Theme author deliberately withholds code for demo import

I bought a theme today.

After demo import the site doesn’t look like advertised on the theme author page.

I reached out, and there’s a small css code that needs to be added. This addition is intentionally withheld. How do I know?

It appears the goal is, after import, when things don’t look right, you’ll get in touch with support, right? Good, the first thing they’ll do is ask for your WordPress access. I call this B’s because not every website is necessarily a fresh install. Often, it’s a switch from one theme to the other, which means there may be sensitive and/or private info on the server the admin can’t just give access to a random stranger just because they sold them a theme that’s broken to begin with.

Now I’m doing back and forth, and I find such a deliberate move very dishonest and unscrupulous.

There’s a difference between after demo import, something not working as it should vs the developer DELIBERATELY leaving things out so that they can cunningly get access to customer’s admin dashboards.

That’s a very weird move and I find that alarming.

Are you folks handing over your WordPress admin to theme authors? Is this a behavior of theme authors in general?

Of course, I didn’t give my access, but I’m wondering if this isn’t a behavior that should be reported to Envato.


No need to worry.

Getting the Wp-Admin details is generally the most effective way to solve the problem but if you don’t want to share the login details, the support may be a bit slow.

While importing the details, sometimes, the custom CSS codes and some others may not be imported properly. In that case, the author may need to get involved but remember that some of the “demo data” doesn’t have to be exactly the same as the preview.

This sometimes happens and it’s understandable. This isn’t the case. The author knows explicitly that, the needed css is missing. Although it can be added to the theme’s css, it’s been taken out just so the user will reach out to them.

This isn’t the case of something isn’t imported right. Everything imports right, as it should except by design, it’s “broken”

Agreed. Doesn’t have to be, unless the theme author says that’s what buyers will get. If and when the author advertises A, best believe buyers will expect A at least, without a deliberate “brokenness”

Update: I gave access to the author on a blank WordPress installation. I blanked out my db to ensure they’d have no access to any personal info.

One key thing I’ve noticed is that, the plugin they let the user download from themeforest is NOT up to date. The only way to get the up to date plugin is when they manually upload it when you give them access to your admin.

Why? Why is a user paying 70$, yet you’d withhold the latest theme builder plugin from them?

There may be some other reasons but the most common reason is to keep the theme available for the users who actually purchased it. There’re lots of “wares” websites that share the themes for free, worse for subscription, this is one of the only ways to manage the authors to license their items properly.

I’d argue that’s actually an insult to the intelligence of anyone who’s determined to pirate.

You do realize I can still take the version they uploaded and put online for pirating right after tweaking any license related triggers? Right?

How does the author manually installing the update fix any of what you described?

How is that the “only way to manage” the license. Seriously?


I had purchased an item that I needed to go to author’s website to download the “working” plugin recently, as it appears, it’s common these days.

In any matter, there’s no solution to protect the codes/license but if you add the “plugin” and include some specific details to the theme per user, when you see the codes outside being shared, you could actually track back to the user who’s sharing it to the outside world - then next time, you could ignore or report the user.

If you’re curious about why it has to be done that way, just ask the author why the latest plugin is not included to the theme ZIP. Pretty sure he’s gonna tell a similar reason.

I had to go through the plugin source code because I don’t trust these guys with the wp admin access and all. Before I realize they probably would have planted a malware somewhere.

And I noticed function names that are unique because they look like func792hdksbzh838(…) kinda function names.

I’ve asked the author. It’s past 24 hours, no response. I doubt they have any sensible reason other than to try and bs me, which they well know I won’t buy their bedtime stories.

Until they respond, I’m reading through their code trying to find if there aren’t any hidden malicious codes.

The reason everyone getting the same thing is less suspicious is because it’ll be weird to give bad or malicious code to hundreds of buyers from the themeforest.

But if you’re going into everybody’s dashboard, what’s to say someone ain’t paying them 2x the theme price to install some crypto or sleeper agent code?

Besides it’s a website that’ll be connected to the internet 24/7 and if the website is taking part in a coordinated global network activity, before I’d know, my vps would be shut down and my account probably suspended

Before I could explain and exonerate myself, too much trouble.

Is it encryption?

Nope. Just a normal function called elsewhere, but the name of the function is just unique gibberish, something one would do to indirectly identify a file or project

That’s my point.
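
Added example, not part of the thread and not anyone's posted code: one way to audit the situation described above, where the plugin copy a support agent uploaded differs from the copy downloaded from the marketplace. It hashes both unpacked folders, lists what was added, removed or changed, and flags PHP calls worth reading by hand in the added or changed files only. The folder names, the `audit` helper and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP constructs worth reading by hand when they show up in new or changed code.
RISKY = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|shell_exec|exec|"
    r"system|passthru|curl_exec|file_put_contents)\s*\(")

def tree_hashes(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(marketplace_dir, installed_dir):
    """Compare the marketplace download with the copy now installed on the site."""
    old, new = tree_hashes(marketplace_dir), tree_hashes(installed_dir)
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
        "risky": [],
    }
    # Only code that differs from the known download needs a first-pass review.
    for rel in report["added"] + report["changed"]:
        if not rel.endswith(".php"):
            continue
        text = (Path(installed_dir) / rel).read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            m = RISKY.search(line)
            if m:
                report["risky"].append((rel, lineno, m.group(1)))
    return report

def demo():
    """Constructed sample trees; a real run points at the two unpacked plugin folders."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "marketplace"), Path(tmp, "installed")
        for d in (a, b):
            (d / "inc").mkdir(parents=True)
            (d / "builder.php").write_text("<?php\nfunction render() { return 1; }\n")
        (a / "inc/old.php").write_text("<?php // removed in update\n")
        (b / "builder.php").write_text("<?php\nfunction render() { return 2; }\n")
        (b / "inc/loader.php").write_text("<?php\n$c = base64_decode($blob);\neval($c);\n")
        return audit(a, b)

if __name__ == "__main__":
    print(demo())
```

A hit in the `risky` list is a prompt to read that line, not a verdict; many legitimate plugins call these functions.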