Every once in a while, I see a new GPLClub-like marketplace selling nulled premium WordPress plugins for a fraction of the original price. While these marketplaces are not illegal, they are clearly unethical.
When people talk about the risks of nulled plugins, they mostly refer to the malware that is baked into them. However, it’s not the only issue. I’ve even seen people talk about “trusted GPL clubs” who supposedly never inject malware into “their” nulled plugins.
Today, let’s cover all risks that come with nulled WordPress plugins and why you should avoid using them at all costs.
Complete lack of trust & ethics
Even before looking inside the nulled plugins at all, we already have a glaring issue with the ethics of this entire ecosystem. These marketplaces never disclose who is behind them, so despite the disclaimers on their websites calling it “legal”, they seem to understand that what they do is unethical and therefore try to avoid personal accountability.
GPL Clubs often claim that they hold paid subscriptions to all of the premium plugins they offer, and that they simply download the zips and redistribute them as GPL. Most premium plugins are built to connect to the original developer's infrastructure, so “nulling” is required to remove licensing and any functions that rely on the connection to a service.
When licensing is removed, some of the GPL Clubs add in their own update managers. GPLzone, for example, is known for also advertising it on websites that have their nulled plugins installed by placing “Auto Updater by Gplzone” in the footer. Just put that into Google search, and you’ll find all kinds of professional websites powered by nulled plugins.
In general, there is a clear lack of trust & ethics. Each point mentioned above can be considered reason enough on its own to avoid nulled plugins in the first place.
Unreliable & comes without support
Nulled plugins have every feature removed that is delivered via the connection to the service. This usually includes licensing (which also removes the ability to get updates), all kinds of services via APIs, etc.
A great example of that is products that rely entirely on an external data feed, such as security plugins, which constantly have new rules sent to the website. With such functionality removed or turned off, the product is rendered essentially useless. Meanwhile, GPL marketplaces still advertise them as fully functional nulled versions.
With these functional inconsistencies, things don’t work as intended, which introduces bugs and many other issues. Without a real license for the software, you’re not only missing out on some of the important features, but you’ll also have no support from the original developer whenever you need help.
You also either get no updates at all, or get them with a significant delay, after the GPL marketplace has nulled the new version and made it available to its users. You never know if you’ll get the new version at all, or with how big of a delay, or what’s baked in during the nulling process – it’s a complete security nightmare.
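One way to see what a nulling process changed in a plugin already on a site, and whether the “Auto Updater by Gplzone” string mentioned above is present, is to diff the installed copy against the vendor's original zip of the same version. This is an added example, not code from this article or from any plugin vendor; `audit_plugin`, `demo` and the `sample-plugin` files are hypothetical names, and the sample data is constructed.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path

# Footer string the article says GPLzone's injected updater prints.
MARKER = b"auto updater by gplzone"

def audit_plugin(installed_dir, vendor_zip):
    """Diff an installed plugin against the vendor's original zip."""
    # Assumption: the zip wraps all files in one top-level folder.
    with zipfile.ZipFile(vendor_zip) as zf:
        vendor = {
            name.split("/", 1)[1]: hashlib.sha256(zf.read(name)).hexdigest()
            for name in zf.namelist()
            if "/" in name and not name.endswith("/")
        }
    local, marked = {}, []
    root = Path(installed_dir)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        local[rel] = hashlib.sha256(data).hexdigest()
        if MARKER in data.lower():  # case-insensitive match
            marked.append(rel)
    return {
        "modified": sorted(f for f in local if f in vendor and local[f] != vendor[f]),
        "added": sorted(set(local) - set(vendor)),
        "removed": sorted(set(vendor) - set(local)),
        "marker": sorted(marked),
    }

def demo():
    """Constructed sample: a vendor zip and a tampered install of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-plugin/sample-plugin.php", b"<?php // main file\n")
        zf.writestr("sample-plugin/inc/license.php", b"<?php // license check\n")
        zf.writestr("sample-plugin/inc/api.php", b"<?php // vendor API client\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "sample-plugin.php").write_bytes(b"<?php // main file\n")
        (root / "inc" / "license.php").write_bytes(b"<?php // check stripped\n")
        (root / "updater.php").write_bytes(b"<?php echo 'Auto Updater by Gplzone';\n")
        return audit_plugin(root, buf)

if __name__ == "__main__":
    print(demo())
```

Any entry under `modified`, `added` or `removed` means the installed copy is not the code the vendor shipped and needs review before it stays on the site.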
Commonly used to distribute malware
The most talked-about risk that comes with nulled software is malware. Many people search for “download premium X for free” and end up on websites such as the GPL marketplaces that offer otherwise paid products for free.
It’s a common tactic used by hackers to take control of victims’ websites and use them for a wide range of criminal activities. One of the best-known groups was called WP-VCD, which had tens of different “download sites” that offered free nulled plugins and themes to those who were looking to save some money.
The sites that install these plugins may continue working as intended, but in the background they are connected to the hackers’ Command & Control server, which connects the site to a larger botnet. Hackers can then choose what to do with the hacked websites: attack other sites, host malware, host phishing pages, redirect traffic, inject SEO spam, etc.
Conclusion
Nulled plugins are a security nightmare! While all WordPress plugins are GPL licensed and therefore even the premium versions are in legal terms “free software” – the way GPL Clubs modify & redistribute the software is clearly unethical.
If you want to have a secure website, then support the developers who build the software that you’re using. This gets you better software, better support and allows the developers to work on the project full-time.