The ugly truth about nulled themes/plugins/scripts

You can't afford to have sensitive info stolen from your website.
Nulled or with a license, if the developer has a poor understanding of security, this will happen either way.

You really don't understand that nulled is exactly the same script without the licensing mechanism. If it is from a trusted source like Babiato, it doesn't affect full script functionality.

It's not the nuller's fault that script flaws open your website to hacking or leaking sensitive info.
 
Houston, we may have a problem.

If a Babia.to admin or moderator gets his hands on a script straight from a developer and nulls it, that script should be 100% safe with no hidden code.

I know this is not a paid service, but if that is not the case, we really need to kill some germs in Babia.

If A=B and B=C, then A=C

Bring on that Dettol bottle
 
There are many members sending or uploading untouched scripts that have been verified from multiple sources (more than 90%).
There are uploads directly on threads from different users.
We cannot verify and kill everything like Dettol. As you said, it's not a paid service. Everyone is doing his job in his own free time.

And let me give you a live example of developers asking for too much data from you (I emulated a dev license callback to see the data transmitted):
PHP:
// Excerpt from the license callback: the output of how() is sent in a custom "www" header.
$how = $this->how();
$headers = [
    "Authorization: Basic $pid",
    "www: $how",
];

And this is the output of the how() function (I censored some sensitive data):
PHP:
string(3049) "{
"$_SERVER['USER']":"www-data",
"$_SERVER['HOME']":"\/var\/www",
"$_SERVER['HTTP_CF_IPCOUNTRY']":"--",
"$_SERVER['HTTP_CF_CONNECTING_IP']":"-------------",
"$_SERVER['HTTP_CDN_LOOP']":"cloudflare",
"$_SERVER['HTTP_PRIORITY']":"u=0, i",
"$_SERVER['HTTP_COOKIE']":"SHR_E_ENC=---------------------",
"$_SERVER['HTTP_ACCEPT_LANGUAGE']":"en-US,en;q=0.9",
"$_SERVER['HTTP_SEC_FETCH_DEST']":"document",
"$_SERVER['HTTP_SEC_FETCH_USER']":"?1",
"$_SERVER['HTTP_SEC_FETCH_MODE']":"navigate",
"$_SERVER['HTTP_SEC_FETCH_SITE']":"none",
"$_SERVER['HTTP_ACCEPT']":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7",
"$_SERVER['HTTP_USER_AGENT']":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/115.0.0.0 Safari\/537.36",
"$_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']":"1",
"$_SERVER['HTTP_DNT']":"1",
"$_SERVER['HTTP_SEC_CH_UA_PLATFORM']":""Windows"",
"$_SERVER['HTTP_SEC_CH_UA_MOBILE']":"?0",
"$_SERVER['HTTP_SEC_CH_UA']":""Not\/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"",
"$_SERVER['HTTP_CACHE_CONTROL']":"max-age=0",
"$_SERVER['HTTP_CF_VISITOR']":"{"scheme":"https"}",
"$_SERVER['HTTP_X_FORWARDED_PROTO']":"https",
"$_SERVER['HTTP_CF_RAY']":"----------",
"$_SERVER['HTTP_X_FORWARDED_FOR']":"--------------",
"$_SERVER['HTTP_ACCEPT_ENCODING']":"gzip",
"$_SERVER['HTTP_CONNECTION']":"Keep-Alive",
"$_SERVER['HTTP_HOST']":"------------",
"$_SERVER['REDIRECT_STATUS']":"200",
"$_SERVER['SERVER_NAME']":"---------------",
"$_SERVER['SERVER_PORT']":"443",
"$_SERVER['SERVER_ADDR']":"---------------",
"$_SERVER['REMOTE_PORT']":"29712",
"$_SERVER['REMOTE_ADDR']":"---------------",
"$_SERVER['SERVER_SOFTWARE']":"nginx\/1.25.1",
"$_SERVER['GATEWAY_INTERFACE']":"CGI\/1.1",
"$_SERVER['HTTPS']":"on",
"$_SERVER['REQUEST_SCHEME']":"https",
"$_SERVER['SERVER_PROTOCOL']":"HTTP\/1.1",
"$_SERVER['DOCUMENT_ROOT']":"\/var\/www\/---------------",
"$_SERVER['DOCUMENT_URI']":"\/garena.php",
"$_SERVER['REQUEST_URI']":"\/garena.php",
"$_SERVER['SCRIPT_NAME']":"\/garena.php",
"$_SERVER['CONTENT_LENGTH']":"no value",
"$_SERVER['CONTENT_TYPE']":"no value",
"$_SERVER['REQUEST_METHOD']":"GET",
"$_SERVER['QUERY_STRING']":"no value",
"$_SERVER['SCRIPT_FILENAME']":"\/var\/www\/----------\/garena.php",
"$_SERVER['FCGI_ROLE']":"RESPONDER",
"$_SERVER['PHP_SELF']":"\/garena.php",
"$_SERVER['REQUEST_TIME_FLOAT']":"1691785875.6117",
"$_SERVER['REQUEST_TIME']":"1691785875"
}"

Can you understand why the dev is asking for everything about your server? And why he needs the server username the script is running under? And the absolute path, along with other sensitive data about your server?
Is there any guarantee that he doesn't store them in an insecure environment from which they can be extracted by third parties?
Anyone analyzing a script with callbacks and calls to the dev server may find a way to extract data from your server if it is not protected enough.
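
To see at a glance what a callback like this gives away, the sketch below parses a dump in the format shown in the post and groups the transmitted `$_SERVER` keys by what they reveal. It is an added example, not part of the original post or of the script discussed; the category grouping, function names and sample values are assumptions made for illustration.

```python
import re

# Assumed grouping of $_SERVER keys by what they reveal; tune it to your own threat model.
SENSITIVE = {
    "session/credentials": {"HTTP_COOKIE", "HTTP_AUTHORIZATION", "PHP_AUTH_USER", "PHP_AUTH_PW"},
    "os account": {"USER", "HOME", "LOGNAME"},
    "filesystem layout": {"DOCUMENT_ROOT", "SCRIPT_FILENAME", "PATH_TRANSLATED"},
    "origin address": {"SERVER_ADDR", "REMOTE_ADDR", "HTTP_X_FORWARDED_FOR",
                       "HTTP_CF_CONNECTING_IP"},
    "server fingerprint": {"SERVER_SOFTWARE", "GATEWAY_INTERFACE", "FCGI_ROLE"},
}

# One entry per line: "$_SERVER['KEY']":"value",
# The value is matched greedily up to the last quote on the line because the dump
# does not escape inner quotes (see HTTP_SEC_CH_UA), so json.loads() would reject it.
ENTRY = re.compile(r"""^\s*"\$_SERVER\['([A-Z0-9_]+)'\]":"(.*)",?\s*$""")

# Constructed sample in the same shape as the dump above; all values are placeholders.
SAMPLE = r'''{
"$_SERVER['USER']":"www-data",
"$_SERVER['HOME']":"\/var\/www",
"$_SERVER['HTTP_COOKIE']":"SESSION=placeholder",
"$_SERVER['HTTP_SEC_CH_UA_PLATFORM']":""Windows"",
"$_SERVER['SERVER_ADDR']":"192.0.2.10",
"$_SERVER['SERVER_SOFTWARE']":"nginx\/1.25.1",
"$_SERVER['DOCUMENT_ROOT']":"\/var\/www\/example",
"$_SERVER['PATH_TRANSLATED']":"no value",
"$_SERVER['REQUEST_METHOD']":"GET"
}'''

def parse_dump(text):
    """Return {key: value} for every $_SERVER entry found in the dump text."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries[match.group(1)] = match.group(2).replace("\\/", "/")
    return entries

def audit(entries):
    """Group the transmitted keys that carry a real value by sensitivity category."""
    findings = {}
    for key, value in entries.items():
        if value == "no value":  # the dump's marker for an unset variable
            continue
        for category, keys in SENSITIVE.items():
            if key in keys:
                findings.setdefault(category, []).append(key)
    return findings

if __name__ == "__main__":
    for category, keys in audit(parse_dump(SAMPLE)).items():
        print(f"{category}: {', '.join(keys)}")
```

Running the same audit on traffic captured from your own test install shows which of these fields a given script actually sends before you decide whether to allow its outbound calls.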
 
Hello,
Here is my opinion and some knowledge I have about all this nulled thing...
The GPL is a free software license, so it allows you to use and even redistribute the software without having to pay anyone a fee for doing so.
WordPress plugins fall under the GPL (General Public License), so you may wonder what you are paying developers for if the software can be used and redistributed freely without a fee.
Despite their GPL status, developers may charge you for additional features and services that they offer with the premium version. So here are some of the things that you might actually be charged for when purchasing such a plugin version:
  1. Premium Support:
    A user who purchases premium versions usually gets assistance from the developer in troubleshooting and resolving any issues he/she runs into.
  2. Additional Services:
    Developers can offer associated services for a fee. These services may include customization, installation assistance, or training, maybe even 3rd party integrations with other services. By paying for these extras, you can receive personalized support and guidance beyond the core functionality of the plugin.

  3. Quality Assurance: They say the premium plugins undergo rigorous testing and quality assurance processes. Supposedly, developers invest time and resources into ensuring that their premium products are reliable, secure, and up-to-date. They also say you can have higher confidence in the product's stability and compatibility with WordPress. This is all bullshit if you ask me 😊

    Long story short, they may charge you for updates, support and compatibility reassurances. That's why the premium version file download is almost always offered through a premium subscription on the developer's website. And it's usually either a "Pro" extension of the free version of the plugin, or a stand-alone plugin with more features than the free version. On top of this, the premium features are only unlocked when you input a valid API key, which is used to check with the developer's server.
    So the way untouched plugins work is that someone downloads the files from a premium account, then the nuller comes and disables the API check and unlocks the "premium" features.

    The difference is made here, because some developers have more advanced API credentials validation checks than others. Some of them detect the number of domain installations of their plugin and stuff like that, while others have basic systems. Although I agree there might be some info sent to developer's servers or requested by them even after a plugin has been nulled, I think that the malware problem is more plausible to be linked to the nuller than the developers. The developers usually look for new and unbreakable practices to harden the licensing validation and make their product harder to null.

    Except independent developers who sell on Codecanyon & co, I highly doubt that a company would risk getting exposed while doing such practices against their users. If I'm not wrong, it violates GDPR terms and there can be legal consequences for them if someone takes actions.

    I have used many nulled plugins from Babiato and have been doing so for quite a long time. Never ever had any issue with any of them. I also tried other "providers" of nulled plugins before, and 99% of them had problems which caused strange behaviours when installed.

    Honestly, this is the magic of the Babiato community, and the nullers are doing quite an awesome job with the plugins here. It also largely depends on their coding expertise and the way they null it.
 
Nulled or with a license, if the developer has a poor understanding of security, this will happen either way.

You really don't understand that nulled is exactly the same script without the licensing mechanism. If it is from a trusted source like Babiato, it doesn't affect full script functionality.

It's not the nuller's fault that script flaws open your website to hacking or leaking sensitive info.

Sometimes

Nulled is better
and safer
than the original script
 
Houston, we may have a problem.

If a Babia.to admin or moderator gets his hands on a script straight from a developer and nulls it, that script should be 100% safe with no hidden code.

I know this is not a paid service, but if that is not the case, we really need to kill some germs in Babia.

If A=B and B=C, then A=C

Bring on that Dettol bottle
Theoretically, but not necessarily. You don't know what kind of info is being passed back to the original server/author, and you don't know what kind of remote access the developer has put into the script, whether it is licensed or not. It's always best to buy directly from the developer, especially for commercial sites (and especially in professional settings), but it's also always a good idea to go through the code you get that is nulled or "untouched", because you never know. Most of the scripts on here are verified nulled and good to go, but some bad scripts do get out there.

100% safe is never a guarantee.
 
This is so absolutely wrong, it almost hurts.

When a nuller, someone from this community for example, looks for licensing mechanisms in retail packages they got directly from the developer, if he does his job well, he will remove all callbacks to the vendor's servers.

In the process, because it can be quite tedious, said nuller will be able to spot backdoors planted by the developer. Even if you bought a valid license and the dev does not abuse the backdoor, you have a high chance, once hackers find the vulnerability, that your site will be hacked through exactly this backdoor.

So no, if properly done, a nulled plugin/script is in any case better and more safe than a retail script.
 
Both are right from different angles
And I will add something

Many times, using well-nulled scripts
is better and safer than using the author's release

There is a lot of difference between nulled,
bypass, redirections, activations, etc.

Not all "nulled" scripts are really nulled,
sometimes they are just activated

There are many who believe that nulling is
just running a MySQL query to insert "1"
 
Nice article @slvrsteele !
There are a lot of cons and pros to using nulled plugins & themes.

Most of the time, I'm buying certain plugins & themes to support the developers, and until today I never had to use a developer's support and always figured it out by myself. Of course this is different for everyone, but as a Web Developer & Business owner for 9 years, I have been seeing a lot of shady stuff going on with Web Developers or Plugin/Theme Developers. It can be a big pain in the butt for a lot of people to rely on these people that control your income/business or whatever.

But as everyone knows, time teaches us a lot of stuff. Only the good and trustworthy devs/businesses will survive in the long run, and that's why I'm very happy to have the same people that trust me and back me for 9 years with my business. The main rule to succeed in any kind of business: Be ALWAYS honest! & ofc work hard :)

PS. I always analyze scripts/plugins/backdoors just because of interest and once I solve how 'they' did it. It seems very funny and interesting how creative human beings are.

I hope that this information was a good addition to this article. Be good people!

Offtopic: I was surprised today when I saw how the sales of the best selling themes on Themeforest are going; Avada is almost hitting 1M SALES. Crazy numbers... (Link to best selling themes @ Themeforest)
 
As the title says this is the Ugly truth about nulled themes/plugins/scripts or what greedy developers hide from you.

We all hear or read that nulled scripts are full of viruses, backdoors and so on. Here's a quote from a plugin developer

without even mentioning that in most of the cases that malware is added by developers themselves.

Apparently fear of viruses and backdoors infiltrated so deep in everyone's mind that nulled is always associated with virus.
SO WRONG!!

What does "nulled" actually mean?

Nulled means equated with null, zeroed, and it refers to the communication mechanism between the script and the licensing server being zeroed or removed.

Why is it necessary?
Developers want to control the spread of their scripts and make sure no one uses them without paying. Pretty hard task though. So they come up with protection mechanisms like licensing, auto-deletion, auto-removal and even backdoors that allow them access to sites that they consider to have installed their scripts without a license.
While the licensing mechanism is relatively inoffensive, the others are even worse than hackers trying to access your site. Why? Because of the following 2 reasons:
1 - they don't respect you as future clients, or your privacy. I personally wouldn't want to deal with a dev that included a backdoor in his script.
2 - they open holes for hackers for easier access to your server. Developers never thought of that; they only think they can control from a distance and all is solved. But basically they expose you and their clients to easy hacking.

So why is it necessary? Because you want to fully try all the aspects of the script before you put your money on it, without being forced to buy a license and then go through a painful process of asking for a refund. Try before you actually buy.

I often hear this question: "Is it safe to use it on live server?"
The answer does not belong to the yes/no group. It depends. It depends on how evil the developer is and how much he wants to hurt so-called infringers that didn't buy his script officially.
There are scripts that can be used safely on live servers after nulling. With remote calls to the dev server removed, they don't have another way of communication.
There are scripts that cannot be used on live servers. Those are the scripts that contain remote control tools hidden by their own developers.
NO NULLER will thoroughly check an entire script to discover hidden eggs. They will only null communication and that's all. If the communication is 2 way, it can be easily discovered and removed, so the remote control tools are made useless. If there's also 1 way com from dev to your site hidden somewhere in the code, that usually goes unnoticed and it won't be removed.

Well, I cannot post this thread without admitting that there are malevolent third parties that intentionally alter developers' scripts to include the above-mentioned tools of control.
But here at Babiato we are doing our best to keep everyone safe from third party inclusions. We cannot check thoroughly every script provided, but our nulling team is a very responsible one, with priority given to the security of the scripts and our members.
Although we do not endorse the use of nulled scripts on production servers, we do encourage the "try before you buy" ideology. Why? Because we have seen so many cases of greedy developers that praised their scripts and, after they were bought and verified not to do what was promoted, refused to refund.
If you ever download from Babiato a script containing third party remote control code that doesn't appear in the original script from the developer site, please do let us know ASAP so we can eliminate the threat and the disrespectful user from our community.

Long story short:
Q: Are nulled scripts safe for use?
A: 90% yes, but for many it depends on where they were taken from. For others it depends on whether the developer intentionally added and hid (encoded or not) tools of remote control in his original script.

Bottom line: It is your choice whether to use nulled scripts or not. We do strongly recommend that, if you like a nulled script you tested and it was fit for your needs, you buy a legal license from the developer to help him/them with future development of the script.
Extremely well put. Most of the time everyone just asks about the risk, but this time it feels like a complete explanation.
 
I totally agree. For me, nulled scripts are made for testing before buying. As developers ourselves, we can't forget the work done, and if the script fits your needs you must pay for it.
 