EN / ZH
Serious WordPress Vulnerability: Your Theme Could Be Leaking!
2011-10-02 | 458 words · ~3 min read# WordPress

Today is the second day of the National Day holiday. I wasn’t planning to write anything, but something happened tonight that compelled me to start typing.

Here’s the story: someone reached out to me on QQ this afternoon, asking how I added the “back to top” button in the Deve theme. I checked out his blog — he was also using Deve — so I told him to download the update package from our group chat.

That evening, the same person contacted me again, asking how to set up the music album and artist name fields in Deve’s music post format. I once again directed him to download the patch from the group’s shared files… And then he kept going back and forth with me. The more I listened, the more something felt off. So I searched for his QQ number in the group — couldn’t find it! That’s when I realized his theme was either pirated or leaked.

After asking around, I learned he got the theme by downloading a ZIP file from a specific directory on Liangxin’s site that had the same name as the theme. This reminded me of a group email Liangxin had sent not long ago, asking us to check whether a certain WP directory contained any ZIP files and to delete them if found.

Speaking of that directory — the day after I switched my domain, I actually told Liangxin that my directory still contained theme ZIP files and asked if I should delete them. At the time, he just said to delete them and didn’t think much of it…

After chatting with this person who had a pirated copy of Deve, I learned that many hosts have ZIP files in their /wp-content/uploads directory. According to him, whenever you install a theme or plugin by uploading a ZIP file, a copy remains in that directory! I checked some of my friends’ hosts, and sure enough — by accessing the direct URL, I was able to download themes from three of them, all premium themes (though I already had copies). This was genuinely alarming!

So I’m writing this to let everyone know: check your /wp-content/uploads directory for ZIP files, and delete them all!

Not every host will have this issue, but you should check just to be safe!

PS: Don’t try to download themes from any blogs mentioned in this post by guessing their file paths. Since I’ve written this article, do you really think my friends won’t have deleted theirs already?

As a member of the WordPress blogging community, I absolutely despise people who steal themes via direct file paths. It was like this with Loper before, and now with Deve too. When will the WP community ever get some peace?

Tags: #WordPress
© 2026 Len Chou