{"id":1441,"date":"2022-10-20T10:26:35","date_gmt":"2022-10-20T10:26:35","guid":{"rendered":"https:\/\/cwatch.comodo.com\/blog\/?p=1441"},"modified":"2022-10-20T12:02:54","modified_gmt":"2022-10-20T12:02:54","slug":"infected-wordpress-themes-still-on-wordpress-org-part2","status":"publish","type":"post","link":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/","title":{"rendered":"INFECTED WORDPRESS THEMES STILL ON WORDPRESS.ORG PART2"},"content":{"rendered":"

Hidden advertising in functions.php and footer.php<\/strong><\/p>\n

Researched by<\/strong>: Goshko Stanislav<\/span><\/span><\/span><\/p>\n

If you noticed that your website has been displaying unauthorized text ads anywhere within its pages such as in the header sections or the area where your social icons are located then, unfortunately, your website has been hacked.<\/p>\n

These unauthorized ads may show up on any browser or may be specific to just one, such as Google Chrome. Many codes may even spread malware as they are usually hidden in JavaScript and iFrame codes.<\/p>\n

Hidden codes such as these can affect anyone who visits your website and may even install unwanted toolbars, trackers, or malware onto their computers.<\/p>\n

If Google notices your website is doing this then it will block and remove your website from its search results!<\/p>\n

In our research we found themes that cause your website to do something you didn\u00e2\u20ac\u2122t initially want it to do \u00e2\u20ac\u201c advertise and redirect end users back to someone else\u00e2\u20ac\u2122s website or even worse spread malware.<\/p>\n

The below list is just a small sample of the themes we have uncovered that are not at all what they seem to be and are full of hidden codes the developers don\u00e2\u20ac\u2122t want you to know about.<\/p>\n

\"Infected<\/p>\n

Throughout this CDN for WordPress<\/a> themes within the “functions.php” file, we discovered various lines of encrypted code. These codes are being used by hackers to hide the actual code from users.<\/p>\n

For example, we uncovered the following encoded PHP code:<\/p>\n

\"Infected<\/p>\n

Simply deleting encrypted codes may not be enough, considering it can have the ability to recover itself and spread elsewhere.<\/p>\n

Therefore, to determine what files have been affected we begin by decoding blocks of the PHP code and then we can begin to have a better understanding of what we are dealing with.<\/p>\n

Here it is decoded:<\/p>\n

\"Decoded<\/p>\n

After analyzing these two pieces of code it was clear that the code included hidden advertising. Making matters worse the links can redirect your web traffic to sites with worse effects such as spreading malware.<\/p>\n

So we wanted to dig further and see what other files we can find that have these “unauthorized advertising™ codes “our list of infected themes grew:<\/p>\n

\"Infected<\/p>\n

\nThe encoded PHP code in hxxps:\/\/themes.svn.wordpress.org\/tulipbud\/1.0\/footer.php revealed the following:<\/p>\n

\"The<\/p>\n

And after decoding the PHP code we get:<\/p>\n

\"After<\/p>\n

CONCLUSION<\/strong>
\nWordPress provides many theme choices ranging from free to paid.<\/p>\n

Although the free themes may come inclusive of display advertisements while the paid themes are less likely to have them, either version are susceptible to being hacked and displaying unwanted advertisement and redirecting your users to other sites.<\/p>\n

Our findings realized that the developers of these codes use a multilayered encryption technique making it extremely difficult to discover and remediate.<\/p>\n

Attempting to delete the code base64_decode may not be enough.<\/p>\n

So we recommend starting by:<\/p>\n

1. Backing up your website before any cleanup action is taken<\/p>\n

2. Scan your website to locate the infected files<\/p>\n

3. Remove all infected themes + files + plugins<\/p>\n

4. Install a default WordPress theme to identify whether the code is still present<\/p>\n

This is just a start in your remediation process, although it is very likely that there are some malicious files within your website root, wp-content or even between your WordPress files.<\/p>\n

