The one note here is that it is the intention of the programmer that really matters. Sure you can add this as a backdoor hack to manipulate WordPress blogs. And lets face it, those with bad intentions most likely already know how to do this.

So for you that are arguing that this is bad, at least the average user can see how it is implemented and can look at the functions of a theme they are thinking of using so any suspicious code.

And for those claiming that you can encode this, that is yet another warning for the average user. If you look in the functions.php file and see a set of random characters, beware. This is encoded data that may do a number of things. I have seen code like this automatically add “spammy” links, and more. And yes, some of the themes with this sort of code are actually found at WordPress.org! (or at least were last time I looked)

Bottom line, if you use this code in your theme, you should disclose to the end user why it is there so they can decide for themselves. If as a user, you aren’t sure about a theme, don’t use it. If you see a random line of characters, know that something is encoded and beware.

Also thanks Tommy for the response, that sounds like an interesting application as well.

Regardless, it’s not like Brad just invented something new here. This is one of the least detrimental things one could do to your blog if they wanted to. A theme is like a plugin — I could use a theme to spam other blogs, give me access to the files on your server, etc. etc. etc.

but I see where you are coming from. That’s why I said don’t be evil

Prejudices, Brad? :)

As stated above, it may be very easy for theme creators to insert such code into themes. It can also be encoded and inserted somewhere randomly as just a line of text. Most users are illiterates so chances are they won’t even suspect it.

Yeah – they could.

I’m using similar code via a plugin for clients. The plugin sits in the admin sidebar and acts, mostly, as a contact form. It sits there in case a client needs help with something. When they do, they click on the link in the sidebar and fill in the form to “call” us.

If there isn’t already a dedicated user for us, a button is also on that page with a reminder that it’s best to have us work under our own username, and that they can click the button to generate one for us.

I’m not a WP expert, but if a WordPress theme creator (Such as leland) inserted this code into a themes function.php file… couldn’t he gain access to any blog using the user/pass defined in that code?

Just wondering, as I said, I’m not WP expert.