Apart from Official WordPress repository there are hundreds and thousands of websites which provides nulled premium WordPress themes and Plugins for free but the problem is you can not trust them. Most of them are infected and malicious codes are added to theme purposefully. These can be to get a backlink from your blog, to add adverts, redirect your blog to spammy website or at worst to get a backdoor access into your blog.
It is very difficult to identify a malicious code in a nulled theme unless it is placed at a lame place. Even if you download free premium wordpress themes from warez or torrent source they too may be infected by malicious codes.There are many free and premium tools available to scan wordpress blog for potential threats and malicious codes.
#1. Virus Total
VirusTotal is a free tool to scan files for virus, trojans, worms and all other kind of malwares. Head to VirusTotal.Com, upload zip file of wordpress theme and click scan for virus. If everything is fine here proceed further.
#2. Theme Authenticity Checker (TAC)
Tac is a free plugin available at wordpress repository. Tac scan all files of in wordpress setup for potentially malicious or unwanted code. Often hackers inject malicious codes into core files of themes and plugins for which it is a wonderful tool identify such codes. If such codes are found it displays the path and line number of infected files.
#3. Exploit Scanner
Exploit Scanner is another free wordpress plugin for scanning malicious codes. It is far more robust than Theme Authenticity Checker because it scans and search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers. It also examines your list of active plugins for unusual filenames.
Aggressive Exploit Scanner returns tons of false positives. So before you delete any line of code double check it to know what really it is.
Sucuri is a robust wordpress security scanner. It has two options available for users. free edition is a basic scanner to check if site is doing fine. Real power of sucuri lies with Premium edition which monitors your blog round the clock against all security threats. It scan every activity on blog and if anything looks fishy, sucuri blocks the IP. They also send you email and twitter alert if they notice something unusual. Sucuri is well known for malware cleanup service, which can be used incase blog is already affected. This service comes free of cost to all premium users regardless the size of their blog.
Further you can visit Google Safe Browsing diagnostics page and scan your blog. Remember you can prevent Google from labeling your website as infected, if you take prompt actions and remove malicious codes spreading bad karma on internet.
Link : http://www.google.com/safebrowsing/diagnostic?site=YOUR-DOMAIN-NAME.COM
In some cases if it is not possible to detect where the malware is located and your blog is showing signs infection. You should perform a clean reinstallation of wordpress setup, replace all your themes and plugins. You can even hire professionals at sucuri who are experts in cleaning up malwares and protecting blogs from further infection. Security is of course an important issue for any blog so it is important to take preventive measure well in advance.