I adore Wordpress themes! And I like to download and test the themes (free ones) frequently. A few days back I bumped into a plugin - TAC (Theme Authenticity Checker) which checks for any malicious code in the Wordpress themes present in the /wp-content/themes folder. When I ran TAC today, I found that a couple of the themes I downloaded yesterday (name withheld) had some encoded string in the Footer section. TAC projected them as potential threats since some malicious code could have been injected and encoded. More: http://techpp.com/2008/11/29/how-to-decode-encoded-php-script-in-wordpress-themes/
Do you realize that encoded string in a Wordpress themes footer is most likely the credit links back to the designer, plus any sponsors the theme might have? You are not supposed to remove them. The "plugin" is most likely reporting the encoded string as malicious BECAUSE it's encoded and the plugin doesn't know what it is. So, you're basically telling people how to rip off designers and sponsors, real nice...
One of the designers I follow had to post to people to only download directly off his site, since some 'free download' sites were embedding encrypted code in the footer of the version available on their site - and it was malicious. I'd check back with the original designer. If it's his string, he'll appreciate knowing that encrypting it is triggering this alert. If not, you'll be able to get a clean version you can use.
Nice resource, but it's encoded because the credits should be given to the author of that theme, and I think that code should not be removed or decoded.
Of course I understand what the footer is meant for, but as a user isn't it dangerous to use a theme which has an encoded string? And if you read the article correctly, I have said to replace the encoded stuff with the decoded one, and not how to remove the designer links. I will never be comfortable using something which is not secure enough.
Right approach! But how will you know who the original author of the theme is when its footer is encoded? For that you must allow the code (which might be compromised) to get executed to see any links. And the ripper might have removed the author's links as well. My point is simple. The end user of the theme must be sure that the theme is clean and safe. After verifying the decoded string, he can either retain the encoded stuff or replace it with the decoded stuff, but author links must not be replaced at any cost; that would be unethical.
Usually the encoded code is just an "echo" of some links, in most cases. I never find any dangerous code. By the way, if you are still curious and the code looks like eval('something');: if you find something like "base64_decode", you can copy the whole encoded code to a single new PHP file (let's name it "test.php"), replace the "eval" with "echo", execute the script in your browser, and usually you will get a new output, or new PHP code, or even another "eval" with another "base64_decode". For example, if you find another eval, delete your old eval in your old "test.php", replace it with the new code, execute the script in your browser again, over and over until finally you don't get an "eval". By the way, usually if there is no malicious code and the encoded code is just a simple "echo", I replace the encoded code with the simple one. It's faster, isn't it? And I don't remove the author's link anyway.
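The "swap eval for echo, reload, repeat" loop above executes whatever the decoder chain produces in your browser at every step, and the thread has already noted that the footer may have been tampered with by a download site. Here is an added example, not from the thread, from TAC or from any theme author, that does the same peeling statically: it finds `eval(base64_decode(...))` wrappers (with optional `gzinflate`, `gzuncompress` or `str_rot13` layers), decodes each layer in Python without running any PHP, pulls out the credit links the final layer would print, and flags calls that have no business in a footer credit line. The two footer fragments are constructed sample data, and the suspicious-call list is my own choice, not a published signature set.

```python
# Static unwrapping of eval(base64_decode(...)) theme footers. Added example:
# the sample footers, decoder set and SUSPICIOUS list are constructed here.
import base64
import codecs
import re
import zlib

# eval( decoder( decoder( 'payload' ) ) );  group 1 = chain of decoder calls,
# group 2 = the quoted base64 payload (whitespace inside is tolerated).
WRAPPED = re.compile(
    r"@?eval\s*\(\s*((?:[A-Za-z0-9_]+\s*\(\s*)+)['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)+\s*;?",
    re.IGNORECASE,
)

# Calls and request inputs that a footer credit line never needs (constructed list).
SUSPICIOUS = (
    "eval", "assert", "create_function", "system", "exec", "shell_exec",
    "passthru", "popen", "proc_open", "file_put_contents", "curl_exec",
    "$_GET", "$_POST", "$_REQUEST", "$_COOKIE",
)


def apply_decoders(names, payload):
    """Apply a PHP decoder chain innermost-first to the quoted payload, in Python."""
    data = payload.encode("latin-1")
    for name in reversed(names):
        name = name.lower()
        if name == "base64_decode":
            data = base64.b64decode(data)          # non-alphabet bytes are discarded
        elif name == "gzinflate":
            data = zlib.decompress(data, -15)      # raw DEFLATE, like PHP gzinflate()
        elif name == "gzuncompress":
            data = zlib.decompress(data)           # zlib-wrapped, like PHP gzuncompress()
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        else:
            raise ValueError("unsupported decoder in chain: " + name)
    return data.decode("utf-8", errors="replace")


def unwrap(source, max_layers=16):
    """Peel nested eval() wrappers; returns every decoded layer, innermost last."""
    layers = []
    current = source
    for _ in range(max_layers):
        match = WRAPPED.search(current)
        if not match:                      # no literal-payload eval left to decode
            break
        names = re.findall(r"[A-Za-z0-9_]+", match.group(1))
        current = apply_decoders(names, match.group(2))
        layers.append(current)
    return layers


def triage(code):
    """Return the suspicious tokens present in a decoded layer."""
    hits = []
    for token in SUSPICIOUS:
        if token.startswith("$"):
            found = token in code
        else:
            found = re.search(r"\b" + re.escape(token) + r"\s*\(", code) is not None
        if found:
            hits.append(token)
    return hits


def analyze_footer(source):
    """Decode a footer.php fragment and report what the encoded block really does."""
    layers = unwrap(source)
    final = layers[-1] if layers else source
    return {
        "layers": len(layers),
        "final": final,
        "links": re.findall(r"href=['\"]([^'\"]+)['\"]", final),
        "hits": triage(final),
    }


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _gzdeflate(text):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE like PHP gzdeflate()
    return comp.compress(text.encode()) + comp.flush()


# Constructed sample 1: two nested layers that end in a plain credit link.
CREDIT = "echo '<a href=\"http://example.com/\">Theme by Example</a>';"
LAYER1 = "eval(base64_decode('" + _b64(CREDIT) + "'));"
CLEAN_FOOTER = "<div id=\"footer\"><?php eval(base64_decode('" + _b64(LAYER1) + "')); ?></div>"

# Constructed sample 2: gzinflate+base64 wrapper that hides a command execution call.
BAD = CREDIT + " echo shell_exec('whoami');"
BAD_FOOTER = "<?php @eval(gzinflate(base64_decode('" + base64.b64encode(_gzdeflate(BAD)).decode() + "'))); ?>"

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_FOOTER), ("suspicious", BAD_FOOTER)):
        report = analyze_footer(src)
        print(label, report["layers"], "layer(s); links:", report["links"], "hits:", report["hits"])
        print("    ", report["final"])
```

Import it and call `analyze_footer()` on the contents of a theme's footer.php, or run it as a script to see both samples. If the innermost layer still contains `eval()` with a non-literal argument (a request parameter, a remote fetch), the loop stops there and `triage()` flags it, which is the case where the decoded output is not a credit line and the theme should go back to its original designer for a clean copy.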
You can just view the unencrypted output when you activate the theme to check if there's any nasty code in there. As long as you leave the links that were already there, I see no problem with removing encoded PHP that is just adding time to page loads. Of course, if it's explicitly specified that you must leave everything as is, you must abide by those terms or use another theme.