Nulled WordPress Plugins – Dangers and Downsides

In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem.

Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that a nulled plugin is installed on their site.

During our recent investigation into the prevalence of nulled plugins, we found that over 23,000 sites are running nulled versions of the Wordfence plugin. Site owners with these installations may not be aware that their Wordfence installation is a nulled plugin, so we will be alerting these site owners of the risks, and to take action to protect their sites.

Wordfence is not alone. Our investigation shows that numerous popular plugins, both paid and freemium, are often nulled and redistributed, often with malware included. In order to elevate awareness of this troubling trend, we have compiled a list of frequently asked questions about nulled plugins and themes.

What is a nulled plugin?

A nulled plugin is a copy of a paid premium plugin that has been modified to provide some degree of premium functionality without paying for a license. In most cases, nulled plugins and themes fail to provide full premium functionality and often contain backdoors and other malware.

Nulled plugins usually retain the same brand name and logo as the original, creating the impression that the customer is receiving a paid version of the original plugin. However, when the customer opens a support request with the original vendor, they discover the vendor has no idea who they are.

How do I know if I’m using a nulled version of Wordfence?

If you have purchased a “lifetime license” or a copy of Wordfence Premium at a discounted price or for free from a third party and not directly through the Wordfence website, you are using a nulled version. Although the plugin dashboard may indicate that you have Wordfence Premium activated, these installations do not include a valid license key needed to activate premium features and are not fully functional.

Sites running a nulled copy of Wordfence are still only receiving freely available signatures and firewall rules, which are delayed by 30 days, and these sites do not receive the real-time data that Wordfence Premium receives. Additionally, sites using nulled Wordfence plugins do not have access to the Real-Time IP Blocklist.

What are some of the risks of using nulled plugins and themes?

Nulled plugins and themes frequently contain backdoors and other malware that is used to distribute SEO spam, perform attacks on other websites, steal sensitive information, and redirect site visitors to malvertising websites, all of which can put your site visitors at risk and ruin your website reputation.

Many nulled plugins and themes also inject hidden administrator users into your site’s database, effectively allowing malicious actors to take over control of your WordPress site. In reviewing the terms of service for nulled plugin distribution sites, several include provisions stating that, by downloading and installing one of their nulled plugins, you agree to let them modify your site whenever they want.

Although nulled versions of the Wordfence plugin might not include malware, we’ve found that sites running a nulled version of Wordfence are more than twice as likely to have unrelated infections compared to the average site running the free version of Wordfence.

Do all nulled plugins contain malware?

No. In fact, we’ve seen a recent shift away from malware distribution and towards subscriptions and paid downloads as a primary business model on websites that offer nulled WordPress plugins and themes.

Despite this fact, malware is still extremely prevalent in nulled plugins and themes distributed for free via forums and social media groups, and infections from nulled plugins and themes are still incredibly common.

Bear in mind that, by installing a nulled plugin, you are effectively giving that plugin complete control over your website. While this is true of any software, plugins and themes distributed via the WordPress directory are vetted for malicious code, while those distributed by nulled sites, on forums, and in social media groups are not.

Regardless of whether they contain malware, the vast majority of nulled plugins and themes fail to deliver the premium features they appear to provide, and may actually offer reduced functionality compared to legitimate versions freely available on the WordPress plugin directory.

What about discounted plugins?

We’re seeing an increasing number of nulled plugins being distributed via “discount” sites that charge a monthly subscription fee, or that offer “premium” versions of plugins for a reduced price. While these plugins and themes are less likely to contain malware than nulled software offered for “free”, they still do not offer full premium features, and in many cases are simply repackaged or slightly modified versions of code that is freely available on the WordPress directory.

Many premium plugins, including Wordfence Premium, include SaaS (Software as a Service) functionality. This means that the most critical Wordfence Premium features, including the Real-Time IP Blocklist, immediate firewall rule updates, and up-to-date malware signatures, cannot be made available to a nulled plugin since they rely on having a valid Wordfence license that authorizes Wordfence to send the latest data to your site.

It is trivial to modify the code of most plugins so that they appear to be fully licensed, but these modifications rarely unlock the full functionality of a plugin and can have real negative impacts while providing a false sense of security.

What about free versions of GPL-Licensed premium plugins?

