Posted on September 18, 2011 · Posted in CMS

This site is built on a WordPress theme, and that actually worries me. I think the design is beautiful, and it really captures what I would have wanted if I had designed and built my own site, but recently I’ve learned there is a hidden danger in purchasing WordPress themes.

Recently a site I was developing started redirecting me to malware whenever I tried to pull it up. At first I thought someone had compromised the site because I was working on public wireless. However, I discovered that the problem actually came from a piece of code in the home page slider that allowed content to be pulled from other domains. That file, timthumb.php, had a huge vulnerability, and thousands of sites were affected because timthumb.php has been used in hundreds of WordPress themes to power home page slideshows.

WordPress themes are often very similar in terms of their components. Layouts and colors will change, but when it comes to basic effects like slideshows or other animations, they often use the same set of files to power them. The problem is that if someone finds a vulnerability in any of those files, they can easily compromise thousands of sites.

So the lesson here is that if you plan to use a theme, make sure you understand all of the components of its design, and be aware that the common use of the same set of files for animations and designs leaves your site vulnerable to blanket attacks by hackers.
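As an added example that is not part of this post, here is an inventory check for the shared-component problem described above: it walks a wp-content tree, reports byte-identical PHP files present in more than one theme or plugin, and flags copies of timthumb.php or any helper that fetches a URL taken straight from the request. The directory names, file contents and the fetch-detection regular expression are constructed assumptions for the demo, not timthumb's real source.

```python
"""Added example, not from the original post: inventory a wp-content tree,
report identical PHP files copied into several themes/plugins, and flag
timthumb.php or any request-driven remote fetch. Sample tree is constructed."""
import hashlib, os, re, shutil, tempfile
from collections import defaultdict

# Coarse heuristic: a fetch call whose arguments reference a request parameter
# (assumption: common PHP idioms, not a reproduction of timthumb's source).
REMOTE_FETCH = re.compile(r"(file_get_contents|curl_init|fopen)\s*\([^;]*\$_(GET|REQUEST)")


def inventory(wp_content):
    """Return ({sha256: [paths]} for files present more than once, [flagged])."""
    by_hash, flagged = defaultdict(list), []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, wp_content)
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            if name.lower() == "timthumb.php" or REMOTE_FETCH.search(data.decode("utf-8", "replace")):
                flagged.append(rel)
    shared = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return shared, sorted(flagged)


def demo():
    """Build a constructed wp-content tree, scan it, and remove it again."""
    helper = b"<?php\n// constructed stand-in for a helper copied between themes\ndefine('DEMO', 1);\n"
    fetcher = b"<?php\n$img = file_get_contents($_GET['src']);\necho $img;\n"
    benign = b"<?php\nfunction demo_setup() { return true; }\n"
    files = {
        "themes/alpha/timthumb.php": helper,
        "themes/beta/inc/timthumb.php": helper,  # byte-identical second copy
        "plugins/gamma/thumb.php": fetcher,      # renamed, still fetches remotely
        "themes/alpha/functions.php": benign,
    }
    base = tempfile.mkdtemp()
    try:
        for rel, data in files.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return inventory(base)
    finally:
        shutil.rmtree(base)
```

Call `demo()` to scan the constructed tree, or `inventory("/path/to/wp-content")` against a real install; every path in the duplicated list is one more copy that needs patching when the shared helper gets a fix.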