The Dangers of Unlicensed WordPress Plugins and Themes

One of the greatest things about WordPress is the open source community behind it. Thanks to the multitude of plugins and themes available, even the most basic of users can create and deploy a WordPress site with ease.

Through this beautiful ecosystem that empowers people to build amazing websites, several businesses have also flourished. Premium plugins like Gravity Forms and Easy Digital Downloads have even created niche communities inside the broader WordPress community.

The Benefits and Drawbacks of WordPress’ Open Source Ecosystem

WordPress itself is available under the GPL license. Although hotly debated and rarely enforced, this means that the PHP code inside of any WordPress plugins and themes must also be licensed under the GPL. Because of this, even premium plugins and themes are usually released under the GPL license and can be legally distributed to anyone who wants them. Not only does the license allow someone to give these premium products away for free, but anyone can even resell them without permission.

As an advocate for open source software and someone who has contributed countless hours of his time to giving back to the WordPress community, I love this approach. Almost everyone in the world uses some form of open source software to improve their lives, so why not give back as much as possible to improve someone else’s life?

But inside the WordPress ecosystem (and many other open source platforms), there’s a problem with this approach that can’t be easily solved. Scavengers all over the world abuse the generosity of the open source community by exploiting the freedoms that they’ve been offered. They’re not just impacting those WordPress-based product businesses — they’re hurting the end-user.

3rd-Party WordPress Product Resellers

Reselling 3rd-party WordPress plugins and themes is quite common and easy to do. It’s as simple as getting a copy of the product, setting up a website, then offering 90% off of whatever price that the creator is charging. It takes minimal effort, if really any at all.

If you’re the average small business who built your own WordPress site, you probably wouldn’t even know the difference. Isn’t it still the same plugin?

The important thing to note is that most premium WordPress plugins and themes aren’t selling you their code or access to a download link. They’re selling a license for support, updates, add-ons, and various other perks. When it comes down to it, you’re buying into a guarantee that you’re receiving a quality product from a reputable brand.

Unfortunately, a typical small business wouldn’t notice this distinction. When problems arise, such as compatibility or security concerns, who do they go to? If they received the product from a reseller, is the reseller going to make sure that they’re in good hands? Most certainly not.

Nulled WordPress Plugins and Themes

Even more dangerous than buying a WordPress plugin or theme from a 3rd-party reseller is getting a free or “nulled” copy. For those who might not be aware of what a nulled product is, it’s a premium product that has had its licensing stripped out so that it can be used without any sort of validation that the product has been purchased.

Why would someone go through the trouble of doing something like this? There are somewhat rare instances when it’s done for philosophical reasons, but in the overwhelming majority of situations, it’s to exploit the user.

Sometimes these “nulled” versions will collect some data from you. Other times, they might collect data about your site. Worst of all, they might completely infect your site and users with dangerous malware.

In fact, malware infections are quite common amongst unlicensed premium plugins and themes. For example, the WP-VCD malware has been spread exclusively through nulled plugins and themes. Once a site is infected, the plugin will call home to receive instructions on what to do with its newest victim. Usually, this will include hiding spam links on your site, as well as creating a new admin user. It’s pretty nasty stuff.

To read more, check out Wordfence’s full report.

Limiting Risk and Avoiding Dangerous Software

You’ll never be able to completely prevent 100% of issues as long as you’re running 3rd-party code. Still, you can dramatically reduce your risk by always using reputable plugins and themes that come directly from the author.

In general, evaluating any plugins or themes with the following criteria will dramatically reduce your risk:

  1. Is the product widely used?
  2. Is the product actively maintained? When was the last update?
  3. Have there been any security issues in the past? How quickly were they resolved?
  4. Is the product being purchased and downloaded from the original author?

If you have a developer on staff, it never hurts to have them perform an audit of any changes that happen on your site. If you’re installing a new plugin, it’s always a great idea to take a look through the code that it’s running. If it’s a well-known plugin with a good reputation, you’re almost always safe, but the extra bit of verification can go a long way to keep you secure.

You’ll also want to check with your WordPress hosting provider to make sure that they’re actively protecting you from any known (or even unknown) threats that your site may face. Any reputable web host will have a security staff that is actively protecting your site. Most of the time, they can identify an issue extremely quickly and resolve it before you even knew it existed.

Remember when I mentioned earlier that buying a license for a premium WordPress product was much more about buying support, updates, and a guarantee of quality? Don’t forget to take advantage of those perks! If you have a concern, get in contact with the author for help. After all, that’s what you paid for.

With a bit of honesty, integrity, and knowledge, avoiding dangerous WordPress plugins and themes is quite easy. If you have any questions or tips that would help others, feel free to drop a comment on this post. We’d love to hear your thoughts.

New Posts in your inbox