Using freely obtained premium eCommerce plugins & themes – are they worth the risk?

Premium themes and plugins: if you sell them you'll know that most of them eventually end up on file sharing sites, which in terms of the GPL is perfectly legal. But should you use them?

I was prompted to write this post after dealing with a shop owner who had installed several plugins and a theme, all downloaded from a dodgy file sharing site in this manner.

Seeing what’s out there

I chose a random WooCommerce theme (Superstore) and went to grab it from a site called "Mafia Share". Aside from being bombarded with distasteful ads, scams and dodgy software downloaders during my visit, the theme I downloaded was neither clean nor up to date.

Modified source code

This particular theme had a few modifications, mainly adding links, but also changing the copyright notices (a GPL violation). The header and footer were both tweaked to include crap like:

(Screenshot, taken 2013-12-05 at 17:00, of the links injected into the header and footer templates; image not reproduced here.)

Version 1.0

The version of Superstore I was presented with was version 1.0 from March this year. A 9-month-old theme is unlikely to be compatible with WC 2.0, and it's not like you can update these themes automatically after installing them. Old themes can be vulnerable to attack if unpatched, as can any plugin dependencies you are forced to keep at old versions because of the theme.


You don’t know what you are downloading

The theme I downloaded was relatively harmless, albeit useless, but you cannot be certain that this is always the case, especially if you don't know PHP. Malicious code could be sneaked in, and you won't know unless you go through every file with a fine-tooth comb.

Who’s going to support you?

If you download something from a sharing site, you have no support: the author won't help you (it's not their place to) and it's unlikely there is a community behind it to help you either.

Same for updates: you'll have no access. If a security issue is patched, or a dependency is updated and is no longer compatible, you are not only screwed but vulnerable.

You are putting customers at risk

If you are using plugins obtained in this manner, you are putting unaware customers at risk of fraud. If there is something malicious in that theme or plugin which steals data, during checkout for example, it's dangerous and you are ultimately responsible.

Even unintentional issues can affect you. Example: there was a theme on Themeforest a while back which mistakenly saved all POST data during checkout as plain text to a post. Accidental, yes, but a huge security risk. Now, if this theme is still out there on some sharing site... well, it's scary to think some idiot could be using it.

Don’t be irresponsible

The risk is too great unless you are 100% certain the files are safe and unmodified, which is unlikely. Particularly with eCommerce, you risk breaching customer trust, losing their data and your livelihood, all of which will cost you more in the long run than a licence ever would.

Don’t risk it.


Mike Jolley is a tech hobbyist, astrophotographer, retro gamer, and software engineer who works at Automattic and contributes to open-source projects such as WordPress and WooCommerce.