Reading this article may end up saving your site from getting hacked.
This Tips and Tricks HQ blog gets so many queries on the term “Free eStore Download”, “Free WordPress eMember” and many similar terms from bloggers not wanting to pay for the WP eStore or the WP eMember plugin. I am pretty sure the same is true for most premium plugins and themes. I understand some of you not wanting to pay for a plugin or a theme but trying to get a free download (possibly from a warez or torrent or file sharing site) is not the solution.
I always believed in the fact that there are no free lunches in this world. If you see someone giving someone else’s premium plugin or theme for free you have to ask yourself the following question:
“Why are they giving it away for free?”
When people offer you something for free, like premium plugins or themes because they know thousands are looking for it, you need to think twice before downloading and USING it.
Anyone can easily add code to the original plugin or theme and offer it to you for free. Now this premium plugin that you got for free can give them a backdoor access to your site after you upload it to your site. As soon as you upload a plugin to your site it has admin access to do whatever. Once the plugin is uploaded there is no going back! This model of malicious file distribution is widely used by hackers.
For example, the bad plugin can change the admin email address of the site to the hacker’s email address when it is activated. Now, all the hacker has to do is use the reset password feature of WordPress and the new password will be sent to his email address… suddenly you don’t have access to your blog anymore!
I have seen instances whereby someone downloaded a free copy of the Thesis theme and it inserted bunch of hidden links to questionable sites in the footer section of that site. The admin of the site had no idea about this until his site dropped from Google’s index!
Increased Number of Websites Getting Hacked
WordPress itself is very secure but why do so many WordPress sites get hacked everyday? Majority of these sites get hacked because the admin of the site decided to upload plugins and themes that they got from questionable sites, giving the hacker an easy backdoor entry!
Remember the story of the “Trojan Horse”? The plugin or theme that you download from questionable sites is essentially a Trojan horse that you are putting inside your site yourself (you never know when the hacker will strike!). Always download a WordPress plugin or theme from the original developer’s site.
Mattcutts from Google has mentioned that there has been an increase in website hacking since the desktops are getting harder to hack after the release of Windows Vista and Windows 7. If you own and operate a website then this means you need to be extra careful.
No, Antivirus will not Save You
You might be thinking, “I will just check the package with an antivirus software”.
I have got news for you… Malicious code in a PHP file cannot be detected by your antivirus software. WordPress plugins and themes are written in PHP (these are not like your average desktop softwares), PHP scripts can be edited by anyone and there is nothing malicious about it. The hacker can easily add a few lines of code that will email him some details from your website to his email address when you activate the plugin!
Always remember that these people offering plugins and themes for free might seem like your best friend because they are giving you something but it is only because they want something in return (Access to your site!).
There is no point in securing your site using other means if you are going to upload content (disguised as a plugin or theme) that you got from questionable sites.
My advise is, why put yourself at risk over a few bucks. If you do not have the money now, you can always save up and get the original at a later date. You need to spend money to make money and there is nothing wrong with supporting the original developer who spent countless hours working on the plugin or the theme. When you pay for a product you also get support for it.
Don’t forget to leave comments below to let me know what your thoughts are on this topic and read the Essential WordPress Security Tips post to learn more on WordPress security.
Edit: Since I published this post there has been some good comments, so make sure you read them.