by | 30 Jul 2015

Can we trust premium themes and plugins?

Many SMEs and online shops use a CMS and a multitude of themes and plugins to run their online platform. It is tempting to adopt the latest cutting-edge technology to provide new features to their customers and stand out from competitors, but at what price? This article covers the risks of premium themes and plugins, as well as effective solutions to better protect your CMS from hackers.

An accelerated and dangerous development process

During the development process of plugins and themes for a CMS (WordPress, Magento, PrestaShop, etc.), developers focus on adding new features and reducing costs and development time to meet the expectations of their community.

Developers overlook the dramatic consequences that an accelerated development cycle has on the security of their products. By using those products to promote your online business, you take on that exposure yourself.

Most often, a theme or plugin is released with exploitable vulnerabilities. Hackers pick it apart and easily identify the breaches left by developers. And the more popular the theme or plugin you use, the more you are at risk.

I am pretty sure that you are using or have used a plugin from the following list: Jetpack, WordPress SEO by Yoast Analytics, All In One SEO, Gravity Forms, UpdraftPlus, WP-E-Commerce, WPtouch, Download Monitor, Related Posts for WordPress, My Calendar, P3 Profiler, Give, iThemes products, Broken Link Checker, Ninja Forms. Yet all of these plugins have experienced one or more vulnerabilities in the past few months.

Risks of premium themes and plugins

We tend to trust developers to release a secure solution. But security is not their main job, and if no precautions are taken the consequences could be dramatic for your eCommerce platform. We also tend to believe that keeping our plugins and themes up to date is sufficient to protect against web attacks. Is this really the case?

Premium themes on the Envato or ThemeForest marketplaces are pre-built with external plugins (Visual Composer, Slider Revolution, LayerSlider, etc.) which are not usually free. It all comes together beautifully… But when an update is available for one of these bonus plugins, you are not warned, because you do not hold the licence that allows you to update it. It is up to you to manually check that the plugin is up to date and, if it is not, to buy the plugin to benefit from the latest security updates and features. Here is a good example with a theme including $224 of premium plugins:

[Image: ThemeForest capture of the premium plugins bundled with the WP SEO premium theme.]
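One way to do the manual check described above, as an added example that is not from the original article: a Python script that reads the WordPress plugin header (the "Plugin Name:" / "Version:" block at the top of each plugin's main file) and flags bundled plugins whose installed version is behind a reference list you maintain from the vendors' changelogs. The plugin headers and the LATEST_KNOWN list below are constructed sample data, and the assumption that a plugin's main file is named after its folder holds for most but not all plugins.

```python
import re
from pathlib import Path

# The two WordPress plugin header fields we need ("Field: value" lines inside the
# comment block at the top of the plugin's main PHP file).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(php_source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's main file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WP only reads the first 8 KB
        fields.setdefault(key, value)
    return fields

def version_tuple(v: str) -> tuple:
    """Turn '5.0.8' or '5.0' into a comparable tuple of ints (suffixes are ignored)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_outdated(plugin_sources: dict, latest_known: dict) -> list:
    """plugin_sources: {slug: php_source}; latest_known: {plugin name: latest version}.
    Returns (slug, name, installed, latest) for each plugin behind the reference list."""
    outdated = []
    for slug, src in plugin_sources.items():
        hdr = parse_plugin_header(src)
        name, installed = hdr.get("Plugin Name"), hdr.get("Version")
        latest = latest_known.get(name)
        if not name or not installed or latest is None:
            continue  # unreadable header or plugin not in the reference list: skip
        if version_tuple(installed) < version_tuple(latest):
            outdated.append((slug, name, installed, latest))
    return outdated

# Constructed sample headers standing in for wp-content/plugins/<slug>/<slug>.php.
SAMPLE_PLUGINS = {
    "bundled-slider": "<?php\n/*\nPlugin Name: Example Slider\nVersion: 4.6.2\n*/\n",
    "bundled-composer": "<?php\n/**\n * Plugin Name: Example Composer\n * Version: 5.0.8\n */\n",
}
# Constructed reference list; in practice, maintained from each vendor's changelog.
LATEST_KNOWN = {"Example Slider": "5.0.0", "Example Composer": "5.0.8"}

def load_plugins_dir(plugins_dir: str) -> dict:
    """Read <slug>/<slug>.php for every plugin folder of a real wp-content/plugins."""
    return {p.name: (p / f"{p.name}.php").read_text(errors="ignore")
            for p in Path(plugins_dir).iterdir() if (p / f"{p.name}.php").is_file()}

if __name__ == "__main__":
    for slug, name, have, want in find_outdated(SAMPLE_PLUGINS, LATEST_KNOWN):
        print(f"{slug}: {name} {have} is behind {want} - no dashboard notice, update manually")
```

On a real site, replace SAMPLE_PLUGINS with load_plugins_dir("/path/to/wp-content/plugins") and keep LATEST_KNOWN current for each bundled plugin.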

By failing to update these integrated plugins, you are likely to be exposed to SQL injection or cross-site scripting (XSS) attacks.

These attacks allow hackers to deface a website, change its content, or steal critical data. If you run an eCommerce site, this can result in a significant loss of income. You certainly have vulnerabilities in your themes and plugins, and they will impact the integrity, confidentiality and availability of your eCommerce platform.

Solutions to better protect your CMS from hackers

Three tools to protect your CMS against sophisticated web attacks:

Web Application Firewall (WAF): to filter inbound traffic and protect against sophisticated attacks. Using a web application firewall is one of the best solutions to protect your website, in addition to a vulnerability scanner. However, it requires advanced technical skills and its cost is unsuited to SMEs.

Vulnerability scanner: to identify vulnerabilities and reduce the attack surface, used alongside a web application firewall (WAF).

360° cybersecurity solution: to assess the risk level of your site and to protect it against sophisticated cyber-attacks (DDoS, XSS and SQL injection). You may think that this kind of solution is costly and requires advanced technical knowledge, but that is not always true: OZON is a 360° cybersecurity solution compatible with most of the CMS used by eCommerce sites (WordPress, Joomla, Magento, Drupal, PrestaShop …), and requires no technical skill or tedious installation. You are not only protected against sophisticated web attacks, but you can also run regular assessments of your website to patch vulnerabilities until their full remediation.

Do you run an eCommerce site? Are you currently using a CMS? A theme or plugins developed by a third party? Don't know whether you are protected against sophisticated cyber-attacks and fraud? Assess your site's risk level for free with OZON!