PHP code found in WordPress theme

I found about 174 lines of code – just letters and numbers – hidden in a blog theme. Since then I check every file in a theme before using it.

Just got a new theme with the following code in footer.php

[php]<?php $_F=__FILE__;$_X='Pz48ZDR2IGNsMXNzPSJGMjJ0NXIiPg0KICA8ZDR2IGNsMXNzPSJGMjJ0NXItNG5uNXIiPiA8MSBocjVmPSI8P3BocCBibDJnNG5mMigncnNzYV8zcmwnKTsgPz4iIGNsMXNzPSJyc3MtdDFnLTRjMm4iIHQ0dGw1PSJSU1MgTjV3cyI+PC8xPg0KDQogICAgPGQ0diBjbDFzcz0iRjIydDVyLXQ1eHQiPg0KICAgICAgPHA+DQogICAgICA8cD48MSBocjVmPSI8P3BocCA1Y2gyIGc1dF8ycHQ0Mm4oJ2gybTUnKTsgPz4vIj48P3BocCBibDJnNG5mMignbjFtNScpOyA/PjwvMT4uIFAydzVyNWQgYnk6IFcycmRwcjVzczxici8+DQogICAgICAgIEluIGMybGwxYjJyMXQ0Mm4gdzR0aDogPDEgaHI1Zj0iaHR0cDovL3d3dy4xbGxwNDVyNWM0cDVzLmMybSI+UDQ1IFI1YzRwNXM8LzE+LCA8MSBocjVmPSJodHRwOi8vZ3I0bGxiYnFyNWM0cDVzLmMybS8iIHQ0dGw1PSJHcjRsbDRuZyBSNWM0cDVzIj5HcjRsbDRuZyBSNWM0cDVzPC8xPi4gRDJ3bmwyMWQgZnIybSA8MSBocjVmPSJodHRwOi8vd3BmcjU1dGg1bTVzLm4xbTUvYzF0NWcycnkvcjVzdDEzcjFudC13cC10aDVtNXMvIiB0NHRsNT0iUjVzdDEzcjFudCBXUCBUaDVtNXMiPlI1c3QxM3IxbnQgV1AgVGg1bTVzPC8xPi4NCiAgICAgIDwvcD4NCg0KICAgIDwvZDR2Pg0KICA8L2Q0dj4NCiAgPGQ0diBjbDFzcz0iRjIydDVyLWIxY2tncjIzbmQiPiA8L2Q0dj4NCjwvZDR2Pg0KPC9kNHY+DQo8L2Q0dj4NCg0KPC9kNHY+DQoNCjxkNHY+DQogIDwvZDR2Pg0KPC9iMmR5PjwvaHRtbD4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
[/php]

I ran it through several online decoders but nothing came up. So, is this safe code for an ad or dangerous and to be removed?

Thanks

Depends on where you got the theme. If its from themeforest or one of its sister sites, then its probably nothing to be concerned about. its actually 2 different variables and $x looks like a url or maybe a key of sorts, possibly to let the creator know who’s using it. $_F could be a custom class or construct.

Sponsor our Newsletter | Privacy Policy | Terms of Service