3rd Door – Today The Advice: Don’t Steal Premium WordPress Themes

A friend called me and informed me that he had found two links in his footer to spam websites. He had "found" the premium theme he was using "on the Internet". I looked at the theme again, and the footer.php consisted of the following (shortened by me):

$_F=__FILE__;$_X='Pz4JPGQ0diA0ZD0iZjIydDVyIj4NCgkJPHAgY(....) 
==';eval(base64_decode('JF9YPW(...)Ow=='));

I decoded the footer, and it was "only" the original footer with two additional links to spam sites, together with the associated keywords. It could just as well have been harmful code that makes it possible to break into your blog, for example. What exactly the code does cannot be seen by a person without profound coding expertise.
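The decoding step described above can be done without ever running the file. As an added example (not code from the original post), this Python sketch finds `eval(base64_decode('...'))` literals in a theme's PHP files and returns the decoded text for review; the function names and the sample footer are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# eval(base64_decode('...')) with a quoted string literal as the argument.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)
# Calls in the decoded layer that mean another round of unpacking follows.
NESTED = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|strtr)\s*\(", re.I)


def decode_layers(php_source):
    """Return one finding per eval(base64_decode('...')) literal.

    Nothing is executed: the literal is only base64-decoded to text.
    """
    findings = []
    for match in EVAL_B64.finditer(php_source):
        literal = re.sub(r"\s+", "", match.group(2))
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            # Looks like the pattern but is not valid base64: flag it anyway.
            findings.append({"offset": match.start(), "decoded": None, "nested": []})
            continue
        nested = sorted({m.group(1).lower() for m in NESTED.finditer(text)})
        findings.append({"offset": match.start(), "decoded": text, "nested": nested})
    return findings


def scan_theme(theme_dir):
    """Map each .php file under theme_dir (relative path) to its findings."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        hits = decode_layers(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(theme_dir))] = hits
    return report


def constructed_sample():
    """Constructed stand-in for a tampered footer.php (not the post's payload)."""
    inner = "$_X=base64_decode($_X);eval($_X);"
    encoded = base64.b64encode(inner.encode()).decode()
    return "<?php $_X='CONSTRUCTED';eval(base64_decode('%s')); ?>" % encoded
```

A non-empty `nested` list means the decoded layer unpacks something further, so the file needs a closer manual read before the theme is installed.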

Imagine that it is possible to break into the blog, or potentially damage the entire web space of the server. I wouldn't like to pay the invoice of your provider for the damage and surely don't want to lose my whole website and files. And all this because you wanted to save $59!

If you want to have a special theme, buy it! The theme developer also provides support within the $59, and many developers also help with customization, updates and much more. A pretty good deal in my opinion.

So take the advice and buy a premium theme rather than downloading it for "free" somewhere else. The same also applies to premium plugins.


24 comments

  1. David Coveney

    While I don't think there's a great moral dread in redistributing premium themes (so long as they're GPL, so redistribution is a right) it's worth making sure you get those themes from reputable sources.

    The most reputable sources are the originators.

    But you can't really accuse someone of getting some GPL code for free of being a thief. And I'm someone running a themes club that will, at some point, be placing some of our future GPL themes behind a paywall.

  2. SHG

    If it's GPL, it's not stealing.

  3. redwall_hp

    @David Coveney: Not so. GPL'd themes, for the most part, are licensed with two licenses: The PHP is licensed under the GPL, but the images and stylesheets are not. If you obtain a copy with the original images and CSS, you're breaking the license terms.

  4. JohnONolan

    Not 100% accurate redwall, I know where you're coming from but a lot had changed recently and most premium themes companies including the biggest ones (StudioPress, WooThemes, etc) are now fully GPL including CSS and images.

    They didn't all start out that way it was more along the lines of what you described - but that's how they are now!

  5. Bill Robbins

    This really doesn't have anything to do with the GPL--it's about knowing the source of your software. If you acquire a theme, plugin or whatever from a source other than the author, you could be putting yourself at risk. That's the point. Is saving $20 to $80 worth losing your site?

    About theme licensing, it should be noted that the themes listed in the Commercial Themes directory on WordPress.org are not dual licensed. The images and css are required to be GPL as well in order to be included there.

  6. David Coveney

    @redwall_hp If the club is listed on the WordPress.org site then they've had to go the full GPL route, including the images.

    Caused us no end of pain because licensing images and artwork for GPL is far more expensive than for limited use. It meant that some of our plans had to be put on hold as our cost base suddenly shot up.

    Others may be dual licensing.

  7. Brian Gardner

    Alright, let's not kill (yet again) another good post and potential comment thread with the GPL argument. I think the underlying idea Michael was trying to portray here - and possibly should have titled the post "Why you should purchase a premium theme from the original author" - is that you run a risk with injecting your site with malicious code or spam links if you don't get it from the original source.

  8. Brian Gardner

    Misspelling your name in the email line will no doubt result in a stock Gravatar. Let's see if this works better. :-)

  9. Alex

    redwall_hp is right. You are using WordPress for your blog, but does it mean your content is also GPL and free to be copied? I don't think so. You have to separate those things. Also Brian saw the real meaning of this post. If you get it from somewhere you don't know what is in there. :)

  10. Bill Robbins

    @alex. The GPL licensing has to do with the themes, not your site's content which you can copyright. They are two different things.

  11. Michael

    I agree with Brian. Not another GPL discussion. That is not the point. The point is the risk of downloading a theme or a plugin from unknown sources.

  12. Alex

    @Bill, I know! It is the SAME different thing as with images and design, which is included in a Premium WordPress Theme. But like Brian already said, let's not get started with the already boring never-ending GPL discussion. :)

  13. Bill Robbins

    I've never attempted to download a commercial theme from anyone other than the author, but I've never tried to download Photoshop from anyone other than Adobe either.

    With such vast amounts of malware out there, why wouldn't I assume that someone has altered the code to steal my data, push their site, or just make my life miserable?

  14. Kenneth Younger

    I think this bothers me more than anything else out there regarding IP.

    You do not STEAL when you copy something that you shouldn't. It is called infringement, and it is fundamentally very different than stealing. One deprives the owner of property, the other doesn't.

    It's important to use the right terminology when dealing with these issues, as not doing so means potentially conveying the wrong meaning to those that don't understand the issues and technology behind the issues.

    As most have pointed out, in this case it's not even infringement because the GPL was used on the original theme.

  15. Alex

    @Kenneth, the header might be a little bit confusing for some; infringement or stealing - we are splitting hairs.

    We just wanted to show the risk if you USE a theme from a dubious source, which is not from the originator of the theme. That's all.

  16. Wordpress Guy

    Hmmmmmm. I *love* the smell of FUD in the morning.

    1. There's no such thing as stealing a theme (unless it is in a shrink-wrapped box in a store).

    2. You can't steal something that's licensed under the GPL anyway. (exception see 1).

    3. This just shows there is a need for a reputable site that distributes premium themes freely and as intended under the GPL. Someone want to set up free-premium-themes .com?

  17. Leland

    Back to the actual point of the article, this is definitely an important issue, but the problem isn't exclusive to premium themes. Free themes with malicious code added by third-parties are likely much more widely used.

    Do a search for "wordpress themes" in Google and I'm sure you'll find a lot of rogue theme repositories which host (already) free themes with added malicious code. Unfortunately a lot of people unknowingly use these themes, thus making their site vulnerable.

    I think the title would be better suited as: Don't download themes from untrusted sources.

    Themes hosted on WordPress.org can usually be considered safe. They are hand checked by a moderator after they are put through a number of automated checks.

  18. Christina Warren

    I'm with Leland -- the issue isn't exclusive just to premium themes (regardless of what license they are under), but themes in general. In fact, that was a big issue with the first iteration of the WordPress themes directory and the unofficial directories that got a lot of the traffic.

    The problem is, a lot of new users might not know where to go to get a theme by an original author. If a site has a link to something, says "download here" -- people who don't know how vulnerable PHP can be to this stuff might not know any better.

    Although it would be more difficult for the code to actually offer a backdoor to your site (frankly, it shouldn't be able to do that -- if it can, then that's a much larger security bug that should be addressed with WP Core), the spam links in the footer are still things you don't want.

    It's good advice to all users to be aware of where you are downloading your theme from -- just because something looks legit doesn't mean it is.

  19. Boni

    Yeah, stealing other works is not good.

    I think it is better to use paid version. It is cheap enough, and the best part is you can get the update of the themes, and you can have consultation with the developer to modify the themes as you want.

  20. Christian

    Ok...So a long thread about the dangers of using bad code in stolen themes...
    When long, strange code is at the bottom of tons of free themes on line. Hell, everything from webhostingfan.com seems to have these long "safety codes" to "prevent others from replicating their sites"... in truth it's just to continually perpetuate their back-links. I agree with you in regard to the hot copies, but think this can happen with anything not in the codex

  21. lintang

    well, i pay for the support, i don't think it's GPL'ed :)

3 pingbacks

  1. WordPress Premium Themes from Dubious Sources - Malicious Code, Theft, Exploit - dynamicinternet
  2. Stop Downloading WordPress Themes from Shady Sites | Theme Lab
  3. DO NOT download WordPress themes from untrusted sources | Themes | WereWP