Security Weekly

Why You Should Avoid Nulled WordPress Plugins


Published:


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 21

Every once in a while, I see a new GPLClub-like marketplace that is selling nulled premium WordPress plugins for a fraction of the original price. While these marketplaces are not illegal, they are clearly unethical.

When people talk about the risks of nulled plugins, they mostly refer to the malware that is baked into them. However, it’s not the only issue. I’ve even seen people talk about “trusted GPL clubs” who supposedly never inject malware into “their” nulled plugins.

Today, let’s cover all the risks that come with nulled WordPress plugins and why you should avoid using them at all costs.

Complete lack of trust & ethics

Even before looking inside the nulled plugins at all, we already have a glaring issue with the ethics of this entire ecosystem. These marketplaces never disclose who is behind them, so even though their websites carry disclaimers calling it “legal”, they seem to understand that what they do is unethical and therefore try to avoid personal accountability.

GPL Clubs often claim that they hold paid subscriptions for all of the premium plugins they offer; they then just download the zips and redistribute them as GPL. Most premium plugins are built to connect to the original developer’s infrastructure, so “nulling” is required to remove the licensing checks and any functions that rely on the connection to that service.

When the licensing is removed, some of the GPL Clubs add their own update managers. GPLzone, for example, is known for also advertising on websites that have its nulled plugins installed by placing “Auto Updater by Gplzone” in the footer. Just put that into a Google search, and you’ll find all kinds of professional websites powered by nulled plugins.

In general, there is a clear lack of trust and ethics; everything mentioned above can be considered a reason on its own to avoid nulled plugins in the first place.

Unreliable & comes without support

Nulled plugins have every feature removed that is delivered via the connection to the vendor’s service. This usually includes licensing (which also removes the ability to get updates), all kinds of services consumed via APIs, etc.

A good example is products that rely entirely on an external data feed, such as security plugins that constantly receive new rules pushed to the website. With such functionality removed or turned off, the product is rendered essentially useless. Meanwhile, GPL marketplaces still advertise them as fully functional nulled versions.

These functional inconsistencies mean things don’t work as intended, which introduces bugs and many other issues. Without a real license to the software, you’re not only missing out on some of the important features, but you’ll also have no support from the original developer whenever you need help.

You also either get no updates at all, or get them with a significant delay, after the GPL marketplace has nulled the new version and made it available to its users. You never know if you’ll get the new version at all, how big the delay will be, or what gets baked in during the nulling process – it’s a complete security nightmare.

Commonly used to distribute malware

The most talked-about risk that comes with nulled software is malware. Many people search for “download premium X for free” and end up on websites such as the GPL marketplaces that offer otherwise paid products for free.

It’s a common tactic used by hackers to take control over victims’ websites and use them for a wide range of criminal activities. One of the best-known groups was called WP-VCD; it ran tens of different “download sites” that offered free nulled plugins and themes to those looking to save some money.

The sites that install these plugins may continue working as intended, but in the background they are connected to the hackers’ command-and-control server, which enrols the site into a larger botnet. Hackers can then choose what to do with the hacked websites: attack other sites, host malware, host phishing pages, redirect traffic, inject SEO spam, etc.

Conclusion

Nulled plugins are a security nightmare! While all WordPress plugins are GPL licensed and therefore even the premium versions are in legal terms “free software”, the way GPL Clubs modify and redistribute the software is clearly unethical.

If you want to have a secure website, then support the developers who build the software that you’re using. This gets you better software, better support and allows the developers to work on the project full-time.
