How to check a WordPress template for viruses and malicious code

The Theme Check plugin is an easy way to test your theme and make sure it's up to spec with the latest theme review standards. With it, you can run all the same automated testing tools on your theme that WordPress.org uses for theme submissions.

The tests are run through a simple admin menu and all results are displayed at once. This is very handy for theme developers, or anybody looking to make sure that their theme supports the latest WordPress theme standards and practices.

How to activate Trac formatting

The Theme Review Team uses this plugin while reviewing themes and copy/pastes the output into Trac tickets; the Trac system has its own markup language.
To enable Trac formatting in Theme Check you need to define a couple of constants in wp-config.php:
TC_PRE and TC_POST are used as a ticket header and footer. [[br]] is Trac's line-break macro.
Examples:

define( 'TC_PRE', 'Theme Review:[[br]]
- Themes should be reviewed using "define(\'WP_DEBUG\', true);" in wp-config.php[[br]]
- Themes should be reviewed using the test data from the Theme Checklists (TC)
-----
' );

define( "TC_POST", "Feel free to make use of the contact details below if you have any questions, comments, or feedback:[[br]][[br]]
* Leave a comment on this ticket[[br]]
* Send an email to the Theme Review email list[[br]]
* Use the #wordpress-themes IRC channel on Freenode." );

If either of these two constants is defined, a new Trac tickbox will appear next to the Check it! button.

Frequently asked questions

What's with the version numbers?

The version number is the date of the revision of the guidelines used to create it.

Why does it flag something as bad?

It's not flagging "bad" things, as such. Theme Check is designed to be a non-perfect way to test for compliance with the Theme Review guidelines. Not all themes must adhere to these guidelines. The purpose of the guidelines is to ensure that themes uploaded to the central WordPress.org theme repository will work on a wide variety of sites.

Many sites use customized themes, and that's perfectly okay. But themes that are intended for use on many different kinds of sites by the public need to have a certain minimum level of capabilities, in order to ensure proper functioning in many different environments. The Theme Review guidelines are created with that goal in mind.

This theme checker is not perfect, and never will be. It is only a tool to help theme authors, or anybody else who wants to make their theme more capable. All themes submitted to WordPress.org are hand-reviewed by a team of experts. The automated theme checker is meant to be a useful tool only, not an absolute system of measurement.

This plugin does not decide the guidelines used. Any issues with particular Theme Review guidelines should be discussed on the Make Themes site.

Reviews

This is a great plugin for everyone who really likes to develop a WordPress theme and successfully test it against the basic WordPress standards. The errors are separated into "Required", "Warning", "Recommended" and "Info". It also provides basic information about each error and makes you understand where the problem is.

Contributors and developers

"Theme Check" is an open source project. The following contributors took part in the development of the plugin:

Contributors

Changelog

20190801.1

  • Fix missing nonce and nonce check on admin page. Props Steven Stern for reporting the issue to the Plugins team. Though this is technically a CSRF, there is no vulnerability arising from it, as the only thing that could be done with the form is to scan a theme.

20190208.1

  • Add new styles for the block editor. See https://meta.trac.wordpress.org/ticket/3921

20160523.1

  • Fix for theme names with dashes in them
  • Comment stripping changes.
  • Many changes by the Theme Review Team and others. See GitHub for the full change list.

20151211.1

  • Full sync with GitHub and all the changes that have happened there.
  • Release for 4.4 deprecated functions.

20140929.1

  • Added new checks and updates from Frank Klein at Automattic. Thanks Frank!
  • Updated deprecated function listings
  • Customizer check: all add_setting() calls must use sanitization callbacks, for security
  • Plugin territory checks: themes must not register post types or taxonomies or add shortcodes for post content
  • Widgets: calls to register_sidebar() must be made from the widgets_init action hook
  • Title: tags must exist and not have anything in them other than a call to wp_title()
  • CDN: checks for use of common CDNs (recommended only)
  • Note: changed plugin and author URIs due to old URIs being invalid. These may change again in the future; the URIs to my own site are temporary only.

20131213.1

  • Corrected errors not being displayed by the pass and incorrectly giving a "Pass" result to everything.

20131212.1

  • Updated for 3.8.
  • Most files have changed for better i18n support, so the language files were removed temporarily until translation can be redone.

20121211.1

  • Updated for 3.5
  • Remove PayPal button.

20110805.1

  • Timthumb checks removed.
  • Screenshot now previewed in results, with filesize and dimensions.

20110602.2

  • New file list functions; hidden folders now detectable.
  • Better fopen checks.
  • Timthumb version bump.

20110602.1

  • DOS/UNIX line ending style checks are now a requirement for proper theme uploading.
  • Timthumb version bump.
  • Several fixes reported by garyj
  • 3.2 deprecated functions added

20110412.1

  • Fix regexes.
  • Added check for latest footer injection hack.
  • Fix tags check to use new content function correctly
  • Sync of all changes made for the WPORG uploader theme-check.
  • Updated checks post 3.1. Added screenshot check to SVN.
  • Fix links check to not return a false failure in some cases
  • Remove one of the checks that causes problems on the WPORG uploader (and which is also unnecessary)
  • Move unneeded functions out of checkbase into main.php.
  • Minor formatting changes only (spacing and such)
  • Add check for wp_link_pages() + fix eval() check

20110219.2

  • Merged new UI, props Gua Bob
  • Last tested theme is always pre-selected in themes list.
  • Fixed PHP error in admin_menu.php

20110219.1

  • See commit log for changes.

20110201.2

  • UI bug fixes from forum post, props Mamaduka.
  • Textdomain checks for twentyten and no domain.
  • Fix div not closing, props Mamaduka.

20110201.1

  • i18n working
  • sr_RS, de_DE, ro_RO langs, props Daniel Tara and Emil Uzelac.
  • Child theme support added; checks made against parent and child at runtime.
  • Trac formatting button added for reviewers.

20101228.3

  • Last revision for 3.1 (hopefully)
  • Chip's suggestion of checking for inclusion of searchform.php (not perfect yet, need more examples to look for).
  • add_theme_page is required; all others flagged and displayed with line numbers.
  • Mostly internationalized, needs translations now.
  • Bug fixes.

20101228.2

  • Added menu checking.
  • ThemeURI and AuthorURI added to results.
  • Lots of small fixes.
  • Started translation.

20101228.1

  • Fix embed_defaults filter check and stylesheet file data check.

20101226.1

  • Whole system redesign to allow easier syncing with the WordPress.org uploader. Many other additions/subtractions/changes as well.
  • WordPress 3.1 guidelines added, to help theme authors ensure compatibility for the upcoming release.

20101110.7

  • Re-added malware.php checks for fopen and file_get_contents (INFO)
  • Fixed a couple of undefined index errors.

20101110.4_r2

  • Fixed warning: wrong parameter count for stristr()

20101110.4_r1

  • Added echo to suggested.php

20101110.4

  • Fixed deprecated function call to get_plugins()

20101110.3

  • Fixed undefined index.

20101110.2

  • Missing < in main.php
  • Added conditional checks for license.txt or license tags in style.css
  • UI improvements.

One of the most important steps when creating a blog is choosing a high-quality template. Many sites offer them, both paid and free. However, caution is needed here, because along with the file there is a real chance of getting viruses, malicious scripts and hidden links.

But even if the template is clean from a security standpoint, and its design, usability and functionality satisfy you completely, that does not mean everything is in order. The theme must have valid HTML and CSS and must meet all WordPress CMS standards. With the latter there are problems even in paid themes and templates made to order.

The engine's developers keep developing it, and template authors do not always keep up with them, using outdated functions when creating templates.

Today I will show two ways to check a WordPress theme for compliance with the standards. These tools are used when themes are added to the official directory https://wordpress.org/themes/

Checking WordPress themes and Joomla templates for compliance with standards

ThemeCheck.org is a free service that lets you check the security and quality of templates for the WordPress and Joomla CMSs before installing them on a site.

To check a theme, upload its archive from your computer by clicking the "Select file" button on themecheck.org. If you do not want the test results to be saved on the service and visible to other users, tick the "Forget uploaded data after results" box. Then click the "Submit" button.

For example, I took the theme Interface, which I downloaded from the official site. 99 out of 100: 0 critical errors and 1 warning. This is a very good result.

For comparison, my blog's template received a score of 0 (14 errors and 23 warnings). I think many results will not be particularly different, especially if the themes are already outdated. All comments with explanations, indicating the files and lines where the problems were detected, are located further down the same page.

To be honest, I understood little there; it will be more useful for theme authors, and it is easier for me to change the template than to correct everything. I just do not know when I will decide to do it.

The main page has a large selection of previously checked WordPress and Joomla themes, with the option of adding or rating them. When you click on one, you can see detailed information and links to the author's website and the download page.

If you are a developer and your theme is 100% valid, you can let users know by placing a special rating badge on it.

The value of the themecheck.org service is that any webmaster can use it to choose a high-quality theme before installing it on the blog.

Theme Check plugin

You can check already installed templates for compatibility with the latest WordPress standards using the Theme Check plugin. Link to download the latest version: https://wordpress.org/plugins/theme-check/

The plugin's functionality is similar to the service described above. No settings are needed after the standard installation and activation. Verification procedure:

  1. In the admin panel, go to the "Appearance" menu → "Theme Check" page.
  2. Select the desired theme from the drop-down list if several are installed.
  3. Tick the "Suppress INFO" checkbox if you do not want informational messages displayed.
  4. Click the "Check it!" button.

The results will be shown on the same page.

As you can see, the standard Twenty Ten theme is not ideal either, while Twenty Fourteen, for example, has no errors.

After checking, the plugin can be deactivated, and it is better to delete it altogether until the next time.

Conclusion. Before installing a new WordPress template, check it not only for hidden links and malicious code with the TAC plugin, but also with the themecheck.org service or the Theme Check plugin for compliance with the latest CMS standards.

P.S. Recently, browsing Topsape Reader, I came across a new SEO blog, Zenpr.Ru, which holds 1st place among the rising bloggers for the month. Considering that it is a little over a month old, the result deserves respect. The design is minimalist, if not to say absent altogether, but the author writes, so read it. Everything is to the point and without filler. Just like the blog's title says: "zero extra characters". I recommend reading it; you will find a lot of useful information.

Malicious code gets onto a site through negligence or malicious intent. The purposes of malicious code vary, but in essence it harms or interferes with the normal operation of the site. To remove malicious code from WordPress you first need to find it.

What malicious code on a WordPress site is

In appearance, malicious code is most often a string of Latin letters and symbols. In fact, it is encoded code that, when executed, performs a particular action. The actions can be very different; for example, your new posts are immediately republished on a third-party resource. In effect, this is theft of your content. Other codes have other "tasks", for example placing outgoing links on the site's pages. The tasks may be far more sophisticated, but one thing is clear: malicious code needs to be hunted down and deleted.

How malicious code gets onto a site

There are also several ways for code to get onto a site.

  1. Most often, these are themes and plugins downloaded from "left" (unofficial) resources. However, this route is typical of so-called encrypted links; openly malicious code does not usually get onto the site this way.
  2. Infection when the site is hacked, the most dangerous. As a rule, a site hack allows not just a "one-off code" to be placed, but code with malware elements. For example, you find the code and remove it, and after a while it is restored. Again, there are many variants.

Let me note right away that fighting such viruses is hard, and manual removal requires knowledge. There are three solutions to the problem. The first is to use antivirus plugins, for example the plugin called BulletProof Security.

Such a solution gives good results but takes some time, though not much. There is a more radical solution for getting rid of malicious code, including complex viruses: restore the site from a previously made backup.

Since a good webmaster makes backups periodically, rolling back to an uninfected version will work without any problems. The third solution, for the rich and lazy, is simply to contact a specialized "office" or an individual specialist.

How to search for malicious code on WordPress

It is important to understand that malicious code on WordPress can be in any site file, not necessarily in the active theme. It can be brought in with a plugin, with the theme, or with "home-made" code taken from the Internet. Try to find malicious code in several ways.

Method 1. Manually. List all the site's files and compare them with the files of a clean, pre-infection backup. Find someone else's code and delete it.

Method 2. With WordPress security plugins. For example, . This plugin has a wonderful function that scans the site's files for foreign code, and the plugin copes with this task perfectly.

Method 3. If your hosting has reasonable support and it seems to you that there is something "alien" on the site, ask them to scan your site with their antivirus. All infected files will be listed in their report. Then open these files in a text editor and delete the malicious code.

Method 4. If you can work with SSH access to the site directory, then go ahead; that is your kitchen.

Important! However you search for malicious code, before searching and deleting code, close access to the site's files (turn on maintenance mode). Remember the codes that restore themselves when removed.

Searching for malicious code by the eval function

PHP has a function called eval. It executes whatever code is in its argument string. Moreover, that code can be encoded. It is because of the encoding that malicious code looks like a jumble of letters and symbols. Two encodings are popular:

  1. base64;
  2. rot13.

Accordingly, in these encodings the eval call looks like this:

  • eval(base64_decode('...'))
  • eval(str_rot13('...')) // inside the inner quotes there are long, unintelligible strings of letters and symbols

The algorithm for finding malicious code by the eval function is as follows (working from the admin panel):

  • go to the site editor (Appearance → Editor).
  • copy the functions.php file.
  • open it in a text editor (for example, Notepad++) and search for the word eval.
  • if found, do not rush to delete anything. You must understand what this function "asks" to execute. To understand it, the code needs to be decoded. There are online tools for decoding, called decoders.

Decoders / encoders

Decoders work simply. Copy the code to be decrypted, paste it into the decoder field and click decode.

At the time of writing, I did not find any encrypted code in WordPress. I found code from a Joomla site. In principle there is no difference for understanding the decoding. See the screenshots.

As you can see in the screenshot, after decoding, the eval function turned out to hold not some terrible code threatening the site's safety, but the template author's encrypted copyright link. It can also be deleted, but it will return after the template is updated.
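The eval search and the decoding step described above, as an added example that is not part of the original article or the Theme Check plugin: a small read-only Python scanner that finds eval() wrapped around base64_decode()/str_rot13() (including nested layers) in PHP source and shows what the payload would actually execute. The sample functions.php, its hidden link and the function names in it are constructed for the example.

```python
import base64
import binascii
import codecs
import os
import re

# Matches eval() whose argument is one or more nested base64_decode()/str_rot13()
# wrappers around a quoted string literal (the two encodings the article names).
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|str_rot13)\s*\(\s*)+)(['\"])(.*?)\2\s*\)+",
    re.IGNORECASE | re.DOTALL,
)
WRAPPER_RE = re.compile(r"base64_decode|str_rot13", re.IGNORECASE)


def _b64(payload: str) -> str:
    # Malware often pads or mangles the string; report rather than crash on bad input.
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable base64>"


DECODERS = {
    "base64_decode": _b64,
    "str_rot13": lambda payload: codecs.encode(payload, "rot_13"),
}


def decode_layers(wrappers: str, payload: str) -> str:
    """Undo the wrapper chain innermost-first, the order PHP would evaluate it."""
    for name in reversed(WRAPPER_RE.findall(wrappers)):
        payload = DECODERS[name.lower()](payload)
    return payload


def scan_php_source(source: str, filename: str = "<memory>") -> list:
    """Return one finding per suspicious eval(), with its decoded payload."""
    findings = []
    for m in EVAL_RE.finditer(source):
        findings.append({
            "file": filename,
            "line": source.count("\n", 0, m.start()) + 1,
            "wrappers": [w.lower() for w in WRAPPER_RE.findall(m.group(1))],
            "decoded": decode_layers(m.group(1), m.group(3)),
        })
    return findings


def scan_theme_dir(root: str) -> list:
    """Walk a theme directory and scan every .php file; nothing is modified."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(fh.read(), path))
    return findings


# Constructed sample of an infected functions.php (hypothetical, not a real theme).
# Payloads are encoded at runtime so the sample is correct by construction.
HIDDEN_LINK = '<a href="http://example.invalid/seo">hidden link</a>'
B64_LINK = base64.b64encode(HIDDEN_LINK.encode()).decode()
ROT13_ECHO = codecs.encode('echo "rot13 payload";', "rot_13")
NESTED = codecs.encode(B64_LINK, "rot_13")  # str_rot13 runs first, then base64_decode
SAMPLE_FUNCTIONS_PHP = (
    "<?php\n"
    "// constructed sample, not a real theme\n"
    "function theme_setup() {\n"
    "    add_theme_support('post-thumbnails');\n"
    "}\n"
    "add_action('after_setup_theme', 'theme_setup');\n"
    f"eval(base64_decode('{B64_LINK}'));\n"
    f"eval(str_rot13('{ROT13_ECHO}'));\n"
    f"eval(base64_decode(str_rot13('{NESTED}')));\n"
)

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_FUNCTIONS_PHP, "functions.php"):
        print(f"{f['file']}:{f['line']} {f['wrappers']} -> {f['decoded']!r}")
```

Point scan_theme_dir() at a copy of the theme directory to get the same report for every .php file, then decide per finding whether the decoded text is a harmless copyright link or something that must go.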

In closing, I note how not to get a virus onto the site:

  • Malicious code on WordPress most often comes with themes and plugins. Therefore, do not install templates and plugins from "left", unverified resources, and if you do, carefully examine them for links and code-executing PHP functions. After installing plugins and themes from "unofficial" resources, check the site with an antivirus.
  • Be sure to make periodic backups and take the other precautions.
  • And do not even waste time on Google's tool.

    The Google tool, with all its shortcomings, can do what the others don't know how to: determine that the pictures on the site are not sized correctly. This is when a 100×100 thumbnail is served as 1000×1000, and the browser shrinks it down to 100×100.

    I literally recently cleaned up a client's site over exactly this. There were 110×82 thumbnails in the sidebar, but the pictures stuffed in there were full-sized.

    Plus, what other tool will show you that your pictures are poorly optimized? When a PNG file can be shrunk without loss of quality from 500 KB to 45 KB, that is very important information.

    Well, why do you again advise nonsense?

    And now show me what other tool can identify such obvious site flaws?

    https://i.imgur.com/tozcemv.jpg
    https://i.imgur.com/fearwyt.jpg
    And so on. I hope that is enough.

    Flector: If you used normal tools (and did not consume various Google junk), you simply would not have such questions.
    All the tools mentioned above give information 3 orders of magnitude higher and more useful than this Google junk. Really necessary and useful information.

    I do not like the Google tool, if only because its own services don't follow it. But obvious things like pictures it shows perfectly. Well, there is also gzip, browser caching and so on, that is, the most obvious things.

    And I prefer to look at Google, since only its assessment matters. What difference does it make what third-party services show, if Google is still guided by its own assessment?

    Check your site where pictures are inserted incorrectly. What are the problems?
    I barely managed to find something like that to take the screenshots.

    since only its assessment matters.

    Important to whom? Just don't say to Google 🙂

    Yes, the rating. Get 100/100 and there are no problems. But for the site it is a catastrophe.

    Well, you slapped a 503 error on Google, so what?
    That is not a solution to the problem.

    And yes, the Google rating is important.
    I don't know how much, they don't reveal such numbers, but it would be foolish to make a service on which nothing depends, right?

    PS Yes, and even if Google does not care about its own rating, it is primarily needed by the webmaster himself, not by Google. If the webmaster does not enable gzip and browser caching, and the pictures are not the right size, that must be fixed.

    And there is no need to fix what Google does not consider important (this is about the scores of other services); it would just be a waste of time.

    and yes, the Google rating is important.

    Learn to analyze the search results.

    but it would be foolish to make a service on which nothing depends, right?

    I will reveal a terrible secret to you: Google's gizmos (and not only Google's) have long been made not for people. How many services of that same Google were launched over the summer? How many were really useful, and then disappeared? The times when Google did something for people are long gone. Big data, yes.

    this is primarily needed by the webmaster himself,

    For webmasters there are valid, useful and necessary things. And there is no need to spend time on various trash. (In case you didn't notice, they also show the Google parrots.)

    What a magic excuse: learn to analyze the search results.

    OK, I will answer you the same: learn to analyze the search results. All other things being equal (absolutely the same ranking factors, from links to PF), the first in the results will be the one with the highest Google score.

    Don't believe it? Well, that's your right.
    Testing it won't work anyway; there are no equal sites.

    This does not matter in any case, because optimization is done not so much for Google as for your own visitors. As with the same pictures, when a webmaster inserts a 5 MB image as a thumbnail.

    What is the meaning?

    In the "importance" of the Google parrots.

    what a magic excuse: learn to analyze the search results.
    A direct argument for all occasions.

    If you claim something about search engines, the search results are the only true proof.

    testing it won't work anyway; there are no equal sites.

    Where are they different? Do you even have sites from the search results that you can check for Google parrots? There are sites with 50 and even 30 sitting quite comfortably in the top 10.

    It is only one of thousands of ranking factors. That is why I spoke of "equal" (not different) sites; only in that case can one make sure that the Google parrots work.

    Facebook may have a score of "0" in Google parrots, but it will still be top 1 for the query "Facebook". That seems obvious.

    Google PageSpeed Insights has only one plus: separate analysis for desktop and mobile; otherwise it is as bad as a forever dissatisfied nagging wife 😀 it points out what is impossible to fix (resources from other domains, including Google's own)
    It has plenty of analogues; very many services analyze the problems of a site's configuration.
    I deliberately did not give a link at the beginning of the topic to Pingdom, for example; I like WebPagetest; the difference is only in how the result is presented, and subjective convenience.
    Many tools find bad pictures too; the only question is whether to knock off 10 parrots and declare that the pictures on your site are not optimized at all because of a 1-byte difference...
    Take the same GTmetrix; it has an assessment by the PageSpeed algorithm and YSlow.
    Moreover, a site having 95% PageSpeed can be "bottom" unoptimized on Insights; this is really their problem and they make it a problem for others, especially those who cannot analyze the meaning of the scores and results.
    The site is good and optimized, and on G PS I it's "oh, everything's bad".

    Do you really think that these very "Google parrots" are the most important ranking factor?

    I think it's a parrot. They do not give any useful data. And they have only a sideways relation to loading speed (what kind of pagespeed? From the service's very name it is fake). Speed is measured not in Google parrots, but in bits/s.
    What about ranking? If sites in the top 10 have 30 Google parrots, what is the meaning of them at all?
    Something like that.

    only in that case can one make sure that the Google parrots work.

    It's not the parrots that work, but all the factors. 90% of which are not in this Google junk, and 90% of what is there is nonsense.
    The only benefit from it for a lamer is that you can download optimized graphics. But only graphics, not styles and scripts.
