The wp-vcd malware creates an admin account with a known password. The malware’s creators use the admin account to install backdoors and further malware, which can be used to inject SEO spam or any other content or code that benefits the attackers. The use of pirate themes as a vehicle to infect WordPress sites with malware is not new, but it’s becoming increasingly common.
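Because the infection described above leaves an administrator account behind, the simplest defensive check is to compare the site's administrator list against the accounts you actually created. The script below is an added example, not code from the original article or from any WordPress project; it assumes the user records have the shape produced by `wp user list --format=json` (fields ID, user_login, user_email, user_registered, roles), and the sample records are constructed for the example.

```python
"""Audit WordPress administrator accounts against an allowlist.

Added example, not part of the original article. Input is assumed to be
the JSON produced by `wp user list --format=json`; the records below are
constructed for the example.
"""
import json
from datetime import datetime, timedelta

# Constructed sample shaped like `wp user list --format=json` output.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-03-02 10:15:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2019-05-20 08:00:00", "roles": "editor"},
    {"ID": 57, "user_login": "support_tmp", "user_email": "x@example.net",
     "user_registered": "2020-01-14 03:41:07", "roles": "administrator"},
])

# Accounts the site owner knowingly created with the administrator role.
KNOWN_ADMINS = {"siteowner"}


def parse_users(raw):
    """Decode the JSON user list into a list of dicts."""
    return json.loads(raw)


def unexpected_admins(users, known_admins):
    """Return administrator logins that are not on the allowlist."""
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u["roles"].split(",")
        and u["user_login"] not in known_admins
    )


def recently_registered(users, now, days=30):
    """Return logins of accounts registered within the last `days` days.

    A brand-new account of any role deserves a look when a site has just
    had a theme installed from an unverified source.
    """
    cutoff = now - timedelta(days=days)
    return sorted(
        u["user_login"] for u in users
        if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cutoff
    )


def audit(raw, known_admins, now):
    """Run both checks and return a small report dict."""
    users = parse_users(raw)
    return {
        "unexpected_admins": unexpected_admins(users, known_admins),
        "recent_accounts": recently_registered(users, now),
    }


def run_sample():
    """Audit the constructed sample as of a fixed date (2020-01-20)."""
    return audit(SAMPLE_USERS_JSON, KNOWN_ADMINS, datetime(2020, 1, 20))


if __name__ == "__main__":
    for key, logins in run_sample().items():
        print(f"{key}: {', '.join(logins) or '(none)'}")
```

Run this against the real export (for example `wp user list --format=json > users.json` on the site) rather than the constructed sample, and treat any login it reports as an account to investigate and remove, not merely to reset.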
Novice WordPress users may not realize the risks, or even that there is anything wrong with installing themes they find on the web without verifying the source. There are thousands of free WordPress themes available online, many of them perfectly safe. But developers are free to create premium themes and to sell them. Themes are made available for free or for pay at the developer’s discretion.
Criminals are well aware that many site owners want the features of premium themes without having to pay for them, and they’re quite happy to exploit this fact for their own gain. Although some of the sites that distribute pirate themes are open about what they’re doing, others are not. Less careful or knowledgeable WordPress hosting clients can easily be tricked into installing a free theme with no understanding that its developers did not intend for it to be free.
What can WordPress owners do to decrease the risk of being infected?
Don’t be tempted to use themes that you know to be pirated. The WordPress community takes a dim view of theme and plugin piracy, and you aren’t going to find an honest source of pirate themes. If you don’t pay for a premium theme, there’s a strong chance that it’s infected with malware.
Make sure you download themes from a reputable source. For free themes, it’s best to stick to the official WordPress theme repository unless you have the expertise to audit the code yourself. The WordPress theme repository team checks themes to make sure they don’t contain malicious code.
Avoid Googling “free WordPress themes” and downloading themes from pages in the results unless you can be sure it’s a reputable source.
It’s more difficult to verify the source of a premium theme, many of which are available from theme marketplaces or the developer’s site. Your first port of call should once again be the official WordPress theme repository, which also contains some commercial themes. Popular third-party theme marketplaces include Themeforest and Mojo Marketplace.
Before downloading a theme from a developer’s site, carry out some common-sense checks: does the site look legitimate? Have the themes been reviewed by other users?
Remember, when you install a theme or a plugin, you’re putting a lot of trust in that code. It’s worth taking the time to be sure that it is safe.
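For anyone who does want to look at a downloaded theme before activating it, a first-pass triage can be automated: walk the theme's PHP files and flag constructs that legitimate themes rarely need, such as eval(), base64_decode(), decompression helpers, and long base64-looking blobs. The script below is an added example, not code from the original article or from the WordPress project; the indicator list is a generic heuristic (a hit means "read this file by hand", not "this is malware"), and the two-file sample theme it writes to a temporary directory is constructed for the example.

```python
"""Triage a downloaded theme directory for obfuscated or dynamically
evaluated PHP.

Added example, not part of the original article. The patterns are
generic indicators, not signatures of any particular malware family,
and the sample theme is constructed for the example.
"""
import os
import re
import tempfile

# Generic indicators of obfuscated or dynamically evaluated PHP.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), "decode/decompress helper"),
    (re.compile(r"\bcreate_function\s*\("), "create_function()"),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), "long base64-looking blob"),
]


def scan_file(path):
    """Return [(line_number, label), ...] for every indicator hit in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pattern, label in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((lineno, label))
    return findings


def scan_theme(root):
    """Return {relative_path: findings} for every PHP file under `root` with a hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample: an ordinary functions.php and an inert "loader" that
# only exists to trip the indicators above (the decoded string is not code).
CLEAN_PHP = (
    "<?php\n"
    "function mytheme_setup() { add_theme_support('title-tag'); }\n"
    "add_action('after_setup_theme', 'mytheme_setup');\n"
)
SUSPICIOUS_PHP = (
    "<?php\n"
    "$p = '" + "QUJD" * 40 + "';\n"          # 160-char base64-looking blob
    "@eval(base64_decode($p));\n"           # eval of decoded data
)


def build_sample_theme():
    """Write the constructed two-file theme to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="theme-audit-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write(CLEAN_PHP)
    with open(os.path.join(root, "inc", "loader.php"), "w") as fh:
        fh.write(SUSPICIOUS_PHP)
    return root


def run_sample():
    """Scan the constructed sample theme."""
    return scan_theme(build_sample_theme())


if __name__ == "__main__":
    for rel, hits in run_sample().items():
        for lineno, label in hits:
            print(f"{rel}:{lineno}: {label}")
```

Point scan_theme() at the unpacked theme directory instead of the sample; minified JavaScript and embedded font data can trigger the blob pattern legitimately, so use the output as a reading list for manual review rather than a verdict.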