WordPress Support Forum And Themes

There has recently been a discussion on the WP-Forums mailing list concerning the following sticky thread. In a nutshell, two questions are being considered. The first is whether decoding obfuscated theme code for users should be allowed on the forums. The second is whether this type of behaviour on the forum promotes the use of so-called pirated themes. I say so-called because if the theme is licensed under the GPL, no piracy actually occurs.

Unfortunately, there are more bad places to download themes than good. Case in point: take a look at this screenshot from a Google search I performed for ‘Free WordPress Themes’. The first two results are filled with themes carrying base64-encoded code. Encoded, not encrypted: base64 is a reversible encoding that anyone can undo, which is exactly why the forum threads are able to decode it. It hides the code from a casual glance, not from anyone who wants to read it.

Poor SEO on WordPress.org’s part, or simply too many sites running themes whose obfuscated code prints public-facing links back to those download sites? Whatever the case may be, it’s evident that many users within the community are getting hold of these themes and using them on their sites, possibly without knowing about the obfuscated code within footer.php or other files in the theme. In my opinion, support of any kind for commercial themes should not be allowed on the WordPress.org support forum. Not only does it make little sense, but it’s a common courtesy to those companies that provide support as part of their value. While browsing through the Welcome Message that all new forum members should read upon signing up, I didn’t see any mention of commercial theme support. Adding one would also make it very easy to simply lock or delete threads concerning obfuscated code within commercial themes.

As for free themes that have been downloaded from the official theme repository and redistributed with obfuscated code added, or free themes in general, I’m not sure whether decoding those themes should continue on the forum or not. On one hand, it’s an opportunity to educate that user and explain why that code within a theme is bad news; on the other hand, it’s a never-ending problem with no hard solution. I think education here is our best bet, with a detailed post on the WordPress.org blog, but it’s not as if that will solve the problem; it will only make folks more aware.

There is no law saying you can’t place obfuscated code within a WordPress theme, but it’s considered very bad mojo within the WordPress community. Obviously, these sorts of themes are not allowed within the theme repository, but outside of the WordPress.org domain it’s the wild wild west. It’s reached the point now where, if a developer is releasing free themes, their best bet for trustworthy exposure is to have the theme in the WordPress theme repository. I suppose it’s a trade-off. You can get a theme from the repository, which doesn’t have the best variety and selection, and know that it won’t have obfuscated code or any other junk in it, or you can take your chances by finding a theme somewhere out on the net.

I’m interested in hearing what you folks have to say regarding the issue of themes, obfuscated code, and the WordPress support forum.

12 Comments


  1. I started the discussion on the forum mailing list because I found a copy of a repository theme that had base64 in it when I was helping on this topic: http://wordpress.org/support/topic/414732?replies=8 I did a quick Google search for the theme he was having a problem with and downloaded it. I soon realized that the bad site had only switched 2 letters in the theme name and added some spam links in functions.php.

    This got me going through the decode sticky post, and I started finding pirate themes from Woo, Studio Press, and Thesis, which is not GPL.

    I agree that we shouldn’t be offering support for premium themes in the forums, but we have an obligation to protect WordPress users. At the same time, as Jane Wells stated, we should also not be promoting the use of pirated themes.

    Some of the pirate themes in question are not GPL, and just as WordPress is firm on its GPL stance, it should also respect other licenses by not helping users get around them.

    My stance is that we should not be decoding themes for users, but we have an obligation to warn them of possible harm and should be educating them on the ethics and dangers involved.

  2. You should NEVER allow the use of EVAL in any of your plugins or themes.

    Not only is it a huge security risk, it’s also a big performance hit.

  3. @_ck_ – No one has ever provided me a GOOD reason to use EVAL in a theme or plugin. Does a good reason exist?

  4. Most premium themes are already available on various websites as pirated versions, and they are all modified to include tons of hidden spam links in the footer or header (at the very least), but some I had a chance to examine (one of my clients got a few of them and thought it would be a good idea to use them) had a lot of base64- and eval-encoded content that, after decoding, was adding iframes to another website and, in one case, sending the currently logged-in user’s info to an IP coded inside the malicious content.

    GPL is the freedom to distribute, but some things go too far beyond simple distribution. Getting a premium theme the easy way, pirated, to save a few bucks will potentially open a door for all sorts of exploits that a less experienced user will not be prepared to deal with, and he will be left with no support since he decided to save some money.

    I think that WP.org is scanning all uploaded themes for eval or base64 functions and doesn’t allow that to appear anywhere.

  5. @Jeffro

    I use plugins such as Exec-PHP on some of my sites so I can easily execute PHP in the body of a post or page. Exec-PHP uses the eval function. This plugin has been very useful in the past in order for me to write PHP code directly in the post/page to ‘hook’ into 3rd-party membership scripts and show content in the post depending on the user’s logged-in status.

    I have also used a similar method to access the APIs of web services directly from within posts/pages, such as videos stored on a content server. This requires you to ‘talk’ to the video content server using PHP and their provided APIs to load video playlists. The only viable way I found of doing this (for me anyway) is to be able to execute PHP in the body of posts/pages using functions such as eval (so I can load post-specific video content).

    As for eval security/performance, I am by no means an expert in the deeper workings of PHP but have sure found functions such as eval useful. In the future I think a lot of the functionality of what I need to do could be moved out to shortcode functions, but there may well always be a need to execute PHP code from within a post/page. I am not sure yet if there is a situation where PHP in the body of a post/page could not be handled by using shortcodes (with attributes) instead.

    David

  6. “pirated themes” – that wording is not very useful and it’s not clear what this means. Sounds like FUD to me.

    Those source codes under proprietary licenses that you can find somewhere are a sort of license bomb for potential users. The moment they mix it with WordPress code, they lose the right to use WordPress if it’s not GPL-compatible.

    And most often these theme “creators” are not only careless about licensing, but they also don’t care about their users. So I would stay away from obfuscated themes at all costs in the first place. If you find a nice guy who can decompile it for you, well, that’s nice. But in parallel, users should be better educated about the problems these obfuscated themes bear.

  7. @Jeffro – My PHP Code widget uses eval.

    I can think of no sane reason to use eval in a theme.

  8. @hakre Perhaps ‘pirated themes’ should be called ‘hacked themes’ instead, if the theme is under GPL licence and has obfuscated code inserted.

  9. Yes, it is very strange that this thread is on the wordpress.org site offering help to decode themes. This is like saying that it is OK to use these spammy hacked themes.

    And also very strange that wordpress.org is not ranking #1 for “free wordpress themes”. Performed the search right now and it is ranked 3rd.

  10. Hi jeffro,

    Just posted my comment to your site and after posting noticed that I have 10 minutes to “Request Deletion” of my comment. Great feature. Had not seen this comment posting feature before. Guess it really comes in handy for those comments made in anger!

  11. Some of the themes in question are not GPL and fall into the same category as any other copyright-infringing (“pirated”) software. WordPress is assisting users in violating others’ copyrights by providing this service.

  12. I reckon that the issue is not whether it’s permitted to show some pieces of code in forums, as it is not a question of copyright. Copyright arises when a material portion of the work is used. Here we are discussing minute portions, which may fall under 17 USC 107, the fair use clause. Fair use is a permitted use of a work, reproducing it or copying it, where the use is for criticism, education or review, which is the case here.

    Moreover, if we examine the Israeli Copyright Act, then we understand that the exclusive rights in copyright are granted for the work or a substantial part thereof. Here we do not discuss substantial parts of the work.

    I think that this falls under self-study or educational purposes, and therefore fair.

    J.
