You Should Delete Unused WordPress Themes

Scanning the log for the website of one of my clients this morning, I saw something that made me smile:

http://[domainname]/wp-content/themes/twentyeleven/footer.php

I had just spotted a hacker.

Unused themes are favorite places for hackers to install a backdoor. They will either modify an existing theme file to add some code or replace it entirely. These files don’t stick out and draw attention to themselves. The blend in. Of course, a regular file scan would catch the modified file, but most website owners don’t go to that effort.

In this case it was obvious to me because I had long ago deleted the twentyeleven theme, so the hacker’s attempt showed up in the log. And knowing that the site had never been running on the twenty eleven theme made it clear that someone was sniffing around.

I blocked the hacker’s IP address and took note of the network name for future reference. If he comes back from a different IP address I’ll block his entire network.