Free Premium Plugin and Theme Downloaders – Beware!

Reading this article may end up saving your site from getting hacked.

This Tips and Tricks HQ blog gets so many queries on terms like “Free eStore Download”, “Free WordPress eMember” and many similar ones from bloggers not wanting to pay for the WP eStore or the WP eMember plugin. I am pretty sure the same is true for most premium plugins and themes. I understand some of you not wanting to pay for a plugin or a theme, but trying to get a free download (possibly from a warez, torrent or file sharing site) is not the solution.

I have always believed that there are no free lunches in this world. If you see someone giving away someone else’s premium plugin or theme for free, you have to ask yourself the following question:

“Why are they giving it away for free?”

When people offer you something for free, like premium plugins or themes because they know thousands are looking for it, you need to think twice before downloading and USING it.

Anyone can easily add code to the original plugin or theme and offer it to you for free. This premium plugin that you got for free can then give them backdoor access to your site after you upload it. As soon as you upload a plugin to your site it has admin access to do whatever it wants. Once the plugin is uploaded there is no going back! This model of malicious file distribution is widely used by hackers.

For example, the bad plugin can change the admin email address of the site to the hacker’s email address when it is activated. Now, all the hacker has to do is use the reset password feature of WordPress and the new password will be sent to his email address… suddenly you don’t have access to your blog anymore!

I have seen instances whereby someone downloaded a free copy of the Thesis theme and it inserted a bunch of hidden links to questionable sites in the footer section of that site. The admin of the site had no idea about this until his site dropped from Google’s index!

Increased Number of Websites Getting Hacked

WordPress itself is very secure, so why do so many WordPress sites get hacked every day? The majority of these sites get hacked because the admin of the site decided to upload plugins and themes that they got from questionable sites, giving the hacker an easy backdoor entry!

Remember the story of the “Trojan Horse”? The plugin or theme that you download from questionable sites is essentially a Trojan horse that you are putting inside your site yourself (you never know when the hacker will strike!). Always download a WordPress plugin or theme from the original developer’s site.

Matt Cutts from Google has mentioned that there has been an increase in website hacking since desktops are getting harder to hack after the release of Windows Vista and Windows 7. If you own and operate a website, this means you need to be extra careful.

No, Antivirus will not Save You

You might be thinking, “I will just check the package with antivirus software”.

I have got news for you… Malicious code in a PHP file cannot be detected by your antivirus software. WordPress plugins and themes are written in PHP (these are not like your average desktop software). PHP scripts can be edited by anyone and there is nothing malicious about that. The hacker can easily add a few lines of code that will email him some details from your website when you activate the plugin!
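Where antivirus signatures see nothing wrong, a file-by-file comparison against a copy obtained from the original developer does show what was changed. The following is an added example, not code from this post or from any plugin: the package names, file contents and the `build_zip` helper are constructed for the demonstration, and it assumes you hold a reference copy of the same version from the developer.

```python
import hashlib
import io
import zipfile


def file_hashes(zip_bytes):
    """Return {relative path: SHA-256 hex digest} for every file in a zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in entries]
        # Repackaged archives often rename the top-level folder. When every
        # file sits under one shared folder, compare paths relative to it.
        roots = {n.split("/", 1)[0] for n in names}
        strip = len(roots) == 1 and all("/" in n for n in names)
        hashes = {}
        for info in entries:
            rel = info.filename.split("/", 1)[1] if strip else info.filename
            hashes[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_packages(reference_zip, suspect_zip):
    """List files added to, removed from, or modified in the suspect package."""
    ref = file_hashes(reference_zip)
    sus = file_hashes(suspect_zip)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(p for p in set(ref) & set(sus) if ref[p] != sus[p]),
    }


def build_zip(files):
    """Helper for this demo only: build an in-memory zip from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample data: a made-up plugin and a repackaged copy of it.
ORIGINAL_MAIN = "<?php\n/* Plugin Name: Example Plugin */\n"
# One extra line of perfectly valid PHP, the kind a signature scanner ignores.
TAMPERED_MAIN = ORIGINAL_MAIN + "echo get_bloginfo('admin_email');\n"

REFERENCE_ZIP = build_zip({
    "example-plugin/example-plugin.php": ORIGINAL_MAIN,
    "example-plugin/readme.txt": "Example Plugin readme\n",
})
SUSPECT_ZIP = build_zip({
    "example-plugin-free/example-plugin.php": TAMPERED_MAIN,
    "example-plugin-free/readme.txt": "Example Plugin readme\n",
    "example-plugin-free/includes/helper.php": "<?php // not in the original\n",
})

if __name__ == "__main__":
    report = compare_packages(REFERENCE_ZIP, SUSPECT_ZIP)
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
```

Any entry under "added" or "modified" is a file to read line by line before the package goes anywhere near a live site.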

Always remember that these people offering plugins and themes for free might seem like your best friend because they are giving you something but it is only because they want something in return (Access to your site!).

There is no point in securing your site using other means if you are going to upload content (disguised as a plugin or theme) that you got from questionable sites.

My advice is: why put yourself at risk over a few bucks? If you do not have the money now, you can always save up and get the original at a later date. You need to spend money to make money and there is nothing wrong with supporting the original developer who spent countless hours working on the plugin or the theme. When you pay for a product you also get support for it.

Don’t forget to leave comments below to let me know what your thoughts are on this topic and read the Essential WordPress Security Tips post to learn more on WordPress security.

Edit: Since I published this post there have been some good comments, so make sure you read them.


Comments (44 responses)

  1. Michael says:

    Very true with WordPress sites getting hacked with free premium themes or plugins. I personally did not have one hacked that way, but I did download a free backlink pro software that added a thousand backlinks. I let the software run and I think it added some really nasty backlinks to an old site of mine and in just a few days the site was redirected and said it was hacked by someone. I can’t remember the hacker, but it was nasty enough I could not use the domain anymore. Beware of where you get free backlinks too.

  2. Artur says:

    I know what you are talking about. One of my sites got recently hacked and some files were replaced. Not serious damage and the sites were old, but it happened after installing some freebies.

  3. shravankumar says:

    Thanks for all the information, it’s very informative and I have learned so much from your article. I have downloaded some premium plugins from some websites but I have not installed them on my site. Is there any way to know whether code is hidden in plugins and themes, to know if it is a hacked one or not … I am new to this but I am reading and learning all the information from the net. I recently installed and started my WordPress blog…

  4. Sanjib says:

    Hi, I completely agree with you. Nobody gives away any freebies without any ulterior motive. I heard of free trials but not free products. Your post is very helpful for many of us.

    Thanks a lot

  5. bns says:

    Man you are really awesome.. your tips are very true, that is happening in WordPress websites.

    Thank you..

  6. awesome games says:

    No free meals, it is true you should never believe in something easy, it’s easy AT will have reason

  7. Rasel Rony says:

    Yeah you are right, we should be aware of downloading free premium contents

  8. MarkL says:

    Yes but they already had the upper hand, passing this knowledge on to normal people is our best defense.

  9. Victor says:

    Hackers are something else. And with social networks feeding them with this much info, they are even stronger

  10. admin says:

    Lately, a lot of sites are getting affected by a trojan that attacks the following file:

    wp-includes/js/l10n.js

    This makes it to where the above script tries to attack anyone who is browsing your site. This results in Google blocking your site as Google doesn’t like sites with malware.

    If you are receiving complaints about malware on your site check the above mentioned script and make sure it has not been compromised.

  11. coolteli says:

    I think this is the right place to share what I went through… I got a premium theme from a free offering site and uploaded and activated it on my blog. For a few days it went well, till one day I found strange search queries in my stats leading to my blog.. those keywords had nothing to do with my blog. I checked and to my horror I found a whole different site was being displayed above my header with those keywords. I talked with my host and they told me there was alien code in my WordPress files. It took them a week to clear all that stuff and regain my account… gosh… so beware friends…

  12. admin says:

    Probably start with a free plugin that you can download from WordPress.org. I know that there are a few free eCommerce plugins out there.

  13. RO says:

    I’m the type of person that likes to experiment with different plugins to see which one works best for a site (especially eCommerce.) I don’t have the money to throw at plugins I may not like or not use in the end. What can I do?

  14. Bruce says:

    Wow, that is some valuable information right there! I try and learn something new every day, and that is just eye opening. I appreciate the tips, and keep up the great work. I will have to add this feed :) Thanks, and God bless!

  15. Ripul Kumar says:

    I want to add 1 more thing. Being a developer I understand your pain. Just a piece of advice for people wanting a free lunch.
    Wherever money matters don’t compromise. If you want people to pay you, you need their trust. Think if someone visits your site to pay you and his/her PayPal gets hacked or someone hacks your PayPal ID. In the first case all your reputation will be lost, just 1 bad experience is enough to ruin a whole business.
    Support the developers. Even if you are using sites to get to know about latest plugins/softwares, you can try them but don’t use them forever.
    If you want more such stuff you should, Support the developers!

  16. Steves says:

    Thanks for the info. I was almost tempted to use a free affiliate software and some free plugins. They are in my email for activation but I haven’t touched them yet. Actually I plan to buy orig copies from tips&trick. I just have other priorities for my money.

    This answers my question, “What’s the catch after downloading those freebies.” The same is true with free trial antivirus that I downloaded. Before the expiration of the free trial, a lot of viruses swarmed my computer. I had no option but to reformat and purchase an original antivirus. Unfortunately, the bkup copy I prepared became defective, so I have to start all over again.

  17. Mahadir says:

    Thanks for this post, now I know the reasons why some premium plugins or themes are given for free.

  18. John says:

    Yes, no one can save you except yourself. Can’t agree with this more. WordPress themes are quite secure and search engine friendly. But plugins are not so sure. I think everyone should bear the risks while you enjoy the benefits those plugins bring. Always security first, then comes comfortableness.

  19. Ed says:

    I used to use “free” plugins and templates, only for testing them… Just on a few occasions there were some links in the footer, which I could remove. I guess I was lucky! About 1 1/2 years ago I stopped with these “free” goodies. I buy the plugins and the templates, I now have 1000’s of dollars worth of plugins and templates. AND THEY ARE WORTH EVERY PENNY! Why did I buy them? Because of the updates and the most important part: SUPPORT!

    In the long run, it will cost you a lot of money if you keep using the “free” plugins and templates

  20. Chris says:

    I’ve seen “free premium” themes injected with Google AdSense ads

  21. This is truly very informational. Reading through the comments taught me to be more careful. Although it saddens me to see good people trying to earn a decent living online have to experience these things. Very eye opening. Thank you.

  22. Daniel says:

    Thank you for the nice explanation. Saved me from going down this path :)

  23. admin says:

    Hi Melinda, Downloading plugins from the WordPress repository should be safe as I am sure the WordPress team checks the code before a plugin author can upload it there.

  24. What about the free plugins downloaded from wordpress.org/extend? Are we able to trust them as opposed to free plugins downloaded from a non-wordpress site?

  25. Dan says:

    My site just got flagged by the antivirus guys! Now anyone landing on my site with antivirus installed on their computer automatically gets redirected to a page where they get the following message:

    mysite.com may be risky to visit according to McAfee.
    Why were you redirected to this page?
    When we visited this site, we found it exhibited one or more risky behaviors. SiteAdvisor LIVE Protected Mode is enabled, which shields your computer from interaction with risky sites.

    I have no idea how to get rid of this but I am losing a lot of traffic now because no one wants to visit my site after they see this warning!

  26. admin says:

    Hi Nathan, there are too many things a hacker can do (it depends on what he is after) but I am just going to give you a simple example without going too much into details:

    Example 1

    1) Someone writes a WordPress plugin that inserts various hidden links to your theme’s header or footer when activated. There is nothing wrong with it (it could even be a functionality that someone wants from a plugin)

    2) This person then gives this plugin the following name:

    “WP-eStore.zip”

    3) Uploads it to a file sharing site disguised as an e-commerce plugin.

    4) You download this plugin (thinking it’s an e-commerce plugin) and upload it to your site. As soon as you hit activate, every page of your site now has hidden links to sites that you don’t want (the best part is that you don’t even know that it’s there because the links are hidden but search engines can see those)

    Example 2

    1) Someone writes a PHP script that inserts various hidden links to your theme’s header or footer when activated.

    2) This person adds this script inside a well known plugin and re-zips the folder.

    3) Uploads the package to a file sharing site.

    4) You download this plugin (without knowing that this package has been tampered with) and upload it to your site.

    5) All the hacker has to do now is execute the script inside the package you just uploaded to your site by simply going to the URL. The script gets executed and every page of your site now has hidden links to sites. When you upload a script to your site it runs as root (kind of like an administrator) so it will do whatever it was programmed to do (in this case it was programmed to do something that you don’t want).

    Why would the hacker need to get admin password and log into your WordPress site? They don’t have time to log into each site… they want to spread the disease virally without doing any manual work (you are doing the work for them).

    Since we are on this topic I might as well explain how the hacker can get your password too :)

    The bad plugin (disguised as an e-commerce plugin) can modify the “Admin Email Address” of your blog when activated (it can change the admin email address to his email address). Now, all the hacker has to do is use the reset password option and the new password will be sent to his email address as that is the new admin email address. Suddenly you don’t have access to your blog anymore!

    Let me know if that makes sense.

  27. nathan says:

    I admit that there are so many hackers. But how would they hack our site if we don’t give the password and always remember the thing you’re doing.

  28. jan says:

    Many themes are used to spread links that you now there also can build anything else because I had not thought of, thank you

  29. Julie says:

    @Corrine: I think “idiot” is too strong a word. I’d say most of the people who download free plugins from wherever they can get them are, at worst, just naïve. (All right, that’s pretty close to “idiot,” but still not the same.)

  30. Jason says:

    Another victim here. I had to completely reinstall my WordPress as after I installed this theme it inserted a whole bunch of dodgy scripts in various places which can copy themselves and do nasty things! It also inserted code in the database tables so just removing the pirated copy of the theme didn’t solve anything. It was painful to start over with a fresh WordPress install.

  31. eshanne says:

    That’s why the developers need to give users a discount after trial and maybe less.. :) perhaps.. Most of us bloggers don’t have that much money, including me, don’t forget about the students too.. :)

    I have played several times with most of the plugins that have been cracked and hacked, and yes they’ve implemented something in the wp-settings.php.. right now I’m still searching for a nice and cheap plugins store / themes and even software.. I’m scared to download more hacked / cracked plugins ..

    P/s – When free, things will get cocky.. Beware!!!

  32. Christien says:

    Very informative article indeed. I know now how to keep my blog safe and that’s good because in the payday loan niche, there are a lot of people who try to hack into your site… Anyway, thanks for the great post and keep up the good work!

  33. Joseph says:

    Thanks for this post, very informative.

  34. Really helpful article. Thanks a lot

  35. Shree says:

    The experiences shared by Dave and Robert can be real eye openers for those who are still in the search of free themes and plugins. The article is no doubt valuable at this time when hacking has become so rampant.

  36. Corrine says:

    I don’t mean to be rude but you have to be pretty idiot to download a package from a site not owned by the original developer and upload it to your site! Never ever do that if you are serious about making money online.

  37. Jamie says:

    WOW! Simply wow! Never even thought about this!

    I could be paying specialists hundreds of dollars to secure my site but If I upload one compromised plugin or theme to my site then all that other security stuff doesn’t matter anymore! Thank you very much for sharing this.

  38. admin says:

    Hi Linda, Traditional malware protection or antivirus software that you use on your desktop application cannot do anything against this kind of attack. Antivirus is made to work in a certain way. They are only useful to find viruses, for example, that are harmful to your computer. It cannot do anything against a script that works on your website and gives the hacker an upper hand.

    Why not? I will give you a very small example and try to explain…

    1. Let’s say “Akismet” was a paid plugin
    http://wordpress.org/extend/plugins/akismet/

    2. A hacker sees a lot of people looking for a free copy of this plugin so he gets an idea in his head.

    3. He downloads this plugin and adds this one line of code to the plugin file:

    echo "Admin email address".get_bloginfo('admin_email');

    There is nothing malicious about the above code. It simply shows the admin email address. He will probably make it so it actually emails this info rather than showing it. The point is that it is all valid PHP code (this could even be a required functionality for someone’s case). No antivirus or malware protection software will find this malicious.

    4. He repackages it up (zips up all the files) and calls it “akismet.zip”

    5. Uploads it to some file sharing site.

    6. Posts the link on some forum or something.

    7. Someone finds this link and jumps up in joy because he thinks he got something valuable for free.

    The thing is that PHP code is not compiled code like desktop applications, which are probably written in C++ or Java or in a similar programming language. With compiled code, after the .exe file is generated you cannot change the code. If you do, the anti-virus can pick it up as the file signature will change. Web applications get executed directly from the source code (there is no concept of compiled code).

  39. Linda says:

    Seems the hackers are everywhere these days… always coming up with new tricks… do you have any suggestions as to what software or plugins to install that will help with monitoring your site or finding/checking for code? Will a program like Malwarebytes help with scanning plugin files before using any plugin?

    I’d like to hear your thoughts on this…

    Thanx
    Linda =}

  40. admin says:

    @Dave and Robert, thank you for sharing your experience.

  41. Robert says:

    Nicely explained! Hackers are trying hard to get into your site these days because it’s easy for them to get a share of the money that you make from your site once they have a backdoor access.

    One of my sites had all of its Google AdSense code altered so the money from the clicks was going to his account!! Obviously, I couldn’t see any difference when I just looked at the AdSense block on my site (it was serving the same AdSense ads). I only found it out when one month I didn’t receive payment from Google… very sneaky!!

  42. Dave says:

    I wish I read something similar 8 months ago! Here is what happened to me…

    I downloaded a premium shopping cart plugin by following a link that I got from one of those script sharing sites.

    I was selling a few things from my blog using this shopping cart plugin. I roughly make about 10-12 sales a week (this amounts to $150-$250). I have smart email filtering so the PayPal sales receipt gets tagged and archived so my inbox doesn’t get crowded with them. One week I logged into my PayPal account to transfer the money to my bank account and I was surprised to see that the money amount was a lot less than what I expected. So I started to check the settings of the plugin and guess what! The PayPal email address was changed in the settings to someone else’s address, so all the money was going to this other person’s account!!!

    I changed the email address back but it got changed again after a few days. This is when I realized that someone else was doing something funny. At this stage, I was stuck with a plugin that had been tampered with by a hacker so I had to stop using it and buy the original one. I lost more money by getting that free copy of the plugin. I could have saved all the hassles and frustration if I had just bought it in the first place.
