
The ugly truth about nulled themes/plugins/scripts

@slvrsteele very well written ❤️ and thank you again for being very helpful, for helping us with your nulling efforts constantly, along with others who are masters of their coding art.
Indeed, Babiato is super important to my work life, just as my Facebook is to my personal life. I cannot imagine how much I would have borrowed and spent if it was not for this lovely forum. Borrowed, as I might not be making so much to spend so much for all the required Themes and Plugins.

I try to buy as and when I can: firstly, to support some developers (whose scripts aren't available here on Babiato); secondly, when they cannot be nulled for whatever reason; and thirdly and most importantly, to give back some droplets to this amazing ocean and to the Den of Brothers, all of whom I might never know personally or get to meet and say thank you for helping me in various ways.

To add just two cents: when we buy a script from CodeCanyon / ThemeForest, I feel the company must be taking their sweet time to evaluate the scripts before launching them for sale, as many developers there state that their sales get approved after certain checks.

❤️ this place since I've been here - the professional conduct maintained is top notch. Much appreciation to @Babak who started this place, and look where we all are ❤️
 
As the title says this is the Ugly truth about nulled themes/plugins/scripts or what greedy developers hide from you.

We all hear or read that nulled scripts are full of viruses, backdoors and so on. Here's a quote from a plugin developer

without even mentioning that in most of the cases that malware is added by developers themselves.

Apparently fear of viruses and backdoors infiltrated so deep in everyone's mind that nulled is always associated with virus.
SO WRONG!!

What does "nulled" actually mean?

Nulled means equaled with null, zeroed, and it refers to the communication mechanism between the script and the licensing server being zeroed or removed.

Why is it necessary?
Developers want to control the spread of their scripts and make sure no one uses them without paying. Pretty hard task though. So they come up with protection mechanisms like licensing, auto-deletion, auto-removal and even backdoors that allow them access to sites that they consider to have installed their scripts without a license.
While licensing mechanism is relatively inoffensive the others are even worse than hackers trying to access your site. Why? Because of the following 2 reasons:
1 - they don't respect you as future clients and your privacy. I personally wouldn't want to deal with a dev that included a backdoor in his script.
2 - they open holes for hackers for easier access to your server. Developers never thought of that, they only think they can control from distance and all solved. But basically they expose you and their clients to easy hacking.

So why is it necessary? Because you want to fully try all the aspects of the script before you put your money on it, without being forced to buy a license and then go through a painful process of asking for a refund. Try before you actually buy.

I often hear this question: "Is it safe to use it on live server?"
Answer does not belong to yes/no group. It depends. It depends on how evil is the developer and how much he wants to hurt so called infringers that didn't buy his script officially.
There are scripts that can be used safely on live servers after nulling. With remote calls to dev server removed they don't have another way of communication.
There are scripts that cannot be used on live servers. Those are the scripts that contain tools of remote control hidden by their own developers.
NO NULLER will thoroughly check an entire script to discover hidden eggs. They will only null communication and that's all. If the communication is 2 way it can be easily discovered and removed so the remote control tools are made useless. If there's also 1 way com from dev to your site hidden somewhere in the code that usually goes unnoticed and it won't be removed.

Well, I cannot post this thread without admitting that there are malevolent third parties that intentionally alter developer's scripts to include above mentioned tools of control.
But here at Babiato we are doing our best to keep everyone safe from third party inclusions. We cannot check thoroughly every script provided but our nulling team is a very responsible one with priority to security of the scripts and our members.
Although we do not endorse the use of nulled scripts on production servers we do encourage "try before you buy" ideology. Why? Because we have seen so many cases of greedy developers that praised their scripts and after they were bought and verified that they don't do what was promoted developers refused to refund.
If you ever download from Babiato a script containing third party remote control code that doesn't appear in the original script from the developer's site, please let us know ASAP so we can eliminate the threat and the disrespectful user from our community.

Long story short:
Q: Are nulled scripts safe for use?
A: 90% yes, but for many it depends on where they were taken from. For others it depends on whether the developer intentionally added and hid (encoded or not) tools of remote control in his original script.

Bottom line: It is your choice whether to use nulled scripts or not. We strongly recommend that, if you like a nulled script you tested and it was fit for your needs, you buy a legal license from the developer to help him/them with future development of the script.
Quite an eye opener. Thanks for going to great lengths to shed light on nulled scripts. Makes me appreciate babiato and the amazing community!!
 
Regarding this matter, I have a question. When the "Theme" is "nulled," and as a result, any connection between the script and the license server becomes non-functional. If the creator discovers our page and notices their Theme, couldn't they realize that the theme has been nulled and potentially report us or take similar action? This is a concern that likely worries many people and requires an answer so that everyone can use these themes with peace of mind.
 
WordPress (the actual software "engine") is provided under a free GPL license.

It is a condition of WordPress that ALL plugins & themes which connect to WordPress must ALSO be provided under GPL license too.

To quote from WordPress:

In theory, WordPress’ GPL licensing means two things for those who seek to create ‘derivative’ products (i.e. plugins & themes):
  • Anyone is free to utilize, modify and distribute your products without restriction.
  • The only value you can offer is premium support and automatic updates.

So, anyone can use "premium" plugins & themes without problem. The only things a developer can do are:
  • making their plugin download key files directly from the developer's server, and
  • only provide support to paying customers
 

I completely understand your perspective and the importance of adhering to the GPL license, which is fundamental to WordPress and the spirit of open-source. It’s true that WordPress, along with any derivative products including themes and plugins, must be distributed under the GPL license. This ensures the freedom to use, modify, and redistribute the software, which is fantastic for the community.

However, it's also important to recognize that the GPL license does not prohibit the sale of themes or plugins. What the GPL does is allow the sale of the product while granting the buyer the same freedoms that were initially provided, including the ability to modify and redistribute the software. The common practice among developers to sell themes and plugins is based on the concept that they are offering not just the software but also added services, such as premium support and automatic updates, which require time and resources to provide.

The distinction here is subtle but significant: paying for a GPL-licensed theme or plugin does not contravene the principles of the license, as long as the buyer is granted the same rights provided by the GPL. This approach enables developers to sustain their work and innovate, all while respecting the spirit of the GPL license.

I hope this explanation helps to clarify things a bit. I firmly believe our community can benefit from a shared, respectful understanding of open-source principles, while also acknowledging the effort and creativity of developers. It’s in this balance that the true beauty of WordPress and its ecosystem lies.

This is precisely why I was wondering if there's any risk if the creators of the themes notice that we are using a nulled version of their theme.
 
@Eden Genesis there are a few things developers can do regarding that:
1 - Do absolutely nothing because of the GPL license
2 - Use their own programmed RC snippets/backdoors to deface/destroy your site (which is a common practice, but not a single one of them knows that it is an illegal practice actually punished by online laws)
3 - File a DMCA complaint with your hosting company where they say their software is used without rights. And again illegal, because if the hosting company takes action against you based on a DMCA complaint you can counter-sue the developer and ask for punitive damages based on free distribution of a GPL-licensed script.

Of course there are flaws and loopholes with all these, but the main idea is that the developer can't do anything legally once you use their GPL-licensed software (no matter the way of acquisition).
 


Thank you for the clarification. I sincerely hope they don't take the extreme step of reaching out to my web hosting provider.

Up to this point, I've ensured that all my resources are purchased. However, due to financial limitations, some themes have become prohibitively expensive, so I'm considering using them temporarily before making an official purchase.

My intention is purely to avoid any disruption or infringement.
 
I have just finished cleaning 100s of files affected by malware. My entire server was affected; the host scanned my server and found over 2000 files, many were .htaccess files that were actually uploaded or made. Many index.php files were infected with 5 lines of code that shouldn't have been there, and there were other files created called in1dex.php or a similar name.

It took me over a week to go through these files and correct them.

I am now malware free.

You should also know that ALL my websites also use "Cloudflare", which appeared to be 100% useless.
 
I think Cloudflare's primary function entails safeguarding websites against malicious activities perpetrated by external threats, including hackers and spammers. It is important to note that Cloudflare does not provide protection against potentially harmful scripts uploaded by the website owner themselves. Therefore, prior to uploading any scripts onto one's server, it is advisable to conduct a comprehensive normalization process, which may involve employing reputable virus detection tools such as the well-known VirusTotal platform.
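The changes listed in the cleanup report above (added .htaccess files, lines injected into index.php, new files with names such as in1dex.php) are what a file-integrity baseline is meant to catch. The following is an added example, not code from any post in this thread: it hashes a known-clean tree and later reports new, modified and missing files. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file under root (relative path, "/" separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def near_miss(name, target="index.php"):
    """True if name is one inserted, deleted or replaced character away from target."""
    a, b = sorted((name.lower(), target), key=len)
    if a == b or len(b) - len(a) > 1:
        return False
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def diff_against_baseline(root, baseline):
    """Return sorted (path, reason) pairs for every difference from the clean baseline."""
    current = build_manifest(root)
    findings = [(rel, "missing") for rel in baseline if rel not in current]
    for rel, digest in current.items():
        name = rel.rsplit("/", 1)[-1]
        if rel not in baseline:
            kind = ".htaccess" if name == ".htaccess" else (
                "look-alike of index.php" if near_miss(name) else "file")
            findings.append((rel, "new " + kind))
        elif baseline[rel] != digest:
            findings.append((rel, "modified since baseline"))
    return sorted(findings)

def demo():
    """Constructed sample tree: a clean baseline, then the changes the post describes."""
    def put(root, rel, text, mode="w"):
        with open(os.path.join(root, rel), mode) as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        put(root, "index.php", "clean placeholder\n")
        put(root, "uploads/logo.png", "clean placeholder\n")
        baseline = build_manifest(root)
        put(root, "index.php", "placeholder standing in for injected lines\n", "a")
        put(root, "in1dex.php", "placeholder\n")
        put(root, "uploads/.htaccess", "placeholder\n")
        return diff_against_baseline(root, baseline)
```

Take the baseline right after a clean deployment and store it off the server, so that anyone able to write to the webroot cannot rewrite the manifest as well.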
 
EXACTLY, I've faced the same issues. I've been using only Babiato Nulled Plugins for the last 2 years on a BLUE HOST SERVER and faced no CONNECTION TIME OUT Issues.

It all happened from 28 March 2024 to 06 April 2024, which was the worst of all. All of my Websites were down. Blue Host ran a Site LOCK Scan and found over 2500 + .htaccess files + php backdoors + random scripts which weren't bundled with the WORDPRESS Installation.

Attackers PENETRATED my BLUE HOST Main Account & added a NEW DOMAIN without my knowledge, being used for their Redirection & Activities. Even the BLUE HOST guys didn't reply to me about who managed to add a new spam domain to the account without the user's knowledge.

I'M still cleaning it 1 by 1 :(

My websites were luckily working but they still had DIRTY stuff.

I had WORDFENCE Nulled Firewall + WP HIDE PRO with Max Settings BUT still .....
 
If Blue Host allowed your account to be compromised, the first thing you should do is CHANGE hosts.

Blue Host is owned by Newfold Digital (formerly known as EIG). Newfold buys up well known Internet businesses and milks customers for every penny. The usual model is to cram as many customers onto each box as possible & provide very little customer support. That's probably why you got hacked.

Here are some of the brands Newfold Digital now owns: Bluehost, CrazyDomains, HostGator, Network Solutions, Register.com, Web.com, Yoast

More interesting info on Newfold (and why to avoid their companies) here:
 
Dear @kalios

Thanks for further clearing the matter. You are right they have forced me to BUY Site Lock Service Expert Service who can help me clean up my entire account.

If any plugin can be compromised, max damage would be inside the PUBLIC_html Folder.

Recently their UPTIME isn't reliable. I came to know due to Website Monitoring Tools else I wouldn't know when the website was offline for how long? and what the core issue
 