.
posted by mephron at 12:20 AM on January 24, 2011

It would have been nice to actually download and test some of the wordpress.org themes, just for consistency, rather than going "no need to test this, I'm just going to assume it's fine".
posted by primer_dimer at 12:29 AM on January 24, 2011 [1 favorite]

I'm a bit disappointed, really, that this post is full of people throwing around the term "SEO" in reference to this, when we should really start calling this shit out for what it is...malicious internet-wrecking spam put out by scam-artists and con men. SEO as a legitimate business practice is dead. It's never really been alive since Google's been on the scene - Google's algorithm aims to make sure the more relevant sites drift to the top of the results. If you have to do something to your site to make it more "relevant" than it deserves to be, then you aren't playing the game fairly.

So people who've been affected by this, who were drawn in by "SEO-optimized Wordpress Themes" probably deserve what they get. Their readers, of course, don't.
posted by Jimbob at 12:47 AM on January 24, 2011 [4 favorites]

SEO as a legitimate business practice is dead.

Indeed. I use it to weed out bad customers. Every now and then I get asked "how do I get high(er) in Google search results".

Good customers, the ones to keep, accept the explanation and the "just make good content" advice. Potentially bad ones go "but... but..." - a great sign that I'm better off without them.
posted by DreamerFi at 1:10 AM on January 24, 2011 [16 favorites]

I agree with what you say about SEO, Jimbob, but that's not what this is about. It's about searching for free Wordpress themes and getting "seo optimised" themes. That is, malicious internet-wrecking themes put out by scam-artists and con men.

Google isn't really the bad guy here. You search for free Wordpress themes and that's what you get. The fact that there's malicious javascript hidden within those themes isn't Google's fault.

The linked post is about how Wordpress themes are becoming a vector for the kind of scam artists you're talking about. Personally, I'm not surprised. "Free Wordpress themes" sounds like "javascript for people who don't know javascript". Not really a surprising vector for dodgy practice. And if you read the whole of TFA you'll see some of the stuff she identifies as dodgy is more "I couldn't figure out what this does, so it's probably suss" which is a good attitude for someone downloading javascript for their site to have, but not quite deserving of the hype.
posted by GeckoDundee at 1:11 AM on January 24, 2011 [1 favorite]

Google's been having a real tough time of keeping the cruft out lately, and I hope that mephron's right that a reset is due soon. They're at serious risk of losing their edge, here.
posted by mr_roboto at 1:11 AM on January 24, 2011 [3 favorites]

I'm ashamed to admit that I actually can't remember where I got the theme I'm using and the idea of starting with a clean one and trying to replicate in a responsible manner the effects of all the ad hoc bodgery I've put into the old one fills me with cold fear.
posted by Segundus at 1:20 AM on January 24, 2011 [2 favorites]

Much obfuscated code is simply an attempt to keep interpreted code proprietary. You can buy code obfuscating programs for just about any scripting language or bytecode compiled language, that advertise the benefits of keeping people from being able to steal your work.

That said, of course, only a fool would run obfuscated code from a random download. And if you cannot read code, all code is effectively obfuscated from you (even people who can read code occasionally get tricked by obfuscatory sleight of hand in seemingly unobfuscated code).
posted by idiopath at 1:26 AM on January 24, 2011 [1 favorite]

It's PHP, not JavaScript. PHP code can be quite hard to search for exploits, as this StackOverflow thread demonstrates. It looks like most of the examples given are nasty SEO tricks, but there could also be stuff in there for hacking into people's servers.
posted by iotic at 1:37 AM on January 24, 2011 [5 favorites]

mr_roboto: " They're at serious risk of losing their edge, here."

As long as there is no viable alternative - no, not really.
posted by brokkr at 1:38 AM on January 24, 2011

I ran into this last year when a "designer" my small web team was working with had to modify a theme she gave us. I always open EVERY php file in a theme and search for "base64" and "eval" because, well, I'm wiked smart and I was pirating software since the Vic-20.

