
Free premium wp plugins vs wp theme downloading beware

There are many things smart players can do (it depends on what they are after), but I am just going to give you a simple example without going into too much detail:

Example 1

1) Someone writes a WordPress plugin that inserts various hidden links into your theme’s header or footer when activated. There is nothing wrong with that in itself (it could even be functionality that someone wants from a plugin).

2) This person then gives this plugin the following name:

“WP-eStore.zip”

3) Uploads it to a file sharing site disguised as an e-commerce plugin.

4) You download this plugin (thinking it’s an e-commerce plugin) and upload it to your site. As soon as you hit activate, every page of your site has hidden links to sites that you don’t want (the best part is that you don’t even know they are there, because the links are hidden from you but search engines can see them).

Example 2

1) Someone writes a PHP script that inserts various hidden links into your theme’s header or footer when executed.

2) This person adds this script inside a well-known plugin and re-zips the folder.

3) Uploads the package to a file sharing site.

4) You download this plugin (without knowing that this package has been tampered with) and upload it to your site.

5) All the smart players have to do now is execute the script inside the package you just uploaded to your site by simply going to its URL. The script gets executed and every page of your site now has hidden links to other sites. When you upload a script to your site it runs as root (kind of like an administrator), so it will do whatever it was programmed to do (in this case, something that you don’t want).
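One way to catch the re-zipped package from Example 2 is to compare it file by file against a copy obtained directly from the developer. The sketch below is an added example, not code from the original post; the plugin name, file paths and contents are constructed sample data, and it assumes you have a trusted copy of the same plugin version to compare against.

```python
import hashlib
import io
import zipfile


def manifest(zip_bytes):
    """Map each file path in a plugin archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_packages(trusted_zip, suspect_zip):
    """Diff a suspect archive against a copy obtained from the developer."""
    trusted, suspect = manifest(trusted_zip), manifest(suspect_zip)
    return {
        "added": sorted(set(suspect) - set(trusted)),
        "removed": sorted(set(trusted) - set(suspect)),
        "modified": sorted(
            p for p in set(trusted) & set(suspect) if trusted[p] != suspect[p]
        ),
    }


def build_zip(files):
    """Build an in-memory zip from {path: bytes}; only used for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample data: a made-up plugin, and a re-zipped copy with one
# extra PHP file and one altered file, as described in Example 2.
ORIGINAL = build_zip({
    "sample-plugin/sample-plugin.php": b"<?php /* Plugin Name: Sample */",
    "sample-plugin/readme.txt": b"Sample plugin readme",
})
TAMPERED = build_zip({
    "sample-plugin/sample-plugin.php": b"<?php /* Plugin Name: Sample */ include 'inc/x.php';",
    "sample-plugin/readme.txt": b"Sample plugin readme",
    "sample-plugin/inc/x.php": b"<?php /* placeholder for injected code */",
})

if __name__ == "__main__":
    for kind, paths in compare_packages(ORIGINAL, TAMPERED).items():
        print(kind, paths)
```

Any entry under "added" or "modified" is a file the developer did not ship in that form, so the package should not be installed until the difference is explained.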

Why would the hacker need to get the admin password and log into your WordPress site? They don’t have time to log into each site… they want to spread the disease virally without doing any manual work (you are doing the work for them).

The bad plugin (disguised as an e-commerce plugin) can modify the “Admin Email Address” of your blog when activated (it can change the admin email address to his email address). Now, all the hacker has to do is use the reset password option and the new password will be sent to his email address as that is the new admin email address. Suddenly you don’t have access to your blog anymore!

I used to use “free” plugins and templates, only for testing them… Just on a few occasions there were some links in the footer, which I could remove. I guess I was lucky! About 1 1/2 years ago I stopped with these “free” goodies. I buy the plugins and the templates; I now have SEVERAL′ of dollars worth of plugins and templates. AND THEY ARE WORTH EVERY PENNY! Why did I buy them? Because of the updates and the most important part: SUPPORT!

ADDITIONAL WORDS

I want to add 1 more thing. Being a developer I understand your pain. Just a piece of advice for people wanting a free lunch.

Wherever money matters, don’t compromise. If you want people to pay you, you need their trust. Think: what if someone visits your site to pay you and his/her PayPal gets hacked, or someone hacks your PayPal ID? In the first case all your reputation will be lost; just 1 bad experience is enough to ruin a whole business.

Support the developers. Even if you are using such sites to get to know about the latest plugins/software, you can try them, but don’t use them forever. If you want more such stuff, you should support the developers!

In the long run, it will cost you a lot of money if you keep using the “free” plugins and templates.
Let me know if that makes sense.