Blog Post

Beware of pirated plugins and themes

Many WordPress users, in the attempt to save some money, instead of purchasing plugins (or themes), they are searching for pirated versions of popular premium plugins and themes and use them instead.

Pirated plugins and themes

Most pirated plugins and themes include more than just a plugin or theme, they include hidden code that will infect the website as soon as the plugin or theme is activated.

Themes from popular theme developers studios and especially themes from ThemeForest and the main target for many websites illegally distributing software. Plugins like Gravity Forms, or Yoast SEO, plugins from CodeCanyon and even some free plugins, are very popular for illegal download too. And, many of my own plugins ended up with pirated versions.

In recent months I have seen increased number of reports that GD bbPress Toolbox Pro and GD Rating System Pro are available on various websites distributing pirated plugins and themes. There were hundreds of download links for different file hosts, some easy to download, some with some sort of click baits, many of them flagged by Google and anti-virus software.

If you wonder how premium plugins and themes end up being pirated, there are two usual ways for that:

  • Pirates gain access by chance to the website that uses premium plugin or theme, they download it from there.
  • In many cases, they purchase plugins or themes to gain access to download, usually with stolen credit cards, so the purchases get refunded, but the plugin or theme is already downloaded and ready for distribution.

How malware works?

To see what is being distributed, I have download GD bbPress Toolbox Pro from one of these websites. I have downloaded few other popular plugins, and they all contained similar malware.Prepared to what I might get, I tried installing the plugin on the isolated local server. As soon as I have activated the plugin, the website crashed. So, I have run the analysis to see what happened.

The malware code embedded in the plugin has created some new files, replaced some default files and modified functions.php in all themes that it has found. But, that is not all. The code finds the server root and searches for any other WordPress installation, and infects all of them!

The first step this malware takes is the creation of wp-cd.php file in the WordPress wp-includes folder, and modification to post.php to add a line to load the wp-cd.php. And, as soon as WordPress loads the post.php file, malicious code is executed. In some instances, load part of the code is added to several other WordPress files (canonical.php, taxonomy.php…). File wp-cd.php contains part base64 encoded PHP code and part normal code. When the wp-cd.php is executed, it will search WordPress themes folder for all themes, and in each theme, it finds functions.php file. At the beginning of this file, it will place decoded version of the base64 encoded PHP code, and it will restore last modification time for this file to cover up its activity.Once it does that for all themes, it will contact its host website (you can see the URL in the screenshot below, lines 42 and 43). Malware code sends installation data to that host so that owner of the malware code can use it to access your website (or maybe it is done automatically, that part doesn’t work on the localhost, only on live websites).

Once it does that for all themes, it will contact its host website (you can see the URL in the screenshot below, lines 42 and 43). Malware code sends installation data to that host so that owner of the malware code can use it to access your website (or maybe it is done automatically, that part doesn’t work on the localhost, only on live websites).

Piece of the malware code
Piece of the malware code

From this malicious host, the malware code downloads another piece of code that is used to completely replace WordPress core class-wp.php file. This code will effectively replace the loading logic WordPress uses to generate the page. In the end, wp-cd.php will change itself to remove delivery code, and it will disable all error reporting, masking any issues that malware might run into. And, once that code in class-wp.php is executed for the first time, it will create a new administrator user account with predefined password and username that will use later on.

As for the code in the functions.php theme file, this code is triggered by the HTTP request from the malware code owners and that code can do few things: it creates new database table where it stores its content, modifies content of all posts in the database to include some own code and links, and it can generate HTML displaying their own content instead of your website content.

All this code is very convoluted, encoded and hard to understand at times, but it also is written for the specific type of server configuration. It was created to use ‘mysql_escape_string’ function. This function belongs to old MySQL extension in PHP, and it is not used by every hosting. Depending on configuration many hosts have switched to PDO MySQL extension, but even with that, the old extension might be active too. If you run PHP 7.0, this extension is completely removed, so the malware code will not be completely effective. Still, it will make a mess of many things on your website.

How to clean it up?

This is the important part. How to remove this malware once it infects your website? Safest thing is to replace all WordPress files with clean files, delete wp-cd.php, check out all themes functions.php, and replace them with the clean file for each theme. And finally, remove pirated plugin or theme you used in the first place. But, if you run the older server setup, your database will be infected as well. Cleaning that might prove very hard, considering that each post you have will be modified by this malware. This malware was designed to infect older, less reliable hosting companies hosted websites that will not be quick to respond to the infection.

Other malware types

Many users are not experienced enough to recognize the malicious code. The example here is just one of hundreds of variations that are out there. Some will display ads, some replace your content and ask for ransom to unlock it, some will delete everything your website has, some will steal your users’ information. And, all these malware are ever evolving. I expect that in a few weeks this malware will work fine on PHP 7 with updated code. And it will do some more damage to your website, most likely.

Also, some malware can target specific plugins you might have (security plugins, file scanners), and disable them. So, even if you have security plugin that should detect file changes, it can be completely useless once the malware code has disabled it.