We had an email off to this "designer" within an hour of getting her files. Still, never trust the web, check it by hand.
posted by Catblack at 1:39 AM on January 24, 2011 [5 favorites]

As long as there is no viable alternative - no, not really.

All links on the Google results page must be completely above-board. Anything less makes users more suspicious and more sparing with their clicks. This strikes at the very core of Google's business model.


The fact that there's malicious javascript hidden within those themes isn't Google's fault.

Although not responsible for the malicious code itself, Google is certainly responsible for linking to it in the search results. The search engine is supposed to discriminate against harmful code, spam, and other bad search results. That's what makes one search engine better than another.
posted by ryanrs at 2:00 AM on January 24, 2011 [3 favorites]

All links on the Google results page must be completely above-board.

But what about search neutrality?
posted by furiousxgeorge at 2:07 AM on January 24, 2011 [1 favorite]

If you want to check your WordPress site for potential exploits, there's always donncha's WordPress Exploit Scanner. It looks for signs of base64 encoding and a whole slew of other potentially nefarious things in the database and the source code of your site.

The primary problem I've had with it is that it returns too many false positives to be really helpful.

The problem with SEO scammers and spammers are the bogus backlinks they generate for a fee, with the aim of to trying to game the PageRank algorithm. Finding an automated solution to tactic seems to be a difficult proposition.
posted by syzygy at 2:09 AM on January 24, 2011 [3 favorites]

But what about search neutrality?

I don't know what that is, but if it results in sending users to malicious sites, then it is stupid and should be ignored.
posted by ryanrs at 2:26 AM on January 24, 2011

JimBob: If you have to do something to your site to make it more "relevant" than it deserves to be, then you aren't playing the game fairly.

While true, I think you're missing some important topics and aspects of what is involved in SEO. There are plenty of things you can do to make relevant content more valuable. This doesn't include buying bogus backlinks from spam web sites.

Rather, it's more about organization and good writing practices. The kind of 'SEO' that I consider valid is little more than applying good writing practices that should be taught in high school and university - Use a relevant title, organize your article into sections and choose descriptive headings for each section, make sure you use the correct terms and vocabulary related to your subject, write a concise abstract that indicates to the reader what your article is about, include footnotes (links) to authoritative references or external examples.

I could write the most relevant article ever for the topic "SEO, Free WordPress Themes and Scam Dangers," but if I upload it to http://example.com/index.php?id=1, display the entire article in a single paragraph tag, don't link out to authoritative sources and leave the title blank, it may never be found. It may be relevant and groundbreaking, but without taking the time to properly organize it (for humans as well as google) it may be completely ignored.
posted by syzygy at 2:55 AM on January 24, 2011 [9 favorites]

A useful page that also points to how far Google's results have fallen in recent months. However, it is written in an annoying, sensationalist style, and makes use of casual boldface.
posted by JHarris at 2:56 AM on January 24, 2011

I use it to weed out bad customers. --- That's a little extreme if you ask me, especially in an economy like this one. I have clients who aren't as net savvy as me or you, who receive spam that promises them the moon and the stars as far as SEO is concerned, and so they are naturally enticed. I also tell them that the best thing they can do is to produce good content. That said, there are some techniques that do still work, even with Google's strict algorithm. They aren't secrets, though -- good permalinks with content-rich urls; always using alt tags for images, that reflect the content of the page you put them on; stuff like that.
posted by crunchland at 2:58 AM on January 24, 2011 [1 favorite]

ryanrs: Although not responsible for the malicious code itself, Google is certainly responsible for linking to it in the search results.

The results don't lead to sites that are malicious. They lead to scripts that you can download that, were you to install them on your own web site, might cause your site to run some javascript that you don't know anything about.