Having malware removal<\/a> experts investigate and remove the files is highly recommended to ensure a completely clean website.<\/p>\n

If your experience such an infection, please feel free to contact us at cWatch Web for a free consultation that will include a complete website scan as well as the removal of any found malware.<\/p>\n

 <\/p>\n\n\n\n\n\n
\n

\"Goshko<\/p>\n

Goshko Stanislav<\/strong><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Security analyst with deep knowledge of network security and<\/em><\/span><\/span><\/p>\n

reverse engineering.<\/em><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

At this moment working at COMODO, more<\/em><\/span><\/span><\/p>\n

information can be found at: <\/em><\/span><\/span>https:\/\/www.linkedin.com\/in\/stas-goshko-aa11bb130\/<\/u><\/em><\/span><\/span><\/span><\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"Enterprise<\/a><\/p>\n

Related Resource<\/strong><\/p>\n

Cheap CDN<\/strong><\/a><\/p>\n

Best CDN List<\/strong><\/a><\/p>\n

CDN<\/strong><\/a><\/p>\n

Pay as You Go CDN<\/strong><\/a><\/p>\n

Free CDN<\/strong><\/a><\/p>\n

Website Vulnerability Scanner<\/strong><\/a><\/p>\n

Website Malware Scanner<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Hidden advertising in functions.php and footer.php Researched by: Goshko Stanislav If you noticed that your website has been displaying unauthorized text ads anywhere within its pages such as in the header sections or the area where your social icons are located then, unfortunately, your website has been hacked. These unauthorized ads may show up on […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1441","post","type-post","status-publish","format-standard","hentry","category-website-security"],"yoast_head":"\nInfected WordPress Themes Still on Wordpress.org | Infected WordPress<\/title>\n<meta name=\"description\" content=\"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Infected WordPress Themes Still on Wordpress.org | Infected WordPress\" \/>\n<meta property=\"og:description\" content=\"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\" \/>\n<meta property=\"og:site_name\" content=\"cWatch Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-20T10:26:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-10-20T12:02:54+00:00\" \/>\n<meta name=\"author\" content=\"Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@seoindia\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\"},\"author\":{\"name\":\"Admin\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/f5e0cc253518f05044fdaa05bc515e7d\"},\"headline\":\"INFECTED WORDPRESS THEMES STILL ON WORDPRESS.ORG PART2\",\"datePublished\":\"2022-10-20T10:26:35+00:00\",\"dateModified\":\"2022-10-20T12:02:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\"},\"wordCount\":663,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#organization\"},\"articleSection\":[\"Website Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\",\"url\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\",\"name\":\"Infected WordPress Themes Still on Wordpress.org | Infected WordPress\",\"isPartOf\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#website\"},\"datePublished\":\"2022-10-20T10:26:35+00:00\",\"dateModified\":\"2022-10-20T12:02:54+00:00\",\"description\":\"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!\",\"breadcrumb\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/cwatch.comodo.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"INFECTED WORDPRESS THEMES STILL ON WORDPRESS.ORG PART2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#website\",\"url\":\"https:\/\/cwatch.comodo.com\/blog\/\",\"name\":\"cWatch Blog\",\"description\":\"Just another WordPress site\",\"publisher\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/cwatch.comodo.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#organization\",\"name\":\"cWatch Blog\",\"url\":\"https:\/\/cwatch.comodo.