All that free shit tends to be the downfall of many WordPress Sites

Many WordPress 'webmasters' sell their 'clients' on WordPress because it has many more FREE extensions than any other website management system, and while that's true, it is also the main weakness. The old adage "there is no free lunch" applies. There are numerous free WordPress plugins that are injected with 'backdoor' access code to allow the developer easy entry to the user's database or to the file manager, and unless they do something really drastic to expose their presence, none of the 200k users of the free plugin will ever know that someone is scalping valuable data from their site, i.e. user emails and personal data, stored credit cards, company secrets, etc.

Case in point:

There is the very excellent plugin called Display Widgets by which allows the user to determine which pages specific widgets should display on, because by default a widget is published on every possible page, and there is no core method to define pages where a widget must not be shown. For this reason, over 200k WordPress websites have actively been using the superb plugin, without issues. The problem started when the developer sold the plugin to someone in May 2017, possibly because no donations were being given to help them maintain the script. The buyer then added backdoor access code and released it as an update, version 2.7.0, which notified the 200k users, who naturally just applied the update, as the malicious devs expected. Luckily the hack was detected in June 2017 and the WP repository was notified, so they removed it from their list and suggested that users should delete it. The developer, however, has released his original version 2.0.5, and if you have 2.7 installed, there should be a notice to update; when you do, it will revert to the cleaned 2.0.5, so it's OK to continue using the Display Widgets plugin.
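As an added example (not part of the original post and not WordPress's own code), this Python script walks a plugins directory, reads each plugin's header comment, and flags any Display Widgets install still declaring the 2.7.0 release named above. The flag list, function names and sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# From the article: 2.7.0 carried the backdoor, 2.0.5 is the cleaned re-release.
FLAGGED = {"display widgets": {"2.7.0"}}

# Header lines look like " * Plugin Name: Foo" or "Version: 1.2.3".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def read_plugin_header(php_file):
    """Return (name, version) from a plugin's header comment, or None."""
    # WordPress itself only reads the first 8 KB when looking for headers.
    text = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def audit_plugins(plugins_dir, flagged=FLAGGED):
    """List (path, name, version) for every plugin installed at a flagged version."""
    findings = []
    root = Path(plugins_dir)
    # A plugin is either plugins/<dir>/<file>.php or a single file in plugins/.
    for php_file in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        header = read_plugin_header(php_file)
        if header is None:
            continue
        name, version = header
        # Match on the declared name, so a renamed folder is still caught.
        if version in flagged.get(name.lower(), set()):
            findings.append((str(php_file.relative_to(root)), name, version))
    return findings

def demo():
    """Constructed sample tree: one flagged install, one clean install."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version in (("site-a-widgets", "2.7.0"), ("site-b-widgets", "2.0.5")):
            plugin = Path(tmp, folder)
            plugin.mkdir()
            plugin.joinpath("display-widgets.php").write_text(
                "<?php\n/*\nPlugin Name: Display Widgets\nVersion: %s\n*/\n" % version)
        return audit_plugins(tmp)

if __name__ == "__main__":
    for path, name, version in demo():
        print(f"FLAGGED {name} {version} at {path}")
```

On a real install, call `audit_plugins` with the path to the site's `wp-content/plugins` directory; the check reports only what each header declares.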

The above circumstance is not isolated. There are thousands of FREE WordPress plugins that are malware, even though they are distributed via the WP repo, and while a commercial plugin could have malshit included, it is less likely because the dev wants to keep their name clean.

The point being, buy the damn extension to be safe!