Nulled Themes and Fake Plugins: Malware You Install Yourself

By · Updated · 6 min read

A nulled theme is a paid theme or plugin that someone stripped of its licensing and put up for free download — and in most cases, that someone also added malware before uploading it. When you install one, you're not being hacked through a vulnerability. You're running the attacker's code yourself, as an administrator, on purpose. It's the one infection route where the malware doesn't have to break in, because you carried it through the front door.

I clean up after nulled themes constantly, and the conversation is always a little awkward, because the answer to "how did they get in?" is sitting in the site's theme folder. No judgment here. The sites offering these downloads look legitimate, the files work exactly as advertised, and the malware is written to stay quiet. Here's what's really inside them, and what to do if you've already installed one.

What "nulled" actually means

Commercial themes and plugins check a license key before enabling updates and support. "Nulling" is editing that check out, so the product runs without a purchase. The GPL license most WordPress code uses makes redistributing it legally murkier than people assume but not the real issue. The real issue is that the person doing the nulling controls every line of the copy you download, and free distribution is their delivery system. They aren't running those download sites out of generosity. The download is the bait; your hosting account is the catch.

The malware is rarely visible in a casual look. It hides in an encoded blob inside a licensing file, or in a class file with a plausible name, and it often waits before doing anything, so the theme works beautifully for weeks first. By the time symptoms show, nobody suspects the theme.

WP-VCD: the classic nulled-theme infection

If you want one name for this whole category, it's WP-VCD. It spread for years almost entirely through nulled themes and plugins, and I still find its descendants on sites today. The pattern: you install the theme, and buried in its files is a loader that creates wp-vcd.php and wp-tmp.php inside wp-includes, then injects a line into the functions.php of every theme on the site — not just the one you installed. It phones home, serves spam links to search engines, creates admin users on request, and reinstalls itself from whichever copy you missed.

That last part is what makes it miserable to remove by hand. Delete the files in wp-includes and the infected functions.php regenerates them. Clean the active theme and an infected inactive theme reinfects it overnight. Every copy has to go in one pass, which is a version of the whack-a-mole I describe in why sites keep getting reinfected.

Fake plugins: the quiet cousins

Related trick, different wrapper. On compromised sites I regularly find plugins that were never installed by any human. They sit in wp-content/plugins under generic, forgettable folder names — things shaped like wp-base-helper or core-engine — and a few lines of code make sure they never appear on the Plugins screen. Some arrive bundled inside nulled downloads; others get planted after a break-in as a persistence mechanism.

The lookalike variant targets your trust in familiar names: a folder named one letter off from a plugin you actually use, holding a file or two of loader code. Skimming an FTP listing, your eye slides right past it. I found one last winter only because the real plugin and the impostor sat two lines apart in the directory listing and the duplication looked odd.

The check that works: compare the plugin folders on disk against what the Plugins screen shows. Anything on disk that the dashboard doesn't list needs explaining — the same visibility trick I cover in hidden admin users, applied to plugins. My indicators checklist has the fuller version of this audit.

The economics, plainly

A quality theme costs maybe $60. A hosting account with clean reputation, mail-sending ability, decent search rankings, and a payment page is worth far more than $60 to the people who run nulled-download sites — and they collect it from thousands of installs at once. Spam links rented out on your pages, redirects sold by the visitor, phishing kits hosted in your uploads folder, your outbound mail used for spam runs. You paid with something more expensive than money; you just didn't see the invoice. When the blacklists catch up, you'll see it clearly enough — that's usually when my blacklist removal phone rings.

What about the "GPL club" sites?

Somewhere between the official developer and the shady nulled-download forum sits a category that markets itself as legitimate: subscription sites selling access to thousands of premium themes and plugins for a few dollars a month, usually with "GPL" featured prominently in the name. Their legal argument is real as far as it goes — the GPL does permit redistribution. Whether a given site's copies are tampered with is a separate question from whether distributing them is allowed, and it's the only question that matters for your security.

My honest read after years of cleanups: some of these sites distribute untouched copies, some don't, and from the outside you cannot tell which you're getting. You're trusting an anonymous middleman's supply chain to save $50. Even in the best case — a genuinely clean copy — you've bought yourself a product with no license key, which means no automatic updates. Six months later you're running a version with published vulnerabilities, and the attacker doesn't need a poisoned download anymore; the outdated code is the way in. Several cleanups on my bench started exactly that way, with a clean-but-frozen GPL-club plugin that aged into a hole.

If budget is genuinely the obstacle, the honest alternatives are free themes and plugins from the official WordPress directory. They're reviewed on the way in, they update, and the good ones are better than people expect. Boring advice. It's also the advice that keeps you off my cleaning bench.

If you've already installed one

Assume compromise rather than hoping for the best. Delete the nulled theme or plugin completely, but don't stop there, because the loader has usually spread beyond its original folder by the time you act. Check functions.php in every theme on the site, look for wp-vcd.php and wp-tmp.php in wp-includes, review users and application passwords, and compare disk against dashboard for plugins. Then buy the real license. The legitimate copy gets security updates, which the nulled copy never did — nulled software also can't update, so even a "clean" null turns into a vulnerability collection over time.

If that list reads like a lost weekend, my free scanner will give you a first opinion in about a minute, and my cleaning service exists for exactly this situation. I've pulled WP-VCD and its relatives out of more sites than I can count, and I know where the copies hide.

Going forward, the rule is short: install themes and plugins only from the official WordPress directory or directly from the developer. My guide to security best practices covers the rest of the habits, but this single rule would have prevented the majority of the nulled-software cleanups I've ever done. The $60 theme was always the cheaper option. It just took a hack to prove it.

Common questions

Are nulled WordPress themes safe if I scan them first?

No. The malware in nulled themes is usually encoded, split across files, or set to activate later, so a pre-install scan proving it clean doesn't mean much. Signature scanners miss fresh variants routinely. The only safe assumption is that a nulled download is hostile, because distributing infected copies is how these sites make money.

What is WP-VCD malware?

WP-VCD is a malware family that spread mainly through nulled themes and plugins. It plants wp-vcd.php and wp-tmp.php in wp-includes, injects loader code into functions.php of every theme on the site, serves spam to search engines, and can create admin users. It reinstalls itself from any copy you miss, which makes partial cleanups fail.

How do I find fake plugins on my WordPress site?

Compare the folders inside wp-content/plugins on disk against what your Plugins screen lists. Fake plugins hide themselves from the dashboard, so anything on disk that the screen doesn't show needs investigating. Watch for generic names you don't remember installing and for folders named one letter off from plugins you actually use.

My site got infected from a nulled theme. Is deleting the theme enough?

Almost never. By the time you delete it, the loader has typically spread — injected into other themes' functions.php, dropped files into wp-includes, sometimes added users or application passwords. Every copy has to be removed in the same pass or the survivors reinstall the rest. Treat it as a full site cleanup, not an uninstall.

Why do people put malware in nulled themes?

Because it's profitable and you do the installing for them. A compromised site earns money through rented spam links, paid redirects, hosted phishing pages, and spam email, all billed against your domain's reputation. Giving away a $60 theme to collect thousands of hosting accounts is simply a good trade for them.