If you do an internet search for “nulled scripts”, “nulled themes”, “nulled plugins” or “nulled [insert name of theme, plugin or other script here]”, you’ll find a plethora of websites that are repositories for nulled scripts. But you are putting your website, web server and your site visitors’ data in jeopardy if you install any of these on your website. I just found out the hard way (on purpose).
For those that don’t know, a nulled script is a script you use to put up a website or install a theme or plugin for WordPress, Joomla or a similar content management system (CMS). Basically, a nulled script is a stolen script: it has been modified to work even though you never bought it.
You always hear from script authors to stay away from nulled scripts because you risk getting your site hacked and losing your hosting account. But you think, “Meh, they just say that because they lose money every time someone uses a nulled version of their script instead of buying it”. But they aren’t lying.
So I did a search for free web hosting and opened up a free web hosting account with the first company that I found and installed WordPress on an old domain I have that I’ll never use. Then I went to a popular nulled script repository and downloaded a nulled WordPress plugin that I actually own and paid for. Then I installed it on the new free hosting account and checked that the plugin was working right, and it worked just fine. In fact, an update was immediately available and it updated just fine without asking me for my license key. Nothing seemed amiss in the slightest and the plugin still worked fine.
But then I installed and activated Wordfence (a popular WordPress security suite plugin). After I set it up, I performed a scan.
Welp! Sure enough, the scan revealed that…
- a couple of the plugin’s original files were modified from their original to include known, malicious code,
- the functions.php file on all 3 themes on my WordPress install (twenty-sixteen, twenty-seventeen and twenty-nineteen) was modified to include known, malicious code,
- a core WordPress file (wp-includes/post.php) was modified from its original to include known, malicious code,
- 2 files that came with the nulled plugin were added that contain known, malicious code (they were both named class.plugin-modules.php but placed in different folders),
- the functions.php file of the original plugin was modified to contain known, malicious code, and
- a new file was placed in with other WordPress core files, which is not a file that is distributed with WordPress. The name of the file is wp-vcd.php and it is placed in the wp-includes folder.
Regarding the wp-vcd.php file – I was most curious about that one because it was not among the files distributed in the nulled script zip file. So after some investigation, I found out that this file is created upon installation of the nulled script (very sneaky).
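The findings above are exactly what a core-file integrity check catches: a known core file (wp-includes/post.php) whose hash no longer matches, and a file (wp-includes/wp-vcd.php) that is not part of WordPress at all. The script below is an added example, not part of the original post and not Wordfence’s code; it builds a small constructed WordPress-like tree in a temp directory, snapshots hashes of the clean files, simulates the two changes, and reports what differs. In real use the manifest would be built from a pristine copy of the same WordPress version rather than from the tree being checked.

```python
"""Manifest-based integrity check for a WordPress install (added example).

Hashes every file under the core directories, compares them with a
known-good manifest, and reports modified files, files that should not
exist there (e.g. wp-includes/wp-vcd.php) and files that went missing.
"""
import hashlib
import tempfile
from pathlib import Path

# Core directories in which every file must be accounted for by the manifest.
CORE_DIRS = ("wp-includes", "wp-admin")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_integrity(root, manifest):
    """manifest: {relative posix path: sha256}. Returns sorted path lists."""
    root = Path(root)
    modified, unexpected, seen = [], [], set()
    for core in CORE_DIRS:
        for p in (root / core).rglob("*"):
            if not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                unexpected.append(rel)          # not a WordPress file
            elif sha256_of(p) != expected:
                modified.append(rel)            # core file was tampered with
    missing = [rel for rel in manifest if rel not in seen]
    return {"modified": sorted(modified), "unexpected": sorted(unexpected),
            "missing": sorted(missing)}

def build_demo_tree():
    """Constructed sample: clean snapshot, then the tampering the post describes."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    clean = {"wp-includes/post.php": b"<?php // core post functions\n",
             "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
             "wp-admin/index.php": b"<?php // dashboard\n"}
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    manifest = {rel: sha256_of(root / rel) for rel in clean}
    # Simulate the compromise: altered core file plus a dropped extra file.
    (root / "wp-includes/post.php").write_bytes(b"<?php // core post functions\n// added line\n")
    (root / "wp-includes/wp-vcd.php").write_bytes(b"<?php // not shipped with WordPress\n")
    return root, manifest

def demo():
    root, manifest = build_demo_tree()
    return check_integrity(root, manifest)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```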
And upon further investigation of all the malicious code Wordfence detected, it is apparent that this code is designed to “call home” to a and put your site in a database (or 3 or 10 or 100) where malicious bots and hackers can then find and access your site to do whatever they want, including hacking your site to be unusable and even injecting malware that will be transferred to your visitors’ devices. And worse, probably stealing private, sensitive information about your visitors!
So if you think you’re just going to go and download and install a nulled script and everything will be just fine, or if you are running a site with a nulled script, theme or plugin and you see nothing wrong, think again. Most likely your site is compromised and so is your data and that of your visitors. And depending on what a bot or hacker does when it/they get access to your site, you risk getting your web hosting account suspended. Is that what you really want?
And if you don’t believe me, do it yourself. Get a free hosting account somewhere and install WordPress with a nulled plugin or theme. Then install Wordfence (or some other security plugin) and see what the results are. Don’t believe everything you read; actually try it for yourself.