The GPL (General Public License) license allows other developers to fork a plugin, modify the code and redistribute it to others under the same terms. Trouble arises when a plugin is forked and the new developer doesn’t change the name or logo. Customers think they’re getting the same plugin from the same source, but that is not the case, and it violates the original developer’s trademark on their name and logo.

Another issue arises when the redistributable code is licensed under GPL, but the plugin contains Software as a Service (SaaS) technology that is proprietary. Wordfence is an example of this, where the Wordfence plugin receives proprietary data from our servers and those servers also contain proprietary code that performs additional computation. Accessing this data and capability requires a paid license. It is not possible to redistribute a plugin that contains this functionality without purchasing a Wordfence license from us. Buying a nulled Wordfence plugin results in a customer paying for the plugin and getting the free version of Wordfence.

The GPL is truly amazing because it helps foster innovation by making code available to others for reuse. It also allows the examination of source code by others, like security researchers, which helps us identify vulnerabilities and make the web safer. But abusing it to pretend that you are someone you are not while omitting functionality that a customer expects to get, is not what the GPL was intended for.

Can I get support for nulled plugins and themes?

Plugin and theme publishers that offer support to their paid customers will not provide support to customers who did not pay them and paid another vendor instead. This can leave customers confused when they open a support ticket and the vendor has no idea who the customer is.

Additionally, the unpredictable and frequently malicious modifications made to nulled plugins make them impossible to support even for publishers that offer support to their free users.

What should I do if I have a nulled plugin or theme installed?

If you find that you have a nulled plugin or theme installed, we recommend deleting it immediately.  Then, we recommend scanning your site with Wordfence, either the free version available on the WordPress plugin directory, or Wordfence Premium, which provides additional functionality that is unlocked by entering a license key into the free version, rather than via a separate download.

We also recommend checking your database for unauthorized administrator users, since these are frequently added by nulled plugins and themes and can be hidden from other administrators. If you are not comfortable cleaning your own site, or if it continues to show symptoms of infection even after you have removed any nulled plugins or themes, the Wordfence Site Cleaning team will be happy to help.

Conclusion

In today’s article, we covered some frequently asked questions about nulled WordPress plugins and themes, including some of the risks involved, common misunderstandings, and what to do if you have a nulled plugin or theme installed on your site.

Using nulled plugins always has a cost, whether it’s the trust of your users when your site is hacked, or simply the monetary cost of a discounted copy that fails to deliver on its promises.

At Wordfence, we work hard to make sure that even the free version of Wordfence provides best-in-class protection for WordPress sites. We’d like to thank all of our Premium users for making this possible and for helping to protect the WordPress community as a whole with their support.

Did you enjoy this post? Share it!

Comments

12 Comments
  • I'm interested what tooling there is to identify nulled plugins? A couple of times when I've taken over management of an existing site I've been weary of not knowing where plugins and themes have come from.

    • Hi Graham. We've released signatures in Wordfence that specifically identify nulled plugins and will alert you, and we will be releasing more over the coming weeks.

      • Hi, Will this be available in the FREE version of Wordfence as I am keen to scan my sites for any nulled plugins.

        • Hi Wayne,

          The malware detection signature for nulled copies of Wordfence was made available to free users shortly after this post was published. We have a number of other signatures to detect malware that is prevalent in other nulled plugins as well that are already available to free Wordfence users. All of our malware signatures become available to sites running the free version of Wordfence 30 days after they are released.

  • I can understand both sides of this.

    1. I understand developers should be paid for their work and for ongoing updates and maintenance of their products. I got that.

    2. Plugin "A" does not offer a free trial version or a money-back offer - or the terms are overly restrictive.

    3. Plugin "B" is a package, for example, but that ONE feature you are looking for and will be the only feature you really need, will cost $69/year. Now you notice that feature doesn't work with your other plugins, or doesn't even work as it was advertised. Hopefully, the money back policy, if there is one, is not that restrictive.

    Side note, as I've run into this one myself: "Well, we provide a demo on our own site for you to try our plugin." Yes, your site is plain with no other Wordpress plugins...of course it is going to work for you. That's $119 I'll never get back. You're welcome.

    4. Plugin "C", for what it does, is just overpriced. But, who sets that price and, if it is too expensive, just find something else, right? Does the market set the price or a greedy developer?

    5. Plugin "D" can be used only on one site domain. You cannot use it for your staging/duplicate site, even if it is a subdomain/test URL on the same server and domain. Do you pay another $100 to continue using it for a staging site or find an "alternative" offer?

