3 Tips to Avoid Dangerous Themes and Plugins
We all love how easy it is to install plugins and themes, but how do we know there is no hidden jack-in-the-box waiting to pop out? Viruses, worms and backdoors can be embedded in any theme or plugin and uploaded to the Internet for public consumption.
Here are three easy-to-use ideas to help you choose nice, clean plugins and themes.
Be Smart!
We wouldn’t walk down a dark alley in the middle of the night — hopefully!
Many a time we go through a process of elimination, downloading this, that and everything else that matches the description in our Google search. We know that if we just try downloading and installing one more plugin, it could be the exact thing we were looking for! But wait! Think for a moment, because the next plugin or theme you download could be the last! (Does anyone hear evil drums in the background?)
Be smart. Don’t just download, install and run. Plan your searches carefully. Take a minute to be alert and look around. Are there stats on how many times the plugin/theme has been downloaded? Are there comments? Is the author known? Is there a big red sign that says, I want to take over your blog?
Be alert, be smart!
Seek out Reputable Authors
As touched on in the point above, Velvet Blues’ recent post, “Are Plugins Ruining Your WordPress Website”, offers some sound advice:
… when making decisions on which plugins to include in your website, it is important to make smart choices, such as only using plugins that are popular or developed by reputable authors. Additionally, try to keep your plugins to a minimum.
Generally, Velvet Blues’ advice is good to follow, but sometimes we can’t even trust known, reputable authors. Some of you may remember when a WordPress-hosted system was hacked and a new release of WordPress backdoored. Loads of people downloaded the new version of WordPress, only to find out later that a hacker had broken in and placed bad, hidden code into the release.
Sticking with reputable authors really helps nine times out of ten. However, it is a blind, passive approach to your security, and putting your trust in third-party software could sink your ship.
Anti Virus
How can we be a little more proactive?
It is an often-overlooked feature, but most “half-decent” AntiVirus solutions can detect malicious code in PHP files. Many web servers don’t have AntiVirus installed, but most desktops do. Before uploading a theme or plugin to your blog, download it to your local computer first. Your AntiVirus should alert you to anything suspicious before you open it, and certainly before you upload the plugin/theme to your blog. Bear in mind that AntiVirus works from signatures of known samples: a backdoor that has been renamed, re-encoded or freshly written can pass a scan, so treat a clean result as necessary, not sufficient.
If you want to test your AntiVirus, there is an archive of backdoor web scripts (some of which I wrote) on Michael Daw. I have used these a lot when testing various systems. When you attempt to download the file, your AV should flag these backdoors immediately. AVG Free edition picks up the PHP backdoor in this archive.
Summary
These techniques are simple but effective. Using them consistently will definitely help you keep a tighter ship and hopefully save you from a mistake that could be very costly.
Comments
Thanks for the tips – As a relatively new WordPress user setting up several blogs for myself and clients, it’s great to hear ways of protecting my sites. Really appreciated.
Very good tips, and thanks for the mention.
Scanning downloads is SUPER IMPORTANT. And as you mentioned, even ‘reputable’ software/downloads can be problematic. And even though that WordPress problem that you referred to happened over a year ago, you never know what some enterprising hacker can do…
Also, when it comes to plugins that I don’t completely trust, I am savvy enough to review and edit the source code.
“… when making decisions on which plugins to include in your website, it is important to make smart choices, such as only using plugins >> that are popular << or developed by reputable authors. Additionally, try to keep your plugins to a minimum.”
So being popular makes it reliable?
Bit of a silly thing to say. Usage does not dictate the quality of the code written by any means; take Windows as one of many examples…
[...] Be careful about which themes and plugins you install – you may be installing a virus, hidden links, etc. [...]
I would recommend some anti-virus other than AVG free edition. That’s not very secure, using the free edition of AVG. We can try Kaspersky or Rising antivirus free edition. Thanks for the tips!
OK, AntiVirus is good, but you give an example of AVG Free edition which is PC only.
What’s the best for the MANY OF US out there on Macs?
Never thought that Themes can be a problem. I am not sure if AVG free edition is the best choice. I prefer Avast since Avast will notify me of any malicious websites and downloads.
Just do
grep -R "base64" *
If it finds something suspicious, you definitely should check thoroughly the plugin/theme in question.
Good tips regarding scanning plugins & themes with your antivirus!