Why are cracked premium WordPress themes dangerous?

I know what you’re going to say: “Oh, Alex, you’re just saying cracked premium WordPress themes are dangerous because you want us to use your services!” Well, the truth is, yes, but not for the reasons you might be thinking.

Look, we all want to save money; it’s human nature to want the best deal. I actually did use a cracked premium WordPress theme in the past, knowing there were risks involved, and I ended up regretting it pretty sorely because I had to fix a little hot mess.

Curious? I’ll come right out of the box and say that I had a malicious snippet of code that somehow inserted itself into my live site after months of no updates on my part while I was in South Korea. Porn links started showing up in the navigation menu… Constant vigilance! barked Alastor Moody. (Sorry for the Harry Potter reference. Couldn’t help it.)

Actually, just don’t do it. The fact is, maybe someone hacked my site and inserted that code, or maybe the person from whom I downloaded the cracked premium WordPress theme did it without my knowing or consent.

There are two types of free themes: the ones in the free WordPress theme repository, which are perfectly safe to use; and the ones that have been cracked from premium paid themes and are offered illegally. The WordPress repository tells you when each theme was last updated, so you have a better idea how much support its creators offer (hint: if the last update was more than a year ago, you kinda want to keep searching, as the old code may break your site with the current WordPress version). The cracked ones cannot be updated because they are illegal copies of premium paid themes, and therefore you cannot benefit from security updates or bug fixes. It goes without saying that, without those updates, your site is at the mercy of hackers, as malicious code that gets executed can wreak havoc on your website.

“Free” premium WordPress themes usually come with these risks

  1. Hidden, sometimes dormant malware code, including JavaScript and iframe code that could intrude upon and then break your server at a whim.
  2. Hidden viruses that can and probably will harm your data files. All that hard work, poof!
  3. As I touched upon earlier, there is, more often than not, no technical support on free WordPress themes. WordPress itself is a software install that is regularly updated. Some of these software updates require subsequent theme updates in order to continue displaying your website or blog properly.
  4. Many, in fact most, free premium themes are pirated and hacked, which means the pirate may have surreptitiously added code to hack your website.
  5. More often than not, infected themes generate spam. This is the last thing you want Google robots to see when they crawl your website.
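
One way to hunt for the hidden iframe, script and obfuscated-code injections listed above is to scan a theme's files for them before (or after) installing it. This is an added example, not code from the original post; the indicator patterns, function names and sample footer are assumptions constructed for illustration, and a clean result does not prove a theme is safe.

```python
import re
from pathlib import Path

# Heuristic indicators (assumptions for this example, not an exhaustive list).
INDICATORS = {
    "obfuscated-eval": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*[\"']?[01]\b)", re.I),
    "remote-script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"'](?:https?:)?//([^/\"']+)", re.I),
    "long-base64": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}

def scan_text(text, allowed_hosts=()):
    """Return (line number, indicator name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "remote-script" and m.group(1).lower() in allowed_hosts:
                continue  # script host the site owner explicitly trusts
            findings.append((lineno, name))
    return findings

def scan_theme(theme_dir, allowed_hosts=()):
    """Walk a theme directory and map relative file path -> findings."""
    results = {}
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            hits = scan_text(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                results[str(path.relative_to(theme_dir))] = hits
    return results

# Constructed sample of an injected footer template (hosts are placeholders).
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>
<iframe src="//ads.example.invalid/x" style="display:none"></iframe>
<script src="https://cdn.example.invalid/a.js"></script>
<script src="https://fonts.example.org/f.js"></script>
"""

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE_FOOTER, allowed_hosts={"fonts.example.org"}):
        print(f"footer.php:{lineno}: {name}")
```

Every hit is a line to read by hand: legitimate themes also load remote scripts, which is why the allow-list exists.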

Real-world examples of risks involved

I mentioned earlier that I’d had to fix a little hot mess on this very website a few years ago. Here’s where I ‘fess up and admit it: yes, I had downloaded and used a pirated premium theme, which I’d thought then was “just for a while”, until I found a better theme I’d definitely pay for (I pay for the theme I use now, by the way). My mentality was basically “I haven’t found the one theme, so I’ll make do with this one because it’s convenient and available”. I ended up paying a little bit for my mistake.

When I originally installed the free theme, I already understood the risks involved (even though I wondered who’d want to hack a little nobody’s website), and that I would not be able to update the theme even though it kept asking me to, because it was locked behind an update key wall. So on I trudged, adding my portfolio pieces and a little about me.

And then I went to Korea and didn’t touch my website in over a year, after which I got antsy, started doing some design work, and wanted to update my portfolio. My landing page had been hacked. There was a line of spam where there wasn’t supposed to be. I flipped out, understandably, and went on a hunt to find out where the malicious code was. I deleted it, but wondered if I was sitting on a ticking timebomb. So I changed my password, and decided right then and there to change my theme to a paid one. I’m now using Divi to build my websites, which gives me a heck of a lot more flexibility to create pages how I want them instead of how the theme creator wants them. As such, I’m obviously not going back.

But even scarier than a simple little line of spam on my landing page is a complete takeover. I know someone whose entire business website (a Canadian pastry shop) was completely hijacked by some random clothing store from the UK. The landing page was not theirs, and neither were the links. Everything had been hijacked. Scary, right? Imagine the poor customers wanting yummy pastries ending up with a site they never asked for.

In conclusion

Free themes, or the cracked paid ones you might find on illegal sharing sites at least, are often fraught with malicious code that could do way more harm than a few dollar bills used to pay for a clean copy. The decision is yours: do you prefer paying nothing but fearing spam and hijacks, or do you prefer paying a few dollars but knowing you won’t pay down the line for your bad business decision? The ball is in your court. And hey, if you can’t be bothered to build your site yourself, there are people (ahem) willing to do it for you for a few bucks.