Anyone who operates a WordPress, Joomla or Drupal site should exercise extreme caution when selecting themes and plugins. You should assume that any commercial theme or plugin offered for free contains malware.
Popular Content Management Systems (CMS), including WordPress, Joomla and Drupal, can be customized through the use of themes and plugins. A theme is a collection of styles and other files that modify the default appearance of a CMS. A plugin typically adds specific functionality to a CMS. Many CMS themes and plugins are available for free, but the commercial ones are among the most popular, since they often include more and better features.
As with all commercial software, CMS themes and plugins are sometimes copied and offered for free on pirate sites. Unfortunately, it’s very easy for a theme or plugin to be modified so that any site using it can be compromised and then used for illegal activities.
The people at Fox-IT recently published a document describing “CryptoPHP” (PDF) – malware that is showing up on CMS sites with alarming regularity. They traced the source of the malware to thousands of themes and plugins that had been modified to include a single line of PHP code that allows CryptoPHP to infect any site that uses one of those themes or plugins.
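Because the backdoor hides in one extra line inside an otherwise legitimate theme or plugin, the practical defence is to review the PHP files before deploying them. The scanner below is an added example written for this post; it is not code from the post, from Fox-IT or from any CMS project, and its two heuristics are my own choice rather than signatures taken from the CryptoPHP report: it flags `include`/`require` statements whose target is not a `.php` file (legitimate themes do not pull images in as code) and `eval()` wrapped around a decoding function such as `base64_decode()`. The sample theme tree it scans is constructed inside the script, so it runs offline.

```python
"""Heuristic pre-deployment scanner for CMS theme/plugin PHP files.

Added example for this post (not the post's, Fox-IT's or any CMS project's code).
Every hit means "review this line by hand", not "this is malware".
"""
import os
import re
import tempfile
from dataclasses import dataclass

# include/require/include_once/require_once followed by a quoted path.
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# eval( <decoder>( ... : eval over decoded data is a common obfuscation wrapper.
EVAL_DECODE_RE = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
# Extensions that should never be the target of a PHP include (heuristic list).
NON_CODE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".txt", ".css", ".js"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the scanned root
    line_no: int   # 1-based line number inside the file
    reason: str    # why the line was flagged
    line: str      # the offending line, stripped


def scan_php_source(path, source):
    """Return a list of Findings for the contents of one PHP file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in INCLUDE_RE.finditer(line):
            target = m.group(3)
            ext = os.path.splitext(target)[1].lower()
            if ext in NON_CODE_EXT:
                findings.append(Finding(
                    path, line_no, f"include of non-PHP file {target!r}", line.strip()))
        if EVAL_DECODE_RE.search(line):
            findings.append(Finding(
                path, line_no, "eval() over decoded data", line.strip()))
    return findings


def scan_directory(root):
    """Walk a theme/plugin tree and scan every .php file beneath it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_php_source(os.path.relpath(full, root), fh.read()))
    return findings


def build_sample_tree():
    """Create a constructed (fake) theme directory so the example runs offline."""
    root = tempfile.mkdtemp(prefix="theme-demo-")
    os.makedirs(os.path.join(root, "inc"))
    files = {
        # One clean require plus one image being included as code (constructed).
        "functions.php": "<?php\nrequire_once 'inc/helpers.php';\n"
                         "include('assets/images/logo.png');\n",
        # Perfectly ordinary helper file; should produce no findings.
        "inc/helpers.php": "<?php\nfunction demo_helper() { return 1; }\n",
        # Obfuscation wrapper; the payload here is just base64 of 'hello'.
        "inc/loader.php": "<?php\neval(base64_decode('aGVsbG8='));\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for f in scan_directory(demo_root):
        print(f"{f.path}:{f.line_no}: {f.reason}\n    {f.line}")
```

Point `scan_directory()` at an unpacked theme or plugin before copying it into `wp-content` (or the equivalent for Joomla or Drupal). A clean result does not prove the package is safe, which is why the recommendation below to obtain packages only from the developer or a reputable repository still stands; the scanner only catches the cheap, obvious insertions.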
Recommendation: if you operate a CMS site, do not use any commercial theme or plugin that is offered for free. Make sure you obtain themes and plugins from the developer/author, or from a reputable source like wordpress.org.
There’s more information over on the Wordfence blog.