=== TAC (Theme Authentication Checker) === Contributors: builtBackwards Donate link: http://builtbackwards.com/donate Tags: themes, security, javascript, admin Requires at least: 2.6 Tested up to: 2.6 Stable tag: 1.2 Scan all of your theme files for potentially malicious or unwanted code. == Description == = NOTICE: CURRENT VERSION 1.2 IS ONLY COMPATIBLE WITH WORDPRESS 2.6 = Don't worry, this release is only a band-aid to deal with a core function change in Wordpress 2.6. The next version will be backwards compatible to at least Wordpress 2.5 as well as working with 2.6 [View CHANGELOG on Plugin Homepage](http://builtbackwards.com/projects/tac/ "View CHANGELOG on Plugin Homepage") TAC got its start when we repeatedly found obfuscated malicious code in free Wordpress themes available throughout the web. A quick way to scan a theme for undesirable code was needed, so we put together this plugin. After Googling and exploring on our own we came upon the [article by Derek](http://5thirtyone.com/archives/870 "article by Derek") from 5thiryOne regarding this very subject. The deal is that many 3rd party websites are providing free Wordpress themes with encoded script slipped in - some even going as far as to claim that decoding the gibberish constitutes breaking copyright law. The encoded script may contain a variety of undesirable payloads, such as promoting third party sites or even hijack attempts. **What TAC Does** TAC stands for Theme Authentication Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. Then what do you do? Just because the code is there doesn't mean it's not supposed to be or even qualifies as a threat, but most theme authors don't include code outside of the Wordpress scope and have no reason to obfuscate the code they make freely available to the web. We recommend contacting the theme author with the code that the script finds, as well as where you downloaded the theme. == Installation == After downloading and extracting the latest version of TAC: 1. Upload `tac.php` to the `/wp-content/plugins/` directory 2. Activate the plugin through the 'Plugins' menu in WordPress 3. Go to Design -> TAC in the Wordpress Admin 4. The results of the scan will be displayed for each theme with the filename and line number of any threats. == Frequently Asked Questions == = What if I find something? = Contact the theme's original author to double check if that section of code is supposed to be in the theme in the first place - chances are it shouldn't as there isn't a logical reason have base64 encoding in a theme. = What about future vulnerabilities? = As we find them we will add them to *TAC*. If you find one, PLEASE let us know: [Contact builtBackwards](http://builtbackwards.com/contact/ "Contact builtBackwards") == Screenshots == 1. TAC Report Page = Closing Thoughts = We hope this helps out. Please enjoy being secure! Ciao! The builtBackwards Team