'Free' Wordpress Themes - Read Me!


Corrosive
01-13-2011, 01:51 PM
Very interesting article to explain to customers why 'free' website themes may be more than they seem; http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

DWcourse
01-13-2011, 04:22 PM
Another example of why free isn't always free.

DWcourse
01-13-2011, 04:25 PM
Just a side note. WordPress could take action against some of these sites based upon the use of the term WordPress in their domain names. Unfortunately they haven't done that.

domedia
01-13-2011, 04:35 PM
True, but it's not like they're hiding the fact that they encode their links in there. One way of viewing that article is that it's using scare tactics to get people to pay for commercial templates.

DWcourse
01-13-2011, 04:50 PM
One way of viewing that article is that it's using scare tactics to get people to pay for commercial templates.

I didn't want to go there but it's more likely that they are trying to promote WordPress.org as the only legitimate site for WordPress themes. WordPress hasn't been particularly friendly to developers of commercial templates. (or for that matter for critics of WordPress practices (http://wpblogger.com/mullenweg-the-coward.php)).

domedia
01-13-2011, 05:00 PM
I just thought the whole article smelled a little..
It's not very well written and conclusions are really shady.

I don't make free wordpress templates, I don't know anyone that does and I'm not affiliated with wordpress creations in any way (apart from the few I make for clients). But I do understand that a free template might come with a price, and that price might be a sponsored link. And in order to make sure there's no freeloaders, they might want to encode that link.

So the author creates this hysteria about encoded links.
They can be used for malicious actions, but she fails to show even one example. It's like saying kitchen knives are the biggest threat to families because you can use them to kill each other. Not a very good analogy but you catch my drift ;-)

For all I know, it's absolutely possible that the majority of those encrypted codes in fact is malicious, but the article does a really poor job of proving it.

I guess if I would have written an article about this, I would have taken a completely different approach. 8)

Kudos to the author for putting the spotlight on this though. I'll make sure I scrutinize the template before I use a free one again.

DWcourse
01-13-2011, 06:24 PM
Actually, I don't disagree with the gist of the post. In most cases where you see stuff like encoded links the sites are offering themes which were created by someone else and modified to add the links. I recently read another article with indication of more malicious additions, I'll try to see if I can find it.

A few years back, I did offer some premium WP themes and I found people were willing to pay $50-$75 for a nice theme with a bit of support. Of course the bar is a bit higher now for what constitutes a "nice" theme.

Another issue is how much "free" really costs. Personally I find a bit of support helpful even with a prepackaged theme.

Also people need to be aware that WordPress isn't low maintenance. They have a regular update about every 3 months and issue a lot of security updates on a more frequent basis. And there are no patches for old versions. If there's a security issue you have no choice but to update to the latest version and hope your themes, plug-ins and widgets are compatible.

And, in spite of what this might sound like, I really like WordPress and use it for a lot of projects.

Corrosive
01-13-2011, 06:42 PM
I think my view, on reading it a couple of times and based on what I learned in school, is divided.

Absolutely you should review the source of an article to determine any potential bias. Everyone has an ulterior motive whether they are aware they are doing it or not. You only have to look at some very reputable doctors publishing research saying that smoking isn't bad for you all the way into the early 90s simply because they were in the pay of the tobacco industry.

What I think the article does offer is a 'heads up' to what might be a potential problem with some free templates (and quite possibly even paid ones) when you don't know what you are looking at.

Absolutely nothing in life is actually free but there is risk and reward and that is how humans work. You know when you search for something on Google that you are having your preferences tracked...But you get your search result so the reward is worth the risk.

If you have the knowledge that there may be some surreptitious back links in your website, possibly pointing to something or someone you may not be entirely happy about or that you could potentially be handling and distributing malicious code then you make an informed decision. Is the risk (as stated) worth the reward of a 'free' layout? I think the article poses the question quite well.

Anyhoo, glad I posted it because we've not had a proper debate going here for ages! It's an actual forum post rather than a help desk post ;)

domedia
01-13-2011, 07:15 PM
She might be perfectly right, but I just can't get over the quality of the article. Just an example:
2nd site on Google and we're getting more base64. I downloaded a few other themes which contained static links and no base64. I guess that this site is a bit hit and miss. However, with the previous site I could get it decoded and this, no go. A search on some forums for the pieces of code in the footer indicate that it may be encrypted code used for hacking :( I ain't techie enough to know and I suspect that most WordPress users aren't either. In that case….

My Suggestion
Avoid!

-base64 is not inherently evil or bad. But it's the argument that is repeated over and over. "OMGZ - This site is using base64!#$%". It's a *long* time since I studied Logic, but this is false
A uses B. B can be used for Evil. Ergo A is doing something Evil.

-So other sites don't have base64.. wow. Again this is an argument for why the templates in question are bad. Again it fails in logic:
A is a good site. B is not A. Ergo B is a bad site.

-And then the fact that she's not a 'techie' . (Oh btw, isn't this the first red light before you write an article about something inherently technical?). The argument is that she is not a techie to find out if there is malicious code, so therefore it probably is. Logically false again:
I cannot determine if A is good or bad, ergo A is bad.

</rant>
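
Added example, not part of the original thread or of the linked articles: one way to settle what an encoded theme footer actually contains is to decode it instead of guessing. This Python sketch finds literal `base64_decode('...')` calls in PHP source, decodes them, and separates a plain link from a payload that runs or unpacks further code; the function name, verdict labels and sample footer are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Literal-argument calls only; base64_decode($var) needs manual tracing.
CALL_RE = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# PHP constructs that run or further unpack data. Finding one in a decoded
# payload means it is more than a static link and needs a human reviewer.
EXEC_RE = re.compile(
    r"\b(eval|assert|system|exec|passthru|shell_exec|gzinflate|str_rot13|base64_decode)\s*\("
)


def inspect_theme_source(php_source):
    """Return one finding per literal base64_decode() call in php_source."""
    findings = []
    for match in CALL_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            findings.append({"verdict": "undecodable", "urls": [], "decoded": None})
            continue
        urls = URL_RE.findall(decoded)
        if EXEC_RE.search(decoded):
            verdict = "executes-more-code"
        elif urls:
            verdict = "link-only"
        else:
            verdict = "other"
        findings.append({"verdict": verdict, "urls": urls, "decoded": decoded})
    return findings


# Constructed sample footer (not taken from any real theme): one encoded
# sponsor link and one payload that hands its data to another decoder.
_LINK = base64.b64encode(b"echo '<a href=\"http://sponsor.example/\">Theme sponsor</a>';").decode()
_NESTED = base64.b64encode(b"eval(str_rot13($theme_data));").decode()
SAMPLE_FOOTER = (
    "<?php eval(base64_decode('" + _LINK + "')); ?>\n"
    '<?php eval(base64_decode("' + _NESTED + '")); ?>\n'
)

if __name__ == "__main__":
    for finding in inspect_theme_source(SAMPLE_FOOTER):
        print(finding["verdict"], finding["urls"])
```

A "link-only" verdict still means the theme ships content its user did not choose; "executes-more-code" and "undecodable" are the cases to hand to someone who can read the PHP.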

Corrosive
01-13-2011, 07:20 PM
Excellent rant dude! I'd love to see some research from someone more technical to see what they have to say about it.

domedia
01-13-2011, 08:24 PM
It would be interesting to figure out appx how many ppl here are using Wordpress..

Corrosive
01-13-2011, 08:31 PM
It would be interesting to figure out appx how many ppl here are using Wordpress..

Poll set up. See what we get.

DWcourse
01-13-2011, 08:39 PM
Here's a link to the article I mentioned: http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/

Unfortunately he doesn't go into a lot of detail about the malware detected but he has run into

to (among other things) include a well-hidden PHP shell that would allow the hacker a backdoor to access the site on which the Theme is installed

And that was on a site redistributing a modified version of one of his own themes.

BTW, Chip is authoritative and very thorough and does his research before posting.

domedia
01-13-2011, 09:07 PM
Here's a link to the article I mentioned: http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/
Nice! So on this page I find a link to
http://ottopress.com/2010/anatomy-of-a-theme-malware (http://ottopress.com/2010/anatomy-of-a-theme-malware/)

And here's where the good stuff is :)
The author, Otto, dissects the code, makes reasonable conclusions and ends it all with:
In short, don't trust dodgy theme sites. Get your free themes from WordPress.org Extend-Themes (http://wordpress.org/extend/themes) instead.

This is where the official Wordpress site makes available (gasp) free wordpress templates! :grin:

But hold on a second... back to the original article. The headline was:
"Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else"

Really? Never? And there was a whole article to support that fact?

ok, so I go to Google and search for "Free WordPress Themes".

#2 in the SERP is a link to the very page that Otto above recommended us to go and get free Wordpress themes.
The official Wordpress website..
At this point I give up lol.

Nothing further your Honor.
The Witness is yours.
Case closed.

domedia
01-13-2011, 09:09 PM
And btw Otto did find some really nasty stuff. Reminds me of something I went through with a client's zencart website. Code that will grant the hacker access enough to do almost anything they want to. Most likely use the server to send out spam.

Corrosive
01-14-2011, 06:52 AM
I agree the first (and in some cases the second) articles are a little sensationalist but that's part of the skill of article writing. If she'd called it 'Very occasionally you might download a hacked template from a free wordpress theme site watch out' then no one would read it. It has been the staple (certainly in the UK) of journalism for hundreds of years to sensationalise to attract readership.

As long as people take the article with a pinch of salt but understand that there can be this kind of issue then I don't see the harm. Journalism is just story telling after all. Don't tell me any of the TV news channels in the US (or anywhere else) are actually objective. I have seen Fox News!

I was interested to read it as I had never even considered that a template might be hacked. Didn't even cross my mind.

domedia
01-14-2011, 02:08 PM
I agree the first (and in some cases the second) articles are a little sensationalist but that's part of the skill of article writing. If she'd called it 'Very occasionally you might download a hacked template from a free wordpress theme site watch out' then no one would read it. It has been the staple (certainly in the UK) of journalism for hundreds of years to sensationalise to attract readership.
I just expect differently from 'technical' articles. The header you described above would be great, even saying 'often a free template will have malicious code in it' would be OK I think.

As long as people take the article with a pinch of salt but understand that there can be this kind of issue then I don't see the harm. Journalism is just story telling after all. Don't tell me any of the TV news channels in the US (or anywhere else) are actually objective. I have seen Fox News!
Hey, unfair bringing FOX news into this ;-)

No harm per se I think, just not very well written

Chip Bennett mentioned http://www.themelab.com/ as a trusted free theme maker. Themelab themselves has an article talking about 'shady thememakers'.
http://www.themelab.com/2009/12/08/stop-downloading-wordpress-themes-from-shady-sites/
And in it they come with a full list of, in their book, trusted websites that provide free templates.

And there lies the difference. Otto, Bennett and themelab all wrote about the same issue, but came to a different conclusion than the article we're talking about.

I was interested to read it as I had never even considered that a template might be hacked. Didn't even cross my mind.
Yes, this whole thread might have saved me some major headache, much appreciated.

Corrosive
01-14-2011, 03:18 PM
Hey, unfair bringing FOX news into this ;-)



Yes, that was a low blow ;)