
This is why pirating premium plugins is a bad idea

Whenever you sell a digital product (or any product that can be transmitted digitally), you expose yourself to certain realities of the online world. And one of these realities is that of piracy – having a paid-for product distributed for free via various means.

It wasn’t long after we made HeroMenu available on CodeCanyon that we came face-to-face with this particular reality too – free versions of the plugin surfaced very quickly on quite a number of websites.

As a company that develops premium plugins, you could say we have a vested interest in encouraging users to pay for them, but that is not what this post is about. What we want to do here is to educate users about the risks involved.

In my previous post I mentioned a few things that WordPress owners need to be aware of, and many of these revolve around keeping your website safe and secure. But you risk tossing all that knowledge and awareness out the window the minute you decide to grab a copy of that shiny plugin you saw on CodeCanyon from somewhere else.

Saving money by grabbing a free or nulled premium plugin sounds like a great idea, but doing so puts you, your users and possibly other websites sharing your server at risk. When Sucuri is tasked with cleaning up infected websites, they find quite a few installed premium plugins with malicious code added. In simplified terms, the examples listed in the aforementioned post allowed the creation of administrator accounts, which gave the perpetrators a clear route into the CMS, where they could accomplish pretty much anything they felt like doing.

This includes injecting hidden links into the site’s code, adding malicious payloads that are downloaded onto a user’s computer when visiting the website, or just straightforward defacing of a website and its contents.

All of these plugins were downloaded off sites that offered free downloads of premium plugins. The owners of said sites are very likely not providing these free downloads out of the goodness of their hearts. Many of them exist to distribute plugins with malicious code added, which unsuspecting website owners then install on sites that might otherwise have been secure. Indeed, this particular vector is incredibly popular, and don’t fool yourself for a minute into believing that it’s a WordPress-only issue. According to a later post by Sucuri, the same problem extends to any other CMS you care to mention.

So when you find a plugin that does exactly what you need on CodeCanyon (or any other reputable site) and you do a few searches in Google to find free versions, consider the following:

  • Even if you save a few dollars on that plugin, will you be happy to shoulder the costs associated with cleaning up malware on your site?
  • Are you willing to risk your site or brand’s reputation on the off-chance that your site ends up downloading malicious code onto a device owned by a customer or client?
  • What will it cost you in revenue, should your site be defaced or taken offline for a couple of days?

If any of the questions above make you hesitate even for a moment, rather head back over and pay the asking price. Apart from dismissing most of the risks involved in using pirated plugins, consider what you gain.

Most of the authors on CodeCanyon are more than willing to support their product, should you have any problems with installing or using the plugin (as a matter of fact we earn many of our 5-star ratings because of our outstanding support). As a buyer you also have access to all future updates and improvements made to the plugin.

So keep away from free premium plugins. It’s not ethical, and it’s dangerous to both you and your users. If you really are averse to spending money on a plugin, search the WordPress repository for a free alternative which has already passed their quality checks.

Stay safe out there.