Google is not it's referer's keeper.
posted by GeckoDundee at 3:00 AM on January 24, 2011 [2 favorites]

I wrote a quick chunk of Python you can point to your site to probe for common backdoors. Get it here - it might ask for your admin password so it can do its thing, but it'll log itself out when its finished, and doesn't store anything anywhere.
posted by obiwanwasabi at 3:55 AM on January 24, 2011 [7 favorites]

Google's aware how bad it's results are lately but we'll have to see how well they address it. It seems like a hard problem.
posted by octothorpe at 5:17 AM on January 24, 2011

If you have to do something to your site to make it more "relevant" than it deserves to be, then you aren't playing the game fairly.

Sort of. It's really a chicken/egg play. A legitimate site, even with properly-groomed code and text, can easily be buried by a horde of SEO-to-a-fare-thee-well scam sites in a Google search. So, the owner of the site jumps on the webmaster's back, insisting they do something to get them higher in the Google rankings. This tends to push the legitimate site toward black-hat SEO territory, because, frankly, Google's algorithms reward those practices, for the most part, despite Google's words to the contrary.
posted by Thorzdad at 5:19 AM on January 24, 2011 [5 favorites]

Why would you not just take the themes on Wordpress and modify them yourself? You learn something, you protect yourself from bad code, you get a theme of your very own. Everyone is happy.

Is it really that hard to do? I did it myself with the CSS style guide from w3.
posted by winna at 5:47 AM on January 24, 2011

Why would you not just take the themes on Wordpress and modify them yourself? You learn something, you protect yourself from bad code, you get a theme of your very own. Everyone is happy.

So every blogger should be a programmer now?

Is it really that hard to do?

Not if you know how. It's probably not hard for a mechanic to replace your break pads, that doesn't mean it's easy.

I did it myself with the CSS style guide from w3.

Wordpress themes are only partially about the visual style of the site. Themes can add functionality to a wordpress theme, registering their own functions and other features.

People select themes for these additional features.

I like wordpress a lot, despite its ugly, horrible, horrible internals, but I no longer think it's appropriate for use by general purpose web authors.

Tumblr's theming system is tag based, it's basically just HTML with some extra tags that the tumblr engine parses before sending to your browser. It's possible that it's exploitable, but nowhere near so much as wordpress, which simply executes included PHP files in every plugin and theme.

Shorter: Expecting people to magically become developers is not a solution to a security problem, Wordpress is part of the problem here, because the system is massively insecure.
posted by device55 at 5:57 AM on January 24, 2011 [3 favorites]

I once emailed an MIT professor in the Media Lab to point out that there were hundreds of links in his wordpress theme to online pharmacies. It goes to show that even proper programmers miss this too.

(I discovered his site, as someone had contacted me about my personal webpage getting very high ranking in the viagra 'search' arena as I had a .edu wiki that was heavily spammed. So I was hunting around ".edu + viagra" searches and spotted his.)
posted by a womble is an active kind of sloth at 5:59 AM on January 24, 2011

Themes can add functionality to a wordpress theme

Themes can add functionality to a wordpress site

derp.
posted by device55 at 6:00 AM on January 24, 2011

google question: Why can't we have a filter that identifies known spam farms and malware sites, and have them eliminated from our results?
Like with Ad Block, I subscribe to certain lists of sites that are curated, and those get blocked from my computer.
I'd like the same with google results. Instead of just getting angry after reading this article, let me subscribe to the guy's list of sketchy sites and those will be permanently wiped from my potential google results.
posted by Theta States at 6:41 AM on January 24, 2011 [4 favorites]

Google's aware how bad it's results are lately but we'll have to see how well they address it. It seems like a hard problem.

From the link: "The short answer is that according to the evaluation metrics that we’ve refined over more than a decade, Google’s search quality is better than it has ever been in terms of relevance, freshness and comprehensiveness."

If Google's aware of it then it's keeping that awareness close to its chest.

In general, though, I don't think this is limited to WordPress themes. Searching for free anything tends to turn up tons of scam sites, malware distributors, and the like. I sometimes have to add "-free" to my searches to make the results usable.
posted by jedicus at 6:50 AM on January 24, 2011 [1 favorite]

It speaks for the absolute web goodness that is WordPress that it gets targeted by the most evil the web has to offer.