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/cwatch.comodo.com\/blog\/wp-content\/uploads\/2021\/09\/cwatch-logo.png\",\"contentUrl\":\"https:\/\/cwatch.comodo.com\/blog\/wp-content\/uploads\/2021\/09\/cwatch-logo.png\",\"width\":106,\"height\":52,\"caption\":\"cWatch Blog\"},\"image\":{\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/f5e0cc253518f05044fdaa05bc515e7d\",\"name\":\"Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ae5269b75da58a8360d71d6c265856ddf66f1e49269dc25ed6170cf96323dab5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ae5269b75da58a8360d71d6c265856ddf66f1e49269dc25ed6170cf96323dab5?s=96&d=mm&r=g\",\"caption\":\"Admin\"},\"sameAs\":[\"https:\/\/x.com\/seoindia\"],\"url\":\"https:\/\/cwatch.comodo.com\/blog\/author\/seoindia\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Infected WordPress Themes Still on Wordpress.org | Infected WordPress","description":"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/","og_locale":"en_US","og_type":"article","og_title":"Infected WordPress Themes Still on Wordpress.org | Infected WordPress","og_description":"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!","og_url":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/","og_site_name":"cWatch Blog","article_published_time":"2022-10-20T10:26:35+00:00","article_modified_time":"2022-10-20T12:02:54+00:00","author":"Admin","twitter_card":"summary_large_image","twitter_creator":"@seoindia","twitter_misc":{"Written by":"Admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#article","isPartOf":{"@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/"},"author":{"name":"Admin","@id":"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/f5e0cc253518f05044fdaa05bc515e7d"},"headline":"INFECTED WORDPRESS THEMES STILL ON WORDPRESS.ORG PART2","datePublished":"2022-10-20T10:26:35+00:00","dateModified":"2022-10-20T12:02:54+00:00","mainEntityOfPage":{"@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/"},"wordCount":663,"commentCount":0,"publisher":{"@id":"https:\/\/cwatch.comodo.com\/blog\/#organization"},"articleSection":["Website Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/","url":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/","name":"Infected WordPress Themes Still on Wordpress.org | Infected WordPress","isPartOf":{"@id":"https:\/\/cwatch.comodo.com\/blog\/#website"},"datePublished":"2022-10-20T10:26:35+00:00","dateModified":"2022-10-20T12:02:54+00:00","description":"Infected Wordpress Themes set up at wordpress.org Apache Subversion( SVN). Try cWatch Website Security and Cyber Security Updates Now!","breadcrumb":{"@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/cwatch.comodo.com\/blog\/website-security\/infected-wordpress-themes-still-on-wordpress-org-part2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cwatch.comodo.com\/blog\/"},{"@type":"ListItem","position":2,"name":"INFECTED WORDPRESS THEMES STILL ON WORDPRESS.ORG PART2"}]},{"@type":"WebSite","@id":"https:\/\/cwatch.comodo.com\/blog\/#website","url":"https:\/\/cwatch.comodo.com\/blog\/","name":"cWatch Blog","description":"Just another WordPress site","publisher":{"@id":"https:\/\/cwatch.comodo.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cwatch.comodo.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cwatch.comodo.com\/blog\/#organization","name":"cWatch Blog","url":"https:\/\/cwatch.comodo.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/cwatch.comodo.com\/blog\/wp-content\/uploads\/2021\/09\/cwatch-logo.png","contentUrl":"https:\/\/cwatch.comodo.com\/blog\/wp-content\/uploads\/2021\/09\/cwatch-logo.png","width":106,"height":52,"caption":"cWatch Blog"},"image":{"@id":"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/f5e0cc253518f05044fdaa05bc515e7d","name":"Admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cwatch.comodo.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ae5269b75da58a8360d71d6c265856ddf66f1e49269dc25ed6170cf96323dab5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ae5269b75da58a8360d71d6c265856ddf66f1e49269dc25ed6170cf96323dab5?s=96&d=mm&r=g","caption":"Admin"},"sameAs":["https:\/\/x.com\/seoindia"],"url":"https:\/\/cwatch.comodo.com\/blog\/author\/seoindia\/"}]}},"_links":{"self":[{"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/posts\/1441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/comments?post=1441"}],"version-history":[{"count":6,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/posts\/1441\/revisions"}],"predecessor-version":[{"id":19352,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/posts\/1441\/revisions\/19352"}],"wp:attachment":[{"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/media?parent=1441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/categories?post=1441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cwatch.comodo.com\/blog\/wp-json\/wp\/v2\/tags?post=1441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}