Scan all of your theme files for potentially malicious or unwanted code. Be aware of advertisements or dangerous JavaScript inserted into legitimate themes by third party theme download sites.
Future versions will allow you to check for other theme vulnerabilities.
Download TAC (Current, v 1.4)
TAC in Wordpress.org Plugin Directory
ABOUT
What TAC Does
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
Then what do you do? Just because the code is there doesn’t mean it isn’t supposed to be, or that it even qualifies as a threat. Still, most theme authors don’t include code outside of the WordPress scope and have no reason to obfuscate code they make freely available on the web. We recommend contacting the theme author with the code that the script finds, and telling them where you downloaded the theme.
The real value of this plugin is that you can quickly determine where code cleanup is needed in order to enjoy your theme.
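The scan described above, sketched as a stand-alone script that can also check a theme folder on disk before it is uploaded. This is an added example, not TAC's own code; the indicator patterns, the function names and the sample theme are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicators chosen for this example; not TAC's actual signature list.
SUSPECT = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
# A "static link" here means a hard-coded absolute URL in an anchor tag.
STATIC_LINK = re.compile(r"<a\s[^>]*href\s*=\s*[\"'](https?://[^\"']+)", re.I)

def scan_theme(theme_dir, snippet_len=60):
    """Return (findings, links) for one theme directory.

    findings: list of (relative path, line number, indicator, snippet)
    links:    list of (relative path, line number, url)
    """
    findings, links = [], []
    root = Path(theme_dir)
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in SUSPECT.finditer(line):
                snippet = line[m.start():m.start() + snippet_len]
                findings.append((rel, lineno, m.group(1).lower(), snippet))
            for m in STATIC_LINK.finditer(line):
                links.append((rel, lineno, m.group(1)))
    return findings, links

def build_sample_theme(parent):
    """Write a constructed two-file theme used only to exercise the scanner."""
    theme = Path(parent) / "sample-theme"
    theme.mkdir()
    (theme / "index.php").write_text(
        "<?php get_header(); ?>\n<h1><?php the_title(); ?></h1>\n")
    # The encoded string is a constructed, harmless payload: echo 'hi';
    (theme / "footer.php").write_text(
        "<div id=\"footer\">\n"
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
        "<a href=\"http://example.com/\">Sponsor</a>\n"
        "<a href=\"<?php bloginfo('url'); ?>\">Home</a>\n"
        "</div>\n")
    return theme

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        findings, links = scan_theme(build_sample_theme(tmp))
        for rel, lineno, name, snippet in findings:
            print(f"{rel}:{lineno}: {name}: {snippet}")
        for rel, lineno, url in links:
            print(f"{rel}:{lineno}: static link -> {url}")
```

A hit is a prompt for manual review rather than a verdict: legitimate code can call these functions, and the template-generated link on the last anchor line is deliberately not reported as static.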
History
TAC got its start when we repeatedly found obfuscated malicious code in free WordPress themes available throughout the web. A quick way to scan a theme for undesirable code was needed, so we put together this plugin.
After Googling and exploring on our own, we came upon the article by Derek from 5thirtyOne regarding this very subject. The deal is that many third-party websites are providing free WordPress themes with encoded script slipped in, some even going as far as to claim that decoding the gibberish constitutes breaking copyright law. The encoded script may contain a variety of undesirable payloads, such as promoting third-party sites or even hijack attempts.
Frequently Asked Questions
What if I find something?
Contact the theme’s original author to double-check whether that section of code is supposed to be in the theme in the first place. Chances are it shouldn’t be, as there isn’t a logical reason to have obfuscated code in a theme.
If something is malicious or simply unwanted, TAC tells you what file to edit. You can even just click on the file path to be taken straight to the WordPress Theme Editor.
Why does TAC list static links?
First of all, static links aren’t necessarily bad. TAC just lists them so you can quickly see where your theme is linking to.
What about future vulnerabilities?
As we find them we will add them to TAC. If you find one, PLEASE let us know: Contact builtBackwards or post in the WordPress.org Forum
CHANGELOG
Version 1.4
- Compatible with WordPress 2.8!
- Tested in Firefox 3.0.11 and Internet Explorer 8
- JavaScript hiding/showing of theme details
Version 1.3 (Fixes + New Feature)
- Changed title to “Theme Authenticity Checker”, same acronym, makes more sense
- Compatible with WordPress 2.2 – 2.6.1
- NEW! Checks for embedded Static Links
- NEW! Direct links for editing suspicious files in the WordPress Theme Editor
- Improved the CSS
- Uses its own function to get theme file paths
Version 1.2 (Fixes)
- Band-aid fixes to theme file paths that were altered by the update to get_themes() in WordPress 2.6
- This release is only compatible with WordPress 2.6
Version 1.1 (Fixes)
- Style sheet doesn’t explode any more when certain threats are detected
- Modified code snippet output to prevent interfering with page structure
- Improved styling for slightly more appealing output
Version 1.0 (First Release)
- This is the initial release of TAC.
INSTALLATION
After downloading and extracting the latest version of TAC…
- Upload tac.php to the /wp-content/plugins/ directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Go to Design -> TAC in the WordPress Admin
- The results of the scan will be displayed for each theme with the filename and line number of any threats.

[...] click here to download and see its official site [...]
[...] TAC – Theme Authenticity Checker [...]
[...] your theme for “lousiness”, use
[...] 17) TAC (Theme Authenticity Checker) [...]
[...] TAC (Theme Authenticity Checker) – checks whether downloaded themes contain third-party junk code
[...] 1. Theme Authenticity Checker: this plugin is
[...] of hidden intentions. So finally the security code is the main concern now. Check your theme with Theme Authenticity Checker this will help you to scan for possible malicious [...]
[...] the TAC (Theme Authenticity Checker) plugin will help you with this. After installation and activation it will check all [...]
[...] Best Plugin: Miroslav Glavic – Built Backwards http://builtbackwards.com/projects/tac/ [...]
[...] your theme for “lousiness”, use the TAC (Theme Authenticity Checker) plugin, which can be downloaded from the WordPress plugins page. It [...]
I found this plugin to be quite useful, will you be updating it for WP 2.8?
Thanks,
Gene
Yes, we already have, just haven’t officially released it yet. Thanks for your interest.
-Sam
As of version 1.4 TAC is WordPress 2.8 compatible.
An excellent plugin, for which many thanks.
I uncovered 2 themes with suspect links straightaway, and tossed them out into the wilderness.
It would be great to pre-scan downloaded themes held on the hard drive, without having to upload them to the blog first!
BTW, What’s the theme you’re using on this site? It has nice minimal simplicity.
[...] security code is the top priority now. Check your WordPress theme with Theme Authenticity Checker; this will help you to scan code that may [...]
[...] TAC Theme Authenticity Checker More and more free Wordpress themes are being made with hidden and sometimes invasive encrypted code in the php files. This plugin can detect these files and let you know whether the code is encrypted. Encrypted code means that it’s harder to remove any links but more importantly, it can hide potentially malicious code. [...]
Thank you! My theme had many trash links. Excellent plugin)))
[...] You have something to say about the WP plugin I wrote: TAC (Theme Authenticity Checker) [...]
[...] ). Another option, specifically for themes, is the TAC (Theme Authenticity Checker) plugin, which can automatically search through the source of the themes [...]
[...] download Theme Authenticity Checker [...]
[...] Theme Authenticity Checker – Lets you scan the source code of the theme you have installed, and is able to find code injections or similar attacks; it also shows their exact location so that the code can be cleaned up. [...]
[...] 8、TAC – Theme Authenticity Checker [...]
I have had a lot of trouble with spam links being added to some of my HTML source files, so I installed TAC today.
The plugin seems to be working. It shows “theme OK” and tells me that there are 157 static links.
I know that some of those links are spam and I would like to get rid of them. There’s a Details link on the TAC page, but when I click it, it doesn’t do anything or go anywhere.
I would appreciate any help.
Eddie
The Details button uses basic JavaScript to reveal a hidden div that contains the details of TAC’s findings. I would suspect that it is a JavaScript issue. If you would please post this issue at http://wordpress.org/tags/tac?forum_id=10#postform so that we can properly document the problem and solution it would be much appreciated.
Thanks, Sam
Thanks so much for this plugin! I actually found malicious links in some themes.
I hope there is gonna be TAC for plugins too (PAC). Keep up the good work.
[...] TAC – Theme Authenticity Checker searches the themes you use for malicious code snippets. [...]
Thank you! This will come in handy…..
[...] downloading a theme that contains malicious code or obfuscated code, this somewhat new tool called Theme Authenticity Checker may help you out. 5 Links In [...]
Thank you!
Nice plugin! I have a lot of themes in a test installation of WP 2.8 and it found a large base64_decode that is very interesting in the Brown Rush, Fluid Solution, Meganews, Matatag, ModXBlog, Photo Frame, Resume Junction, Schemertype Mag, Triplex, and Warm Autumn footer.php.
FunctionPlus’ and sonartech2’s footer.php and functions.php are even more interesting, but only because of the size and the additional encrypted work.
A report from the MotherNature and Seashore themes contact.php seems to be a false positive and it appears to work on encoding email headers with the contact’s information (but then, I can’t read it either).
It’s a good plugin – thanks for your work!
Bill
[...] 17th, 2009 · No Comments TAC – Theme Authenticity Checker WordPress Plugin | builtBackwards Scan all of your theme files for potentially malicious or unwanted code. Be aware of advertisements [...]
[...] Read Details: http://builtbackwards.com/tac/ [...]
FANTASTIC!!! Worth its weight in gold! Gives me such peace of mind!
Cool stuff… any intentions of extending it to plug-ins?
We’re considering it, thanks.
[...] a plugin that checks the inside of those themes, “TAC (Theme Authenticity Checker)”, has been released, so I tried installing it right away. [...]
[...] there is a solution to this problem. You can download the Theme Authenticity Checker for WordPress and detect these Base64 strings that link to sites you do not want to endorse. You [...]
[...] JavaScript inserted into legitimate themes by third party theme download sites. TAC stands for Theme Authenticity Checker which is a WordPress plugin which will scan all of your theme files for potentially malicious or [...]
[...] a solution called “TAC” aka “Theme Authenticity Checker”. What it does is searches the source files of [...]
[...] Dave’s pick: Theme Authenticity Checker [...]
We were using The Buffet Framework, now we are using The Unstandard, by Derek Punsalan – both were modified to our preference.
[...] Super Cache ・WP System Health ・TAC (Theme Authenticity Checker) ・Permalink Redirect ・WPtouch iPhone [...]
[...] Tech Tips 20 Oct 2009 TAC (Theme Authenticity Checker) is a small Wordpress plug-in which snips out malicious code and static links present in Wordpress [...]
This will come in handy for me.
[...] that contains malicious scripts or unwanted code, then you might want to to check out a new tool Theme Authenticity Checker (TAC). It scans all of your WordPress theme files for potentially malicious or unwanted [...]