WordPress - WSO Programs - SECURITY!!

22 replies
Hi All!
I have been a member of the WF for only a short time. But I finally made it over to the WSO section to look around. A lot of offers there, for sure.

Lots of WP themes and widgets, programs to install on your computer, etc.
All very nice.

BUT

I have to wonder, is there anyone or a system that checks these for security? I think a lot of people that are not tech savvy may just be installing these without giving any thought to what they may be installing.
As much as we all like to trust people, unfortunately, there are some out there that are not so trustworthy.

Let me give a short example:
You install a theme that you just bought from someone you have never heard of before. You use this theme on your WP and begin building your list.
Now, What IF the developer of this theme created it to not only supply you with a theme, but also wants to gather all of your WP information, including all of members, etc.? Have an ecommerce store? It sure would suck to be sending credit card information to your merchant account and to your theme developer, wouldn't it?
It would be Very Easy to do such a thing.

Once you install the theme, they now have access to all of the content that you have in your WordPress database and even everything that is sent from your website.

You think that is bad? What about giving someone access to everything on your PC? When you install an untested program that you just got a great deal on, what makes you think that you are not sending whatever information that they want to the developer? It is not hard to do this. In fact it is very easy.

I'm not saying this is happening here, but I am sure that it has happened. There are just too many dishonest people out there to trust everyone.

So be very careful when you decide to try a theme or widget or program that is new and untested. Do some checking to see who exactly you are buying from. If you cannot verify the person in some form or another, I believe I would pass the product by.

Just thinking out loud.

Have a wonderful night!

JL
#programs #security #wordpress #wso
  • wfhblueprints
    Certainly some food for thought, Jesse!

    I would hope that people developing ecommerce sites would go down the route of using established, robust platforms to prevent that sort of data being shared about, either accidentally or maliciously.

    It might be an idea if someone created a way of certifying plugins/themes/software as safe and allowing them to receive a certificate of compliance. That way we'd know first hand that they've gone through extensive testing and are fit for purpose.

    Seems like I've given someone a potential business model.

    Regards

    Chris
    • Daniel Elss
      Great thinking, Jesse. I have thought about this myself when purchasing a plugin, from WF or straight from installing from WP. You'd think being an IT guy I would take it a little more seriously, but I also give close attention to the developer, reviews, ratings, etc. That's not to say they all of a sudden decided they earned the trust of hundreds of people and decided to throw in a little malicious code.
      If it's a theme or plugin, and a person wants to make sure it's safe, it'll be a perfect time to start learning code.

      PS - WP Exploit Scanner
  • WillR
    The other issue with buying a lot of the WordPress themes and plugins sold as WSOs is the update issue. A lot of them end up being unsupported just weeks or months after they are sold.

    You are best buying themes from people who are actually WordPress coders and do it for a living. The problem with people selling them on this forum is that they are just outsourcing the work in most instances and just want the profit. Once they get the money they move on to the next project.
    • Claire Koch
      I hear your concerns, but you are just talking about your computer and the web in general. All you have to have is a wifi or hard connection to the internet and people are all over your computer.

      That's why we install security on our computers. Your security should show you that the program has a virus in it and wipe it off your computer. I recommend you get a refund after that.

      It's our computers that do the work, but even the best security cannot catch everything. This is like the thread I found in a group of mine where they were freaking out over spam.

      Some things are out of our control, unfortunately.
    • UMS
      Originally Posted by WillR

      The other issue with buying a lot of the WordPress themes and plugins sold as WSOs is the update issue. A lot of them end up being unsupported just weeks or months after they are sold.

      You are best buying themes from people who are actually WordPress coders and do it for a living. The problem with people selling them on this forum is that they are just outsourcing the work in most instances and just want the profit. Once they get the money they move on to the next project.
      I agree 100% with this.

      When I am looking to get a new theme or plugin (or any software for that matter), I place the level of support and development near the top of my list.

      I can't count the number of times I've had to fix up client sites that used a theme or plugin that looked fancy, but had non-existent support and no updates.
  • Hani D
    Great share, my friend. You are right and I agree with you; you can find the same problem if you use a cracked version of some sort of software.

    • aprilm
      This is a very scary thought indeed. I have never bought a theme or plugin from the WSO section here at WF, so I have no experience with this, but you are right. As a non-techy person myself, I would have no idea if there was a security breach of some sort.

      I always buy my WordPress themes from StudioPress, in case anyone on this thread is looking for a professional company to buy premium themes from. They are very trustworthy, with lots of support and updates.
  • so11
    This is an excellent post!

    It is also important not to confuse your PC security and your website/e-commerce security, as these things are very related and very different at the same time.

    The tools/practices you use to achieve security for your PC will not work for your e-commerce/website/blog business. Many think that your PC antivirus will take care of your website malware problems... wrong! There are many more examples of this...

    Good luck
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
  • PAFoster
    How to Scan Your WordPress Site for Potentially Malicious Code

    Might be useful for anyone concerned. Generally it's hackers accessing your WP site through themes, etc., and not the theme/plugin coders/sellers themselves.
  • WillR
    For those playing at home, a great source of inexpensive and professional looking themes, that are usually supported VERY well because you are dealing with the coders directly, is Premium WordPress Themes, Web Templates, Mobile Themes | ThemeForest
  • andrewpeacock
    Jesse,
    As a WP plugin developer myself, I understand where you're coming from. And it's the reason I never encrypt the code in my plugins. Encryption never really stops anyone sharing the code via the sharing sites anyway, and it just makes it look like there's something to hide (assuming the purchaser knows how to look at code).

    You do have to be careful.


    Peter: I totally understand where you're coming from as well :-)

    Regards,
    Andy
    • SteveSRS
      Originally Posted by andrewpeacock

      Jesse,
      As a WP plugin developer myself, I understand where you're coming from. And it's the reason I never encrypt the code in my plugins. Encryption never really stops anyone sharing the code via the sharing sites anyway, and it just makes it look like there's something to hide (assuming the purchaser knows how to look at code).

      You do have to be careful.

      Peter: I totally understand where you're coming from as well :-)

      Regards,
      Andy
      That is how it should be! If I bought a plugin which was 'encrypted', I would put it out there 100% on purpose.

      I just purchased 2 WP plugins (sorethumb & generation plugin) and I checked the code on both and they check out just fine (no annoying 'encryption', nor was hidden data sent; I didn't check for exploitable issues, though, as that costs a lot more time).

      I've been thinking about setting up a security / penetration testing service here; however, the thing is it costs A LOT of time and A LOT of knowledge. I'm good at it but still very basic. Which means the price tag goes up fast.

      However, I've already seen some 'products' which have various holes that leave them completely open to any abuse.
      • Jill Carpenter
        Originally Posted by Jesse L

        I have to wonder, is there anyone or a system that checks these for security? I think a lot of people that are not tech savvy may just be installing these without giving any thought to what they may be installing.
        As much as we all like to trust people, unfortunately, there are some out there that are not so trustworthy.

        Let me give a short example:
        You install a theme that you just bought from someone you have never heard of before.
        Here is the real problem.
        Why does everyone want the "WSO Classified"(for lack of a better word) to be responsible for understanding and testing every product before allowing an ad to go up?

        What is your rush that you are blindly buying themes from someone you've never heard of before?

        If you don't know who it is from or have any way to verify the person, then don't buy it! WSOs are a specialty type of classified section. That is all.
        Signature

        "May I have ten thousand marbles, please?"

    • KylePeters
      Originally Posted by andrewpeacock

      Jesse,
      As a WP plugin developer myself, I understand where you're coming from. And it's the reason I never encrypt the code in my plugins. Encryption never really stops anyone sharing the code via the sharing sites anyway, and it just makes it look like there's something to hide (assuming the purchaser knows how to look at code).
      Hey Andy, when you say encrypt the code, do you mean base64?

      Many Thanks,
      Kyle
      Signature
      Some cool Graphic web design services and training courses!
  • lanew
    Heck, I just would be happy if we had more WSOs that put out Mac software!
  • CyberSEO
    Originally Posted by Jesse L

    I have to wonder, is there anyone or a system that checks these for security?
    Unfortunately it's impossible to check PHP scripts for security vulnerabilities in automatic mode. Thus this must be done manually by a professional PHP/WP developer.

    I can do such a job for fellow WF members of the whole WSO section (if the WF administration is interested in my services). If anybody is interested in such a service, please don't hesitate to contact me (PM or by email).

    As proof of coding skills, please check my signature. I'm not a newbie.
  • drsst
    Hi,
    I am still an infant when it comes to IM, but I bought a WSO called WP Security and in that package is a .php file that works as a plugin called TAC (Theme Authenticity Checker).
    When it is activated, it purportedly scans all of the theme's code for any malicious code: backdoors, sending info out, etc.
    I am not certain of this, as I have no way of double-checking, but it reports whether there is or not.
    So far nothing suspicious has shown up, but the themes I use are all from reputable vendors as far as I know (WooThemes, ClickBump, etc.).
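A theme-authenticity check of the kind drsst describes, and the base64 "encryption" Kyle asks about further up, both come down to reading a theme's PHP for packed or evaluated code; the scanner below is an added example written for this thread, not TAC's code or any WSO's, and the two footer fragments it scans are constructed, as is the indicator list, which is illustrative rather than exhaustive.

```python
import re
from pathlib import Path

# Indicators of packed or exfiltrating code in PHP theme/plugin files (an
# illustrative list, not an exhaustive one). A hit is a line to read by hand,
# not proof of malice: base64_decode and wp_remote_post have honest uses too.
INDICATORS = [
    ("eval of a decoded payload",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("preg_replace with the /e modifier (runs the replacement as PHP)",
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long base64 literal (typical of packed code)",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("outbound network call from theme code",
     re.compile(r"\b(?:curl_exec|wp_remote_post|wp_remote_get|fsockopen)\s*\(", re.I)),
]


def scan_source(source: str, path: str = "<memory>") -> list:
    """Return one finding per (line, indicator) pair found in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"file": path, "line": lineno,
                                 "indicator": label, "snippet": line.strip()[:80]})
    return findings


def scan_theme(theme_dir) -> list:
    """Walk a theme directory (including subdirectories) and scan every .php file."""
    findings = []
    for php_file in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_source(php_file.read_text(errors="replace"), str(php_file)))
    return findings


# Constructed samples, not taken from any real theme: a clean footer and one
# with a packed block. The "payload" is 128 letter A's, so nothing here runs.
CLEAN_FOOTER = "<?php\nwp_footer();\necho esc_html( get_bloginfo( 'name' ) );\n"
PACKED_FOOTER = (
    "<?php\nwp_footer();\n"
    '$p = "' + "A" * 128 + '";\n'
    "eval(base64_decode($p));\n"
)

if __name__ == "__main__":
    for f in scan_source(PACKED_FOOTER, "footer.php"):
        print(f"{f['file']}:{f['line']} {f['indicator']}: {f['snippet']}")
```

Point scan_theme at an unpacked theme directory (before activating it) and read every flagged line; a theme whose only hits are a vendor's update checker is a different case from one whose footer evaluates a string nobody can read.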
  • There are a lot of companies out there claiming to be "experts" in malware removal as well; we've seen several sites butchered by companies using so-called "automated" scripts to clean client sites - not a pretty sight. There are several free plugins you can use to help secure your WordPress site; what we typically recommend is:

    Mute Screamer
    File Monitor
    Timthumb Vulnerability Scanner
    Secure Wordpress

    They are all free and help you to block malicious activity as well as alert you when something isn't quite right. As far as any automated tools that "look" for malware on your site - stay away unless you're an expert in that area and know what you're looking at.
  • tomerep
    Jesse is typically right. I think you just have to make sure that where you are buying it from is actually the one who really made it, so that if there are problems, like update issues or whatever, you would be able to ask the seller how to solve that problem.
  • sbucciarel
    There are plenty of plugins for WordPress for security, both free and paid, but they don't address malicious code that can be put in before the site is live by "developers" or those who get free WordPress themes and redistribute them, often after putting malicious code in.

    Free themes and themes from unknown developers can be dangerous, but there are some scanners out there that will scan your site for you for malicious code. PA Foster posted a useful link for that purpose:

    How to Scan Your WordPress Site for Potentially Malicious Code

    I buy a lot of themes and plugins and haven't had any problems so far, but I buy from people with a reputation on the forum rather than just anyone. If you're short on cash and have to have a free theme, at least scan it before keeping it.
