Hoodwinked: Dodgy Free WordPress Hosting, Themes, and Plugins

If you’re on wpmu.org, you’re probably a WordPress fan. How could you be otherwise? WordPress is an open-sourced “Jack of all trades” website builder. It can do anything.

Unfortunately, not all online freebies are as benevolent. What looks edible might actually kill your website. So hold it, Little Red Riding Hood. Before you start foraging for free hosting, themes and plugins, read these cautionary tales from the world-wide woods.

Little Red Riding Hood in the woods

Free-Hosting Services

If you’re starting a new blog or business, the free-hosting service you’ve found in the world-wide woods seems attractive. After all, why pay for the roof over your head, when you can get it for nada? But will your free-hosting service properly house your website or is it a gingerbread house, a hosting trap for the unwary? Let’s have a look at some possible scenarios:

1. The free-hosting service points you to your room, which is the linen cupboard under the stairs. 

Some free-hosting services offer you the online equivalent of a Japanese capsule hotel room. Finitesite.com really is finite in the amount of space it provides: 20MB for free subdirectory hosting or 10MB for yourdomain.com hosting. 

Webhosting-for-free.com is slightly more generous with its 100MB disk space and 1000MB monthly data transfer. This may suit you fine if your website is text heavy with minimal traffic. Start throwing in sound clips, videos, or high-resolution images and you’ll soon outgrow your space. If you build enough web traffic, you may also outgrow your bandwidth. You’ll either have to upgrade to the free-hosting service’s paid plan or relocate.

2. The facilities are basic. 

Tortoise gets nudged by a hare
The tortoise and the hare: free hosting is usually sluggish when compared to paid hosting from the same provider. Speed (or lack of) encourages free-hosting users to upgrade. Image credits: BAD RABBIT INC.

Some free-hosting services support 1-click install but limit the type of script. For instance, biz.nf only supports WordPress and Joomla.

Uptime and speed can also be less reliable when compared to paid-hosting services.

3. There’s not much help around the house. 

Support is limited. Profreehost.com does not provide phone, email or livechat support to its free account holders. If there is support, expect tardy response times: 100webspace.com guarantees a response within an hour for paid accounts, but they’ll leave free accounts hanging for up to 6 hours.

4. You must live by the house rules.

Free-hosting services like webng.com and sitepalace.com won’t let you run your own ads.

Imbahost.com discriminates on geographical location, blocking users from countries like Brazil, China, India, Nigeria, Somalia, Taiwan, and Iran.

Some restrict upload file sizes; others restrict upload file types. Byethost.com restricts the size of uploads to 10MB, whilst nofeehost.com does not support .exe, cmd, .bat, .dll, and .scr.

But host-ed.me has the most impressive rule list by far, sporting restrictions like “Max 1 email per hour,” “File storage is not allowed,” and “NOT to contact us [host-ed.me] over the chat unless interested in upgrading/signing up for [a] new…paid hosting account.” They will also terminate inactive accounts:

A free hosting account with us is marked for suspension either if you have less than 1 MB of disk space uploaded and/or less than 1 MB of monthly traffic until the end of the current month.

5. The free-hosting service has a habit of leaving the windows open.

An open window poses a security risk
Leaving the windows open: most free-hosting websites do not offer security or backup services, leaving your site vulnerable to attack. Image credits: Angelo DeSantis

Backups and other security features are usually not included. What did you expect? These things cost money plus resources and you didn’t cough up.

6. While money isn’t exchanged, favours are expected. 

Some free-hosting services will put ads on your website, usually in the form of pop-ups, banners, and or links. Examples include topcities.com, huuzy.com, and bravenet.com. They have to make a living somehow.

Others like xetaspace.net will press you into compulsory forum posting.

7. The free-hosting service starts demanding rent money.

Many paid-hosting companies offer free-hosting options to attract potential clients, which is fine until they spam you with upgrade offers or hold your website at ransom until you hand over some money.

Finitesite.com even has the cheek to demand your credit card details for “verification purposes.” Ummm?

"We demand money for houses" protest sign
Show me the money: 100webspace.com advertises its free-hosting as a “fully featured free trial” while biz.nf allows you to “test our webhosting services at absolutely no cost.” Even though both allow you to use your “free trial” indefinitely, chances are they’ll persist with upselling until you give in and upgrade. Image credits: Miami Workers Centre

8. You move in. The free-hosting service drops dead. 

Free-hosting services come and go. Some run out of space and stop accepting members, some scrap their free-hosting plans on purpose to force you to upgrade to a paid plan, whilst the unviable ones simply disappear.

The moral of the story?

Free-hosting services do have their place as developmental and or learning tools. If this is what you’re after, check out free-webhosts.com for a comprehensive list of vendors.

