[This post is part of WordPress Security series.]

In an earlier post, I described various ways hackers break into a site. Among them was one titled Nulled Plugins and Themes. This post delves into that topic, defines the criteria of a trustworthy plugin or theme, and suggests ways to judge a plugin or theme in terms of security. If you have implemented all the ins and outs of security tips and tricks but overlooked this aspect of security, nothing else will help!

You can change the default admin username, install security plugins and stay on top of all updates, but security requires endless care. It is never 100%. A site stays 100% secure only if that level of security and extra care is maintained. Today’s topic does not necessarily strengthen your site’s security; all it does is help it stay that way.

Let’s start.

Always Use Official Stuff

In context, official means plugins and themes hosted in the WordPress.org repository. Though anyone can submit a theme or plugin to the official repository, not all are approved. Of course, hackers try to upload malicious themes and plugins. But the WordPress review team doesn’t let them get away with nulled code. This is why you should always download stuff, be it themes or plugins, from the official WordPress.org repository.

Since the official repository hosts over 37,000 plugins, it should have most of the plugins you require, right?

Downloading the same plugins and themes from unofficial sources is, plain and simple, an invitation to hackers.

Author Authenticity and Reviews

Author credibility is a reliable factor to consider. Ask questions like:

  • Is the plugin/theme author someone known and respected in the community?
  • Or someone with a weird name and no human photo?
  • Does the author have any previous track record?
  • How many plugins/themes have they published?


Reviews tell a lot. You should listen to these as well. It’s possible that the plugin/theme has received tons of negative feedback. Read through a couple of reviews. Google the name of the plugin/theme and read what others have to say about it.

Update History

This is a vital point. You should check out the plugin’s update frequency. How often a plugin has had updates tells a lot about the authenticity of the author, right? The good thing about the WordPress repository is that it has sections for Changelog, Support, Reviews, etc. all in one place. Use this information to decide whether a plugin/theme is as good as it claims/seems to be.


Never ever install plugins which have not been updated for 1+ years! They are almost always buggy and likely to break the site.

Check Support Page

Every plugin hosted in the WordPress repository has its own Support section. Check this out. This section is supposed to be the place for plugin users to post their problems, issues and bugs concerning said plugin. If you see too many unsolved issues, complaints and bugs reported, you should reconsider whether the plugin is worth the install.


For Premium Themes & Plugins

Then there are premium themes and plugins. Contrary to popular misconception, premium does not necessarily mean “pure code”. Hackers may package seemingly premium stuff with their malicious code. It’s possible that their landing pages are compelling, full of promises and features, but also possible that said theme or plugin is nothing more than a piece of malicious code!

You should always think twice, even thrice, before purchasing premium stuff. Here’s an incomplete list of things to consider:

  • Author Credibility – It’s the same as the point mentioned above, but applies even more here.
  • Read reviews – Feedback from fellow users should guide your decision.
  • Update history – Premium plugins tend to update more often than freemium ones, so check this bit as well.

Ways to Detect Malicious Code

Theme Authenticity Checker – TAC scans all installed themes for potentially malicious code. If it comes across suspicious code, it reports the path of the source file and the line number, and highlights the suspected portion of code. Though TAC may flag a piece of code, it still emphasizes that just because some code has been found doesn’t mean it’s a threat. It suggests contacting the theme/plugin author before removing such code.
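To make the kind of report described above concrete, here is a small added scanner (my own illustration, not TAC’s code or its rule set): it walks a theme directory and, for each hit, prints the file path, the line number and the line with the flagged fragment marked. The pattern list and the footer.php sample are constructed for this example; as with TAC, a hit is a prompt to review the code, not proof that it is malicious.

```python
import os
import re
from typing import List, Tuple

# Constructs worth a manual look in theme code. Honest themes occasionally use
# some of these too, so treat every hit as "review this", never "delete this".
# This list is the example's own choice, not TAC's actual rule set.
SUSPECT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "shell_command": re.compile(r"\b(shell_exec|system|passthru|exec)\s*\("),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"),
    "hidden_link": re.compile(r"<a[^>]*display\s*:\s*none", re.I),
}

Finding = Tuple[str, int, str, str]  # (path, line number, pattern name, marked line)


def scan_source(path: str, text: str) -> List[Finding]:
    """Report each suspicious line with the matching fragment wrapped in >> <<."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SUSPECT_PATTERNS.items():
            m = pattern.search(line)
            if m:
                marked = line[:m.start()] + ">>" + m.group(0) + "<<" + line[m.end():]
                findings.append((path, line_no, label, marked.strip()))
    return findings


def scan_theme_dir(root: str) -> List[Finding]:
    """Scan every .php and .js file below a theme directory (e.g. wp-content/themes/x)."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith((".php", ".js")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(full, fh.read()))
    return findings


# Constructed sample: a footer.php of the shape nulled themes are known to ship.
SAMPLE_FOOTER_PHP = """<?php
wp_footer();
$x = base64_decode('aGVsbG8=');
eval($x);
?>
<a href="http://example.invalid/" style="display:none">sponsored</a>
"""

if __name__ == "__main__":
    for path, line_no, label, snippet in scan_source("footer.php", SAMPLE_FOOTER_PHP):
        print(f"{path}:{line_no} [{label}] {snippet}")
```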

Sucuri Security – Sucuri, Inc. is known globally for its services concerning website security, and it specializes in WordPress security. This plugin is free and complements your other security measures. It monitors your site for malware, viruses and malicious activity, and scans it as well.

Premium Stuff for Free Sucks!

There are many sites that provide premium themes and plugins for free. Not only do they violate copyright law and hurt the original author’s income, but they also slip malicious code in behind the scenes. Why would anyone be so kind as to give premium stuff away for free? Of course, there’s a catch! Beware of such sites!


Certain security techniques are applied once, but maintaining that level of security is an entirely different thing. By constantly monitoring your site with the Sucuri Security plugin and scanning newly installed themes with TAC, you do yourself a great favor!
