What not to put into WordPress themes
After developing the public theme for everyone last week, I took some time to go through some popular WordPress themes that the public seems to use. I wanted to take a look at the code and see if I did anything different from them. I was surprised at what I found out.
One of the most popular WordPress themes available has some things inside of it that I found to be pretty shocking. There are a couple of things that not only make it more difficult for the person to install the theme, but also hidden portions of code inside of the theme that look to drive traffic to the original author’s Web site. Let’s get started.
Blog Ranking Code
I noticed that in the header there was some odd code; it looked like it had some JavaScript that collects data. From what I have found out, this seems to be a blog ranking code. Why would you not want to put this in your theme? When people install this and use it, the author is reaping the “traffic statistic” benefits of everyone else’s Web sites. Seems very unethical to me.
Feedburner RSS Address
When putting together a theme, try to use the bloginfo RSS feed code. Don’t put your own Feedburner RSS feed URL into the header content. When users install the theme, their users are subscribing to the author’s RSS feed, which just seems unethical to me, again. I try to make every theme as flexible as possible for each user, from the beginner to the advanced user. I have to assume that the very beginner user doesn’t know how to change the RSS feed URL, so why would someone put their own RSS Feedburner URL in that space? To gain RSS readers in an “accidental” manner. The header is only one location out of the many that I found where the RSS feed is promoted. In order for this theme to be legitimate, the user would have to scour through all the template files and make multiple changes.
Google Analytics
Don’t put any form of Google Analytics in your theme. If you want to track who is downloading your theme, start using Mint. You don’t need to put Google Analytics hidden in the footer. While we can’t be certain what this Google Analytics code actually collects, we can only assume the worst: that this Analytics code is collecting traffic data for the original author’s Web site. What does that mean? If people don’t edit the footer, every bit of traffic that the user receives goes toward the theme author “cheating” his way into increasing his traffic statistics.
All of these are horrible examples of things to put inside of a WordPress theme. All of these examples were from one single, very popular, WordPress theme. Can you guess which theme and theme author uses these unethical ways? This theme is one of the most popular WordPress themes used. Should it be?
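The three leftovers described above (an external ranking script, a hardcoded Feedburner feed, and a Google Analytics snippet) can be checked for before a theme is activated. The following is an added example, not code from the post or from any theme: the template contents, host names and the rule list are constructed for illustration, and the rules are assumptions that cover only these three cases.

```python
import re

# Constructed sample template files (not taken from any real theme).
SAMPLE_THEME = {
    "header.php": '''<link rel="alternate" type="application/rss+xml"
  href="http://feeds.feedburner.com/example-author" />
<script type="text/javascript" src="http://ranking.example.net/badge.js"></script>
<link rel="alternate" type="application/rss+xml" href="<?php bloginfo('rss2_url'); ?>" />''',
    "footer.php": '''<script src="http://www.google-analytics.com/urchin.js"></script>
<script type="text/javascript">_uacct = "UA-0000000-1"; urchinTracker();</script>
<?php wp_footer(); ?>''',
}

# Assumed rule set: one pattern per kind of leftover discussed in the post.
RULES = [
    ("hardcoded-feed", re.compile(r"feeds\d*\.feedburner\.com/[\w\-/]+", re.I)),
    ("analytics-id", re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")),
    ("external-script",
     re.compile(r"<script[^>]+src=[\"'](?:https?:)?//([^/\"']+)", re.I)),
]

def audit_theme(files, site_host):
    """Return sorted (file, line_no, rule, match) findings for a theme.

    files maps template names to their text; site_host is the blog's own
    host, whose scripts (and those of its subdomains) are not reported.
    """
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES:
                for m in pattern.finditer(line):
                    if rule == "external-script":
                        host = m.group(1).lower()
                        if host == site_host or host.endswith("." + site_host):
                            continue  # first-party script, fine
                        findings.append((name, line_no, rule, host))
                    else:
                        findings.append((name, line_no, rule, m.group(0)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_theme(SAMPLE_THEME, "myblog.example"):
        print("%s:%d %s %s" % finding)
```

The feed link that uses `bloginfo('rss2_url')` is not reported, because it resolves to the installing site's own feed rather than a fixed address.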








Apr 22nd 2008
Thanks for bringing up these great points! I am no expert on themes and I just got into using WordPress themes as of late and tinkering with CSS. I pay close attention to the code but sometimes I have no clue what I am looking at! At least now I know what to look for.
Apr 22nd 2008
Thanks Adelle, think you want to take a stab at the theme author who created these amazingly unethical ways of cheating his theme users?
Apr 22nd 2008
Is it the adii guy that is all over the screen grabs?
I’d hope this isn’t a deliberate tactic, merely an oversight. Pretty shady either way.
Apr 22nd 2008
DES WINS!!!
Des, it seems pretty deliberate, since he not only hid things inside of the header, but the index, the footer, the sidebar, and many other places. You are 100% correct, it is REALLY shady!
Apr 22nd 2008
Awesome! I never win anything
I wonder how many themes include this tactic? It’s not on really. I can understand a comment in there or something giving credit, but hiding links to yourself and stealing traffic is bad bad stuff. Nice work for pointing it out, let’s hope people take note.
Apr 22nd 2008
Wow, that is shady. I wonder if he put those “gems” in his paid themes? That would be supershady.
Apr 22nd 2008
I never knew this practice exists. Thanks for pointing it out, and we’ll see if the theme’s author has anything to say about this thing.
Apr 22nd 2008
Patrick - Seems like you have some kind of vendetta against me, after leaving a pretty derogatory comment on my blog (about something that’s not related to this post) over the weekend as well… And you could’ve just as well published my name, as it is pretty obvious from the code that you were talking about me… That way it would’ve at least been easier for me to spot the post and be given a fair opportunity to defend your claims!
So before anyone decides to go on a witch hunt, I’ll just provide some facts as everything that Patrick has said is based on observations. When I released WP-Polaroid last year, I was actually using that exact theme on my own blog and after several requests from readers about the theme, I relented and decided to release a more generic version of the theme (as I didn’t want 100’s of other blogs sporting the same theme as me).
So what I literally had to do, was to “clean up” the theme of everything that was only related to http://www.adii.co.za. As you can imagine - there were a lot of references / sections of code that had to be either removed or changed and unfortunately the code snippets that Patrick has published were oversights on my part. I did thus not maliciously include that code in the theme to boost my own ego or something - it was an honest mistake that I randomly learned about, about 3 months after releasing the theme.
So why haven’t I fixed it? Well - it’s probably no excuse, but I just haven’t had the time to go back to such an old project. In fact, until I saw this post today, I had completely forgotten about it.
Also note that I had very little to gain from those snippets of code… I doubt whether the Google Analytics code or Amatomu embed will change everything in terms of the figures on my side, since the theme won’t be used on adii.co.za. On the RSS - surely a user of the theme would realize that my RSS was still hardcoded into the theme and would change that to their own?
So to end off; Yes - I should’ve changed the theme a long time ago and there’s no excuse (that will satisfy you) for this. But no - it wasn’t done deliberately and I doubt that I have gained anything from it. For proof that this was an isolated case - download ANY of my other free themes (or paid themes if you want to buy it to make sure I’m not lying) and try find “malicious” code.
And Patrick - Surely you can write about something more exciting!?
Apr 22nd 2008
To play devil’s advocate for a moment, is this something that is consistent across all the themes he releases or just the one? It would be pretty easy to try a theme out, or put it up as a demo with this information in, and then forget to remove it before releasing it.
What did Adii say when you asked him?
Apr 23rd 2008
Can you let me know which of his themes actually do this? I’d like to verify this myself.
Apr 23rd 2008
@Andrew: I have no proof that this is across the board, like I said in the post, this is just on one theme.
@Nathan: I am not going to out anyone, this post was not made to be directed at a specific person, although it has cultivated itself to being that.
@Adii: I have no personal vendetta against you Adii. While I understand that releasing the “theme” to the public is a good thing, especially when people ask, I don’t know if I personally would consider it a theme. A theme has to work perfectly out of the box in my opinion; if I have to install it and edit each template file, I don’t know if I would consider it a theme. Also, the comment about Grid Layout is legitimate, the theme doesn’t follow correct grid ruling. I am sorry but that’s what we do, we let the public know about the ethical issues at times. Just like letting people know about John Chow affiliate link scams, and Problogger’s affiliate link baiting. I don’t tell everyone what it’s like to be on the moon, because I have never been to the moon!! In my opinion I see a lot of people using keywords to drive traffic, like “Grid Layout” and seeing a Web site or theme that isn’t! But do understand, like I have said above, this has no trackback URL, or link or even name to a specific theme. Honestly, it was up to the public to guess and decide.
Apr 23rd 2008
@Adii,
That’s a fair explanation. It is difficult to *completely scrub a theme, especially when you’re in a rush.
But I’d be careful not to downplay the impact of this oversight. It probably has bloated both your subscribers and your traffic, probably quite significantly.
And Google analytics may not keep track of individual page records because of the URL difference, but it certainly would alter the number of daily/monthly unique visitors.
Since you mentioned you don’t have the time to fix this, I went ahead and removed the offending code in the header.php and footer.php files for you and zipped it up. You can get it here:
http://www.nathanrice.net/files/wp-polaroid.zip
I suppose this is a lesson to us all to be a lot more careful when releasing themes.
Apr 23rd 2008
@Adii
I’ve seen you mentioned on a good few websites, ie wpdesigner etc… when you and sp had a little debate on something… can’t remember now, but anyway!
You say you had no time to code it and it was a genuine mistake? Hmm…
You posted that fairly big ass comment right there, doesn’t changing this like take 2 seconds?
Apr 23rd 2008
@ Patrick - Never claimed to be a Grid expert and I admire guys like Khoi Vinh in this regard… That theme (Author’s Grid) is however still grid-based - might not be full-on grid, but it is going in that direction. That said, this post wasn’t about that… Hope that my explanation of the situation was sufficient!?
@ Nathan - Thanks for that… Will update the download link accordingly. And yes, I agree that theme designers should take more care and my mistake in this regard was releasing something that was previously my own (and thus didn’t have to adhere to free theme principles).
Apr 23rd 2008
Kudos to Adii for actually stopping by and explaining what happened. Looks like there was a lesson learned by all here. I also believe that Patrick didn’t out anybody but instead, questioned the ethics of some of the theme designers out there. All of this stuff might not have been done on purpose but at least we are now aware that we end users now have to trudge through our themes to make sure they are clean before we use them on our own site.
Apr 27th 2008
I find that explanation totally inadequate. Of course he had to come and try to defend himself, but I’m sure that he saw the benefits of those bits of code to his website and decided that it would be worth his while to leave them in there.
May 6th 2008
This is exactly the reason why I find it so difficult to find a theme. I’ve made a shortlist of 31 themes I really like, but, as a beginning blogger, I don’t know how to recognize malicious code. This could be a wonderful task for the themeviewer, but that website is so outdated. Can’t you examine more popular themes more often?
Thanks,
a reader from Holland.
May 8th 2008
@Smithy: +1
May 17th 2008
the whole idea of open source is that the code released is seen by many, and bugs can be sighted and resolved, inefficient code can be made efficient etc.
although the author of the theme does get minus points for this boo boo, malice is out of the question because the source code was released, and it was bound to be found out.
May 24th 2008
First let me say I’m by no means a WP power user. I only have a couple of blogs with WP… the vast majority of my sites are blogger blogs.
Second, Adii, respectfully that’s a load of crap you’re trying to sell. I may not be a WP expert, but I DO know analytics and feedburner and math and your stats were getting the benefit of these snippets, without question. Now I’m willing to give you the benefit of the doubt that you missed them while cleaning up an existing template, fair enough. But didn’t the exponential increase in traffic reported via analytics give you a gentle reminder every time you looked at them? By your own admission above, you were using this theme on YOUR main blog…and we’re supposed to believe you didn’t notice the increases in your stats? Come on guy…
I’m also on-board with Anto, if you really considered it a big deal, wouldn’t the right thing to do have been to make the corrections and provide a link to the “clean” theme in your lengthy response above? It had to take you longer to write that response than it took Nathan to remove the offending code…and he had to look for it!
And finally Kinjal, I see your point and respectfully disagree. Just because someone else could read the code and find it doesn’t mean everyone else can or will…and the fact that it can be found says nothing about malice. Viruses can be found if you look for them too, that doesn’t mean they aren’t coded with malice.
In the end, as developers we need to be uber careful about the product we put out, and as consumers, we need to know where that package is coming from before we open it.
Patrick, thanks for pointing this out to everyone.