The Difference Between GPL And Nulled WordPress Plugins (And Why You Should Care)

In managing as many websites as I do in the Concierge program, there’s something I occasionally come across. That is WordPress plugins that are outdated, but it doesn’t say they’re outdated.

These are usually premium plugins that cost money. Ones I happen to hold licenses to and work with all the time and I can clearly see in the version number that is outdated. Yet, there’s no ability to update it. Why is this?

This is often a sign of a nulled plugin.

As a WordPress user, it is important that you know what a nulled plugin is and why it is best to avoid them. You also need to be weary of sites and services that distribute nulled plugins and themes.

GPL Versus Nulled – What’s The Difference?

I find a lot of people actually don’t know the difference. Even people who’ve worked with WordPress for awhile sometimes don’t understand this.

I did a writeup (and video) about GPL awhile back when I talked about so-called “GPL Clubs”.

GPL stands for General Public License. And the most common license out there is called the GNU General Public License. It is the software license that WordPress is released under. It stipulates certain points:

• You can run the software for any purpose you wish.
• You are free to modify it any way you wish.
• You can redistribute the original software.
• Any derivative work can also be redistributed, but must remain GPL.

Plugins and themes for WordPress are mostly distributed under this GPL license. As such, people can do pretty much anything they want with it. That includes changing the code.

That brings us to the idea of a “nulled” plugin.

To NULL a plugin or theme means to modify or alter the original source code in order to remove or redirect the licensing mechanism. It could mean things such as:

• Removing the licensing mechanism altogether
• “Hard wiring” a set license code into it so that it passes all license checks
• Redirecting the update requests from the developer’s server to someplace else

How does this compare to simply re-distributing GPL licensed software? Well, you can grab a ZIP file for a theme or plugin and send it anywhere you want and even allow other people to use it. As GPL states, you can redistribute original software. But, NULLING it means that it isn’t original software any longer. It is being modified specifically to de-couple it from it’s original developer.

Is nulling legal? Technically, yes. Since the GPL license allows anybody to modify the code for any reason they wish, no law is being broken to null a WordPress plugin or theme.

But, it is still a pretty douchey thing to do and there are risks that you need to be aware of if you’re using nulled plugins.

Risks Of Running Nulled Themes and Plugins

When you have a developer or company that puts out a licensed plugin for WordPress, they have every incentive in the world to ensure that that plugin works well and has no security issues. In fact, it can be quite a public embarrassment if your plugin makes news because of a huge security vulnerability.

For this reason, you are always way better off to receive updates for your themes and plugins directly from the developer. Not only will you receive updates as soon as they’re released, but getting it right from the source is the most trusted way to get your software.

Nulled plugins are hacked specifically so that this no longer happens.

Updates may be delayed. You may not even know there IS an update because WordPress may not even notify you. If the nulled plugin is cutting off the update server, there’s no way for WordPress to even check if an update is available. If the nulled plugin is checking the wrong source, then that opens up yet more issues.

If the nulled plugin was hacked to check for updates someplace else, how do you know that’s a trusted source? What if the source of that nulled update uses it to slip in security backdoors and other security vulnerabilities into your site? You’d literally have no way to know, unless you’re using an outside security scanning service that could detect it.

Be Careful Where You Get Plugins From

This isn’t something where you need to run around paranoid. The truth is that most nulled plugins and themes are harmless and were only nulled in order to allow people to use them for free. However…

If the security risks are there, it is best to avoid nulled plugins. For that reason, you need to know where they mostly come from:

GPL Clubs and Sites Re-Distributing Plugins

They’re out there. GPL Vault is one of them, among many others. I have nothing against such sites and, in fact, use GPL Vault myself in some instances.

However, be aware that some things you find there are nulled. For instance, some of the Awesome Motive plugins (like MemberPress and AffiliateWP) are coded with lockout mechanisms if the license is invalid. This is most definitely a tactic I hate and one of the many reasons I recommend against their plugins. However, those plugins ARE available on GPL Vault and the license code is literally right there on the website. If you look in the source code of the plugin as downloaded from GPL Vault, that license code is hard-wired right into the code.

Now, GPL Vault isn’t re-routing update requests. There’s nothing they’re doing that would be a security issue. But, it is still nulled.

That’s a pretty innocent case of nulling and that’s because GPL Vault is actually rather legit. But, there are many other sites out there that do this kind of thing and many aren’t quite so trustworthy.

This is just something to understand, be aware of, and use your best judgement.

Services & Agencies

The other big source I’ve seen are agencies and service providers in the WordPress space that re-distribute or install nulled plugins on the sites of their clients/customers.

As somebody who works in the business, this one particularly yanks my chain. 🤬 I usually see it come about like this:

• The client might have hired somebody on a freelancing site in the past to do some work for them and that person installed nulled plugins. In many cases, the site owner doesn’t even know about it.
• The client worked with a service where one of the main selling points is access to a plethora of premium themes and plugins for one set price, or included in the service.

It is almost a guarantee of a problem if you are told to install a proprietary plugin from a service provider in order to access other plugins and install them. If that’s the case, you can pretty much guarantee they are redirecting update requests from those plugins to direct all access to updates to THEM instead of the original developers of that software. In other words, they’re distributing nulled software.