Yeah, same thing happened to Windows.
posted by Brandon Blatcher at 6:55 AM on January 24, 2011

There's no such thing as a free lunch. That 'free' WordPress theme you're about to download and install - you're either going to need to spend time evaluating it to ensure that it's technically sound, or you're going to risk having your website hacked and your domain dropped out of Google's index.
posted by syzygy at 6:58 AM on January 24, 2011 [1 favorite]

It's too bad this article was written by someone who doesn't actually know anything about the javascript they're talking about.

I know, I know, I'm another techno-elitist who thinks all bloggers ought to be programmers but it's only because I am nostalgic for the days when they actually were
posted by ook at 7:19 AM on January 24, 2011

I've been playing with WP on a local server, and was not aware of the ins and outs of this issue. I'm glad I have not yet uploaded anything to an external server. Thanks for the post, and for the learned comments!
posted by not_that_epiphanius at 7:32 AM on January 24, 2011

Thanks for this timely post. I have a small client that is considering a WP site.
posted by Mister_A at 7:45 AM on January 24, 2011

There's no such thing as a free lunch. That 'free' WordPress theme you're about to download and install - you're either going to need to spend time evaluating it to ensure that it's technically sound, or you're going to risk having your website hacked and your domain dropped out of Google's index.

Yeah. Stupid victims. It's all their fault.

Wordpress isn't marketed as an IT managed platform for use in the enterprise, or marketed as a developer tool requiring a minimum of technical ability.

Wordpress markets itself to 'regular' people as easy to use and modify.

Except it's not.

Wordpress has become increasingly complex to use and administer and securing an installation of Wordpress takes more than just looking for junk in a theme or a plugin.
posted by device55 at 8:04 AM on January 24, 2011 [1 favorite]

DreamerFi: " Good customers, the ones to keep, accept the explanation and the "just make good content" advice"

Been there. I've got to the point of eye-bugging rage with some of mine. I want to say, "You run a tiny and unexceptional guest house in Grockleville, a major tourism centre with hundreds of places to stay including regional branches from a dozen well-known hotel chains. What the f*** do you fantasize I can do with Google to get a search on accommodation Grockleville to put you on the first page?"
posted by raygirvan at 8:40 AM on January 24, 2011 [3 favorites]

a womble is an active kind of sloth: "I once emailed an MIT professor in the Media Lab to point out that there were hundreds of links in his wordpress theme to online pharmacies. It goes to show that even proper programmers miss this too.

(I discovered his site, as someone had contacted me about my personal webpage getting very high ranking in the viagra 'search' arena as I had a .edu wiki that was heavily spammed. So I was hunting around ".edu + viagra" searches and spotted his.)"

Our campus runs a Nagios check that does a similar google query. It works great, except for a few medical blogs that actually posted about Viagra. After observing the system in action, I'm convinced the most effective thing Google can do to fight spam is educate journalism and design majors about website security. Seems like the vast majority of systems they deploy are hacked from day one, and if their staff can't get this right, they're likely not preparing their students either.
posted by pwnguin at 8:46 AM on January 24, 2011 [1 favorite]

SEO practices by legitimate sites are engaging in a classic game-theoretic arms race -- a situation in which two or more parties are competing to lead in some arena (weapons, knowledge, search results, whatever) and must continually upgrade or acquire more material to maintain their relative position. In the end, the rankings often end up the same (i.e., big businesses keep their top rankings) as they would be if the arms race had never taken place but it is an inefficient outcome since everyone has expended unnecessary resources to maintain their positions. However, it's an assurance problem to get everyone to agree not to engage in the arms race since the entry into the competition of a defector/SEO spammer means that everyone will have to reenter the race.
posted by proj at 8:57 AM on January 24, 2011

Yesterday my wife was trying to watch a video, but her version of VLC was out-of-date. VLC is open-source. I go to Sourceforge, click on download, select the windows version, and I'm taken to a normal-looking download page **with ads**. The ads were innocuous "links" to download VLC. Except… wasn't I already doing that? And naturally, the advertisement doesn't look anything like an ad. So if your download doesn't start right away, an impatient person might click on the image thinking that it will take them to their download. Out of curiosity (and because my download hadn't yet begun) I clicked the link and was taken here (WARNING: SCAM SITE).

