As a beginner in WordPress, we tend to download themes from 'sources' other than the original theme author's page. These unsupported and unvetted files are often laced with hidden malicious code and backdoors, which will eventually cost you dearly when your WordPress website gets hacked. Your search ranking will also drop once Google flags the site in its results with a warning such as 'This site may harm your computer'.
To stay away from such code, I always suggest buying the theme from the original theme author's page. You can find well-developed, security-reviewed premium WordPress themes at affordable prices on ThemeForest. If you are downloading a free WordPress theme, make sure it comes from the original theme author's website or from the WordPress.org theme directory, where themes are reviewed before they are listed. For other basic WordPress security tips, read our article on Guide to better WordPress security.
Nevertheless, it is worth rechecking every downloaded WordPress theme for malicious code or hidden backdoors, ideally on the unzipped download before it ever reaches a site. Here is how I check a WordPress theme for malicious code and its authenticity.
How to Check a WordPress theme for Malicious Code
Before going through the theme check process, you should know why people add malicious code to WordPress themes. Hackers do it to create a backdoor into your website. Others do it to plant a backlink from your website or to inject an advertising snippet. In all these cases you gain nothing and lose the trust of your website visitors.
There are several ways to do a full review of the downloaded WordPress theme files. If you are a WordPress developer, go through each file manually. Otherwise you can use WordPress plugins that do the job in a few seconds. Where you can, do both: plugins only match known patterns.
WordPress Theme Manual Review
This is the step most people skip with a 'no, I can't do that'. Still, if you know a thing or two about WordPress theme files and PHP, the most effective way to check a WordPress theme for malicious code is to read each and every file. Pay particular attention to functions.php, header.php and footer.php, the usual places for injected code, and look for eval(), base64_decode(), gzinflate(), preg_replace() with the /e modifier, long obfuscated strings and hidden links or iframes (display:none). If you also have a copy from the author's site, diff the two directories; any extra file the theme does not need, especially a stray .php file, deserves a close look.
A full manual review of the theme files will also give you the confidence to customise the theme later.
Use WordPress Plugins to scan WordPress Themes
WordPress is a big open community, and that comes with its own perks. You can find many plugins in the WordPress repository that scan theme files for malicious or unwanted code. One of the top-rated ones is the Theme Authenticity Checker (TAC) by builtBackwards. It scans every theme file and checks its source for potentially malicious code. When it finds something, it displays the path to the theme file, the line number and a small snippet of the suspect code.
There is another plugin, Exploit Scanner, from Automattic, the company behind WordPress.com. In addition to scanning your WordPress theme for malicious code, it can search the files on your website and the posts and comments tables of your database for anything suspicious.
You could also try the Theme Check plugin by Otto42 and pross. It runs the same automated tests WordPress.org uses for theme submissions to its repository; it is primarily a coding-standards checker, but it also flags obfuscated code and attempts to include external files. All three work by pattern matching, so treat a hit as a lead to read, not a verdict, and a clean report as no guarantee. Check each plugin's last-updated date before installing it, and prefer scanning on a staging copy rather than on your live site.
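As an added example, not code from the article or from any of the plugins named above, the shell script below does offline what the manual review and those plugins do: it greps an unzipped theme directory for the PHP constructs and HTML tricks that injected backdoors, link spam and ad snippets usually rely on, and prints the path, line number and offending line. Running it on the download before the theme is uploaded avoids handing a backdoor to your server at all. The toy theme the script writes is constructed for the demo; the file name theme_triage.sh and the pattern list are my assumptions, and the patterns are heuristics, so a hit is a line to read and a silent run is not proof the theme is clean.

```shell
#!/bin/sh
# Added example, not from the article or any plugin it names: offline triage
# of an unzipped WordPress theme for constructs that injected backdoors, link
# spam and ad snippets usually rely on. Heuristic only: a hit is a line to read
# by hand, and no hits does not prove the theme clean.

# Boundaries are spelled out instead of \b so the regex works with both GNU and
# BSD grep -E.
PHP_DANGEROUS='(^|[^A-Za-z0-9_])(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
PHP_PREG_E='preg_replace[[:space:]]*\(.*/e['"'"'"]'   # /e modifier executes the replacement
PHP_SUPERGLOBAL='\$_(GET|POST|REQUEST|COOKIE)\['      # request input read directly in a theme
LONG_BASE64='[A-Za-z0-9+/]{80,}={0,2}'                # obfuscated payload blobs
HIDDEN_HTML='display:[[:space:]]*none|visibility:[[:space:]]*hidden|<iframe'
PATTERN="$PHP_DANGEROUS|$PHP_PREG_E|$PHP_SUPERGLOBAL|$LONG_BASE64|$HIDDEN_HTML"

# scan_theme DIR: print path:line:content for every suspicious line.
# Exit status 0 when something matched, 1 when nothing did (grep's convention).
scan_theme() {
    grep -rnE -- "$PATTERN" "$1"
}

# count_hits DIR: number of suspicious lines, as a bare integer.
count_hits() {
    scan_theme "$1" | wc -l | tr -d ' '
}

# make_sample_theme DIR: write a constructed toy theme with a clean index.php
# and style.css, a functions.php carrying a typical injection and a footer.php
# with hidden link spam. Sample data for this demo only.
make_sample_theme() {
    mkdir -p "$1"
    cat > "$1/style.css" <<'EOF'
/*
Theme Name: Sample Theme
Version: 1.0
*/
body { margin: 0; }
EOF
    cat > "$1/index.php" <<'EOF'
<?php get_header(); ?>
<main><?php while ( have_posts() ) { the_post(); the_content(); } ?></main>
<?php get_footer(); ?>
EOF
    cat > "$1/functions.php" <<'EOF'
<?php
add_theme_support( 'title-tag' );
// Injected: decoded at runtime so the payload never appears in plain text.
eval( base64_decode( 'ZWNobyAnYmFja2Rvb3InOw==' ) );
if ( isset( $_REQUEST['cmd'] ) ) { system( $_REQUEST['cmd'] ); }
$blob = 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo';
EOF
    cat > "$1/footer.php" <<'EOF'
<?php wp_footer(); ?>
<div style="display:none"><a href="http://example.com/">cheap pills</a></div>
</body></html>
EOF
}

# Usage: sh theme_triage.sh /path/to/unzipped-theme
if [ -n "${1:-}" ]; then
    scan_theme "$1"
fi
```

Run it as `sh theme_triage.sh path/to/unzipped-theme` and open every reported line in context. The alternation deliberately includes functions a legitimate theme may use (system-level calls almost never, base64_decode occasionally for icon data), so expect to read, not just count. If you also have a copy from the author's site, `diff -r author-copy downloaded-copy` catches additions this pattern list would miss.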
Online tools to check Malicious Code in WordPress themes
VirusTotal is a free online service that analyses suspicious files, whether a WordPress theme or any other upload (plugins, WordPress core files and so on), by running them through dozens of antivirus engines, which makes it quick at spotting known viruses, worms, trojans and other malware.
To start, upload the zip file of the WordPress theme you want to check to VirusTotal and click 'Scan it!'. It will list every detection any engine raised against any file in the archive. A detection is a strong signal; no detections is not a clean bill of health, because a bespoke PHP backdoor rarely matches any signature. Keep in mind too that uploaded samples are shared with the participating vendors.
Peace of mind with Sucuri
Sucuri is one of the best website security platforms out there. For users like us, they provide a website malware and security scanner (SiteCheck) for free. You just enter your WordPress URL and the tool checks your website for known malware, blacklisting status, website errors and out-of-date software. Because it crawls the site from outside, it only sees what the rendered pages expose; it cannot read the theme files on your server, so it complements rather than replaces the file-level checks above.
However, the real value is in Sucuri's paid plans. They monitor your website 24x7 for hacks and blacklisting, put a web application firewall in front of it to block brute-force attacks, DDoS attacks and malware injection, speed it up through their CDN and take daily backups. The best part is that Sucuri will completely clean and restore a hacked or compromised WordPress website.