Yesterday, a post by Denis Sinegubko addressed the dangers of downloading plugins from unofficial sites. Sinegubko explained how “patched” malicious premium plugins work, what they do, and how some websites build their entire business around these stolen plugins.
Some people, due to lack of knowledge, download free plugins from untrusted sites. But, more often than not, people download pirated software to avoid paying the premium costs. While this, quite obviously, leaves them with the benefit of a free premium plugin, their site is nonetheless left vulnerable to a variety of attacks.
Why would someone spend their time to steal software, and then post it to various sites and forums where they can’t even count on any advertising revenue? . . . By adding some undisclosed functionality to the stolen plugins like backdoors, ads, hidden links, and SPAM.
The post discussed—in great detail—the plugins that Sucuri found to be infecting sites.
Although it can be tempting to download a free version, it’s simply not worth the risk. This news is a good reminder that you should make sure you’re downloading from secure sites. You can ensure that you aren’t downloading a corrupt plugin by going directly to the official WordPress repository. For premium plugins, you should go directly to the developer’s website.
Where do you download your plugins from?
Marie Dodson is an editorial assistant at Torque. She graduated from Cornell University with a degree in Biology and Society. She enjoys wine, good books, and travel.