How in the hell is anyone that doesn't have a background in social engineering supposed to know that this is trick?
A: You don't

Why would SourceForge offer advertisements on a download page?
A: Money

Doesn't anyone check the ads before they go live?
A: HA HA HA HA HA [deep breath] HA HA OMG STOP
posted by Civil_Disobedient at 9:12 AM on January 24, 2011 [6 favorites]

Google does have some malware filtering built in to search results, in part in cooperation with StopBadWare. I can't find complete docs for it, but here's some explanation . It seems to be aimed mostly at PC malware infections installed via security holes. Not so much PHP scripts people deliberately install.

The real problem is the malware folks can game Google so their bad sites float above the good ones. There is an honest competitor to Google, Bing, and despite the miasma of failure around Microsoft's onlnie efforts it's quite a good search engine. The free wordpress themes search on Bing looks pretty similar to the Google results cited in this article, so there may not be as much diversity as we'd like.
posted by Nelson at 9:16 AM on January 24, 2011

Once, a long time ago, I was asked to help figure out why a website failed to work with a particular footer section changed. Being curious how one would enforce such a constraint, I volunteered to look for a bit. Nothing obvious came in the place one might expect, so I knew it had to be obscured somehow. Eventually I found a base64 encoded segment that queried a database for a checksum initial value or something on every page. Newer versions of this app have switched to PKI or something I hear.

Anyways, after that episode I was wondering if there was a way to search files for that kind of hidden code. Obviously the WP Exploit Scanner does it, but I'm assuming they just grep for base64. So because I'm a huge CS nerd, just now I was wondering if anyone's given Hidden Markov Models a shot. The idea is that obfuscated code will have a different character frequency than normal PHP, HTML or Javascript. Turns out yes, someone has already researched my idea, in 2007 no less.
posted by pwnguin at 9:19 AM on January 24, 2011

device55: "Wordpress isn't marketed as an IT managed platform for use in the enterprise, or marketed as a developer tool requiring a minimum of technical ability. "

I wish that some folks took this to heart, sigh.
posted by NiteMayr at 9:54 AM on January 24, 2011

The results don't lead to sites that are malicious.

Yes they are. Those sites attempt to trick people into downloading wordpress themes that contain backdoors and other evil code. Sounds malicious to me!

As a Google user, I expect their search engine to give me everything I want and nothing I don't. Malware wordpress themes are obviously the latter.
posted by ryanrs at 10:55 AM on January 24, 2011

If Google's aware of it then it's keeping that awareness close to its chest.

I dunno; that Google Blog post does smell like it funneled through Marketing and Legal, but there is one sentence in it that has some teeth:

And we’re evaluating multiple changes that should help drive spam levels even lower, including one change that primarily affects sites that copy others’ content and sites with low levels of original content.

To me that suggests: they're about to move against scraped-content farms.
posted by We had a deal, Kyle at 11:16 AM on January 24, 2011

Amusingly: it got triple-posted on BoingBoing this morning, Rob fastest off the mark, Cory slowest.

Report: free blog themes usually aren't
Free WordPress themes are loaded with malware
Top WordPress themes on Google riddled with spamlinks and obfuscated code
posted by We had a deal, Kyle at 11:29 AM on January 24, 2011

I've been searching Google for free WordPress themes for years :( I had no idea it could contain crap like that. Then again I usually end up downloading themes from the pages of individual designers.

Maybe it wouldn't be a problem if WordPress made their Themes directory more usable and with more content! -_-
posted by The Biggest Dreamer at 12:44 PM on January 24, 2011

I guess this is why I paid good money for the Wordpress theme I purchased.
posted by localhuman at 7:06 PM on January 24, 2011