Nulled WP Themes and Plugins: Are They Safe and Legal?
One of the biggest reasons why WordPress has such a significant part of the internet market share is how broadly flexible it is. With millions of themes and plugins to choose from, you can take the core framework of WordPress and turn it into pretty much anything you could possibly want. And, if there isn't an out-of-the-box theme or plugin to do what you want, you can have one custom-made for you.
The trouble that a lot of people run into is that this isn't necessarily free.
WordPress itself is free, sure, but that's just part of it:
- Themes run the gamut. Some of them are free, but the more customized, the better-designed, and the most unique and interesting themes are not. WordPress themes can run from $15 to over $100, and that's usually a per-year fee for ongoing updates as WordPress itself updates beneath it.
- Plugins can range from one-time fees of $20 or less to ongoing subscriptions of $5 per month to hundreds of dollars per month (or more for huge enterprise sites and massive, fully-featured plugins.)
How many new startups, individual entrepreneurs, hobbyists, or enthusiasts can afford these kinds of fees for a site that has no returns and might not for years, if ever? Not many, right? I personally pay hundreds of dollars per month for various plugins. These range from SEO plugins to caching, image optimization, content delivery network, spam prevention, security, code optimization, and more. It all adds up!
Well, whenever there are people who want a thing that costs money but don't have the money to pay for it, some segment of that group turns to the time-honored tradition of piracy.
30 Second Summary
You can turn WordPress into almost anything you want with its many themes and plugins, but these add-ons aren't always free. You'll usually need to pay yearly fees ranging from $15 to over $100 for themes, and plugins can cost anywhere from a one-time $20 fee to hundreds per month. While some people turn to "nulled" (pirated) versions to save money, you should avoid them. These nulled versions can hide malware, slow down your site, hurt your SEO and even get you in legal trouble.
What are Nulled Themes and Plugins?
This is where the concept of "nulling" a theme or a plugin comes into play. Let's talk a bit about how they work, and then get into whether or not they're safe and what options you may have.
To start, we need to talk about how premium themes and plugins work. Generally, there are a few ways that these themes and plugins validate that the person who is using them has paid for them. They might be downloads that are only accessible once you are sent a receipt, for example. Alternatively, they might have code that phones home, and to activate, you need to plug in a license key you get by paying; if the license key is duplicated or invalid, the theme or plugin stops working or loses access to premium features. And, of course, there are also methods like the use of API keys, which can be restricted in other ways.
It's the middle option that is most common. A simple license key system is easy to implement and has been common in software for decades. The problem, though, is when people find ways to get rid of the code and activate premium features without it.
For most software, this is called cracking. Hacker groups crack the encryption or obfuscation on a piece of software and provide a way to dummy out or remove the checks that would invalidate a piece of software. These cracks circulate as their own little apps and are common with everything from video games to Microsoft Windows itself.
With smaller and more discrete, self-contained code like WordPress themes and plugins, it's generally a lot easier to identify the small block of code that phones home and dummy it out. In this case, since the core codebase is small, the hacker groups will simply dummy out this code in a process called nulling. They might remove it entirely or just add whatever characters are necessary to make it a comment in the code. Then, the hacker group will often replace the copyright information in the plugin with their own (more on why in a moment) and circulate it as a "Free" version of the plugin or theme.
So, when you download a nulled theme or plugin, you're getting the premium copy without the phone home code, so you effectively don't have to pay for something that normally costs money.
Isn't This Just Stealing?
Yes and no. This is where it gets tricky, and there's a reason why it continues, unlike things like cracked video games or Windows, which tend to result in legal action against hacker groups. Or, rather, there are a few reasons.
One of the smaller reasons is that most themes and plugins are made by individuals or small teams, many of which aren't making much in the way of profits from their code. They might make a small living, or they might make enough that they can reinvest and grow, but you're not getting a company on the same scale as Microsoft or Activision-Blizzard here. Lawsuits cost money, and when you don't have much money, it's hard to pursue legal action, even if it's clear that you're in the right.
The second reason is the justification that the hackers use to hide their activities - and the reason why they frequently put their own copyright information on the code they circulate.
Have you ever heard of the GPL? The GPL is the GNU General Public License, and it's one of the biggest go-to licenses in open-source coding. The GPL has a lot of legal language, but in part, it specifies that anything licensed under the GPL must allow derivative works.
WordPress is licensed under the GPL, and the WordPress project takes the position that themes and plugins constitute derivative works. The hacker groups then take this to mean that they are perfectly free to take those derivative works and make their own derivatives of them, with the phone home code dummied out, and publish them as their own.
There's a ton of nuance and detail to this.
- The GPL doesn't say the code has to be free.
- WordPress specifies that only the PHP and derived HTML code are derivative; a plugin's CSS and other scripts are not.
- Often, what you pay for with a plugin/theme goes beyond just the code.
I wrote about this whole issue in much greater detail here, so if you want a deep dive into what the GPL means for WordPress themes and plugins, give that a read.
At the end of the day, though, the reason I'm using the term "hacker groups" rather than developers or another more neutral term is simply that these are people willfully ignoring precedent and copyright, and using a very thin justification to effectively just steal code and prevent the original developers from making money from their work.
Are Nulled Plugins and Themes Legal?
Questionably.
For a full discussion, check out this post. The TL;DR is that the GPL is a lot more limited than a lot of people think, and the justification for nulling and redistributing plugins is pretty thin at best. The main reason it still happens is just that no one has gone through the tricky legal process of identifying the people responsible, suing them, and then defending all of the intricacies of the GPL in court. It's all very tricky, and it could even technically be legal, but until such a court case happens, there's no firm ruling.
Are Nulled Plugins and Themes Moral?
Not really.
Imagine that you've done a ton of work to create something unique, and you're selling it for $15 a year so you can make a little money from your efforts. Then someone comes along and says, "Hey, because of the way you did this, I can just take it and release it for free with my name on it." Doesn't feel good, right?
That's effectively what's happening with nulled themes and plugins. It also happens to a lot of other people. Photographers have their images stolen and reused (most recently by AI), and writers face the same; it's a constant reality of theft out there. Some forms of creation have stronger protections than others, but that doesn't make it any less of a dick move to do.
And let's be real here; the majority of the plugins and themes out there are not made by some big faceless business. Most of them are made by individual enthusiasts or entrepreneurs looking to make a little money on the side. There's a big difference between stealing from Microsoft or Walmart versus stealing from your neighbor.
Are Nulled Plugins and Themes Safe?
No.
This is where we get to the crux of the issue.
Nulled themes and plugins are, at best, exactly as safe as the original plugin or theme was at the moment that copy was released.
But that's not really what you're paying for when you buy a theme or plugin. You're paying for the code, sure, but you're also paying for the updates and support that come along with it. That's why so many of these systems use an annual license. If a year elapses and you still want to keep using the plugin, you can, but you need to pay again if you want another year of support and updates.
This isn't an empty benefit, either. WordPress ships security updates several times every year. And, since WordPress powers such a large share of the web, it's one of the biggest attack surfaces out there and is constantly probed by people looking for security holes they can use to compromise WordPress sites.
The older a plugin is, the more likely it is to have some kind of gap in security. This is why plugins that haven't been updated to match the most recent few versions of WordPress tend to have big warnings even on the free plugin directory.
And that's in the best-case scenario. There are other reasons why nulled themes and plugins might be unsafe, too.
The nulling group can include their own malware and you'd never know.
One of the biggest risks is that you're dealing with a known unethical group or individual. It's not just possible, but even likely, that instead of just nulling out the phone-home code or license requirement for a plugin, they also inject code of their own.
Maybe it's logging your passwords.
Maybe it's tracking and stealing user information.
Maybe it's injecting invisible ads, redirects, or other things that benefit the null-maker over you.
Maybe it's injecting malicious code into other plugins, or core WordPress files, so even if you remove the plugin later, the malicious code stays.
Maybe it doesn't do anything yet, but when the hacker group gets enough market saturation, they activate it and deliver a payload that compromises your site or holds your site for ransom.
Unless you're able to dig into the code of the plugin yourself and know what's going on, you have no way of knowing if any of this is happening. How much do you trust a pirate to not be self-serving?
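One way to actually do that digging, added here as an example and not part of the original article: hash every file in an installed plugin against a known-good copy from the vendor, report what was added, removed or changed, and flag the constructs that most often hide injected loaders. Every file, the hp_* function names and the base64 string are constructed for the demonstration.

```python
import hashlib, os, re, tempfile

# eval() of decoded/inflated strings is rare in honest plugin code, common in injected loaders
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"\bcreate_function\s*\(", re.I),  # deprecated; often abused to run built strings
]

def build_manifest(root):
    """Map each file (path relative to root, '/' separators) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def diff_manifests(trusted, installed):
    """Return sorted (added, removed, modified) paths of the installed copy vs. the trusted one."""
    added = sorted(set(installed) - set(trusted))
    removed = sorted(set(trusted) - set(installed))
    modified = sorted(p for p in trusted if p in installed and trusted[p] != installed[p])
    return added, removed, modified

def scan_php(root, manifest):
    """Return {path: [matched text, ...]} for PHP files in the manifest that hit SUSPICIOUS."""
    hits = {}
    for rel in (p for p in manifest if p.endswith(".php")):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            text = f.read()
        found = [m.group(0) for pat in SUSPICIOUS for m in pat.finditer(text)]
        if found:
            hits[rel] = found
    return hits

def demo():
    """Constructed vendor copy vs. a 'nulled' copy: licence check commented out, loader added."""
    vendor = {"plugin.php": "<?php\nif (!hp_check_license()) { return; }\nhp_run();\n",
              "includes/license.php": "<?php\nfunction hp_check_license() { return hp_ping(); }\n"}
    nulled = dict(vendor, **{
        "plugin.php": "<?php\n// if (!hp_check_license()) { return; }\nhp_run();\n",
        "includes/loader.php": "<?php\neval(base64_decode('Q09OU1RSVUNURUQ='));  // decodes to CONSTRUCTED\n"})
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, tree in ((a, vendor), (b, nulled)):  # materialise both sample trees on disk
            for rel, content in tree.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                    f.write(content)
        trusted, installed = build_manifest(a), build_manifest(b)
        return diff_manifests(trusted, installed), scan_php(b, installed)
```

Against a real install, point build_manifest at a fresh download from the vendor and at wp-content/plugins/<slug>; a hit from scan_php is a reason to read that file, not proof of malice on its own.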
They can get you in legal trouble.
It's one thing for a plugin developer or theme maker to go after a hacker group. Hackers tend to hide their activity pretty well to avoid the legal repercussions of what they're doing. You, though, if you're using an unauthorized copy of their code? They can go after you.
Even if the GPL argument holds, it only covers part of the code of a plugin or theme. The rest is still copyrighted to the developer. If you're using it without authorization, that's a violation of their rights. They can send a cease and desist to you, and if you don't comply, they can pursue legal action against you. And you, generally, will be a much easier target than the people releasing the nulled code.
Is it likely to happen? Who knows. There are tens of thousands of developers out there, and not all of them view the issue the same way. But it's a risk you need to know before you base your site on stolen code.
You can take an SEO hit.
There are two ways that nulled themes and plugins can hurt your site's SEO.
The first is the most obvious; if the nulled code ends up having a malicious payload and that payload goes off, Google will flag your site as malicious and remove you from the search results. It can be very hard to recover from this, and it can take months or years before you regain trust.
The second is more insidious; if there's tracking code or something else in the plugin or theme feeding back to the null group, it can slow down your site. Since site speed is a critical metric, that can hurt your SEO over time, and you might not ever identify the culprit.
That's not all.
There are other reasons not to use nulled code.
- If the null provider doesn't keep up with updated copies to null, your plugin or theme will eventually fall out of compatibility, and you're left with either changing it out or buying it.
- Some web hosts will scan the sites they host for anything illegal, questionably legal, or potentially malicious and cancel your subscription if they find it. Sometimes, nulled plugins and themes can count.
- You don't get support. If something goes wrong with your nulled plugin or theme, good luck fixing it.
When it comes right down to it, nulled WordPress themes and plugins aren't ethical or moral, probably aren't safe, and can get you in trouble in multiple ways. They just aren't worth it, especially when there's a pretty damn good chance you can just find a legit free option to do what you need. Just don't risk it.