Hacking WordPress Themes

If you’re not technically inclined, go ahead and skip this one… because it gets a little heavy.  I don’t pretend to be a computer guru.  But I know enough about php, html, and wordpress to be just competent enough to know when something is a little off.  So when I noticed that the new theme I’m tweaking for Tuxedo Alley contained a footer that was encoded in base64, I knew I had to roll up my sleeves and look closer.

If you’ve never played around with WordPress, basically it’s what is known as a CMS… or content management software.  It’s what allows me to write this blog without having to get down and dirty with html code.  Wordpress is by far my favorite CMS because it the most used CMS on the Internet.  I think the statistic is that roughly 10% of websites online use WordPress.  It’s open-source, free, and relatively easy to modify.  I’m confident that any website you could think about doing on the Internet could be done using WordPress as your CMS.  In fact, I’ll give you some free advice when it comes to hiring a web developer… if you are ever talking to a web designer and they try to talk you into using Drupal or Joomla for your website, fire them immediately and move on to someone else.

There are issues with WordPress, though… especially when it comes to using free wordpress templates.  A lot of the theme designers encode links on the bottom of their themes for SEO purposes.  That’s why a lot of the times when you visit a blog, you’ll see some weird links at the bottom.  For example… I’m currently playing around with TuxedoAlley.com, trying to set it up and using a free wordpress theme called Terbiumable by Padd Solutions.  It’s an elegant little theme and I really like how it’s coming along.  The only problem is that at the bottom there are four undesirable links to some pretty eclectic sites : top tattoo parlors, Canadian dog boarding, over 40 dating, and amputee dating.  That’s right… amputee dating.

So how this usually works is that the developer of a WordPress theme will go on some forums and sell sponsor links at the bottom of the theme.  Websites, like the amputee dating one, will pay for the links to be on the bottom of the theme because the more inbound links they are able to get to their website, the higher they will rank in Google and Bing searches.  And it works… the amputee dating site that linked on the bottom of my theme is on the first search page when you type in that term.  So is the dog boarding website for the term they are fighting for.  And so is the over 40 singles club website.

These themes are usually free to modify as you want.  So I decided it wouldn’t do to link out to these weird sites on my new tuxedo website.  Usually stripping these outgoing sponsor links just involves opening up the footer.php file in your WordPress editor, selecting a few <a href=””></a> links and hitting the delete key.  Sometimes, though, they get a little trickier.  I couldn’t find what was going on in the footer.php file and so I started looking at every single .php file included in the theme.  Once I got to a file called prelude.php, I saw that PADD Solutions got a little trickier than most of the theme developers.  When I opened the file, it looked like this :

If you’re thinking that this doesn’t look like php, you’re right. It’s actually base64 encoded. And to read exactly what’s going on here, first you have to copy the code after the $_F=__FILE__;$_X=’ and before the ;eval( and then run it through a Base64 decoder. There’s a good free one that I found at http://base64decode.org/.

But once I ran that through, it came out still looking kind of gibberishy… like this :

So I base64 decoded the eval statement and saw that the following string was what was being “eval”ed :
What this does is changes all of the 1s into As, 2s into Os, etc. So basically, the theme developers were FURTHER obfuscating this code by turning all of the letters into vowels.

So after a lot of decoding and then using the “find, replace” option on Notepad++, I finally get a look at what the developers were doing with this code. It looked like this :

So what’s going on here? I can speak PHP about as well as a two-year old can speak english… but following the code, it looks like the footer isn’t actually hardcoded into the theme at all. Instead, the theme connects to the theme designers website and pulls the sponsor links out, then posts them to the site. It also looks like the theme automatically checks to see if the theme has been updated, and if it has been, it looks like it updates it automatically. That’s actually pretty scary, because what that means is that PADD solutions could change my code in an instant and make it so that the website was doing all sorts of malicious things… sending spam emails or participating in a denial of service attack are just two things I can think of.

At the end, they have a snippet of code that checks to see if the sponsor links were spit out… if they weren’t, then a it calls for a “wp_die” function with the message “Something wrong.”

Quick and dirty solution to remove the links at the bottom of Terbiumable wordpress theme follow these steps :
First, load up your dashboard. Click on Appearance. Then click on Editor right under “Terbiumable options”.
Second, click on prelude.php on the right hand side. Select everything and hit delete. Then hit update file.
Third, click on footer.php on the right hand side. Count down to the 20th line. Delete that line.

So what’s the point of all this? Well, mainly that you need to be careful when using wordpress themes… particularly free wordpress themes. If the designer has base64 encoded strings in their theme files, it’s probably best to just walk away and use a different theme. This has really been a headache so far and I might have to take my own advice if I can’t figure out how to reverse engineer this and hack it up so I don’t have to link to amputee dating sites.

This is my site. If you want to start a flame war, go to 2+2.


  • 9 years ago

    Great post and nice decoding work. I don’t know if I would have figured out that letter replacement trick…

    Will check back again. I am trying to remove/repair an encrypted footer and looking around for information. The wp theme I have just has an encrypted footer, but it doesn’t seem to be base64, and so far my other attempts have not worked…

    But I liked your post. It was well written and interesting. A such. I thought I would leave a hello. Thanks!

  • George

    9 years ago

    I was having a problem with this as well and I was ready to punch a walrus. I had identified the problem and tried all sorts of workarounds, but in the end, and I can’t believe it, this was the method that worked for me.

    I’m not terribly well versed in php, so thank you for your legwork, and know that it’s much appreciated.

  • 9 years ago

    Hey Dutch whats up its Marty. register an account on my site and we can exchange PM’s . Would love to have you on radio. Also my new site is in WordPress and would love to hear more of your ideas

    Hope you are well.

  • 8 years ago

    You = my hero. Thanks!!!!

Leave a Reply