Nulled WordPress themes and plugins appear to be the biggest threat to WordPress security nowadays. One of the key features that has led to the success of WordPress is the wide range of available themes and plugins. There are tens of thousands of free WordPress plugins and themes to choose from, and an active community is rapidly producing premium (paid) WordPress themes and plugins.
In the darker regions of the WordPress world, nulled themes and plugins lurk. These can be a real threat to your site security.
What are nulled WordPress themes and plugins?
Perhaps the terms ‘pirated’ and ‘cracked’ may be more familiar to you. These are premium themes and plugins which have had their copy protection removed by a third party. They are offered for free download by professional-looking but short-lived websites. These sites may look legitimate and their offerings safe and secure, but this is often far from reality.
So what’s the problem?
Aside from the fact that somebody has spent time and effort producing a premium product that you are downloading for free, nulled WordPress themes and plugins can be a serious security threat to your website or, even worse, to your e-commerce site.
Support and updates
You are not going to be able to receive instant support for your WordPress theme or plugin. You won’t be eligible for updates. WordPress releases a new version every 3-4 months. WordPress security releases come out even more frequently. Your WordPress theme or plugin may soon become out of date. An outdated WordPress plugin or theme poses a potential security issue.
Somebody has altered the original code to remove licensing and copy protection. This modification of the original code may have been carried out by someone who knows what they are doing, or it may just be a dirty hack, resulting in an unstable, unreliable and insecure product.
The real killer: malicious code
Somebody has gone to the trouble of reprogramming a theme or plugin to remove the copy protection software. They have published it on a somewhat professional-looking platform for you to download for nothing.
It’s often a concerted attempt by an individual or group of persons to get you to install malicious software on your WordPress site. The authors of many nulled themes and plugins make a good living out of exploiting WordPress sites.
The dangers to your WordPress website
The biggest concern if you install a nulled theme or plugin is that it has been intentionally modified to compromise your WordPress site. Nulled themes and plugins often have backdoors designed into them. These backdoors will allow a third party access to your site and database. They may even contain malicious code that will turn your site into a remotely operated zombie. Some of the biggest WordPress hacks over the last few years were related to nulled WordPress plugins or themes.
In 2014, over 23,000 sites were affected by the CryptoPHP backdoor. Software carrying this code was distributed through the many sites publishing ‘free’ premium products for WordPress, Drupal, and Joomla. The code allowed third parties to take control of the web server, draining SEO traffic to their chosen sites and injecting content and code into targeted sites.
Another common exploit in nulled products is code that will convert your site into a SPAM generator. Hidden code in the plugin or theme generates thousands of SPAM emails from your server. It’s not going to last for long. Soon your site host or Google is going to spot the problem. By then it is going to be too late. Your site will probably be taken offline and blacklisted by Google. A quick Google search will tell you how difficult it can be to get your site whitelisted again. It’s hard to get your website SEO rankings back. You and your reputation are going to take a big hit.
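As an added illustration (not code from the original article), the following Python scanner triages an unpacked theme or plugin for the kind of hidden backdoor code described above before it goes anywhere near a live site. The rule names, the patterns and the sample files are assumptions constructed for this example; they are heuristics, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules: assumptions chosen for this example, not a full signature set.
RULES = {
    # PHP include/require of a file that carries a media or text extension
    "include-non-php": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*\.(?:png|jpe?g|gif|ico|txt)['\"]", re.I),
    # eval() applied directly to a decoding or decompression call
    "eval-decoded": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # theme or plugin code that creates WordPress user accounts
    "creates-user": re.compile(r"\bwp_(?:insert|create)_user\s*\(", re.I),
}
MEDIA_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
PHP_EXT = {".php", ".inc", ".phtml"}

def scan_tree(root):
    """Return sorted (relative_path, rule) findings for an unpacked theme or plugin."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        data = path.read_bytes()
        if ext in MEDIA_EXT and b"<?php" in data:  # PHP hidden in an "image"
            findings.add((rel, "php-in-media-file"))
        if ext in PHP_EXT:
            text = data.decode("utf-8", errors="replace")
            findings.update((rel, name) for name, rx in RULES.items() if rx.search(text))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample theme: one clean file and three suspicious ones."""
    root = Path(root)
    (root / "assets/images").mkdir(parents=True)
    (root / "functions.php").write_text("<?php add_action('init', 'theme_setup');\n")
    (root / "header.php").write_text("<?php include('assets/images/logo.png'); ?>\n")
    (root / "footer.php").write_text("<?php eval(base64_decode($blob)); ?>\n")
    (root / "assets/images/logo.png").write_bytes(b"<?php /* placeholder body */ ?>")

def demo():
    """Scan the constructed sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, rule in demo():
        print(f"{rule:20} {rel}")
```

Findings are leads for manual review rather than proof of compromise, and a clean result does not show that a package is safe.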
Unwanted ads and backlinks
Another group of exploits will show ads to your site visitors. Some of them will add backlinks to 3rd party sites to drain your website traffic. You may not even notice this is happening, but your site visitors will. On-page ads and e-commerce popups for all kinds of unsavory products will damage your credibility. Your hard-earned website SEO rankings are going to suffer.
If you are running an e-commerce site or storing personal data about users, then things can get even worse. Many of the exploits injected by nulled software will give third parties administrator-level access to your site. That means personal information of your site users and customers could be at risk.
So what is the solution?
Is it a problem for me?
According to a security survey published this year, nearly 40% of respondents had their WordPress websites hacked within the last calendar year.
Even if you are not concerned by the ethics of downloading somebody’s premium product for free, then be concerned about your reputation. Think about the time and credibility that you will lose if someone hacks your website.
Organized groups are publishing malicious nulled WordPress plugins and themes. They offer them on quite convincing sites. These same individuals will often also be the ones providing positive comments about the quality of their malicious offerings.
WordPress security is a real and current issue for all site owners and admins. Don’t be fooled.
What you should do
- Always download free or premium themes from reputable sources. WordPress.org has strict rules for the quality of plugins and themes uploaded to its site. Sites such as ThemeForest are a reliable source for premium plugins.
- Never install nulled themes or plugins on your sites.
- Always keep your WordPress install, themes, and plugins updated to the latest stable release. Pay particular attention to the security patches.
- Support theme and plugin developers. Most premium products will cost you small amounts of money and a lot less than recovering your site and reputation from a major attack. Don’t be tempted by free links. Search out the developer’s site and download your themes and plugins from there.