The Dangers Of Using WordPress Plugins From Untrusted Sources

The folks over at Sucuri have reminded us once again why it’s important to only download plugins from trusted sources. In a disturbing post published on the Sucuri blog, Denis Sinegubko highlights the dangers of using plugins from untrusted sources.

In this post, we’ll talk about “patched” malicious premium plugins. We’ll talk about what they do, how they work, and about websites that build their businesses around stolen WordPress themes and plugins.

The article contains a lot of great information, but it classifies commercial plugins that are available for free as stolen plugins. If a commercial plugin is licensed under the GPL, redistributing its code is permitted by the license, so the code can't be stolen. There are always people looking to get something for nothing, which is why malicious distributors will always have some success seeding free copies of commercial plugins with backdoors.

While users are getting commercial plugins for free, they may also be getting backdoors and other malicious software. This is not a new problem, and it doesn't affect just plugins. In 2009, Leland Fiegel published a screencast that shows how dangerous it is to use free themes discovered through Google.

The WordPress plugin repository is the most trustworthy place to download plugins. A team of volunteers reviews each plugin to make sure it abides by a strict set of guidelines before it's added. The repository is constantly under the watchful eyes of the community, and if anything malicious is added to a plugin after it's been approved, the plugin is removed until it's fixed. Keep in mind that the review covers the initial submission; later updates are not individually reviewed, so a plugin's trustworthiness still rests on its author and on the community noticing problems in new versions.

WordPress Versus GitHub

More and more plugin developers are moving their plugins over to GitHub. If you're going to use a plugin from GitHub, research the author and make sure they're legitimate. Check whether the plugin is also available in the plugin repository, since development can be synchronized between the two; if it is, the repository copy gives you a known-good reference to compare a download against. The best advice is to purchase plugins from the original source. That way, you know what you're getting, and you'll be able to receive support if you run into problems.


13 responses to “The Dangers Of Using WordPress Plugins From Untrusted Sources”

  1. why are they moving to github?

    I have woodojo from woothemes.

    Sometimes it is hard to find the original source for plugins.

    I don’t care what plugin (and theme) authors say but you can’t really steal their plugins. I can buy a plugin and make it available free. Isn’t that how the WP license works? If you create something, I can fork it and have it available for free.

  2. I saw the Sucuri post over on Facebook and it is pretty frightening.

    I’ve always stayed away from free themes and the more I learn about WordPress the more I only use premium themes and bought plugins or ones from the WordPress plugin repository.

    And as Miroslav asks “why are they moving to github?” I’m confused on that one.

  3. I question the validity of only using free plugins from the WordPress repository. A few years ago I was looking for a privacy policy plugin on the repository and the only 2 I could find had not been updated since 2009. This is unacceptable, as internet laws are changing constantly.

    My wife is an internet lawyer and wrote an up-to-date privacy policy and terms of use, but I got sick and tired of copying and pasting, so I wrote my own plugin and submitted it to the WordPress repository. However, they rejected it with a link to their rules for accepting a plugin. I believe I had followed all of the rules and asked them why they rejected it, and the only response from them was that they couldn't use it. This is an up-to-date plugin, as opposed to outdated plugins that, in an ever-changing world, were no longer relevant. Anybody using those plugins is leaving themselves open to prosecution from governing bodies. But the people at WordPress didn't feel they needed a current one that to this day is still being maintained.

    Funny thing though is that I have found many plugins and themes in the repository that do not follow their rules. So who is it that is making the decisions as to what should and should not be put in the repository?

    We use the plugin now as a list-building tool on one of our websites. However, if the good people at WordPress become enlightened and decide that protecting their users' businesses is important, then we will reconsider listing it in the repository.

    • Hi Tony,

      1) I don’t think privacy plugins should be allowed. Different countries have different rules. I am in Toronto Canada as I type this
      2) Your wife and you, are either of you lawyers? (.info site)
      3) The whois search for that .info site is Australia. I am in Canada, our laws are slightly different.
      4) Europe has this thing about telling viewers about cookies. That doesn’t apply to everyone.
      5) Fill in form type privacy sites SUCK HORRIBLE.
      6) You don’t need a plugin for privacy policy.

      If you have advertisements, go to google adsense/linkshare/cj/etc… privacy policy pages and read them.
      Then you go back to your own website, create:
      Explain in your own ways what GA/LS/CJ/etc…said.
      Do you use Google Analytics/Woopra/etc…? Go back to your /privacy page and mention that. Mention that GA/Woopra will tell you their country/web browser/operating system/etc…

      Mention what happens to the information people leave when they leave a comment on your site. If you use disqus/other 3rd-party…………

      Do you get the point I am trying to say? Do the effort yourself. Don’t need a plugin.

  4. >why are they moving to github?
    Some developers prefer one source control system over another. GitHub is nice because it can support both SVN and Git clients. It's also got an issue tracker which you can use to track bugs and issues that are specific to your plugin.
    > I can buy a plugin and make it available free
    I suspect that depends on the terms of your license with the supplier. Some plugins you pay for the support, others you pay for the usage.

    • Any WordPress based product inherits the license of WordPress.

      I said that I can technically speaking do it. If it’s morally acceptable/ethically acceptable…that’s something different. Theme/plugin license discussions happened last year. Many people got pissed.

  5. So please tell me a way I can check my theme's integrity to make sure there is no dodgy code in there? Even purchasing a theme doesn't mean there will be no malicious or dodgy code in there…

    Any ideas or websites that can run checks on a theme? (or plugins?)

  6. Well this video is certainly a blast from the past!

    As commercial plugins have gained popularity over the years, it’s not surprising at all that sketchy people have started redistributing popular ones with malicious code for free.

    The same adage applies, only trust plugins (and themes) from reputable sources. is usually a pretty safe bet.

