Nulled WordPress themes and nulled plugins appear as one of the biggest threats to WordPress security nowadays.
One of the key features that have led to the success of WordPress is the wide range of available themes and plugins.
There are tens of thousands of free WordPress plugins and themes to choose from. And an active community producing premium (paid) WordPress themes and plugins rapidly.
In the darker regions of the WordPress world, nulled themes and nulled WordPress plugins lurk. These can be a real threat to your site’s security.
What are nulled WordPress themes and plugins?
Perhaps the terms ‘pirated’ and ‘cracked’ may be more familiar to you. These are premium themes and premium plugins that have had their copy protection removed by a third party.
They are offered on professional-looking, but shortlived websites for free. These sites may look legitimate and their offerings safe and secure, but this is often far from reality.
So what’s the problem with nulled themes and plugins?
Aside from the fact that somebody has spent time and effort producing a premium product that you are downloading for free, nulled WordPress theme and nulled WordPress plugin can be a serious security threat to your website or even worse to your e-commerce site.
Support and updates
You are not going to be able to receive instant support for your WordPress theme or plugin. You won’t be eligible for updates.
WordPress releases a new version every 34 months. WordPress security releases come out even more frequently.
Your WordPress theme or plugin may soon become out of date. An outdated WordPress plugin or theme poses a potential security issue.
Somebody has altered the original code to remove licensing and copy protection. This modification of the original code may have been executed by someone who knows what they are doing.
It may just be a dirty hack, resulting in an unstable, unreliable, and insecure product.
The real killer malicious code
Somebody has gone to the trouble of reprogramming a theme or plugin to remove the copy protection software. They have published it on a somewhat professional-looking platform for you to download for nothing.
It’s often a concerted attempt by an individual or group of persons to get you to install malicious software on your WordPress site. The authors of many nulled themes and plugins make a good living out of exploiting WordPress sites.
The dangers of nulled WordPress themes and plugins
The biggest concern if you install a nulled theme or plugin, is that it has been modified to compromise your WordPress site intentionally.
Nulled themes and plugins often have backdoors designed into them. These backdoors will allow third-party access to your site and database.
They may even contain malicious code that will turn your site into a remotely operated zombie. Some of the biggest WordPress hacks over the last few years related to nulled WordPress plugins or themes.
In 2014, over 23,000 sites were affected by the CryptoPHP backdoor. Software with this code is distributed over the many sites publishing ‘free’ premium products for WordPress, Drupal, and Joomla.
The code allowed third parties to take control of the webserver. Draining SEO traffic to their chosen sites and injecting content and code into targetted sites.
Another common exploit in nulled products is code that will convert your site into a SPAM generator. Hidden code in the plugin or theme generates thousands of SPAM emails from your server.
It’s not going to last for long. Soon your site host or Google is going to spot the problem. By then it is going to be too late.
Your site will be probably taken offline and blacklisted by Google. A quick Google search will tell you how difficult it can be to get your site whitelisted again. It’s hard to get your website’s SEO rankings back. You and your reputation are going to take a big hit.
Unwanted ads and backlinks
Another group of exploits will show ads to your site visitors. Some of them will add backlinks to 3rd party sites to drain your website traffic.
You may not even notice this is happening, but your site visitors will. Onpage ads, e-commerce popups for all kinds of unsavory products. It will damage your credibility. Your hardearned website SEO rankings are going to suffer.
If you are running an e-commerce site or storing personal data about users, then things can get even worse.
Many of the exploits injected by nulled software will give third parties administrator-level access to your site. That means the personal information of your site users and customers could be at risk.
So what is the solution?
According to a security survey published last year, 25% of the responders have seen a hacked website in the past month prior to participating in the survey. This gives us a good understanding of the magnitude of the problem.
Even if you are not concerned about the ethics of downloading somebody’s premium product for free, then be concerned about your reputation. Think about the time and credibility that you will lose if someone hacks your website.
Organized groups are publishing malicious nulled WordPress plugins and themes. They offer them on quite convincing sites.
These same individuals will often also be the ones providing positive comments about the quality of their malicious offerings.
WordPress security is a real and current issue for all site owners and admins. Don’t be fooled.
What you should do?
- Always download free or premium themes from reputable sources. WordPress.org has strict rules for the quality of plugins and themes uploaded to its site. Sites such as ThemeForest are a reliable source for a premium plugin.
- Never install nulled themes or plugins on your sites.
- Always keep your WordPress install, themes, and plugins updated to the latest stable release. Pay particular attention to the security patches or virtual patching.
- Support theme and plugin developers. Most premium products will cost you small amounts of money and a lot less than recovering your site and reputation from a major attack. Don’t be tempted by free links. Search out the developer’s site and download your themes and plugins from there.
What is a nulled plugin?
A nulled plugin is usually a premium plugin that has been hacked or contains modified code. These can be installed from third-party sites, not from original developers, and do not have a license key or developer support.
What is a nulled theme?
A nulled theme is usually a premium theme that has been hacked or contains modified code. These can be installed from third-party sites, not from original developers, and do not have a license key or developer support.
Are nulled plugins and nulled themes safe?
No, nulled WordPress themes and nulled WordPress plugins are usually not safe. They often have backdoors in them which can allow third-party access to your site and database. They may also contain malware. Some of the biggest WordPress hacks over the last few years related to nulled WordPress plugins or themes.
What does nulled mean?
Nulled in the context of WordPress plugins and themes means when premium themes and premium plugins have had their copy protection removed by a third party. You can also call these “pirated” or “cracked” plugins and themes.