The folks over at Sucuri have reminded us once again why it’s important to only download plugins from trusted sources. In a disturbing post published on the Sucuri blog, Denis Sinegubko highlights the dangers of using plugins from untrusted sources.
In this post, we’ll talk about “patched” malicious premium plugins. We’ll talk about what they do, how they work, and about websites that build their businesses around stolen WordPress themes and plugins.
The article contains a lot of great information, but it classifies commercial plugins that are available for free as stolen plugins. If a commercial plugin is licensed under the GPL, the code can’t be stolen. There are always people looking to get something for nothing, which is why malicious developers will always have some success distributing free versions of commercial plugins.
While users are getting commercial plugins for free, they may also be getting backdoors and malicious software. This is not a new problem and it doesn’t affect just plugins. In 2009, Leland Fiegel published a screencast that shows how dangerous it is to use free themes discovered by Google.
The WordPress plugin repository is the most trustworthy place to download plugins. There is a team of volunteers that reviews plugins to make sure they abide by a strict set of guidelines before they’re added. The repository is constantly under the watchful eyes of the community, and if anything malicious is added to a plugin after it’s been approved, it’s removed until it’s fixed.
More and more plugin developers are moving their plugins over to GitHub. If you’re going to use a plugin from GitHub, research the author and make sure they’re legitimate. Check to see if the plugin is also available on the plugin repository, since development can be synchronized between the two. The best advice is to purchase plugins from the original source. This way, you know what you’re getting and you’ll be able to receive support if you run into problems.
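One concrete way to act on that advice, as an added example that is not code from this article or from Sucuri: compare the plugin directory you downloaded (from GitHub or anywhere else) against the copy of the same version obtained from the wordpress.org repository, and list every file that was added, removed or altered. The demo() function builds a constructed sample pair in a temporary directory; the directory names and file contents are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, so the comparison is content-based."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its digest."""
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in root.rglob("*") if p.is_file()}


def compare_plugin_trees(trusted, candidate) -> dict:
    """Report files the candidate copy adds, drops or alters relative to the trusted copy.

    Any entry in 'added' or 'modified' is a file to inspect before activating the plugin;
    a clean match against the repository copy of the same version yields three empty lists.
    """
    t, c = _tree(Path(trusted)), _tree(Path(candidate))
    return {
        "added": sorted(set(c) - set(t)),
        "removed": sorted(set(t) - set(c)),
        "modified": sorted(f for f in set(t) & set(c) if t[f] != c[f]),
    }


def demo() -> dict:
    """Constructed sample: a tiny plugin and a downloaded copy with one extra and one altered file."""
    base = Path(tempfile.mkdtemp())
    trusted, candidate = base / "repo-copy", base / "downloaded-copy"
    for d in (trusted, candidate):
        (d / "inc").mkdir(parents=True)
        (d / "plugin.php").write_text("<?php\n/* Plugin Name: Example */\n")
        (d / "inc" / "admin.php").write_text("<?php\nfunction example_admin() {}\n")
    # The downloaded copy differs: an extra file under inc/ and a changed plugin.php that loads it
    (candidate / "inc" / "extra.php").write_text("<?php\n// not present in the repository copy\n")
    (candidate / "plugin.php").write_text("<?php\n/* Plugin Name: Example */\ninclude 'inc/extra.php';\n")
    return compare_plugin_trees(trusted, candidate)


if __name__ == "__main__":
    print(demo())
```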