    To some, the light at the end of this financial tunnel is to seek these discounted sites and take the risk. I don't think most site developers seek out these discounted or "nulled" plugins for malicious reasons or to hurt the industry. I believe it is because of affordability. Someone just starting out or experimenting with site design and building. Is that a justifiable excuse? Of course not. But to fully understand the proliferation of nulled or discounted plugins that are out there, you also have to understand the user base and their reasons, all while you are protecting your assets and business income from it. Stealing is stealing and it is hurting the industry. But if you are offering a simple solution for an outrageous cost, don't expect the "alternatives" to go away.

    It seems like the GPL license has sort of opened up these "nulled" plugins and themes and some users are taking advantage of it. I don't agree with their actions, but I can almost understand why.

    • You're missing the point that it's outright fraud. It is not possible to provide a nulled version of Wordfence. What you're paying for is data that you get from our servers and computation that our severs perform. Without a valid paid license, you can't access that, no matter what someone does to our plugin or claims. So the claim that you're getting the paid version of Wordfence at a discount is bogus. It's just the free version of Wordfence you're being tricked into paying for. Same applies to many other plugins.

      Second issue is trademark and copyright infringement. If you want to fork it under the GPL, go for it, but don't abuse our (or anyone else's) trademark to claim that you are us. GPL does not provide the right to commit trademark infringement or copyright infringement.

      Third issue is making modifications to the code, then selling that code pretending it's the same product with the same name and a paid version of such, which violates the GPL because that code should be released free and open source under the same license terms, as per the GPL.

      Fourth issue is that those customers come to the original vendor for premium support, when they paid someone else, and are running a plugin that someone else's modified and distributed. That someone else took the money and ran and the original vendor is stuck with the support load and non-confirming code to support.

      Fifth issue is that many nulled plugins are actually malware.

      I could go on. There's no middle ground here. Nulling plugins and selling them is unethical, violates trademark, violates copyright, sells goods under false pretences and puts customers at risk for malware infection.

      • It is to me very clear that nulled plugins are outright wrong, without a question.
        Even worse then that, they open websites to full unfiltered third-party access! This is a nightmare scenario.

        And I can only thank Wordfence for working on identifying these, and notifying site admins!  🙏

  • We recently purchased a pro version of WP MEGA MENU after trying their free one obtained from Wordpress library. We hoped to gain extra settings.
    Surprising us, we were diverted to Code Canyon to complete the purchase, and were charge a surcharge by them, But more alarming, after purchase they sent us a DOWNLOAD LINK - with instructions on how to upload the files to our server.
    Against our better judgement, we uploaded the files to give them a go, and found heaps more settings, But the pro version did not display correctly on the website. This took us to instigate a ticket which resulted in a back and forth exchange with wp@access-keys.com who tried, unsuccessfuly, to resolve the issue. This lead to Access requesting our login details to take a look at the site's backend. That was the last straw. We immdeiately deleted all their files, then restored a backup to before this event began.
    We will never know if the code was corrupt, but pass this on, so others in the wordpress community can see how easy it is to tumble into a compromising situation.

    Cheers from downunder

    • Actually, codecanyon (Envato) is the official sales channel of plugin. They don't offer nulled themes, they just offer plugin and theme developers a platform to sell there stuff.

      Stuff like mega menu's are very dependent on the theme/design your site already has. It's not wierd if that needs finetuning.

      It's also not uncommon at all for support to ask for admin access. Often they need that to be able to debug a problem or fix settings. You could give access but before you do, make sure you create a backup and log the changes. And delete the admin account once they are done.

  • why 'nulled'? what a strange term.

    • Derived from 'null' (lacking any legal or binding force e.g. null and void).

  • Agree 100% with your article. I recently took over an existing site that was having problems and the site kept getting hacked. They paid a lot of money to have the site built, but when I started going through it, I noticed that most of the plugins and the theme were premium versions, but none were licensed. Didn't take long to fix the issues buy installing the proper paid versions of the theme and plugins. The site has had no more hacking or malware issues since the cleanup.

    I have seen this a lot where "web developers" use these nulled themes/plugins, and charge the client the full license fees and most clients don't even know they have been scammed and ripped off. In other cases I actually wonder if people making websites for $100 are actually using them to build in backdoor malware sites. Just a thought.