# Theme Change Detection

- Alert ID: `theme_changes`
- MITRE ATT&CK: T1072 – Software Deployment Tools

## Severity / Criticality

| Level | Condition |
|---|---|
| Low | Existing theme update |
| Medium | Theme deletion |
| High | New theme installation or active-theme change |
## Why is it considered malicious?

- Nulled or pirated themes: often ship with hidden backdoors and malware.
- Active-theme change: can alter site functionality or weaken security.
- Malicious code in `functions.php`: runs automatically every time the theme loads.
- Defacement: full alteration of the site's appearance.
- Data exfiltration: themes that send sensitive information to external domains.
## When does the alert trigger?

- Theme change: `switch_theme` hook.
- Installation: `upgrader_process_complete` with `type=theme`.
- Update: `upgrader_process_complete` with `action=update`.
- Deletion: `deleted_theme` hook.
- Parent theme check: detection of changes in child themes.
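The trigger list above, as an added example in the form of a must-use plugin (not the detection product's own code): it subscribes to the hooks named above, maps each event to the severity table, and records the parent theme so child-theme changes stay visible. The `tca_alert` sink and the `[theme_changes]` log prefix are assumptions; replace them with your own log forwarder.

```php
<?php
/**
 * Plugin Name: Theme Change Alert (example)
 * Description: Logs theme switch, install, update and delete events with severity.
 * Place in wp-content/mu-plugins/ so it loads before any theme code.
 */

// Hypothetical sink: one line per event in the PHP error log. Swap for a SIEM forwarder.
function tca_alert( string $severity, string $event, array $context = [] ): void {
    error_log( sprintf( '[theme_changes] severity=%s event=%s %s',
        $severity, $event, wp_json_encode( $context ) ) );
}

// High: the active theme changed. The parent slug (if any) shows a child theme is involved.
add_action( 'switch_theme', function ( string $new_name, WP_Theme $new_theme, WP_Theme $old_theme ): void {
    tca_alert( 'high', 'switch_theme', [
        'old'     => $old_theme->get_stylesheet(),
        'new'     => $new_theme->get_stylesheet(),
        'parent'  => $new_theme->parent() ? $new_theme->parent()->get_stylesheet() : null,
        'user_id' => get_current_user_id(),
    ] );
}, 10, 3 );

// Install (high) and update (low) both arrive through upgrader_process_complete with type=theme.
add_action( 'upgrader_process_complete', function ( $upgrader, array $hook_extra ): void {
    if ( ( $hook_extra['type'] ?? '' ) !== 'theme' ) {
        return; // plugin, core and translation upgrades are not this alert's concern
    }
    $action = $hook_extra['action'] ?? 'unknown';
    // A single update carries 'theme', a bulk update carries 'themes', an install carries neither.
    $themes = $hook_extra['themes'] ?? ( isset( $hook_extra['theme'] ) ? [ $hook_extra['theme'] ] : [] );
    tca_alert( 'update' === $action ? 'low' : 'high', 'upgrader_' . $action, [
        'themes'  => $themes,
        'user_id' => get_current_user_id(),
    ] );
}, 10, 2 );

// Medium: a theme was deleted (hook available since WordPress 5.8).
add_action( 'deleted_theme', function ( string $stylesheet, bool $deleted ): void {
    tca_alert( 'medium', 'deleted_theme', [
        'theme'   => $stylesheet,
        'deleted' => $deleted,
        'user_id' => get_current_user_id(),
    ] );
}, 10, 2 );
```

Events that arrive without a logged-in user (for example WP-CLI or a background auto-update) will show `user_id` 0, which is itself worth correlating against the "legitimate automatic updates" false positive below.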
## Technical Indicators (IOCs)

| Type | Pattern / Example | Description |
|---|---|---|
| file_pattern | `@ini_set('display_errors', 0);` | Code often seen in nulled themes |
| file_pattern | `$GLOBALS['_876'] = base64_decode` | Malicious obfuscated code |
| network | `wp_remote_get('http://suspicious-domain.com')` | Communication with external domains |
| file_pattern | `theme_temp_setup` function hook | Suspicious hook in `functions.php` |
## Common false positives

- Planned design changes or maintenance.
- Theme testing in staging environments.
- Legitimate automatic updates.
- Creation or modification of child themes.
## Investigation steps

1. Verify theme legitimacy: official source, license, and version.
2. Analyze the code for external calls:

   ```bash
   grep -r "http://" wp-content/themes/[theme-name]
   ```

3. Search for obfuscation or suspicious execution:

   ```bash
   grep -r "base64_decode\|eval\|gzinflate" wp-content/themes/[theme-name]
   ```

4. Compare with the original theme version and validate checksums where available.
## Recommended mitigations

### Immediate

- Revert to the previous theme if suspicious behavior is detected.
- Scan the theme with security or antimalware tools.
- Validate the integrity of all active-theme files.
- Create a full backup before any modification.

### Preventive

- Install themes only from trusted and verified sources.
- Avoid nulled or pirated themes.
- Test all changes in staging before production.
- Monitor changes to `functions.php` and theme files.
- Use child themes for safe, traceable customizations.

## References

- Theme Security Guidelines – WordPress.org
- ThemeForest Malicious Code Check