A new piece of WordPress theme malware was found recently. It is mainly a block of base64-encoded (obfuscated) code placed in the functions.php file of a free WordPress theme, and it is being distributed through one of the freely available WordPress theme dump websites. Jay wrote a long post on his blog about it.
The infected theme's functions.php file contains code that embeds a zip archive inside the theme's screenshot file. Once the theme is activated, that archive is unzipped into a new directory and the malware file inside it is executed; the malware then copies its own code into the other themes in the user's wp-content/themes directory. What makes this malware really clever is that once it has done its job, the file deletes itself, so it is hard to trace.
In addition, the malware notifies its creator that it is present on a server and lets him insert links into any writable theme files on the WordPress installation. Otto, the coder of my Gravatar Hovercards plugin, wrote a post called Anatomy of a Theme Malware that explains how this malware works. Read it here.
So be careful. Download themes only from official sites, which is the safe option, or else check the theme's functions.php file before installing it to make sure the malicious code is not there.
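A small defensive scanner, added here as an example and not part of the original post or of either linked write-up, that checks every theme under wp-content/themes for the two indicators described above: an eval()/base64_decode() loader in functions.php and zip data appended after the image data of the screenshot file. The detection rule, the file layout it expects and the sample themes it builds in a temporary directory are all assumptions constructed for the example.

```python
from pathlib import Path
import re
import tempfile

# Loader heuristic: eval() fed by base64_decode()/gzinflate(). Constructed rule;
# baseline it against your own clean themes to limit false positives.
SUSPICIOUS_PHP = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate)\s*\(")
PNG_IEND = b"IEND"       # final PNG chunk; a 4-byte CRC follows the type
ZIP_SIG = b"PK\x03\x04"  # local-file header that starts a zip archive

def functions_php_is_suspicious(path):
    return SUSPICIOUS_PHP.search(Path(path).read_bytes()) is not None

def screenshot_has_trailing_zip(path):
    # Zip bytes appended after the image's IEND chunk (anywhere, if no IEND).
    data = Path(path).read_bytes()
    end = data.rfind(PNG_IEND)
    trailer = data if end == -1 else data[end + len(PNG_IEND) + 4:]
    return ZIP_SIG in trailer

def scan_themes(themes_dir):
    # Return (theme, reason) pairs for every theme showing either indicator.
    findings = []
    for tdir in sorted(p for p in Path(themes_dir).iterdir() if p.is_dir()):
        fp = tdir / "functions.php"
        if fp.is_file() and functions_php_is_suspicious(fp):
            findings.append((tdir.name, "functions.php: eval/base64 loader"))
        for shot in sorted(tdir.glob("screenshot.*")):
            if screenshot_has_trailing_zip(shot):
                findings.append((tdir.name, shot.name + ": zip archive appended"))
    return findings

def build_sample_themes():
    # Constructed fixture: one clean and one infected theme in a temp directory.
    root = Path(tempfile.mkdtemp())
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    themes = {
        "clean": (b"<?php add_theme_support('post-thumbnails');\n", png),
        "infected": (b"<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n",
                     png + ZIP_SIG + b"\x14\x00constructed-zip-body"),
    }
    for name, (php, shot) in themes.items():
        (root / name).mkdir()
        (root / name / "functions.php").write_bytes(php)
        (root / name / "screenshot.png").write_bytes(shot)
    return str(root)

if __name__ == "__main__":
    for theme, reason in scan_themes(build_sample_themes()):
        print(theme, "->", reason)
```

Point scan_themes() at a real wp-content/themes directory to check an installation; the base64 literal in the fixture decodes to a harmless phpinfo() call and exists only to exercise the rule.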