How to Handle Nulled WordPress Plugins and Themes (and Their Users)

Like cracked software is to the internet at large, so too are nulled WordPress plugins and themes to devs and users in the WP space — a nuisance, a danger, a badge of honor.

Wait, what? A badge of honor?

Unique to WordPress, having your first product ‘nulled’ is something of an achievement, a kind of confirmation that you’ve ‘made it’ in the ecosystem. But I bet once the first one’s down, the rest become increasingly irritating — and even infuriating — as invalid support requests come in and more GPL marketplaces pick up and promote your brand as their own.

With so many facets to discuss (and a fair amount of differing opinions on the actions to take), I enlisted the help of several product makers in the ecosystem — from business owners to bootstrappers — to get some form of consensus on nulled WordPress plugins and themes.

But before we unpack their thoughts, a bit of background to lay the foundation:

What Does a Nulled WordPress Version Mean?

If you don’t need this (brief) explanation, feel free to skip ahead.

WordPress’s version of piracy (minus the swashbuckling adventure)

Nulled versions are WordPress plugins and themes with the code that restricts functionality removed or bypassed. Consider a product with paid features: if a check in the code stops the plugin from running those features without a valid license, nulling it means deleting or short-circuiting that check. So, users get all of the functionality of a paid product without having to pay a cent.

In most cases, however, people who get their hands on a paid version can use the product in its entirety without having to null it (even without a license key). Unless the developer is using a subscriptions platform like Freemius, there’s simply no protective layer to guard against it.

But there are more ways than one to skin a cat (or null a product, in this case).

Since most developers tie product updates to license validation, nulled version users won't receive updates unless they have access to a license key. Does this concern illegal distributors? Not really. Because the code is open, nulling a product can be as simple as removing the admin notice that tells the user they need a license key to get updates; the distributor then uploads each new release by hand (more on how they obtain those releases below). So, the website owner gets to carry on illegally distributing, and the user gets to keep on using.

This brings me to the ‘why’.

What’s to Be Gained from Nulling a WordPress Plugin or Theme?

It would be far more interesting to tell you that a grand clandestine force is working from the shadows to bring down WordPress by nulling every plugin and theme.

While nowhere near as catastrophic, ‘nullers’ do work in the shadows, but it’s for something less world-altering: personal gain (with some cash thrown in to sweeten the illegal deal).

For people that null products, motivation probably comes down to being cash-strapped, cheap, or young and rebellious. Remember the rush of adrenaline you felt as a youngster who stuck it to authority and gamed the system by burning CDs for friends? I don’t … I was an angel 👼

Teen spirit aside, there is a commercial incentive for distributing nulled WordPress plugins and themes, whether it’s for ads traffic or profit through membership. And in WordPress terms, it’s very similar to distributing cracked software on the internet, right down to the danger of malware.

An Invitation Into GPL Marketplaces for Nulled WordPress Versions

If you know where to look, you can easily find a nulled version of almost any product in the WordPress space.

Some GPL marketplaces offer their catalogs for free, while the more clever will charge a comparatively small membership fee for up-to-date plugins and themes. But how do these websites survive if we know that nulling a paid product strips out the automatic updates for most of them?

Free GPL marketplaces:

In these cases, there's a good chance that the code is carrying malware — like PHP code that dynamically injects backlinks to third-party websites to manipulate search rankings. A popular nulled plugin can end up installed on thousands of websites, each of them printing a hidden link that points to a client's website or to the SEO company itself (black hat SEO). In this way, GPL marketplace owners still make money despite giving the nulled plugins and themes away for free. Keep in mind that the injected code runs with the same privileges as the rest of the plugin, i.e. as the site's PHP process, so a hidden link is only the most visible thing it can do.
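As an added example (not code from the article or from any marketplace), here is a heuristic scan a site owner or developer could run over a plugin directory before activating a copy of unknown origin. It looks for the two injection styles described above: a link printed through a WordPress output hook and hidden with CSS, and an obfuscated loader that decodes and evals a payload. The patterns, the plugin names and both sample files are constructed for the demonstration and are assumptions to tune, not signatures from a real incident.

```python
"""Heuristic scan of plugin PHP files for injected code of the kind the
article describes: hidden backlinks emitted through WordPress output hooks,
and obfuscated loaders that decode and eval a payload.  Added example with
constructed samples; the patterns are assumptions to tune, not a vendor list.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


# Self-contained indicators: one hit is enough to flag the file for review.
STANDALONE_RULES = {
    "eval_obfuscated": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# A link is only suspicious when the file also hooks page output AND hides it.
OUTPUT_HOOK = re.compile(
    r"add_(action|filter)\s*\(\s*['\"](wp_footer|wp_head|wp_body_open|the_content)['\"]", re.I)
ANCHOR_TAG = re.compile(r"<a\b[^>]*\bhref\s*=", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)


def scan_source(src: str, context_lines: int = 3) -> list[Finding]:
    """Returns findings for one PHP file's source text (empty list if clean)."""
    lines = src.splitlines()
    hooks_output = OUTPUT_HOOK.search(src) is not None
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        for rule, rx in STANDALONE_RULES.items():
            if rx.search(line):
                findings.append(Finding(rule, idx + 1, line.strip()[:80]))
        if hooks_output and ANCHOR_TAG.search(line):
            # Look at the anchor and a few preceding lines for a hiding style.
            window = "\n".join(lines[max(0, idx - context_lines): idx + 1])
            if HIDDEN_CSS.search(window):
                findings.append(Finding("hidden_link", idx + 1, line.strip()[:80]))
    return findings


def scan_tree(root: Path) -> dict[str, list[Finding]]:
    """Scans every .php file under root; returns only files with findings."""
    report: dict[str, list[Finding]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples: a clean plugin and a "nulled" copy with two injections.
CLEAN_SAMPLE = """<?php
/* Plugin Name: Example Credit (constructed clean sample) */
add_action('wp_footer', 'ex_footer_credit');
function ex_footer_credit() {
    echo '<p class="ex-credit">Powered by <a href="https://example.invalid/">Example</a></p>';
}
"""

INJECTED_SAMPLE = CLEAN_SAMPLE.replace(
    "</p>';\n}",
    "</p>';\n"
    "    echo '<div style=\"display:none\"><a href=\"https://seo.example.invalid/client\">cheap loans</a></div>';\n"
    "}\n"
    "eval(base64_decode('ZWNobyAxOw=='));  // constructed placeholder payload ('echo 1;')\n",
)


def demo() -> dict[str, list[Finding]]:
    """Writes both samples into a temporary tree and scans it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "example-credit").mkdir()
        (root / "example-credit" / "example-credit.php").write_text(CLEAN_SAMPLE)
        (root / "example-credit-nulled").mkdir()
        (root / "example-credit-nulled" / "example-credit.php").write_text(INJECTED_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for file, hits in demo().items():
        for h in hits:
            print(f"{file}:{h.line} {h.rule}: {h.snippet}")
```

The clean sample also prints a footer link through `wp_footer`, and it is not flagged: the scanner only reports an anchor when a hiding style sits on or just above it, which keeps ordinary "Powered by" credits out of the report. A hit is a reason to diff the file against the vendor's release, not proof of malware on its own.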

GPL marketplaces with subscribers:

Distributors abuse money-back guarantees by purchasing products, asking for refunds, and then re-purchasing from different email and IP addresses when new versions are published. Rinse and repeat. This way, GPL marketplace owners can upload the latest versions for their subscribers (who’ve probably paid a minimal fee).

Is it illegal? Yes, but not because the code is being distributed (that’s open-source software for you). The practice is illegal because it’s infringing on copyright and trademark laws — many of these websites promote the products as legitimate versions. For example, a nulled version of the WP Rocket plugin will not be stripped of its branding and renamed. It will be billed as a legit version of WP Rocket.

If these websites are infringing on copyright/trademark laws, why aren’t more of them being swiftly taken down?

How Nulled Version Websites Get Away With Copyright Infringement

GPL marketplace owners use servers in countries where it’s too complex or problematic to take legal action against copyright/trademark infringement. They’re cunning and maybe even clever, having found loopholes that help them abuse worldwide regulations without having to face any consequences for profiting from someone else’s hard work. And even if a GPL marketplace does get taken down, what’s to stop the owner from starting another one?

‘On to the next one’

Putting aside the illegalities and ethics of nulling products, there are dangers for end-users that make the practice even more wretched:

  • Security breaches
  • Incompatibility issues
  • Zero updates and troubleshooting
  • Lower SEO ranking
  • Bad user experience
  • No support

Whether the user knows the product is nulled or not is another matter. If their website breaks or is breached, who are they going to call (for support)?

Yep — the product maker.

Should Developers Offer Support for Nulled WordPress Plugins and Themes?

Let’s get it out of the way — no, developers shouldn’t feel obligated to offer support for nulled WordPress products. But they should try and educate users who contact them and are willing to listen.

And what about the belligerent, rude ones?

Don’t feed the trolls — they’re in no position to make demands anyway. What recourse do they have besides leaving a one-star review which can easily be discredited in public?

Because nulled WordPress plugins and themes are prevalent in our ecosystem, users looking for support are never far away and scenarios differ from the two I’ve described above.

For a more nuanced take on the matter, here’s how product makers (some Freemius partners, some not) deal with support for nulled WordPress products.

How to Contact Suspected Nulled WordPress Product Users

Guns blazing and on the attack isn’t the way to deal with the situation. There’s a chance there’s been a misunderstanding and a ‘lost customer’ could be turned into a bona fide paying one. Carlos Moreira of Interactive Geo Maps explains how he goes about approaching suspected nulled version users:

It doesn’t happen to me very often. It’s very rare. Usually, when I can’t find their license, I ask users to confirm which email they used to purchase the license, or if they can confirm what their license is. In most cases, they do manage to confirm a different email or provide proof. Maybe some don’t reply. And usually, I write something along the lines that I can only open a proper support ticket in our platform with the license key, not only [to find out if it’s nulled] but also to confirm the user is entitled to support.

Actually, in the 2+ years of using Freemius, I never had a user without a license “demand” support.

(That makes me proud to hear!)

Responding to Nulled Version Users Who Request Support

If premium support requires a license key, anyone who asks for it without one is either a free-version user or a nulled-version user, and the same stock reply covers both. Alan Fuller of Fullworks Plugins laid out his response process:

As my plugins have a free version, I have a stock reply. Basically, you appear to be a free user — if I’m wrong, send me the proof of purchase, if not please go to WP.org forums. Obviously, that deals with both free users and nulled users, but to date, I have not yet identified a nulled user asking for support. In fact, I have only identified one nulled instance, which was the premium version still operating after the trial.

Founder and CEO of Advanced Ads Thomas Maier describes a similar process:

We at Advanced Ads are not using Freemius, but became pretty good at finding the license attached to a nulled version. It happens regularly that a user who doesn’t have a valid license reaches out via email — but more often via the WP.org forum. We politely ask them to verify the license before they get support. If they reached out via WP.org, we can also ask them to reach out directly, since WP.org is not the place to get premium support.

What we found out is that many sites that share nulled versions get it from the same source. So if you can identify that single purchase, you stop most of them from getting plugin updates. At least for a while. They tend to make a new purchase to get a new license key after a while (more on this later). Sometimes, they reached out to our support complaining about being blocked. Of course, they always deny having shared the license.

And what about the benefit of the doubt or second chances? Thomas continues:

Only in one case in the past have we given a user another chance. I would say it was a gut feeling from their communication after we told them about disabling their license. I have been 15 once upon a time when it felt normal to share floppy discs with software on the schoolyard. I believe that there are a few people who simply don’t know the harm they are causing. They think this is a good thing they do for others if they share their license.

The above interactions seem calm from an outsider’s perspective (mine 😁), but what about when an irrationally irate person demands support and won’t back down?

How to Respond to Angry Nulled WordPress Plugin and Theme Users

Our very own VP of Engineering Swashata Ghosh shared a memorable story from his bootstrapping days as CEO of WPQuark:

A user asked (actually demanded) that I do some customization because they purchased. I asked them to share the license code and they responded it was for a client and couldn’t provide it due to an NDA, etc. and that they don’t have access to the licensor’s website. Sure…

I responded that they could hire us for a customization fee. They replied angrily that they’d rate us one-star and badmouth us. I called their bluff and asked: If you don’t have access to the licensor’s website, how can you give a one-star rating?

No further emails were forthcoming, of course. I then asked Swas what he did when confronted with the opposite end of the spectrum. I.E. those who genuinely did not know they purchased illegally.

I created a system that has an automatic license verification, which means the user needs to provide their license key to get support. When I get such emails, I simply redirect them to the system, asking them to use their license key. Legit users don’t mind. Nulled users usually don’t reply … well, sometimes they do, but I don’t entertain them anymore because it’s a colossal waste of time.

It’s common for developers to brush off nulled version users and go about their day, but what if the damage being done warrants action to stop it from getting worse?

Is There Any Recourse Against Nulled WordPress Plugins and Themes?

There are several actions developers can take, but to be honest, the odds of having a website taken down are slim. For the reasons mentioned, GPL marketplace owners who null products are savvy and have workarounds that mitigate the chances of legal action.

But in the spirit of thoroughness, here’s what you can do if you’re a victim of copyright or trademark infringement through nulling:

(We cover this more in-depth in our article about fighting GPL license trolls)

What to Do If a Nulled WordPress Plugin or Theme Is a Trademark Infringement

Due to the GPL/open-source nature of WordPress plugins and themes, there is a low success rate in getting these sites taken down without enlisting legal help.

But theoretically, you can contact Google and report the website or approach the hosting company and ask them to take the site down. Another course of action is to contact an attorney to see what your options are. This may be the better choice considering they’ll be armed with deeper legal experience/knowledge and will fight for you (hopefully).

A simpler way would be to approach the owner directly to resolve the matter one on one. However, this may be more troublesome than it initially seems, which we’ll explore in the next section.

What to Do If a Nulled WordPress Product Is a Copyright Infringement

Again, the easiest method is to contact the website owner directly and inform them you’ll be taking legal action should your work not be taken down. Here’s why this method is both easy and frustrating/rage-inducing:

Well, After multiple request across multiple platforms and 24 hours my content hasn’t been removed from the site stealing and reselling my course without permission — a site owned by a WordPress plugin company

- Jennifer Bourn (@jenniferbourn) April 29, 2022

Though not a plugin or theme, a recent Twitter thread by Jennifer Bourn — a popular brand-builder and course creator — illustrates that some website owners who distribute illegal content aren’t so willing to remove it. The website wasn’t just listing her courses illegally, it was also using her name and associating her brand with the site as a perceived endorsement.

After multiple requests to remove the content and calling them out on Twitter, her courses were still up after 24 hours. ‘They say they know it’s not legal and they don’t care’ is what Jennifer posts further down in the thread. She was forced to file a DMCA against the website.

If you find yourself in this situation, here’s how to file one:

  • First, generate a notice. There are tons of generators online that can do this.
  • Next, send the notice to the website owner, hosting company, and ISP. You can go one step further and notify search engines to remove the site from their results.
  • This site will help you identify the hosting company and this one will help with the ISP.
  • To file the DMCA at the relevant link, Google ISP_NAME / HOSTING_NAME + DMCA.

Swashata offers a lighthearted take on the above:

Truth be told, when I realized my plugin was being “pirated”, I was actually happy because it meant to me that “okay, I have produced a great piece of software that people are willing to pirate”. But yeah, I did send DMCA notices to sites that were selling those nulled versions for a lower price.

Humor aside, people who consciously buy nulled WordPress plugins and themes are doing so because they’re unwilling to pay full price. And as a solopreneur trying to make a career by selling WordPress products, it’s not worth your while (or resources) to deal with cheap customers. This is why prevention — as they say — is better than the cure…

What Measures Can Developers Take to Protect Themselves Against Nulled WordPress Products?

As mentioned, most plugins and themes don’t have any protection against nulling — you get the plugin, you use it, and if you’re devious you distribute it illegally.

For paid products, however, eCommerce software services like Freemius afford a measure of protection against nulling with a set of helper licensing functions offered through a WordPress SDK. I can’t speak for other solutions, so I’ll explain how we do it.

If a license key isn’t present, what was flagged as paid functionality is simply not going to work, plus the product settings aren’t available because they’re overridden by a license activation screen.

For most plugins, a license key exists to receive updates and there are no restrictions in the code itself. The Freemius WordPress SDK, however, connects the state of the customer and their license through an API (which acts as the real source of data). This allows developers to determine/control the execution of the code based on the state of the customer and their license.

Yes, anyone comfortable with PHP can remove the licensing conditions (the checks run on the customer’s own server, so they can always be edited out), but it takes considerably more work than deleting a notice, and that friction acts as a deterrent against the practice in the first place.

Okay, enough promotion 😅 — let’s move into advanced territory, courtesy of Freemius CEO Vova Feldman (and yours truly for not being content with a high-level/layman’s explanation of the below):

Encrypted Token or Hidden ID in the Product Zip Download

When two users download the same version of a plugin or theme, the codebase in the ZIP folder is identical.

But what happens if it isn’t?

Let’s say the developer is savvy enough to have implemented a mechanism that stamps an encrypted or signed token, or simply a unique ID, into each product download. Every time that copy of the plugin checks for updates, the request carries its ID. By logging those requests, the developer can see how many distinct sites report the same ID and single out copies that have spread beyond their license. Here’s an example:

In this scenario, the product owner can even trace the illegal distribution back to its source, because the ID maps to the account that downloaded that particular copy.

The caveat: Are nulled WordPress plugins and themes worth this kind of development hassle if they amount to a very low percentage in the grand scheme of things (we’ll get into this shortly)? To facilitate the above scenario, a unique ID would need to be generated every time a new or returning customer downloads a version of your plugin. When the push and pull of everyday business has you moving in many mission-critical directions, can you afford the time and effort?

The second caveat: Our open source ecosystem makes the above more of a challenge because everyone has access to the code. A tech-savvy person can locate the place that reads the unique ID and strip it from the version, and because the ID has to travel with every update request, anyone who diffs two downloads of the same version or watches the outgoing request can find it. That said, a hidden, unique ID is hard to anticipate and raises the effort needed to null the product; the deterrent is cost, not secrecy.
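The fingerprint-and-trace mechanism described above, as an added example that is not Freemius’s implementation: a download server mints one random token per download, signs it with a server-side HMAC so forged tokens can be rejected without a lookup, stamps it into the ZIP, and an update log counts how many hosts report each token. The token format, the `define()` placeholder where it is stamped, the per-customer template and the “more than N hosts” threshold are all assumptions; a real build would place the ID less conspicuously.

```python
"""Per-download fingerprint for a plugin ZIP plus leak detection from the
update-check traffic it generates.  Added example, not Freemius's
implementation: the token format, the HMAC, the define() placeholder and the
'hosts per license' threshold are all assumptions."""
import hashlib
import hmac
import io
import re
import secrets
import zipfile
from collections import defaultdict
from typing import Optional


class DownloadRegistry:
    """Mints one opaque token per download and remembers which customer got it."""

    def __init__(self, secret: bytes):
        self._secret = secret             # lives only on the download/update server
        self._owner: dict[str, str] = {}  # download id -> customer id

    def _mac(self, download_id: str) -> str:
        return hmac.new(self._secret, download_id.encode(), hashlib.sha256).hexdigest()[:16]

    def mint(self, customer_id: str) -> str:
        download_id = secrets.token_hex(8)   # random, so it reveals nothing about the buyer
        self._owner[download_id] = customer_id
        return f"{download_id}.{self._mac(download_id)}"

    def owner_of(self, token: str) -> Optional[str]:
        """Customer behind a token, or None when the token is forged or unknown."""
        download_id, _, mac = token.partition(".")
        if not hmac.compare_digest(mac, self._mac(download_id)):
            return None
        return self._owner.get(download_id)


# Placeholder the build step replaces in the plugin's main file (assumed location).
PLACEHOLDER = "define('EX_DOWNLOAD_TOKEN', '__TOKEN__');"
TOKEN_RX = re.compile(r"EX_DOWNLOAD_TOKEN',\s*'([0-9a-f]{16}\.[0-9a-f]{16})'")


def build_zip(template: dict[str, str], token: str) -> bytes:
    """Builds the per-customer ZIP: same code for everyone, token stamped in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in template.items():
            zf.writestr(name, body.replace("__TOKEN__", token))
    return buf.getvalue()


def token_in_zip(blob: bytes) -> Optional[str]:
    """What the update client would read back and send with each check."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".php"):
                m = TOKEN_RX.search(zf.read(name).decode("utf-8"))
                if m:
                    return m.group(1)
    return None


class UpdateLog:
    """Server side: records which hosts send which token, and spots spread."""

    def __init__(self, registry: DownloadRegistry):
        self._registry = registry
        self._hosts: dict[str, set[str]] = defaultdict(set)
        self.rejected: list[tuple[str, str]] = []   # (token, host) with a bad MAC

    def record(self, token: str, host: str) -> bool:
        if self._registry.owner_of(token) is None:
            self.rejected.append((token, host))
            return False
        self._hosts[token].add(host)
        return True

    def leaks(self, max_hosts: int) -> list[tuple[str, str, int]]:
        """(customer, token, host count) for tokens seen from more hosts than a
        license allows; the customer is the distribution's likely source."""
        out = [(self._registry.owner_of(t), t, len(h))
               for t, h in self._hosts.items() if len(h) > max_hosts]
        return sorted(out, key=lambda x: -x[2])


def demo() -> dict:
    reg = DownloadRegistry(secret=b"constructed-demo-secret")
    template = {"example/example.php": "<?php\n/* Plugin Name: Example */\n" + PLACEHOLDER + "\n"}
    tok_a = token_in_zip(build_zip(template, reg.mint("cust-a")))
    tok_b = token_in_zip(build_zip(template, reg.mint("cust-b")))
    log = UpdateLog(reg)
    log.record(tok_a, "shop.example")                      # legitimate single site
    for i in range(40):                                    # cust-b's copy spread around
        log.record(tok_b, f"site{i}.example")
    log.record("deadbeefdeadbeef.0000000000000000", "forger.example")  # bad MAC
    return {"leaks": log.leaks(max_hosts=5), "rejected": len(log.rejected)}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the token is random rather than derived from the customer, so a copy found in the wild discloses nothing about the buyer until the server looks it up, and the threshold should be the number of sites the purchased license actually allows, not a fixed constant, or multi-site licenses will be reported as leaks.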

Is Trying to Stop Nulling Worth the Blood, Sweat, and Tears?

Nulled versions are part of the game for open-source products. There’s nothing you can do to solve the problem. I lost days in the past trying to put them offline, but for every one removed from Google lists, 10 popped up.

- Luca Montanari of LCweb

For me, this is the crux of the matter. Sure, knowing that your product is being ripped off and sold for profit you’ll never see is frustrating — but is the legal red tape or advanced development worth the precious time you could be devoting elsewhere?

The prevailing opinion in the WordPress ecosystem — especially among solopreneurs and small businesses — seems to be no. I say ‘seems’ because as my guests have illustrated, no circumstance is the same.

First off, let’s unpack the common opinion, backed by insights from Vova.

The common opinion is based on the assumption that most people who get their hands on nulled WordPress versions aren’t going to become customers anyway. Let’s say that out of all your product distributions, 2% are illegal and roughly 90% of those users are never going to buy your product (because that’s why they went looking elsewhere in the first place).

We’re talking about a very small percentage of people who are going to end up as lost customers — approximately 10% of that 2%, which ends up as 0.2%. Also, these websites are like mushrooms: if you manage to take down one, another will pop up soon.

So you just say, okay, 0.2%. That’s internet fraud. That’s the cost of doing business, just like chargebacks, refunds, and everything else that comes with it.

Here are a few examples, spanning the spectrum of the ecosystem and using the freemium business model. I’ll leave it up to you to decide if pursuing legal action or otherwise would be worth it based on the outcomes:

Plugin X (many WordPress plugins fall into this category)

  • Cost of license = $50
  • 20k active installs
  • 5%* conversion rate = 1000 customers
  • 2% nulled versions = 20 illegal licenses
  • 10% unintentionally use illegal versions = 2 licenses
  • Yearly revenue: $50,000
    Versus
  • Loss to business: $100

Plugin Y (successful WordPress business)

  • Cost of license = $50
  • 1 million active installs
  • 5%* conversion rate = 50,000 customers
  • 2% nulled versions = 1000 illegal licenses
  • 10% unintentionally use illegal versions = 100 ‘lost customers’
  • Yearly revenue: $2,500,000
    Versus
  • Loss to business: $5000

Plugin Z (hugely successful WordPress business)

  • Cost of license = $50
  • 10 million active installs
  • 5%* conversion rate = 500,000 customers
  • 2% nulled versions = 10,000 illegal licenses
  • 10% unintentionally use illegal versions = 1000 ‘lost customers’
  • Yearly revenue: $25,000,000
    Versus
  • Loss to business: $50,000

* 5% is double the avg. conversion rate for freemium plugins, so the expected business loss is even lower.

Vova continued:

If the full 0.2% of lost customers are being distributed from one website and you have a lot of customers — I’m talking in the region of 10 million like the above — then, yes, maybe it’s worth it to take action. Those kinds of losses are meaningful.

Even so, it’s challenging to establish with any certainty where most of those potential customers have downloaded the nulled version from. And as mentioned, putting mechanisms in place with fingerprints and unique IDs is not trivial; it’s highly advanced. And keep in mind that generating a unique ZIP version per customer requires much more processing and storage resources, which can easily grow to hundreds (maybe even thousands) of dollars per year for a plugin business with millions of active installs.

That said, if you’re making $25 million a year, the business probably has a full-time attorney on the payroll and these types of illegalities are part of their ongoing work.

I would say that it’s at this scale where I’m seeing companies start to chase after these distributors and websites … like the Yoasts of this world. They’ve got legal … they’re working with them all the time.

But if it’s a business with 30 team members, I don’t see the value in pursuing. You’re losing 5k a year and you’ll probably spend more on getting legal involved. The math just doesn’t work.

It seems to me that pursuing nulled version users and offending websites is a waste of time for the majority of solopreneurs. But surely there are outlier cases?

Indeed!

Use Case: A Strategy to Turn Nulled Version Users Into Paying Customers

Xaver Birsak of Mailster gives us a unique perspective on dealing with nulled version users because he sells through a marketplace (CodeCanyon).

Xaver was curious to see how many people were using his product without a valid license. When he discovered the number, he actively sought a way to turn them into ‘real’ customers who’d contribute to his bottom line:

At some point, I was curious how many people use my plugin without a valid license, and since the plugin regularly checks for updates, this should be easy to achieve. In March 2021, I started collecting some metrics to get a bigger picture, and in only 48 hours I had collected 7000+ requests. After 15 months, I got between 800 and 1500 new entries each month — roughly 1000 on average. If you compare this with the actual sales it’s 5x to 10x 🤯.

To Xaver, this number was way too high, so he removed all entries that hadn’t been updated in the previous 14 days. The numbers looked more realistic, though they were still sitting at 5x. Next, he set about devising a way to convert users: he’d analyze the offending websites to get an idea of who was using the nulled WordPress versions of his plugin.

There were a lot of ‘strange’ websites on the list and there were also some legit businesses (restaurants, lawyers, bookstores, personal blogs, etc.) which often had a web agency in their imprint. So I thought they may be legit businesses that had no clue about licenses and nulled versions of plugins or even WordPress. So I thought to show them a friendly notice in the backend.

Xaver avoided showing the message upon activation and instead chose to have a 60-day ‘cool down’ period which allowed users to get to grips with his product. With his notice and script in place, he started to collect invalid license codes after 60 days (leaving legit users blissfully unaware that such a notice existed). Here’s how the notice performed in terms of conversion:

  • 24K installs
  • 63% (15k) saw the message
  • 0.011% converted
  • 30–40 new activations every day
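The measurement-and-notice procedure described above (metrics collected from update checks, entries dropped once idle for 14 days, a notice only after a 60-day cool-down), as an added example that is not Mailster’s code. The two time windows come from the text; the data layout, the function names and the simulated check-ins are assumptions.

```python
"""Server-side bookkeeping for update checks that arrive without a valid
license: count the active unlicensed installs, drop stale ones, and decide
when an install has aged past the cool-down and should see the notice.
Added example modelled on the procedure in the article, not Mailster's code;
the 14-day stale window and 60-day cool-down come from the text, the data
layout is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SiteState:
    first_seen: datetime
    last_seen: datetime
    invalid_since: Optional[datetime]   # None while the last check-in carried a valid license


class LicenseTelemetry:
    def __init__(self, stale_after=timedelta(days=14), cooldown=timedelta(days=60)):
        self.stale_after = stale_after
        self.cooldown = cooldown
        self._sites: dict[str, SiteState] = {}

    def record(self, site: str, license_ok: bool, now: datetime) -> None:
        """One update check from `site`: tracks its last check-in and, if the
        license did not validate, since when that has been the case."""
        st = self._sites.get(site)
        if st is None:
            self._sites[site] = SiteState(now, now, None if license_ok else now)
            return
        st.last_seen = now
        if license_ok:
            st.invalid_since = None        # a key was added or validated: reset
        elif st.invalid_since is None:
            st.invalid_since = now

    def prune(self, now: datetime) -> int:
        """Drops sites that have not checked in within stale_after; returns how many."""
        stale = [s for s, st in self._sites.items() if now - st.last_seen > self.stale_after]
        for s in stale:
            del self._sites[s]
        return len(stale)

    def active_invalid(self) -> int:
        """Installs still checking in whose license is currently invalid."""
        return sum(1 for st in self._sites.values() if st.invalid_since is not None)

    def notice_due(self, site: str, now: datetime) -> bool:
        """True once the install is older than the cool-down and still unlicensed,
        so legitimate users never see the notice at all."""
        st = self._sites.get(site)
        return (st is not None and st.invalid_since is not None
                and now - st.first_seen >= self.cooldown)


def demo() -> dict:
    t0 = datetime(2021, 3, 1, tzinfo=timezone.utc)   # constructed timeline
    tel = LicenseTelemetry()
    for day in range(71):
        now = t0 + timedelta(days=day)
        tel.record("unlicensed.example", False, now)
        tel.record("licensed.example", True, now)
        if day < 30:                       # checked in for a month, then went quiet
            tel.record("abandoned.example", False, now)
    end = t0 + timedelta(days=70)
    return {
        "due_day_59": tel.notice_due("unlicensed.example", t0 + timedelta(days=59)),
        "due_day_60": tel.notice_due("unlicensed.example", t0 + timedelta(days=60)),
        "licensed_due": tel.notice_due("licensed.example", end),
        "pruned": tel.prune(end),
        "active_invalid": tel.active_invalid(),
    }


if __name__ == "__main__":
    print(demo())
```

The pruning step is what turned the raw request count into a realistic one in the account above: an install that stops checking in drops out of the active total instead of inflating it indefinitely, and a site that later activates a valid key resets its `invalid_since` so the notice never fires for it.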

Was the effort worth it? From an informational standpoint, definitely. From a revenue perspective, I’m not so sure.

But:

Take Action (or Don’t) by Deciding on What’s Best for You…

… and your business.

There are always exceptions to the rule. In the majority of cases, going above and beyond to take down nulled version users is not realistic or beneficial. Nor is it to try and convert ‘lost customers’ outside educating the ones that contact you.

In others, the effort may be worth the reward, both professionally (and personally). Not all product makers should be painted with the same brush — some shrug nulled WordPress plugins and themes off, others laugh, and some are genuinely hurt or frustrated by having their hard work taken advantage of.

Analyze your numbers, gauge your resources, and be honest about your time. If thwarting (or converting) nulled version distributors/users lowers digits, drains energy, or ticks critical minutes away, then don’t do it. If the negative effect is negligible, then hopefully this article’s given you an idea of what steps to take next.

Have your own story to tell about nulled WordPress plugins and themes? Fire off in the comments below!

Originally published on the Freemius blog on July 27, 2022.

Freemius: Monetization & Insights platform for #WordPress #plugin #developers.