Time, perhaps, to renew the regular warning about obfuscated theme code – if you’ve just come to self-hosted WordPress, it’s worth being aware of what tricks can go on in this area.

Be cautious when and if you’re going download a WordPress theme from a third-party repository, gallery, call ‘em whatever. Not all sites do this, but it is certainly a relatively simple matter to make a few code additions to a theme and repackage it for download, so that your site is then running their code – and you haven’t a clue what it might or might not be doing.

To be honest, the code is (usually) not too malicious – it ranges from forcing a link to be retained in the footer, through serving up random ads, that sort of thing – but it could, in theory, break your server/database, act as spam mailer, phishing script, or turn your domain into a zombie for DDOS attacks etc.

This can all be reverse-engineered simply enough, to see what’s going on, but if you’re not familiar with PHP and you start seeing eval or base64_decode functions, followed by a string of alphanumeric gibberish in your downloaded theme package that’s probably the time to junk that theme, no questions asked… Most likely, it’ll be in functions.php, but could be in footer.php, header.php, anywhere…

We never use obfuscated code in any of our themes, and we don’t have links for attorneys and SEO companies in any of the footers. Identify the original source of a theme and download it directly from the author’s website. You’ll (almost certainly) be fine in that case…