Managed VPS hosting provider Future Hosting has warned its WordPress web hosting customers to be wary of plugins and themes downloaded from unverified sources. According to the company, many such plugins and themes are infected with malware, a problem also reported by WordPress security researchers at Sucuri. By installing compromised plugins and themes, WordPress website owners expose their users to serious security risks.
Malware is a particular problem for so-called nulled premium themes. Criminals take legitimate premium themes that the developers charge for, insert malware code into them, and release them as free versions. Tempted by the lower cost, WordPress web hosting clients often install these themes, thereby opening their WordPress website to the attacker and any software he or she may want to install.
“We provide hosting for thousands of WordPress websites,” said Maulesh Patel, VP of Operations of Future Hosting. “The WordPress application itself is quite secure, especially when it’s hosted on a secure platform. Most of the WordPress security problems we see are caused by poor management of the CMS, including actions like installing themes from untrusted sources. We strongly recommend that users download themes from official repositories or reputable developers.”
Injecting malicious code into a website is the goal of most attacks against WordPress. Usually that’s difficult to do because the attacker has to find some way to breach the security of the server or content management system (CMS). If users install nulled themes, they’re doing the attacker’s work for them.
Plugins and themes should be downloaded from the official WordPress Plugin Repository or Theme Repository. Premium themes are available from many sources, but WordPress users should ensure that they download from a reputable marketplace, or from the sites of the theme or plugin developer.
Founded in 2001 and based in Southfield, Michigan, Future Hosting is a privately held Internet solutions provider specializing in managed hosting, including dedicated servers, virtual private servers (VPS hosting), and hybrid virtual private servers.