Apart from Official WordPress repository there are hundreds and thousands of websites which provides free WordPress themes and Plugins but the problem is you can not trust them always.
Yes, Most of them add a malicious code to themes and plugins which is not too easy for you to find out.
After downloading the plugin or theme,The first thing you should do is to check for virus,trojans and other worms that you may not like it.
Now lets check for unwanted codes in plugins using another WordPress plugin called Exploit Scanner,which can be securely downloaded from WordPress website.
Adding a backlink in a free theme is very common technique but you can easily find those exploited themes by the plugin called Theme Authenticity Checker (TAC).