
Why you should never, ever use nulled themes

One of the things that makes WordPress so good to use is how customisable it can be. You can choose any theme or plugin you want, from any marketplace or any site, or you can code your own, and WordPress will run on your site. It’s one of the best things about the system.

One of the worst things is that you can get any theme or plugin from any site, regardless of its authenticity, and WordPress will still run it on your site. Some sites will promote premium versions of plugins or themes available completely free of charge. Occasionally, they will refer to them as “nulled” themes or plugins.

Just one of many sites offering “nulled” plugins for WordPress.

While some people may like a freebie, these come with a bonus that you may not be willing to pay for. “Nulled” themes and plugins almost always come bundled with malware, script injections, or significant security holes purposefully opened to make your site intentionally vulnerable, so it’s important to be aware of them.

Why do they target WordPress plugins and themes?

It’s not only WordPress sites that are targeted, but WordPress does fall foul of a lot of attacks like this. The problem is that WordPress is effectively a victim of its own success. One in three websites uses WordPress, with some figures putting the actual number at 455 million websites running some version of WordPress. If one in ten thousand – or 0.01% – of those websites uses just one nulled plugin or theme, that’s still over 45,000 WordPress websites. Just one-hundredth of one per cent of WordPress websites – not any websites that use any other system – equates to over 45,000 sites, with each site containing the information of countless users, countless visitors, countless editors, and countless commenters, all exposed and ripe for exploiting.

Are nulled themes and plugins illegal?

Here’s the problem – those plugins technically aren’t illegal, or at least aren’t breaking any licensing conditions. The reason for this is ironically one of the things that makes WordPress such a great system.

WordPress is released under the General Public Licence, or GPL. I’ve made a whole other post on the GPL, but to recap: The GPL gives you certain rights and freedoms. Those freedoms allow you to download and edit my GPL software, rebrand it and repackage it as your own, and distribute it as your own package. Ostensibly, this is what nulled plugins are – a repackaged version of a premium plugin or theme, released free of charge. So when it comes to licensing conditions, there are no issues with nulled themes.

The issues come from what they add to the system, the breaches they put in, the security holes they open up, and the malware they infect sites with. You may not be aware of the issues they have caused with your sites, but your users will be affected whether you intend it or not, and it will be because of these themes that you have installed. Because each nulled product contains different security issues, it’s not that easy to tell exactly why they are illegal, but they are almost always harmful.

Removing them isn’t always possible either. Once you deactivate the plugin and remove the files, the effects and the malware may well remain in the database and in other files. They could even infect other plugins or the core files, and then you’re in a whole world of hurt. At that point, your best option is to remove the site, ask your hosting provider to check for any malware, and start again from scratch with a clean install and clean downloads of all of your plugins.

Some nulled providers may simply be people looking to “stick one up to the man” and offering plugins and services that would cost hundreds of pounds or hundreds of dollars free of charge. But unless you explore the code, you cannot tell the difference between one that’s just looking at doing that or one that’s looking to bring your site down, so it’s usually better and safer to assume the worst with these and avoid them at all costs.

Who actually gets hurt with nulled themes and plugins?

While you may not see it, nulled themes and plugins can cause a lot of problems for people. It’s not just your site that’s the problem; it can hurt a lot of people.

Your users

If you have a nulled theme or plugin on your site, you risk not only causing harm to your own site, but also to the computers of your users. Nulled download providers don’t advertise the malware they infect your site with or the security holes they open up, so unless you look through the code you won’t know what can happen. If you don’t know what has been added, your users won’t know either, and they will be affected because of it.

You

By installing a nulled theme or plugin on your site, you are risking damaging your site and your server. Even if you do so unwittingly, you could be infecting your site with malware or opening your site up to exploitation. That can bring your site down completely, which if you’re using your site to sell products, can result in a major loss in sales and revenue. It can also impact your trust and your brand since customers will see you as a threat to their own security and take their business elsewhere.

Other businesses and your hosting provider

Most hosting providers will offer shared hosting, especially on tiers at low prices. They share the storage, the operating system, the database system, everything – even with account isolation. That means everything that happens on your own site and with your account may have an impact on their sites and their accounts. If your plugin infects their sites, you can potentially bring the entire shared server down, resulting in heaven knows what sort of damage to people completely unconnected to you.

Me

While I don’t mean me personally, nulled themes do cause problems for other developers. Ultimately, if you are going to these nulled sites and getting these plugins free of charge, you’re not paying the original developer or service provider for their time and energy. That means they’re not getting paid for you using their plugin. If enough people went for the nulled version of my plugin, what’s the point in me making the plugin in the first place? My time and efforts would not be valued or worth anything, and I’d likely be wondering whether it’s worth me continuing since my work is worthless. All because someone decided it wasn’t worth paying a few quid for.

Why do they make these themes and plugins?

“Nulled” items are made to compromise the websites of targets who download and install them. They do this to spread their malware or malicious scripts using your website and your server to propagate their software. The vulnerabilities can even render your site unusable to anyone but the attacker and can result in them taking over your site and spreading messages of terrorism rather than selling your services. The problems are worse if you use shared hosting, as bringing your site down is likely the best case scenario here. At worst, if other people are using the same server as you are, their sites could also be compromised if the malware is severe enough or the server’s security is not up to standard.

One of the reasons they are so effective is that the plugins and themes they use are popular and desirable. For example, the website above offers Yoast SEO Premium. Yoast SEO is the most popular SEO service for WordPress, with over five million active installations and over three hundred million downloads recorded for their free version alone. Their premium service is incredibly powerful and offers access to many features, but costs £99 per year. These features can add a huge benefit to a site where the plugin is installed, and some of the people who want to use these features cannot afford them. If someone were to offer these people the ability to get these features without paying for them, at least one person will accept the offer, and that one person is enough.

Is there anything good that can come from using a nulled plugin?

There is an argument for using them, but I don’t think it’s a particularly good or strong argument, considering what the downsides are.

Some services are very expensive, and if you cannot afford them then a nulled version can offer you the function you need without the price tag. Not everyone can afford it, but is that really enough of a reason to put your site, your users, and your hosting providers at risk of major data breaches? With laws such as GDPR, you could face stiff penalties for these breaches, and those fines would cost far more than the plugin.

There’s also the argument that you could be looking to try out a service before committing to paying the full fee. Even if you do so in a local environment, you risk infecting your computer and potentially infecting your live site when you publish it. While trialling a service is a good idea in theory, quite a few plugins have a free version to allow you to do just that without impacting your own security. Why risk your computer’s security to test out a few features?

How do I make sure my site is secure?

I’m writing a post on that to add more detail and to look at specific products that might help, but there are some simple steps you can take to keep your site secure:

  1. Check the plugins and themes you use come from reputable sources.
  2. Keep your WordPress software and all themes and plugins up to date.
  3. Make regular malware checks on your site – you can use free services such as Sucuri for basic checks.
  4. Make sure your accounts use complicated and unique passwords or passphrases.
  5. Add multi-factor authentication to your site.
  6. Remove all unused plugins and themes from your site.
  7. Make sure you use an active and up-to-date SSL certificate on your site.
  8. Make sure your hosting is secure and behind a firewall.
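
Steps 1 and 3 can be partly automated. The following is an added example, not code from this post's author: it compares an installed plugin or theme with a clean copy of the same version obtained from the original developer, lists every added, missing or modified file, and applies a few heuristic patterns to the changed PHP files. The function names, directory layout and patterns are assumptions made for the example, and the sample files are constructed.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic signs of obfuscated PHP, chosen for this example; not exhaustive.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def digest_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def flag_php(path):
    """Names of the heuristic indicators present in one PHP file."""
    data = Path(path).read_bytes()
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(data))

def audit(reference_dir, installed_dir):
    """Diff an installed plugin or theme against a clean copy of the same version."""
    ref, inst = digest_tree(reference_dir), digest_tree(installed_dir)
    report = {
        "added": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
        "modified": sorted(f for f in ref.keys() & inst.keys() if ref[f] != inst[f]),
        "flags": {},
    }
    for rel in report["added"] + report["modified"]:  # every difference needs review
        hits = flag_php(Path(installed_dir) / rel) if rel.lower().endswith(".php") else []
        if hits:
            report["flags"][rel] = hits
    return report

def demo():
    """Audit two constructed trees: a clean copy and a tampered install."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, installed = Path(tmp, "clean"), Path(tmp, "installed")
        for d in (clean, installed):
            (d / "inc").mkdir(parents=True)
            (d / "plugin.php").write_text("<?php // Plugin Name: Example\n")
            (d / "inc" / "helpers.php").write_text("<?php function ex_help() { return 1; }\n")
        # Constructed tampering: an appended loader and an extra file.
        with open(installed / "inc" / "helpers.php", "a") as fh:
            fh.write("$p = 'ZWNobyAxOw=='; eval(base64_decode($p));\n")
        (installed / "license-check.php").write_text("<?php // not in the clean copy\n")
        return audit(clean, installed)
```

A file that differs from the developer's copy needs review even when no pattern matches, as `license-check.php` shows in the demo: the hash comparison is the reliable signal, and the patterns only help prioritise.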

Any questions?

Got anything you want to ask? Want to talk about your own experiences with nulled plugins and themes? Head on down to the comments and let’s discuss.
