Flat’s publicly hosted on GitHub — its code is there for anyone to see. I can assure you, it contains no malware. Over the past few weeks, a few potential XSS issues have been resolved by adding in more of WordPress’ sanitization functions where needed, but as for directly containing malware? No.
Generally, if your site is hacked — commonly by an automated script — the malicious code that they add will be added to your theme files, regardless of what the theme actually is. A former client of mine had her site attacked and her theme, based on the über popular Genesis framework, received all sorts of nasty code, resulting in a Chrome browser malware warning on her site.
If your site is hacked and has malware, you need to change all of your passwords to something insane (mixing symbols in is less important than the length of your password; the more bits your password has, the longer it’ll take to crack) — FTP and/or shell account, web host, WordPress admin panel, etc. Anything connected with your site.
Your web host’s server logs should allow you to search for weird query strings or other suspicious behavior, and your web host may work with you to find the source of the problem.
If, ultimately, the problem was with Flat — an insecure function call, a variable not properly sanitized, etc. — please let us know, and we will harden that part of the theme further.
Thanks.
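
The server-log search suggested above, sketched as an added example that is not part of the original post or of the Flat theme. It assumes access logs in the Apache/nginx "combined" format; the rule patterns are illustrative heuristics and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumed heuristics, not an exhaustive rule set: tune them for your own site.
RULES = {
    "script-markup": re.compile(r"<\s*script|javascript:|\bonerror\s*=", re.I),
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
    "php-code": re.compile(r"base64_decode|eval\s*\(|<\?php", re.I),
    "sql-keywords": re.compile(r"union\s+select|information_schema", re.I),
}

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (ip, status, rule_name, decoded_query) for every flagged request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ip, _method, target, status = m.groups()
        query = decode_fully(urlsplit(target).query)
        for name, rule in RULES.items():
            if query and rule.search(query):
                hits.append((ip, int(status), name, query))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "GET /?s=flat+theme HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2014:10:01:05 +0000] "GET /?s=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5301 "-" "curl/7.30"',
    '198.51.100.9 - - [10/Mar/2014:10:01:09 +0000] "GET /?p=../../../etc/passwd HTTP/1.1" 404 312 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A flagged request that returned 200 deserves a closer look than one that returned 404, and repeated hits from one address help narrow the time window to review.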