In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem.
Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that a nulled plugin is installed on their site.
During our recent investigation into the prevalence of nulled plugins, we found that over 23,000 sites are running nulled versions of the Wordfence plugin. Site owners with these installations may not be aware that their Wordfence installation is a nulled plugin, so we will be alerting these site owners to the risks and advising them to take action to protect their sites.
Wordfence is not alone. Our investigation shows that numerous popular plugins, both paid and freemium, are often nulled and redistributed, often with malware included. In order to elevate awareness of this troubling trend, we have compiled a list of frequently asked questions about nulled plugins and themes.
What is a nulled plugin?
A nulled plugin is a copy of a paid premium plugin that has been modified to provide some degree of premium functionality without paying for a license. In most cases, nulled plugins and themes fail to provide full premium functionality and often contain backdoors and other malware.
Nulled plugins usually retain the same brand name and logo as the original, creating the impression that the customer is receiving a paid version of the original plugin. However, when the customer opens a support request with the original vendor, they discover the vendor has no idea who they are.
How do I know if I’m using a nulled version of Wordfence?
If you have purchased a “lifetime license” or a copy of Wordfence Premium at a discounted price or for free from a third party and not directly through the Wordfence website, you are using a nulled version. Although the plugin dashboard may indicate that you have Wordfence Premium activated, these installations do not include a valid license key needed to activate premium features and are not fully functional.
Sites running a nulled copy of Wordfence are still only receiving freely available signatures and firewall rules, which are delayed by 30 days, and these sites do not receive the real-time data that Wordfence Premium receives. Additionally, sites using nulled Wordfence plugins do not have access to the Real-Time IP Blocklist.
What are some of the risks of using nulled plugins and themes?
Nulled plugins and themes frequently contain backdoors and other malware that is used to distribute SEO spam, perform attacks on other websites, steal sensitive information, and redirect site visitors to malvertising websites, all of which can put your site visitors at risk and ruin your website's reputation.
Many nulled plugins and themes also inject hidden administrator users into your site’s database, effectively allowing malicious actors to take over control of your WordPress site. In reviewing the terms of service for nulled plugin distribution sites, several include provisions stating that, by downloading and installing one of their nulled plugins, you agree to let them modify your site whenever they want.
Although nulled versions of the Wordfence plugin might not include malware, we’ve found that sites running a nulled version of Wordfence are more than twice as likely to have unrelated infections compared to the average site running the free version of Wordfence.
Do all nulled plugins contain malware?
No. In fact, we’ve seen a recent shift away from malware distribution and towards subscriptions and paid downloads as a primary business model on websites that offer nulled WordPress plugins and themes.
Despite this fact, malware is still extremely prevalent in nulled plugins and themes distributed for free via forums and social media groups, and infections from nulled plugins and themes are still incredibly common.
Bear in mind that, by installing a nulled plugin, you are effectively giving that plugin complete control over your website. While this is true of any software, plugins and themes distributed via the WordPress directory are vetted for malicious code, while those distributed by nulled sites, on forums, and in social media groups are not.
Regardless of whether they contain malware, the vast majority of nulled plugins and themes fail to deliver the premium features they appear to provide, and may actually offer reduced functionality compared to legitimate versions freely available on the WordPress plugin directory.
What about discounted plugins?
We’re seeing an increasing number of nulled plugins being distributed via “discount” sites that charge a monthly subscription fee, or that offer “premium” versions of plugins for a reduced price. While these plugins and themes are less likely to contain malware than nulled software offered for “free”, they still do not offer full premium features, and in many cases are simply repackaged or slightly modified versions of code that is freely available on the WordPress directory.
Many premium plugins, including Wordfence Premium, include SaaS (Software as a Service) functionality. This means that the most critical Wordfence Premium features, including the Real-Time IP Blocklist, immediate firewall rule updates, and up-to-date malware signatures, cannot be made available to a nulled plugin since they rely on having a valid Wordfence license that authorizes Wordfence to send the latest data to your site.
It is trivial to modify the code of most plugins so that they appear to be fully licensed, but these modifications rarely unlock the full functionality of a plugin and can have real negative impacts while providing a false sense of security.
What about free versions of GPL-Licensed premium plugins?
The GPL (General Public License) allows other developers to fork a plugin, modify the code and redistribute it to others under the same terms. Trouble arises when a plugin is forked and the new developer doesn't change the name or logo. Customers think they're getting the same plugin from the same source, but that is not the case, and it violates the original developer's trademark on their name and logo.
Another issue arises when the redistributable code is licensed under GPL, but the plugin contains Software as a Service (SaaS) technology that is proprietary. Wordfence is an example of this, where the Wordfence plugin receives proprietary data from our servers and those servers also contain proprietary code that performs additional computation. Accessing this data and capability requires a paid license. It is not possible to redistribute a plugin that contains this functionality without purchasing a Wordfence license from us. Buying a nulled Wordfence plugin results in a customer paying for the plugin and getting the free version of Wordfence.
The GPL is truly amazing because it helps foster innovation by making code available to others for reuse. It also allows the examination of source code by others, like security researchers, which helps us identify vulnerabilities and make the web safer. But abusing it to pretend that you are someone you are not while omitting functionality that a customer expects to get, is not what the GPL was intended for.
Can I get support for nulled plugins and themes?
Plugin and theme publishers that offer support to their paid customers will not provide support to customers who did not pay them and paid another vendor instead. This can leave customers confused when they open a support ticket and the vendor has no idea who the customer is.
Additionally, the unpredictable and frequently malicious modifications made to nulled plugins make them impossible to support even for publishers that offer support to their free users.
What should I do if I have a nulled plugin or theme installed?
If you find that you have a nulled plugin or theme installed, we recommend deleting it immediately. Then, we recommend scanning your site with Wordfence, either the free version available on the WordPress plugin directory, or Wordfence Premium, which provides additional functionality that is unlocked by entering a license key into the free version, rather than via a separate download.
We also recommend checking your database for unauthorized administrator users, since these are frequently added by nulled plugins and themes and can be hidden from other administrators. If you are not comfortable cleaning your own site, or if it continues to show symptoms of infection even after you have removed any nulled plugins or themes, the Wordfence Site Cleaning team will be happy to help.
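The hidden administrator accounts mentioned above (and in the risks section earlier) are typically concealed from the Users screen by plugin code, so the reliable check is to read the database directly. The following queries are an added example written for this article, not code from Wordfence; they assume the default `wp_` table prefix, and the table names and the `wp_capabilities` / `wp_user_level` meta keys must be adjusted if wp-config.php sets a different `$table_prefix`.

```sql
-- Added example (not from the Wordfence post): list every account holding the
-- administrator role by querying the database directly. This bypasses any plugin
-- code that filters users out of the Users screen or out of WP_User_Query.
-- Assumes the default table prefix "wp_". If your wp-config.php sets
-- $table_prefix to something else, replace "wp_" in BOTH the table names and
-- the meta_key values (e.g. "abc_capabilities").
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  -- meta_value is a serialized PHP array such as a:1:{s:13:"administrator";b:1;}
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- Cross-check: accounts whose legacy user_level is 10 (administrator) but whose
-- capabilities row is missing or does not mention "administrator" are
-- inconsistent and deserve a closer look. Recently registered administrators and
-- e-mail addresses nobody on your team recognises also warrant review.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       lvl.meta_value AS user_level,
       cap.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS lvl
  ON lvl.user_id = u.ID AND lvl.meta_key = 'wp_user_level'
LEFT JOIN wp_usermeta AS cap
  ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE lvl.meta_value = '10'
  AND (cap.meta_value IS NULL OR cap.meta_value NOT LIKE '%administrator%');
```

Compare the result against the list of administrators you expect; any account you cannot account for should be removed and its activity investigated as part of the cleanup.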
In today’s article, we covered some frequently asked questions about nulled WordPress plugins and themes, including some of the risks involved, common misunderstandings, and what to do if you have a nulled plugin or theme installed on your site.
Using nulled plugins always has a cost, whether it’s the trust of your users when your site is hacked, or simply the monetary cost of a discounted copy that fails to deliver on its promises.
At Wordfence, we work hard to make sure that even the free version of Wordfence provides best-in-class protection for WordPress sites. We’d like to thank all of our Premium users for making this possible and for helping to protect the WordPress community as a whole with their support.