How to Deal with Nulled WordPress Plugins and Themes (and Their Users)

Nulled WordPress plugins and themes are bad news.

You’ve invested time, effort, and resources into designing and building, and then people opt for nulled versions instead of legitimate copies. For you, that means loss of potential earnings, the additional burden of users of nulled software asking for support, and possibly a damaged reputation. Not to mention legal and ethical concerns and the sustainability of the industry as a whole!

Is there a way to battle the “nullers” and users of these cracked plugins and themes? And does it pay off or is it just fighting windmills?

We unpack this issue in detail below.

What Do People Gain from Nulling WordPress Plugins & Themes?

If you don’t need this (brief) explanation, feel free to skip ahead.

WordPress’s version of piracy (minus the swashbuckling adventure)

Nulled WordPress plugins and themes are versions from which the code that restricts functionality has been removed.

Consider a product with paid features: if something in the code stops the plugin from running specific features, then nulling it means removing the parts of the code that implement that blocking logic.

So, users get all of the functionality of a paid product without paying a cent.

It’s true, though, that since most developers tie product updates to license validation, nulled version users won’t receive updates unless they can access a license key.

Does this concern illegal distributors? Not really.

In this scenario, and due to the nature of open-source, nulling a product could be as simple as removing an admin notice that informs the user they need a license key to get updates. So, the product license owner gets to carry on illegally distributing, and the nulled-version user gets to keep using.

For people who null products, motivation probably comes down to being cash-strapped, cheap, or young and rebellious. Remember the adrenaline you felt as a youngster burning CDs for friends? I don’t. I was an angel.

Teen spirit aside, there is a commercial incentive for distributing nulled WordPress plugins and themes, whether for ad traffic or profit through membership. And in WordPress terms, it’s very similar to distributing cracked software on the internet, right down to the danger of malware.

An Invitation Into GPL Marketplaces for Nulled WordPress Versions

You can easily find a nulled version of almost any product in the WordPress space.

Some GPL marketplaces offer their catalogs for free, while the more clever charge a small membership fee for up-to-date plugins and themes. But how do these websites survive if we know that nulling a paid product strips out the automatic updates for most of them?

Free GPL marketplaces

In these cases, there’s a good chance the code carries malware — like PHP code that dynamically adds backlinks to third-party websites to manipulate search rankings.

Popular nulled WordPress plugins can be installed on thousands of websites, each containing a hidden link that redirects to a client’s website or the SEO company (aka black hat SEO).

This way, GPL marketplace owners still make money despite distributing nulled WordPress plugins and themes for free.

GPL marketplaces with subscribers

Distributors abuse money-back guarantees by purchasing products, asking for refunds, and re-purchasing from different email and IP addresses when new versions are published.

This way, GPL marketplace owners can upload the latest versions for their subscribers (who’ve probably paid a minimal fee).

Is it illegal? Yes, but not because the code is being distributed (that’s open-source software for you). The practice is illegal because it infringes on copyright and trademark laws — many of these websites promote the products as legitimate versions. For example, a nulled version of the WP Rocket plugin will not be stripped of its branding and renamed. It will be billed as a legit version of WP Rocket.

If these websites infringe on copyright/trademark laws, why aren’t more of them being swiftly taken down?

How Nulled Version Websites Get Away With Copyright Infringement

GPL marketplace owners use servers in countries where it’s too complex or problematic to take legal action against copyright/trademark infringement. They cunningly find loopholes that help them abuse worldwide regulations without facing the consequences of profiting from someone else’s hard work.

And even if a GPL marketplace does get taken down, what stops the owner from starting another one?

‘On to the next one’

Illegalities and ethics aside, there are also dangers for end-users that make the practice even more wretched:

  • Security breaches
  • Incompatibility issues
  • Zero updates and troubleshooting
  • Lower SEO ranking
  • Bad user experience
  • No support

Whether the user knows the product is nulled or not is another matter. If their website breaks or is breached, who are they going to call (for support)?

Yep — the product maker.

Should Developers Offer Support for Nulled WordPress Plugins and Themes?

Let’s get this out of the way—no, developers shouldn’t feel obligated to offer support for nulled WordPress products. However, they should try to educate users who contact them and are willing to listen.

And what about the belligerent, rude ones?

Don’t feed the trolls—they’re in no position to make demands anyway. What recourse do they have besides leaving a one-star review that can easily be discredited in public?

Because nulled WordPress plugins and themes are prevalent in our ecosystem, users looking for support are never far away and scenarios differ from the two I’ve described above.

For a more nuanced take, here’s how product makers (some Freemius partners, some not) deal with support for nulled WordPress products.

How to Contact Suspected Nulled WordPress Product Users

Guns blazing and on the attack isn’t how to deal with the situation. There’s a chance there’s been a misunderstanding, and a “lost customer” could be turned into a paying one. Carlos Moreira of Interactive Geo Maps explains how he approaches suspected nulled version users:

It doesn’t happen to me very often. It’s very rare. Usually, when I can’t find their license, I ask users to confirm which email they used to purchase the license, or if they can confirm what is their license. In most cases, they do manage to confirm a different email or provide proof. Maybe some don’t reply. And usually, I write something along the lines that I can only open a proper support ticket in our platform with the license key, not only [to find out if it’s nulled] but also to confirm the user is entitled to support.

Actually, in the +2 years of using Freemius, I never had a user without a license “demand” support.

(That makes me proud to hear!)

Responding to Nulled Version Users Who Request Support

If you don’t offer support for the free version of your plugin/theme, then nulled version users can be identified if they request support and have no license key. Alan Fuller of Fullworks Plugins laid out his response process:

As my plugins have a free version, I have a stock reply. Basically, you appear to be a free user — if I’m wrong, send me the proof of purchase, if not please go to WP.org forums. Obviously, that deals with both free users and nulled users, but to date, I have not yet identified a nulled user asking for support. In fact, I have only identified one nulled instance, which was the premium version still operating after the trial.

Founder and CEO of Advanced Ads Thomas Maier describes a similar process:

We at Advanced Ads are not using Freemius, but became pretty good at finding the license attached to a nulled version. It happens regularly that a user who doesn’t have a valid license reaches out via email — but more often via the WP.org forum. We politely ask them to verify the license before they get support. If they reached out via WP.org, we can also ask them to reach out directly, since WP.org is not the place to get premium support.

What we found out is that many sites that share nulled versions get it from the same source. So if you can identify that single purchase, you stop most of them from getting plugin updates. At least for a while. They tend to make a new purchase to get a new license key after a while (more on this later). Sometimes, they reached out to our support complaining about being blocked. Of course, they always deny having shared the license.

And what about the benefit of the doubt or second chances? Thomas continues:

Only in one case in the past have we given a user another chance. I would say it was a gut feeling from their communication after we told them about disabling their license. I have been 15 once upon a time when it felt normal to share floppy discs with software on the schoolyard. I believe that there are a few people who simply don’t know the harm they are causing. They think this is a good thing they do for others if they share their license.

The above interactions seem calm from an outsider’s perspective (mine 😁), but what about when an irrationally irate person demands support and won’t back down?

How to Respond to Angry Nulled WordPress Plugin and Theme Users

Our VP of Engineering Swashata Ghosh shared a memorable story from his bootstrapping days as CEO of WPQuark:

A user asked (actually demanded) that I do some customization because they purchased. I asked them to share the license code and they responded it was for a client and couldn’t provide it due to an NDA, etc. and that they don’t have access to the licensor’s website. Sure…

I responded that they could hire us for a customization fee. They replied angrily that they’d rate us one-star and badmouth us. I called their bluff and asked: If you don’t have access to the licensor’s website, how can you give a one-star rating?

No further emails were forthcoming, of course. I then asked Swas what he did when confronted with the opposite end of the spectrum, like those who genuinely did not know they purchased illegally.

I created a system that has an automatic license verification, which means the user needs to provide their license key to get support. When I get such emails, I simply redirect them to the system, asking them to use their license key. Legit users don’t mind. Nulled users usually don’t reply … well, sometimes they do, but I don’t entertain them anymore because it’s a colossal waste of time.

It’s common for developers to brush off nulled version users and go about their day, but what if the damage being done warrants action to stop it from getting worse?

Is There Any Recourse Against Nulled WordPress Plugins and Themes?

There are several actions developers can take, but to be honest, the odds of having a website taken down are slim. For the reasons mentioned, GPL marketplace owners who null products are savvy and have workarounds that mitigate the chances of legal action.

But in the spirit of thoroughness, here’s what you can do if you’re a victim of copyright or trademark infringement through nulling:

(We cover this more in-depth in our article about fighting GPL license trolls)

What to Do If a Nulled WordPress Plugin or Theme Is a Trademark Infringement

Due to the GPL/open-source nature of WordPress plugins and themes, there is a low success rate in getting these sites taken down without enlisting legal help.

Here are your options:

  • In theory, you can contact Google and report the website or approach the hosting company and ask them to take it down
  • Contact an attorney to see your options, which may be the better choice, considering they’ll be armed with deeper legal experience and will fight for you (hopefully)
  • Approach the owner directly to resolve the matter one-on-one, which may be more troublesome than it initially seems.

What to Do If a Nulled WordPress Product Is a Copyright Infringement

The easiest method is to contact the website owner directly and inform them you’ll be taking legal action should your work not be taken down.

Here’s why this method is both easy and frustrating/rage-inducing:


Though not a plugin or theme, a recent Twitter thread by Jennifer Bourn — a popular brand-builder and course creator — illustrates that some website owners who distribute illegal content aren’t so willing to remove it. The website wasn’t just listing her courses illegally; it was also using her name and associating her brand with the site as a perceived endorsement.

After multiple requests to remove the content and calling them out on Twitter, her courses were still up after 24 hours. ‘They say they know it’s not legal and they don’t care’ is what Jennifer posts further down in the thread. She was forced to file a DMCA against the website.

If you find yourself in this situation, here’s how to file one:

  • First, generate a notice. There are tons of generators online that can do this, or you can use ChatGPT.
  • Next, send the notice to the website owner, hosting company, and ISP. You can go one step further and notify search engines to remove the site from their results.
  • This site will help you identify the hosting company and this one will help you with the ISP.
  • To file the DMCA at the relevant link, Google ISP_NAME / HOSTING_NAME + DMCA.

Swashata offers a lighthearted take on the above:

Truth be told, when I realized my plugin was being “pirated”, I was actually happy because it meant to me that “okay, I have produced a great piece of software that people are willing to pirate”. But yeah, I did send DMCA notices to sites that were selling those nulled versions for a lower price.

Humor aside, people who consciously buy nulled WordPress plugins and themes do so because they’re unwilling to pay full price. As a solopreneur trying to make a career by selling WordPress products, dealing with cheap customers is not worth your while (or resources). This is why prevention is better than the cure.

What Measures Can Developers Take to Protect Themselves Against Nulled WordPress Products?

As mentioned, most plugins and themes don’t have any protection against nulling — you get the plugin, you use it, and if you’re devious, you distribute it illegally.

For paid products, however, eCommerce software services like Freemius offer protection against nulling with a set of helper licensing functions provided through a WordPress SDK. I can’t speak for other solutions, so I’ll explain how we do it.

If a license key isn’t present, what was flagged as paid functionality is simply not going to work, plus the product settings aren’t available because a license activation screen overrides them.

For most plugins, a license key exists to receive updates and there are no restrictions on the code itself. However, the Freemius WordPress SDK connects the customer’s state and license through an API (which acts as the real data source). This allows developers to determine/control the code’s execution based on the customer’s state and license.

Yes, tech-savvy people can remove the licensing conditions that help developers stop nulling attempts. Still, it’s significantly harder and the functionality acts as a deterrent against the practice in the first place.

Okay, enough promotion 😅 — let’s move into advanced territory, courtesy of Freemius CEO Vova Feldman (and yours truly for not being content with a high-level/layman’s explanation of the below):

Encrypted Token or Hidden ID in the Product Zip Download

When two users download the same version of a plugin or theme, the codebase in the ZIP folder is identical.

But what happens if it isn’t?

Let’s say the developer is savvy enough to have implemented a mechanism that generates an encrypted token or unique ID for each product download. Whenever an installed copy of the plugin checks for new updates, it sends its unique ID with the request.

By implementing this, the developer can monitor and identify illegal versions.

Here’s an example:

  • A person with ill intentions buys and downloads a plugin, nulls it, and then uploads it to their GPL marketplace. They don’t know that the plugin has an encrypted token/unique ID hidden in the package.
  • They distribute it illegally and then ask for their money back, intent on returning once there’s a new version to download (and null).
  • Behind the scenes, the product owner identifies multiple websites requesting updates with an identical ID, alerting them to a distributed nulled version.
  • Said developer takes their power back and hits “cancel” on the license.

In this scenario, the product owner can trace the illegal distribution back to its source.

The caveat: Are nulled WordPress plugins and themes worth this development hassle if they amount to a very low percentage in the grand scheme of things (we’ll get into this shortly)? To facilitate the above scenario, a unique ID would need to be generated every time a new or returning customer downloads a version of your plugin. When the push and pull of everyday business has you moving in many mission-critical directions, can you afford the time and effort?

The second caveat: Our open-source ecosystem makes the above a challenge because everyone has access to the code. Theoretically, a tech-savvy person can identify the place that generates the unique ID and remove it from the version. That said, a hidden, unique ID is hard to anticipate and will make it more difficult to null.
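The vendor-side half of this scheme, sketched as an added example (it is not Freemius code or any product's actual implementation): a per-download ID is derived with an HMAC, and update-check requests are grouped by ID to find one download running on several sites. The signing key, the request fields (`download_id`, `site`), the `site_limit` threshold and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a secret held only by the vendor's download service.
SIGNING_KEY = b"constructed-demo-key"


def issue_download_id(license_id, version, key=SIGNING_KEY):
    """Derive the opaque ID embedded in one customer's ZIP.

    An HMAC keeps the ID unguessable and unforgeable without the key,
    while the vendor can recompute it for any purchase on record.
    """
    msg = f"{license_id}|{version}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_lookup(purchases, key=SIGNING_KEY):
    """Map every issued download ID back to (license_id, version)."""
    return {issue_download_id(lic, ver, key): (lic, ver) for lic, ver in purchases}


def normalize_site(url):
    """Reduce a reported site URL to a bare host so that http/https and
    www/non-www variants of one site are not counted as separate sites."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_shared_ids(update_requests, lookup, site_limit=1):
    """Return (flagged, unknown).

    flagged: license_id -> version and sites, for IDs seen on more than
             site_limit distinct sites (a likely redistributed download).
    unknown: IDs never issued, e.g. a copy whose ID was stripped or altered.
    """
    sites_by_id = defaultdict(set)
    unknown = set()
    for req in update_requests:
        download_id = req.get("download_id", "")
        if download_id not in lookup:
            unknown.add(download_id)
            continue
        sites_by_id[download_id].add(normalize_site(req["site"]))

    flagged = {}
    for download_id, sites in sites_by_id.items():
        if len(sites) > site_limit:
            license_id, version = lookup[download_id]
            flagged[license_id] = {"version": version, "sites": sorted(sites)}
    return flagged, unknown


def demo():
    """Run the check over constructed purchases and update-check requests."""
    purchases = [("LIC-1001", "2.4.0"), ("LIC-1002", "2.4.0")]
    lookup = build_lookup(purchases)
    id_1001 = issue_download_id("LIC-1001", "2.4.0")
    id_1002 = issue_download_id("LIC-1002", "2.4.0")
    requests = [  # constructed sample data, not real traffic
        {"download_id": id_1001, "site": "https://bakery.example/"},
        {"download_id": id_1001, "site": "http://www.bakery.example"},
        {"download_id": id_1002, "site": "https://a.example"},
        {"download_id": id_1002, "site": "https://b.example/blog"},
        {"download_id": id_1002, "site": "c.example"},
        {"download_id": "", "site": "https://d.example"},
    ]
    return find_shared_ids(requests, lookup, site_limit=1)


if __name__ == "__main__":
    print(demo())
```

In practice `site_limit` would come from the number of activations each license allows, and staging or localhost hosts would need their own handling before a license is cancelled.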



Is Trying to Stop Nulling Worth the Blood, Sweat, and Tears?

Nulled versions are part of the game for open-source products. There’s nothing you can do to solve the problem. I lost days in the past trying to put them offline, but for every one removed from Google lists, 10 popped up.

– Luca Montanari of LCweb

For me, this is the crux of the matter. Sure, knowing that your product is being ripped off and sold for profit you’ll never see is frustrating — but is the legal red tape or advanced development worth the precious time you could be devoting elsewhere?

The prevailing opinion in the WordPress ecosystem — especially among solopreneurs and small businesses — seems to be no. I say “seems” because as my guests have illustrated, no circumstance is the same.

First off, let’s unpack the common opinion, backed by insights from Vova.

The common opinion is based on the assumption that most people who get their hands on nulled WordPress versions aren’t going to become customers anyway. Let’s say that out of all your product distributions, 2% are illegal and roughly 90% of those users are never going to buy your product (because that’s why they went looking elsewhere in the first place).

We’re talking about a very small percentage of people who are going to end up as lost customers — approximately 10% of that 2%, which ends up as 0.2%. Also, these websites are like mushrooms: if you manage to take down one, another will pop up soon.

So you just say, okay, 0.2%. That’s internet fraud. That’s the cost of doing business, just like chargebacks, refunds, and everything else that comes with it.

Here are a few examples, spanning the spectrum of the ecosystem and using the freemium business model. I’ll leave it up to you to decide if pursuing legal action or otherwise would be worth it based on the outcomes:

Plugin X (many WordPress plugins fall into this category)

  • Cost of license = $50
  • 20k active installs
  • 5%* conversion rate = 1000 customers
  • 2% nulled versions = 20 illegal licenses
  • 10% unintentionally use illegal versions = 2 licenses
  • Yearly revenue: $50,000

Versus

  • Loss to business: $100

Plugin Y (successful WordPress business)

  • Cost of license = $50
  • 1 million active installs
  • 5%* conversion rate = 50,000 customers
  • 2% nulled versions = 1000 illegal licenses
  • 10% unintentionally use illegal versions = 100 ‘lost customers’
  • Yearly revenue: $2,500,000

Versus

  • Loss to business: $5000

Plugin Z (hugely successful WordPress business)

  • Cost of license = $50
  • 10 million active installs
  • 5%* conversion rate = 500,000
  • 2% nulled versions = 10,000 illegal licenses
  • 10% unintentionally use illegal versions = 1000 ‘lost customers’
  • Yearly revenue: $25,000,000

Versus

  • Loss to business: $50,000

* 5% is double the avg. conversion rate for freemium plugins, so the expected business loss is even lower.

Vova continued:

If the full 0.2% of lost customers are being distributed from one website and you have a lot of customers — I’m talking in the region of 10 million like the above — then, yes, maybe it’s worth it to take action. Those kinds of losses are meaningful.

Even so, it’s challenging to establish where most potential customers have downloaded the nulled version. As mentioned, implementing mechanisms with fingerprints and unique IDs is not trivial; it’s highly advanced. Keep in mind that generating a unique ZIP version per customer requires much more processing and storage resources, which can easily grow to hundreds (maybe even thousands) of dollars per year for a plugin business with millions of active installs.

That said, if you’re making $25 million a year, the business probably has a full-time attorney on the payroll and these types of illegalities are part of their ongoing work.

I would say that it’s at this scale where I’m seeing companies start to chase after these distributors and websites … like the Yoasts of this world. They’ve got legal … they’re working with them all the time.

But if it’s a business with 30 team members, I don’t see the value in pursuing it. You’re losing 5k a year and you’ll probably spend more on getting legal involved. The math just doesn’t work.

It seems that pursuing nulled version users and offending websites is a waste of time for most solopreneurs. But surely there are outlier cases?

Indeed!

Use Case: A Strategy to Turn Nulled Version Users Into Paying Customers

Xaver Birsak of Mailster gives us a unique perspective on dealing with nulled version users because he sells through a marketplace (CodeCanyon).

Xaver was curious to see how many people were using his product without a valid license. When he discovered the number, he actively sought a way to turn them into ‘real’ customers who’d contribute to his bottom line:

At some point, I was curious how many people use my plugin without a valid license, and since the plugin regularly checks for updates, this should be easy to achieve. In March 2021, I started collecting some metrics to get a bigger picture, and in only 48 hours I had collected 7000+ requests. After 15 months, I got between 800 and 1500 new entries each month — roughly 1000 on average. If you compare this with the actual sales it’s 5x to 10x.

To Xaver, this number was way too high, so he removed all entries that hadn’t been updated in the previous 14 days. The numbers looked more realistic, though they were still sitting at 5x. Next, he set about devising a way to convert users: he’d analyze the offending websites to get an idea of who was using the nulled WordPress versions of his plugin.

There were a lot of ‘strange’ websites on the list and there were also some legit businesses (restaurants, lawyers, bookstores, personal blogs, etc.) which often had a web agency in their imprint. So I thought they may be legit businesses that had no clue about licenses and nulled versions of plugins or even WordPress. So I thought to show them a friendly notice in the backend.

A notice to inform users they are using a nulled version of a WordPress plugin.


Xaver avoided showing the message upon activation and instead chose to have a 60-day ‘cool down’ period, allowing users to get to grips with his product. With his notice and script in place, he started to collect invalid license codes after 60 days (leaving legit users blissfully unaware that such a notice existed). Here’s how the notice performed in terms of conversion:

  • 24K installs
  • 63% (15k) saw the message
  • 0.011% converted
  • 30-40 new activations every day

Was the effort worth it? From an informational standpoint, definitely. From a revenue perspective, I’m not so sure.

But:

Take Action (or Don’t) by Deciding on What’s Best for You…

… and your business.

There are always exceptions to the rule. In most cases, going above and beyond to take down nulled version users is not realistic or beneficial. Nor is it to try and convert “lost customers” outside of educating those who contact you.

In others, the effort may be worth the reward, both professionally (and personally). Not all product makers should be painted with the same brush — some shrug nulled WordPress plugins and themes off, others laugh, and some are genuinely hurt or frustrated by having their hard work taken advantage of.

Analyze your numbers, gauge your resources, and be honest about your time. If thwarting (or converting) nulled version distributors/users lowers digits, drains energy, or ticks critical minutes away, don’t do it. If the negative effect is negligible, hopefully, this article’s given you an idea of what steps to take next.

Scott Murcott

Published by

An advertising and marketing professional with nearly 8 years' experience, excelled at Superbalist and Digitas Liquorice, creating impactful content for notable brands including Distell, Pioneer, Tiger, Amarula, Scottish Leader, and Crosse & Blackwell.
