Malicious code in a WordPress theme or plugin package can damage a website severely.
Therefore, it is always advisable to download themes and plugins directly from the WordPress repository or from the author's website. Author websites, however, are not 100% foolproof for safe code either. The WordPress repository, on the other hand, is mostly safe and carries legitimate software. When you download a theme from wp.org, or by searching from inside WordPress, you can rest assured that there is no malicious code in it.
This is for two reasons:
- Every package, whether a theme or a plugin, has to go through a scanning process and is tested for quality and safety against the WordPress coding standards as well as for malicious code.
- WordPress does not allow malicious code because it would harm its own ecosystem as well as its users, driving users to other CMS packages.
But if you downloaded it from any other source, there is no guarantee that the package is safe, unless it comes from a trusted, well-known author.
Often, premium themes or plugins are offered for free download on unauthorized websites. These are called "nulled" versions. They may be out of date and may contain malicious code added by the person offering them for free. Always avoid using such packages in a live environment; they can cause serious damage to your system. You can test one on localhost, but only for the sake of research and development, never on a live site.
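As an added example (not part of the original post), here is a defender-side check for the advice above: diff a copy obtained from elsewhere against the same theme or plugin downloaded from the WordPress repository, file by file, so that anything the repackaged version added, dropped or altered stands out. The directory layout and file contents are constructed sample data; the official copy is assumed to have been fetched from wordpress.org separately.

```python
"""Compare a theme/plugin copy of unknown origin against the wp.org copy."""
import hashlib
import pathlib
import tempfile


def _file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_package(official_dir, suspect_dir):
    """Return files added, removed or modified relative to the official copy."""
    official = _file_hashes(official_dir)
    suspect = _file_hashes(suspect_dir)
    common = official.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(official)),
        "removed": sorted(set(official) - set(suspect)),
        "modified": sorted(f for f in common if official[f] != suspect[f]),
    }


def _build_sample():
    """Constructed sample: an 'official' tree and a repackaged copy of it."""
    base = pathlib.Path(tempfile.mkdtemp())
    official = base / "official" / "example-plugin"
    suspect = base / "suspect" / "example-plugin"
    for root in (official, suspect):
        (root / "inc").mkdir(parents=True)
        (root / "example-plugin.php").write_text("<?php\n// Plugin Name: Example\n")
        (root / "inc" / "helpers.php").write_text("<?php\nfunction ex_helper() {}\n")
        (root / "readme.txt").write_text("=== Example ===\n")
    # Differences typical of a repackaged copy: one file altered, one added, one dropped.
    (suspect / "inc" / "helpers.php").write_text("<?php\nfunction ex_helper() {}\n// extra\n")
    (suspect / "inc" / "extra.php").write_text("<?php\n")
    (suspect / "readme.txt").unlink()
    return official, suspect


if __name__ == "__main__":
    official_copy, suspect_copy = _build_sample()
    print(diff_package(official_copy, suspect_copy))
```

Any file listed under "added" or "modified" is what to inspect before the package goes anywhere near a live site.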