Serious bloggers and businessfolk who want a customisable WordPress should consider spending money on their hosting though. A paid-hosting service isn’t necessarily expensive; it can even be cost effective when compared to the wordpress.com equivalent.

Don’t know which hosting service to go for? Start at Raelene Wilson’s “Web Hosting Review: So Just Who is the Best?” and go on from there.

Free Themes and Plugins

WordPress would be much more restrictive without its themes and plugins. Nevertheless, whilst WordPress’ core code is fairly reliable as long as you use the up-to-date version, themes and plugins are less so. This is due to their third-party nature.

In a recent report, Checkmarx noted that

…any developer can add a WordPress extension to enhance the basic blogging platform. Although there are some set of coding standards and recommendations, there is no security guidance or requirements that a plugin developer needs to adhere to.

So when you come across a free theme or plugin, is it safe to consume or is it a poison apple?

1. It isn’t poisonous but it ain’t fresh either. 

Themes and plugins found in the wild are not as regularly tended as those sourced from reliable sites like wordpress.org.

For instance, a Google search for “free WordPress plugins” brings up the following:

Ithemes.com offers free WordPress plugins.

“Latest Free Plugins” sounds promising. But what does wordpress.org have to say about the matter?

This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

So much for downloading that plugin.

A bunch of rotten apples
A bunch of rotten apples: It’s the same story for the other free plugins on ithemes.com’s list, except for PB-Tweet which is “no longer under active development and does not function due to changes in the Twitter API.” Image credits: Nick Savchenko

A theme or plugin found in the wild may also be an outdated version. This particular website features the 1.02 version of Caroline Moore’s Spun theme instead of the current 1.06 version.

TAC sniffed out some static links in both wild and wordpress.org downloads of Spun v1.02. Both sections of code were identical.

Running both downloads of Spun v1.02 through TAC: the top theme is downloaded from freethemefinder.com, whilst the bottom theme is downloaded from wordpress.org.
Running both downloads of Spun v1.02 through TAC: the top theme is downloaded from freethemefinder.com, whilst the bottom theme is downloaded from wordpress.org.

Exploit Scanner threw up heaps of “CCS style used to hide parts of a web page” for both, but softened its warning with “often used legitimately.” Nothing too scary there! Apart from not being current, this “wild and free” theme seems okay.

Nevertheless, avoid older versions of a theme or plugin. Even if an older version of a theme or plugin does not contain malicious code, it can still contain publicized vulnerabilities.

Earlier this year, a wordpress.org user reported a possible remote code execution within popular plugins WP Super Cache and W3TC. The developers responded by disabling the function in the update.

Anyone who uses the older version of WP Super Cache or W3TC, however, is now an easy target for hackers, since information on the vulnerability was widely disseminated online.

2. Tastes like cardboard?

apple made out of paper
A fake apple: you think its a free theme/plugin but it isn’t. Tasteless! Image credit: FooNar.

WordPress.org themes and plugins are either free or cost money. Unfortunately, some developers aren’t upfront about payment and or restrictions on the free version. You don’t realise that a plugin won’t work or that functions are limited until after the download and install. In advertising terms, this is called a “bait and switch.” We just call it “plain tasteless.”

Take Wapple Architect Plugin for instance. There’s no mention of payment on its wordpress.org page, only mention of a need to sign up for a “Wapple Architect Dev Key”. In order to sign up, you need to pay for the privilege: 5 pounds per month apparently.

3. One bite out of this apple will put you in a glass coffin. 

In its report, Checkmarx also notes, “Since anyone can develop a WordPress plugin, hackers can also exploit this vulnerability to hide their own nefarious plugin.”


Most dangerous themes and plugins are distributed in the wild but some have also cropped up on wordpress.org, usually after a developer has been compromised.

For more on dodgy free themes, check out Siobhan McKeown’s “Why You Should Never Search For Free WordPress Themes.”

Snow White is poisoned by an apple
Beware: some themes and plugins are poisonous. Image credits: Lauren Pollock

The moral of the story?

Instead of gathering free themes and plugins in the wild, download them from well-tended sites like wordpress.org and wpmudev.org. It’s like sourcing your food from the farm gate. You’re less likely to end up with Snow White’s apple or something equally poisonous.

Follow Sucuri’s advice: “use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework.”

Once you’ve downloaded free theme or plugin, test them out on a demo website. This is where you can use your security tools like TAC and Exploit Scanner. Don’t forget to use your eyes as well if you know how to check code. Plugins and programs can only do so much.

Remove any unused themes and or plugins. Just because it’s disabled doesn’t mean that it isn’t susceptible to attacks. 

And make sure everything stays fresh. That means regular updates.

Featured image credits: martinak15.