Action Scheduler Warning: WooCommerce Black Friday Disaster Avoided
- •
- 4 min read
One of the best things about WordPress is its publishing flexibility; namely through plugins and themes. Plugins add function, themes add design. Sometimes there is an intersection between the two but that’s the basic distinction between WordPress plugins and themes. WordPress is one of the largest open source CMS in existence with a multitude of extensions – themes, paid and free, and plugins, paid, and free.
Sometimes we run across a type of WordPress plugin or WordPress theme being used by one of our customers: nulled plugins and themes. Those are a giant no-no from a security standpoint and an ethical one, too.
Before anyone thinks I’m criticizing people in this post about using nulled themes and plugins, the truth is most don’t even know they’re doing it. For those that are fully aware of it, the lure of free is powerful.
My personal ‘nulled’ story is a cautionary tale. I knew what I was doing and willing to take the risk of using a nulled theme and plugins!
A few years back between jobs, I was looking to start up a hobby blog (and maybe even make some money from it). I had a ton of spare time and I wasn’t making a paycheck… Why not?
It always starts with picking a great domain and then immediately go theme hunting before you start the process of designing everything.
I knew that I didn’t have tons of money kicking around to spend on a new hobby site that likely wasn’t going to make me rich, but I started looking at other similar sites and noticed a few that looked fabulous.
Figuring out what themes they used, I went to find out that it was going to cost me probably around $70 (USD) for the theme. I live in Toronto, and after dealing with the currency conversion it was going to be outside of my budget ($0) at that time at least.
Determined to have that theme, I Googled nulled versions instead with the thought that I could always go back and buy the official version at some point down the road.
I had to sign up for some program, can’t remember exactly now — but that’s what I needed to do in exchange to get my coveted theme for free.
Everything went incredibly smooth without incident, I was able to install everything and all the premium plugins were also included for free. My site looked exactly how I wanted it, life was good and I was thrilled with my newly designed blog.
Until things started getting weird. I would notice things out of the normal when checking Google Search Console as there were traces of content that I couldn’t figure out why it was there. I didn’t see any evidence of it on my end at the beginning, but there was a hidden backdoor that was running malware behind the scenes the entire time.
I tried cleaning things up, but it kept coming back. My hosting company at the time had to remove everything and I ended up abandoning the site a few weeks later.
Despite knowing better and thinking I got a great steal of a deal, you can see the dangers of using nulled WordPress themes and plugins. Just don’t do it.
For these reasons and more, we prohibit all nulled WordPress themes and plugins. Neither are allowed to exist for all websites hosted on the Rocket.net platform. For those who’d like more information, we’re presenting our case.
Also, for brevity, we’re using the term “WordPress plugin” or “WordPress plugins” to also include themes.
Before talking about nulled WordPress products, we need to understand how the ecosystem works. In order for plugins and themes to be distributed on the dot org directory, they need to adopt the General Public License. This policy allows users (including you) to freely use and distribute software.
“Free software can come with a price tag. In other words, you can create a GPL theme and sell it for $50, and it would still be free software. Why? Because the user is free to run, modify, and distribute the software or any modifications of that software.”
WordPress.org
Because the code is open and can be studied and improved upon, WordPress plugins are quickly created and ready for use. For example, the famous donation plugin GiveWP was forked from Easy Digital Downloads in about 6 months, co-Founder Devin Walker says in his WordCamp Los Angeles talk. But GiveWP isn’t a nulled plugin.
Fantastic! Fork a plugin and sell it? Sounds Good.
Then what are nulled plugins and why are they bad?
Nulled Plugins are exact copies of existing plugins and present security and ethical issues just like any other pirated software. Because of this, they are not allowed to be listed on the official WordPress Plugin Directory.
“While the GPL and it’s compatible licenses allow for forking, we have an ‘above and beyond’ rule for hosting here, that means your plugin must be a substantial change of the original. We do not allow direct copies of other plugins to be re-listed under somebody else’s name, we allow changed forks.”
Mika Epstein
Even though the code can be open, the support and updates may not be free. Generally, the core version of a WordPress Plugin (or theme, for the rest of this article) the freemium model thrives. Meaning, there are more features available for a yearly licensing fee.
So, you can download Beaver Builder, fork it for yourself, and use it even commercially. But that doesn’t mean that you or your customers are getting security patches and updates. That’s the security risk for using a nulled plugin.
Nulled WordPress Plugins, especially when they inject malware, can hurt your core web vitals and overall performance. This is a major SEO issue. Meaning, your site can be potentially removed from SERPS.
“You will not know that is what is going on until Google simply removes your website from the search results because it is ‘unsafe.’”
Michael Wells
If you’re feeling confident that your nulled WordPress plugin doesn’t have malware, then consider the performance issues. Nulled plugins and themes aren’t updated. That’s essentially what you’re paying for when you support a developer by purchasing a license.
WordPress Core changes so frequently, it’s important to choose professionally-created WordPress themes and plugins that are continuously tested and updated.
Look for the “tested with” designation that shows a plugin or theme is compatible with the current version of WordPress. This is shown in the Official WordPress directory with over 60,000 plugins. Otherwise, go straight to customer reviews. Read the good ones and the bad ones.
We know this since we often work directly with theme and plugin providers to find solutions to customer issues and seamless integrations. Official WordPress Plugins help us help you.
Don’t go to Fiverr for your website build, hire a WordPress developer who has been vetted.
We don’t have anything against Fiverr, they have thousands of really talented people that offer gigs there.
Back when I was running a Core Web Vitals agency, I saw far too often people that hired people from Fiverr to optimize their site with the hook of including premium caching plugins like WP-Rocket for free as part of the gig. The problem was that those ‘free’ premium plugins were actually nulled and presented huge security issues or eventually broke the sites. These same issues will often come up with ‘too good to be true’ site redesign gigs where premium themes and plugins also turn out be offering nulled versions, and people have absolutely no idea that’s the case…
I would have to explain that they were using a fake copy of their caching plugin and that they would need to buy the official version before my team could start working on it. I sure as heck wasn’t going to fix things down the road for them, I refused to improve performance on any website until they were using licensed themes and plugins.
When someone offers you to optimize your website for Core Web Vitals and they charge $100 to get the job done — run the other way, because they’ll likely hurt your site more than help it. Good optimizers generally charge an absolute minimum of $500 to do it right, but that’s another post for another day.
If you don’t know a good resource, check out he largest marketplace for developers: Codeable.io. Just like potentially expired milk in your fridge: when in doubt, throw it out.
Supporting developers for their work is the ethical and responsible way to make WordPress sustainable. And, since your business depends upon WordPress working properly and performantly for your business to succeed online, it’s well worth the money spent.
SaaS subscriptions add up, it’s true. You must be willing to invest in your website if you expect to gain leads online. No pain, no gain.
Let us do a FREE test migration for you so you can see the difference yourself on a temporary URL, without updating any domain settings! It’s time to change your WordPress hosting company right now and experience the difference the Rocket.net Platform means to your business.