[wp-forums] Comment about [sticky] Posts requests for theme decoding in here

Mark E mark at edwards.org
Fri Jun 25 20:11:48 UTC 2010


I'm thinking that the sticky on decoding does more harm than good. The 
reason is because if a person can't decode simple base64 stuff, even if 
it's nested and has other tricks tossed in, then it's a pretty sure bet 
that they won't be able to look at the decoded theme code to find 
malicious code within it. There are so many ways to hide bad stuff in 
PHP - a person has to be pretty savvy to find the more subtle ones.

So actually, helping someone decode is basically adding to their overall 
risk factor in the first place. And that simply leads to more "oh my WP 
site got hacked" complaints.

It might be better to tell people, when they find a theme they like, 
to hire a developer to create one similar to it.

That's my two cents.

Mark

mrmist wrote:
> In message <4C24C69B.5070809 at automattic.com>, Jane Wells 
> <jane at automattic.com> writes
>>
>> A boilerplate sentence promoting safe, reputable theme sources and 
>> linking to the one for their current theme would maybe be good.
>> Jane
> 
> We have the "How to Decrypt an encoded theme" sticky (separate to the 
> decode themes here thread) which already discourages the use of the 
> themes - but judging from the traffic on "decode themes here" the advice 
> falls on deaf ears.
> 
> If anyone fancies re-wording the How to Decrypt sticky so that it offers 
> a stronger positional statement, I for one welcome you to take a stab at 
> it.
> 
> I sit firmly on the fence with this one, having been swayed by both 
> sides of the argument.  It's a tricky judgement to make.  However, the 
> popularity of the thread does suggest that - should we close the sticky 
> - there'd still be requests made, and - should we then want to take a 
> hard line on it - there'd be a reasonably large moderation overhead.

