Could These "Support" Instructions From Theme Creators Be a Virus?

Is there any possible way this could be a Themeforest author’s theme injected with code to steal customer information in the future?

Long story short I picked up an ecommerce theme from Themeforest for my wordpress domain. I bought it from an established “elite author.” Since the initial instructions and download didn’t get me the results shown in the demo, I contacted them for support on their site (linked from Themeforest). My request was how to get their exact demo page up with images and all so I could reverse engineer it, and replace their images with my own.

Their response was the following:

I send the full demo package and the guide install to you, you follow and install it, it is very easy:

1. Link download: You can download the package here:********************************************.zip

2. The guide to install full demo:

- Extract the file, then upload to your server via FTP or hosting cpanel
(Note that the package includes the core of wordpress). Beside
extracted folder, you should find the sample-database.sql(or
1_schema.sql file and 2_init_data.sql file in folder db). Import it via

- Then, open the file wp-config.php. Fill the database informations.

- Chmod the folder wp-content/themes/{theme_folder_name}/cache_theme and all files, folder to 777.

- Open browser, type Enter your site url( After, go to backend, navigate to Setting > Permalinks and Appearance > Theme Options, save them again.


*Default admin account is: *******/demo

If you have any problems while you install, please let me know, I will check and help you.

Note: Please you download soon because the link download limit access on day.

Many thanks!

My concern is the Chmod instructions with a database. My concern is unpacking some modified version of the themeforest package injected with code designed to take information from customers. Is this an irrational fear? If so, why?

My fear isn’t totally unfounded. On the author’s page within the last week, someone asked about this package after buying it, and said it got blocked and flagged as a virus by their host. This got my radar up obviously.

Appreciate any feedback.


This practice is used by many authors for support tickets. Because some hosting companies do not total grant permissions to the files in your hosting package, and the demo can not be imported. Injections in your mysql can be made but that depends how the author’s intentions.
My advice is to choose another hosting company and self install your demo. is a perfect solution from my experience with import demos .
If you use code “ENVATO” you have 15% lifetime discount.


Thanks for the feedback,

I’m curious, why would I use another hosting company? I’m using Godaddy, but how is that relevant to this question?

Further, the authors on Themeforest are rogue and unpoliced by Themeforest/Envato? They can just run around like bandits using their themes as hacking tools with impunity? Envato lets them do this?


Hmm. It’s strange that why the package they provided need to include the core of WordPress as stated in their note. Actually you should be able to use only the purchased theme package with SQL files to import the data (or just an XML file). Also chmod 777 shouldn’t be used. (More info: .)

Did you ask them the reasons for doing all this?

Godaddy does not let you import images. You must change the permissions on your ftp in 777 and after should amend back as they were. If this does not work the problem may be caused by limited memory.
To import the full demo on godaddy hosting see these tutorials :

1 Like

If you use Mac read maybe solution here (burleyc1 - post) :

Godaddy is a very good company. But because their security systems, I had problems with importing demos. One of them was that : I use Mac (solution here), once because permissions for folder upload and limited memory.

Good Luck!

Does this sound like a reliable answer? It doesn’t sound like it aligns with the responses in here as to why they would need chmod 777. Any insight? I’m having trouble trusting this person.

Thanks for any relevant feedback

Using cache to store dynamically generated CSS based on theme option is likely true, but editing wordpress core file isn’t good. Wordpress themes should work without editing any wordpress core files, and on any version the theme is advertised to support.

You can also try to contact Envato support about this.

My 2 cents… Since when a big company should more trusted than a smaller company when it comes to people informations? as far as I aware, those big boys out there are much more interested by your clints info than the small local coding team. But this is internet, at the end of the day, you can flag any single person that you don’t know