WordPress is extremely popular. It powers over a fifth of the tens of millions of sites on the web. One of the reasons it’s so popular is the ease with which inexperienced people can build a site with WordPress. The ability of WordPress to empower millions by giving them a voice on the web is awe-inspiring. But there are those who would prey on the less-informed and take advantage of their lack of experience.
WordPress is a modular system: much of its functionality is contained in third-party plugins and themes. For the most part, the plugin and theme ecosystem is at worst benign and at best incredibly useful. Unfortunately, parasitic “hackers” use plugins and themes as a vector for malware.
It usually works something like this. An individual who lacks the skill to contribute something useful to the world will buy a premium WordPress plugin. The PHP code for plugins is easily modified. The malefactor will change the plugin’s code; they will add malware payloads and code to exploit the vulnerabilities in people’s browsers. The modified plugin will then be sold on a seemingly legitimate marketplace for a fraction of the original cost. To the inexperienced, it just looks like a great bargain.
The WordPress user suckered by the offer will install the plugin on their site, and it will work just as it’s supposed to. From the perspective of the site owner, they got what they needed. But the extra code in the plugin will infect the site’s users with malware, redirect them to dangerous sites, create thousands of additional pages for SEO poisoning, and any number of other unpleasant strategies that benefit the hackers.
The first thing a site owner is likely to know about the problem is when they get an email from Google informing them that their site is infected and has been blocked by browsers and dropped from the search index.
How To Avoid Being The Sucker
The advice here is quite simple. Don’t buy discounted themes and plugins you find on Google. Don’t download premium themes and plugins when they are offered for free. Always make sure that you are downloading from a recognized or reputable repository or developer.
Unless you really know what you are doing, stick to WordPress’ official repositories for free themes and plugins. Almost every free theme and plugin is there, and unless you have the expertise to check the code yourself, or trust someone who does, downloading them from elsewhere is not worth the risk.
For premium plugins and themes, the situation is a little more complex. They are often sold via the developer’s site and theme marketplaces, and it can be tricky to assess the legitimacy of the source. Use your common sense: if it’s too good an offer to be true, avoid it. Research to find out who the developer of the plugin is, and make sure you are downloading from their site or from a reputable marketplace like ThemeForest.
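An added example, not part of the original article: if you hold a pristine copy of a plugin obtained directly from its developer, this Python script hashes every file of an installed copy, reports which files were modified, added or removed relative to the pristine copy, and flags changed files that contain the decoder-plus-eval constructs typical of the injected payloads described above. The function list and the sample plugin files are constructed for the demo; a real check would hash the actual installed directory against the developer's release.

```python
import hashlib
import os
import re
import tempfile

# Constructed heuristic list: functions that rarely belong in an ordinary plugin but are
# common in injected payloads. A hit is a reason to inspect, not proof of infection.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)


def manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare(reference, installed):
    """Return (modified, added, missing, flagged): flagged maps changed/added files to hits."""
    ref, inst = manifest(reference), manifest(installed)
    modified = sorted(p for p in ref if p in inst and ref[p] != inst[p])
    added = sorted(p for p in inst if p not in ref)
    missing = sorted(p for p in ref if p not in inst)
    flagged = {}
    for rel in modified + added:
        with open(os.path.join(installed, rel), errors="replace") as fh:
            hits = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
        if hits:
            flagged[rel] = hits
    return modified, added, missing, flagged


def demo():
    """Build a constructed pristine plugin and a tampered install, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = os.path.join(tmp, "reference"), os.path.join(tmp, "installed")
        files = {"plugin.php": "<?php\nfunction widget() { return 'hello'; }\n", "readme.txt": "clean\n"}
        for d in (ref, inst):
            os.makedirs(d)
            for name, body in files.items():
                with open(os.path.join(d, name), "w") as fh:
                    fh.write(body)
        # Constructed tampering: an appended decoder/eval call and an extra dropped file.
        with open(os.path.join(inst, "plugin.php"), "a") as fh:
            fh.write("eval(base64_decode('Li4u'));\n")
        with open(os.path.join(inst, "wp-cache.php"), "w") as fh:
            fh.write("<?php echo 'dropped';\n")
        return compare(ref, inst)


if __name__ == "__main__":
    print(demo())
```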