Do You Feel Vulnerable?
I feel it is my duty to highlight some security vulnerabilities related to WordPress themes. When you upload a WordPress theme to your webserver you are uploading not just a benign template, but a PHP program. It runs on your server with the same permissions as WordPress itself, and it can contain code that does pretty much anything.
This cheeky monkey has created his own theme download site and modified each of the themes to contain additional link(s) to his website. He has even gone so far as to remove a link from one of my themes. Quite a few people in the WordPress community are getting offended over this kind of thing, but it is only a matter of time before something altogether worse hits WordPress bloggers.
The BlackHats are Coming!
As noted above, PHP is a programming language, and a very powerful one (many web applications, WordPress included, are written in PHP). WordPress users customize their blogs with themes downloaded from repositories such as the themeviewer and from sites such as Themey.com and the cheeky monkey mentioned earlier. Anyone (BlackHats and spammers included) is free to upload themes to the themeviewer. As far as I am aware, the themeviewer does not make any checks on the security of the PHP code contained in the themes it presents for download. It therefore follows that if a malicious coder uploads a good looking theme to the themeviewer, his theme will be downloaded many hundreds of times by people like you and me, and his code will then run on our servers, under our domains and IP addresses, doing pretty much anything he likes.
There are many things a BlackHat SEO, email spammer, or other malicious coder might wish to do using WordPress themes, here are a few examples:
- Use your domain, server and IP address to send bulk email. This will usually result in your host booting you off the server (if it is a shared server) and your domain and IP address being blacklisted. Lots of hatemail.
- Use your server and IP address to spam other bloggers with comment and trackback spam promoting their latest PPC campaign (Pills, Porn and Casino). Result: lots of hatemail, and possible problems with Akismet and other blacklisting services.
- Use your site to pass PageRank (PR) to their PPC site.
Obviously it isn’t practical to give a demonstration of the first two on the list, but for the final one I used my (limited) PHP skills to modify a theme with a couple of lines of code.
Browsers such as Firefox and Internet Explorer, and search engine spiders, send a piece of information called the ‘user-agent’ with every request for a page from your blog. This makes it easy to tell the difference between a real user and a search engine spidering your page. How does this help a BlackHat, I hear you ask? They use this information to show the search engine a different page from the one they show to people, a trick known as cloaking. Nothing authenticates the user-agent header, so the check is trivial for the theme to make and trivial for you to spoof when testing.
Here is a screenshot of what the user would see:
And here is a screenshot of what Google would see:
If you want to follow this example yourself and you have Firefox installed, download the User Agent Switcher extension and its user agent list, then check out the example site with the user agent set first to the default and then to Googlebot. Get it? Pretty bad, huh?
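For readers who would rather see the trick than the screenshots, here is what the "couple of lines" look like, written out as an added example. This is not the code from the original post or from any real theme; the domain http://example.com/, the example_ function names and the list of bot names are placeholders.

```php
<?php
// Added example, not code from the original post or any real theme: the handful
// of lines a modified theme needs to show search engines a page that human
// visitors never see. http://example.com/ and the example_ names are placeholders.

// Search engine spiders announce themselves in the User-Agent header; a real
// browser does not send these strings. The header is unauthenticated, so this
// check is trivial to make and equally trivial to spoof when testing.
function example_is_search_spider(string $user_agent): bool
{
    return (bool) preg_match('/googlebot|slurp|msnbot/i', $user_agent);
}

// Returns the extra HTML a theme's footer.php would emit for a spider only.
function example_cloaked_footer(string $user_agent): string
{
    if (!example_is_search_spider($user_agent)) {
        return '';                                   // humans get the untouched theme
    }
    // Keyword-stuffed links that pass PageRank to the attacker's PPC site.
    return '<div><a href="http://example.com/pills">cheap pills</a> '
         . '<a href="http://example.com/casino">online casino</a></div>';
}

// In a real theme this single line is all that would sit in footer.php:
echo example_cloaked_footer($_SERVER['HTTP_USER_AGENT'] ?? '');

// Constructed demonstration: the same footer rendered for a browser and for Googlebot.
$constructed_agents = [
    'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1) Firefox/2.0',
    'Googlebot/2.1 (+http://www.google.com/bot.html)',
];
foreach ($constructed_agents as $ua) {
    $extra = example_cloaked_footer($ua);
    printf("%s => %s\n", $ua, $extra === '' ? '(nothing extra)' : $extra);
}
```

You do not need the Firefox extension to reproduce the two screenshots: request the page twice with curl, once with -A set to a Googlebot string and once with a browser string, and diff the two responses. Any difference that is not the date or a random sidebar widget deserves a look at the theme's PHP.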
I’m not too sure of a solution to this problem. One that springs to mind is to have WordPress (or a plugin) check every theme file for certain PHP functions (those that execute arbitrary code, run shell commands, send mail or inspect the user-agent, for instance) and either block the use of a theme that contains them or highlight them to the user. This wouldn’t be difficult to do, but it may limit the functionality of some themes and confuse users with little or no knowledge of PHP. I guess it is a job for someone with a stronger skill set than mine. I would love to hear the views of other WordPress fans and users: are we open to attack, or have I got it all wrong?
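A first cut of the check proposed above, as an added example rather than anything WordPress or the themeviewer actually ships: a command-line script that tokenises every .php file in a theme directory and lists the constructs a reviewer should read before activating the theme. The example_ function names, the list of flagged functions and the sample footer it scans when run without arguments are all placeholders constructed for this post.

```php
<?php
// Added example (not from the original post, WordPress or the themeviewer): a
// command-line scanner that walks a theme directory and lists the PHP constructs
// worth reading before a theme is activated. The example_ names are placeholders.
// Assumes PHP 7.4+ with the tokenizer extension, which is enabled by default.

const EXAMPLE_SUSPICIOUS_CALLS = [
    'assert', 'create_function',                                      // run arbitrary code
    'system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen', // spawn commands
    'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13',        // payload obfuscation
    'mail',                                                           // bulk email from your server
    'curl_exec', 'fsockopen', 'file_get_contents',                    // can reach remote hosts
];

// Skip whitespace and comments and return the text of the next token, or null at EOF.
function example_next_token(array $tokens, int $i): ?string
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (!is_array($t)) {
            return $t;                                  // single-character token such as '('
        }
        if (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $t[1];
        }
    }
    return null;
}

// Tokenise one file's source and return human-readable findings for it.
// Tokenising rather than grepping means a mention of eval in a comment is not flagged.
function example_scan_source(string $source, string $label): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {                           // eval is a language construct with its own token
            $findings[] = sprintf('%s:%d eval()', $label, $line);
        } elseif ($id === T_STRING
                  && in_array(strtolower($text), EXAMPLE_SUSPICIOUS_CALLS, true)
                  && example_next_token($tokens, $i) === '(') {
            $findings[] = sprintf('%s:%d call to %s()', $label, $line, $text);
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING
                  && preg_match('/HTTP_USER_AGENT|googlebot|slurp|msnbot/i', $text)) {
            // A theme has no honest reason to treat search engines differently from people.
            $findings[] = sprintf('%s:%d user-agent check %s', $label, $line, $text);
        }
    }
    return $findings;
}

// Recurse through a theme directory and scan every .php file in it.
function example_scan_theme(string $dir): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) === 'php') {
            $path = $file->getPathname();
            $findings = array_merge($findings, example_scan_source(file_get_contents($path), $path));
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php scan-theme.php /path/to/wp-content/themes/some-theme
    $findings = example_scan_theme($argv[1]);
} else {
    // Constructed sample standing in for a tampered footer.php (not taken from any real theme).
    $sample = "<?php\n"
            . "if (preg_match('/googlebot/i', \$_SERVER['HTTP_USER_AGENT'])) {\n"
            . "    eval(base64_decode('ZWNobyAnaGknOw=='));\n"
            . "}\n"
            . "?><p>Powered by WordPress</p>\n";
    $findings = example_scan_source($sample, 'footer.php');
}
echo $findings ? implode("\n", $findings) . "\n" : "nothing suspicious found\n";
```

Run against the constructed sample it reports the user-agent string, the HTTP_USER_AGENT key, the eval() and the base64_decode() call, each with its line number. It is a triage aid, not a verdict: a theme that legitimately fetches a feed will trip the file_get_contents check, and an attacker who knows the list can hide behind variable function names or string concatenation, which is exactly why the findings are meant to be read by a person rather than acted on automatically.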
Don’t forget to Digg or share this story if you agree that there is a potential problem here.