Often, what these services are doing is downloading GPL software from sites like GPL Vault, uploading them to their own repository they control, then using their plugin as a gateway to ensure their clients get the updates through them instead of the original developers. In many cases, they aren’t actually paying the original developers for licenses but are turning around and charging their clients for it. Essentially, reselling other people’s plugins.

Like I said, it is a douchey thing to do. While technically legal.

But, you as a site owner need to be aware of the risks. This practice doesn’t mean that that service provider or agency is bad or trying to do anything unethical, however it does mean they’ve gone out of their way to separate you from the people who built the software your site runs on.

Signs You May Have Nulled Plugins On Your Site

In many cases, it simply isn’t obvious that you are running nulled plugins. If you’re not familiar with this stuff, you could have nulled plugins on your site and be blissfully unaware of it.

I’ve seen this on several sites that I bring on as clients.

The typical sign of a nulled plugin is that… it does’t update normally while also not telling you that your license expired.

See, most developers of licensed plugins are going to code some kind of notice into their software if the license has expired. In most cases, the software will continue to work just fine, but you will not be able to update it and usually there’s some kind of notice within the software that the license needs to be renewed. Unfortunately, some software really nags the hell out of you about it. 🤪

But, when the plugin won’t update yet there are no nag notices anywhere to be found, that’s a sign you might be running a nulled plugin.

Often, this flies under the radar because there’s no notice inside WordPress that there’s even an update available. The only way to know would be to check the developer’s website manually and compare their most recent version to the one you’re running.

Another sign I’ve found of nulled plugins is that the license code seems to be pre-filled out in the licensing screen of the plugin. I recently found this on a client’s site with Elementor Pro installed. The licensing screen would not disconnect from Elementor.com so that I could enter my own license code, but instead would just keep looping back to the same screen with the same code preset. She was running a nulled version of Elementor Pro. For me to fix this, I had to go download Elementor Pro, manually update the plugin by overwriting it, then I was able to activate it properly using an actual license.

So, those are the two main signs I’ve seen of nulled plugins:

• Plugin will not update and shows no updates available, while simultaneously not nagging you about a license.
• Plugin has the license code seemingly programmed right into the plugin. Because, it likely is since it is nulled.

How I Handle Premium Plugins For Concierge

Now, up above, I mentioned how one of the big sources of nulled plugins being installed on WordPress sites is service providers and agencies. Obviously, I offer the Concierge service and one of the benefits of that is access to the premium plugins of the Concierge Toolkit.

I am a big believer in maintaining licenses with the original developers of the software that I install on client websites. This is for 2 main reasons:

• If I am making money myself and one of the benefits of my service is software developed by somebody else, it is my moral obligation to ensure the developer has the compensation they’ve asked for.
• I want to have good relationships with the developers of the plugins I use on my client sites. Not only is this just good karma, but it actually means I can deliver better service to my clients. I can directly contact developers for help if needed.
• Because I am a license holder of the plugins I offer to clients, I actually DO have direct lines of support for the software I use in the Toolkit. This means I can get help on behalf of my clients if necessary.

In more than a few instances, I found minor bugs in the plugins in the Concierge Toolkit. It would come up on a client’s site and, after my due diligence, I find that it is a legitmate bug. Because I have direct lines of contact with the developer or at least access to support, I was able to get the help needed directly from the developer. In a few cases, I even was able to get a fix for my client’s site before that fix was even released to the general public.

Simply put, I wouldn’t be much of a Concierge if I couldn’t directly access updates to the Toolkit plugins and be able to bring in their developers and support people if needed.

Every plugin within the Toolkit except for WooCommerce Subscriptions is fully licensed and I pay for those licenses. The only reason Woo Subscriptions isn’t is because (a) it is incredibly cost prohibitive for me since the paid license is per-site, and (b) I literally never need their support. So, for that one, I take advantage of the GPL license. It is most certainly NOT nulled. There are plugins not in the Toolkit that I can update on behalf of clients manually by way of GPL. I do my best to ensure they’re not nulled.

But, any plugin I list in the Toolkit itself is fully licensed. When I install them on client sites, I enter license codes that I have purchased. If I run out of license slots, I buy more. As such, I spend a few thousand dollars every year for the plugins in the Toolkit. Some of them are lifetime licenses. And when I add a new tool to the Toolkit, I was either comped a license directly from the developer or I purchased it directly.

Final Thoughts

As a user of WordPress, you should understand what a nulled plugin is and why you are advised to avoid them.

Also, realize that GPL and nulled are not the same thing. However, sites that distribute GPL plugins and themes without paying for them are often a mish-mash of innocent redistribution and nulled. It can be hard to tell what is nulled and what isn’t.

Overall, realize that paying for plugins and themes directly with the developers themselves is ultimately the right thing to do. In my personal opinion, you are being rather douchey and short-sighted to go out of your way to get these plugins for free. The amount of work that goes into developing and supporting quality WordPress software cannot be glossed over. When you pay for a license, you’re not only paying for that effort, but also their support if/when you run into issues.

You’re also less likely to run into issues when you buy licensed plugins directly from the source.

Nulled plugins cut the leash and separate the code from the developer, opening up to malware risks, unfixed security issues, and unreliable update mechanics.