What is a nulled plugin?

Everyone loves things for free, which is one of the contributing factors which has led to the popularity of WordPress as a Content Management System (CMS). Now commanding over 60% of the CMS market, third party plugins and themes are therefore a booming market as well.

While within WordPress you can automatically search and find many thousands of free plugins and themes, developers often have a “pro” or premium version where they provide additional functionality and features for their paid version. The free versions are often a great way to try the basics of a product and in many instances they offer enough functionality that you may not even require a more comprehensive version.

However, when you do there’s a temptation for some to go and find a “nulled” version of the plugin for free so that you don’t have to pay for it.

What is a “nulled” plugin?

The original term “nulled” used to refer to paid applications where any copyright protection (such as remote license checks) are disabled or bypassed. While it used to be mostly focussed around desktop software, 

This software is illegal.

However, rather than just being altruistic notions to release software for free so that everyone can use it, nearly all nulled WordPress plugins and themes contain malware. This malware will vary in payload, but in nearly all instances will infect your site beyond just the plugin and add hooks into the core and/or other components so that third party entities can upload other malicious code to use your website for illegal means.

This illegal usage could vary from sending spam, conducting phishing campaigns and even be as severe as to delete your data and hold it to ransom through cryptoware. 

Why do I have to pay for some plugins and themes? 

The simple answer is, software is written by humans and humans need to eat. Yes, while many developers may seem advanced and futuristic boffins at times, they still succumb to the rat race of work-eat-sleep. 

In fact, if you get value from the plugin or theme then paying for it is a good way to ensure that the developer can afford to continue to work on it. Given that some CMS platforms in the enterprise world charge upwards of $60,000 per year, paying $99 (for example) is still outstanding value and still one of the cheapest parts of running a business or website.

Should I use a nulled plugin or theme?

NO.

The only reason I have this here so bluntly is so that there is no ambiguity whatsoever. 

While the previous section should clearly articulate why, many don’t heed the warning signs and continue down the path of nulled plugins or nulled themes.

If you require the services of a paid plugin and can’t afford to purchase it, you have three options:

  1. Find an alternative.
  2. Go without it.
  3. Find a way to pay for it.

The great thing about WordPress is the amount of choice you have, so if you find that a plugin is too expensive then there may be alternative out there already.

What sites offer nulled plugins?

If you’re not downloading it directly from the plugin author’s site after paying for it, chances are it’s a nulled plugin. There is only one site to trust for downloads, and that’s wordpress.org

Any other site should be displaying a high degree of caution and you will need to verify the site. There are a few ways to check this:

  1. Is the site linked from a free version within wordpress.org or within the plugin / theme itself?
  2. Does the URL of the site match the website contained within the official social media sites?
  3. Are there any deals on the site which seem “too good to be true” ?
  4. Have you arrived at the site from a trusted link?

If there’s any ambiguity in the above four steps, STOP. Verify the site with your web developer or trusted technical advisor before downloading and before paying any money.

What should I do if I discover I have a nulled plugin?

We recommend you immediately contact your web developer and check what backups you have for your site. Once a nulled plugin or theme has been installed, it may have completely compromised your website and this may require a restoration from backup.

We’d also recommend installing WordFence and running a full scan of your website. This can identify and correct security issues in many instances. While we’ve found that WordFence is the best security tool out there, you shouldn’t ever be 100% reliant on a singular tool to correct any security issues.

You should also contact your hosting provider, as they may have additional tools to scan your website and may be able additional information about the level of compromise to your website.

Website with malware

Lastly, you should check your Google Search Console for any warnings or notifications. If Google has detected that your site has a security compromise amd/or is being used for phishing then it will either display a warning message or completely block access and have a potential SEO impact.

Conclusion

As the saying goes, prevention is better than the cure. The only way to 100% ensure any infection or compromise is removed is to restore the site from a backup prior to the nulled plugin or theme being installed.

We highly recommend that you show your support for your favourite plugins and themes by playing for them. By ensuring that the developers have a sustainable income from the plugins and themes they provide, you’re also ensuring that development continues and it’s highly likely that new features will continue to be released.

Cover photo by Markus Spiske on Unsplash.

Back to the Blog

Tim Butler

With over 20 years experience in IT, I have worked with systems scaling to tens of thousands of simultaneous users. My current role involves providing highly available, high performance web and infrastructure solutions for small businesses through to government departments. NGINX Cookbook author.

  • Conetix
  • Conetix
  • Conetix

We’ve got your back

With over ten years experience providing solutions for design agencies
in Australia, Conetix delivers premium service and performance.

Let’s talk about Agency Hosting plans

Let's Get Started

  • This field is for validation purposes and should be left unchanged.