Rogue Themes & PHP Injection
I have seen a number of posts about malicious links appearing on blogs and have just finished wasting a weekend wrestling with this problem.
It all began with me looking for a Free WordPress Theme. I used Google to search “Free WordPress Themes” and the top link on the first SERP was https://www.freewordpressthemesbase.com.
They had some nice themes that I then downloaded and uploaded to my themes directory.
Then I noticed a couple of sneaky things that they had done:
- There was a very sneaky link that was hidden inside of base_64 coding with the instructions not to show it if the user was logged in. Very sneaky.
- Far worse was yet to come – when I deleted this code and looked through the HTML on my page, I noticed a bunch of spam links for all kinds of crap unrelated to my site – football jerseys, piano players and more.
At that point I decided to delete the theme.
Too late. Those links now persisted on all of the themes on my site – even clean ones that I had previously downloaded from the www.remarpro.com site.
How I fixed it:
- Delete all the themes that you download from https://wordpressthemesbase.com – this is a rogue site that will install malware on your blog.
- Upload a FRESH copy of /wp-includes/general-template.php
Done.
Never download anything from https://www.freewordpressthemesbase.com.
A summary of this can be seen here:
https://www.webdeveloper.com/forum/showthread.php?p=1042049#post1042049
----------
These are the links that were embedded into my blog:
<!-- end #sidebar -->
<div style="visibility:hidden; display:none">Cheap Retro Replica NFL NBA MLB Throwback Football Basketball Jerseys |
hp printer ink cartridges refills|
Professional Wedding Pianist | Jewelry Making Supplies
</div><div style="clear: both;"> </div>
</div>
</div>
<!-- end #page -->
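
A defensive check for the two symptoms the post describes (a base64-encoded link in theme PHP that is gated on login state, and hidden spam-link blocks in the rendered page), added here as an example and not part of the original post. The function names, regexes, marker list and sample strings are assumptions constructed for illustration.

```python
import base64
import re

# Quoted PHP string literals holding 40+ base64 characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# Signs that decoded text is hidden link markup, as described in the post.
MARKERS = ("<a ", "href=", "display:none", "visibility:hidden", "is_user_logged_in")
# <div> blocks hidden through an inline style in rendered HTML.
HIDDEN_DIV = re.compile(
    r"<div[^>]*style=[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)"
    r"[^\"']*[\"'][^>]*>(.*?)</div>", re.I | re.S)


def find_encoded_payloads(php_source):
    """Return (line_number, decoded_text) for base64 literals that hide markup."""
    hits = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        text = decoded.decode("utf-8", errors="replace")
        if any(marker in text.lower() for marker in MARKERS):
            line = php_source.count("\n", 0, match.start()) + 1
            hits.append((line, text))
    return hits


def find_hidden_blocks(html):
    """Return the text content of inline-hidden <div> blocks."""
    blocks = []
    for match in HIDDEN_DIV.finditer(html):
        text = " ".join(re.sub(r"<[^>]+>", " ", match.group(1)).split())
        if text:
            blocks.append(text)
    return blocks


# Constructed samples: a theme file with an encoded link, and a shortened
# version of the hidden block quoted in the post.
SAMPLE_PAYLOAD = '<div style="display:none"><a href="http://spam.example/">x</a></div>'
SAMPLE_PHP = ("<?php\n// footer.php (constructed)\nif (!is_user_logged_in()) {\n"
              "    echo base64_decode('%s');\n}\n"
              % base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())
SAMPLE_HTML = ('<div style="visibility:hidden; display:none">Cheap Jerseys |\n'
               'Professional Wedding Pianist</div><div style="clear: both;"> </div>')

if __name__ == "__main__":
    print(find_encoded_payloads(SAMPLE_PHP))
    print(find_hidden_blocks(SAMPLE_HTML))
```

Run `find_encoded_payloads` over each `.php` file in the themes directory, and `find_hidden_blocks` over page source fetched while logged out, since the post notes the link was not shown to logged-in users.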