WordPress security and malware

WordPress is a very secure system. If you use some good security plugin to harden the security further, your website will be protected against all sorts of attacks. But, if you install malware yourself by installing pirated plugin or theme, then security systems are irrelevant because you have introduced malware yourself, you allowed it to modify WordPress and make it insecure. No matter how well website is protected, it can’t fight back if website owner deliberately adds malware code to it.

Even if you don’t know that plugin you have installed contains malware, you are to blame, because you have knowingly downloaded plugin from the suspicious website, and you have installed such plugin (or theme). And, all the security systems you have will fail due to the human factor.

How to protect your website?

There are few things you need to know:

  • Use reliable hosting companies to host your website! They will always run latest server software, latest versions of PHP and MySQL and that will ensure that server specific exploits will not work.
  • Update your website regularly! This will ensure that WordPress core is always secure and containing updates to fix potential security holes or other problems. WordPress development team is quick to fix any security issues and it is essential to run latest WordPress versions.
  • Download WordPress from only! Never download WordPress from another website, you might end up with the website full of malware from the moment you install it.
  • Download free plugins from only! There were few instances in the past where malicious users tried to distribute malware through plugins, but in general, is safe, and maintained by many dedicated developers that will react quickly to any malicious activity.

And since this article is related to malware in the pirated premium plugins and themes, this part is critical:

If you need a premium plugin or theme, buy it from the developer directly, and download it from developers website only! By buying the premium plugin or theme, depending on the developer, you get support, access to the knowledge base and other support resources, you get regular updates with new features and fixes. If you decide to save some money, and download pirated plugins and themes, you can end up loosing your website and your hard work, and you will maybe, end paying someone to clean up your website. And, if that happens you can only blame yourself.

Most premium plugins and themes are fair priced, and that price reflects hard work developers invest to make the plugin or theme and to support it.  I understand that the price might be high for some users, but, most developers offer discounts, especially around important holidays, and there is always a way to save some money and still get a full premium product. In the end, the price you pay will never be as high as the price you might end up paying by using pirated plugins and themes.

Please wait...

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.

This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Latest From The Blog

license management

License Code Validation and Management

Dev4Press License validation system updates will soon be deployed, including license code management via the Dev4Press Account Dashboard. All updates will be deployed on April 14, 2024.
panel options

In Development: SweepPress Pro 5.0 and Lite 3.0

In about two weeks, brand new, significant updates to SweepPress Pro and Lite plugins will be released, bringing several game-changing features to WordPress cleanup and maintenance tools already included.

GD Press Tools Pro 6.3

The new major release for GD Press Tools Pro, version 6.2 is here, and it brings some major changes. First of all, the plugin has two addons less, one addon is added and one more addon has been deprecated (but still included for now).

9 thoughts on “Beware of pirated plugins and themes”

  1. Thanks a ton mate. I just received an email from Wordfence that class.wp.php was infected. I checked my host and observed that all of my blogs had class.wp.php which had obfuscated code. I decoded it and came to know that it was inserting users into database. I then came across your post and I also removed wp-cd.php file from all my blogs. I then edited all post.php files and removed the code which was calling wp-cd.php. Could you please let me know what else should I do?

    Please wait...
    • Thank you for sharing your experience. You need to remove whatever plugin (or theme) did this in the first place. Replace all WordPress files, check all themes for extra code and all plugins too, best to remove the and upload clean files. Remove users added by this malware. And, stop downloading pirated plugins, the price of the plugin is not worth getting your website destroyed.

      Please wait...
      • Thanks for the quick response. I appreciate it.

        Isn’t there an alternate way to scan all files on cpanel for “malicious code injector”? I have multiple blogs running on shared host.

        How about the possibility of malicious code in database? If the db is hacked then how would I know which fields/tables need to be removed?

        BTW I have created a ticket on hostgator support asking them to scan all the files and database for malicious code.

        Please wait...
        • There are some security plugins that can do that, but they are usually checking only if files are changed in some way, and the process is not 100% reliable.

          Please wait...
          • Alright. Thanks again for the article and your inputs.

            Please wait...
  2. MillaN, thank you so much for your article, helped me a lot and I clean my website. I will never use pirated plugins again – is like you said, you can be without money, but even so: “In the end, the price you pay will never be as high as the price you might end up paying by using pirated plugins and themes.” Fortunately, I payed for the theme and many plugins, but I got infectect by one, just one that I thought I could get for free. Now I learned.

    Please wait...
  3. By the way, I respect a lot the work of programmers and developers and I think everyone should receive for their hard work. Otherwise, it is not fair at all. Thank you again.

    Please wait...
    • Thanks for the comments Ana! People usually don’t understand how much work it takes to make the plugin or a theme. And, there are markets that sell plugins for next to nothing and that changes users perspective on the price the plugins or themes should have.

      Please wait...
  4. Great explanation on how malware works in infecting your site and what to do about it. Having decent WordPress security processes in place can certainly save a lot of time wasted on avoidable problems.

    Please wait...

Leave a Comment

GeneratePress - The perfect lightweight theme for your next project
SiteGround - Managed WordPress Hosting