Beware of “Nulled” WordPress Plugins: A Hidden Threat to Your Website
Researchers at Wordfence Threat Intelligence have uncovered a large-scale campaign involving the use of so-called “nulled plugins”—pirated copies of premium WordPress extensions that have been tampered with by third parties.
These counterfeit packages have proven to be a convenient weapon for cybercriminals: malicious code is embedded directly into the plugin’s structure, allowing attackers to bypass security mechanisms and maintain persistent access to compromised websites. In essence, site owners unwittingly open the door to attackers by installing infected versions in an attempt to save money on licenses.
The first samples of this malware were submitted to Wordfence on August 26, 2025. By September 2, the company had already released six detection signatures. Analysis revealed that one infected website contained doctored versions of two widely used premium plugins, which served as the initial entry point for the intrusion.
The attackers disguised their malicious plugins as genuine, altering metadata and directory structures. The payload was concealed with atypical obfuscation techniques: strings written in reverse, multiple encoding systems, redundant function calls, and HTML entities—all designed to hinder analysis.
The primary objective of the malware was to circumvent defenses and seize control. In its initial form, it hooked into WordPress initialization, waiting for a special URL parameter. Once triggered, it renamed the Wordfence directory, effectively disabling protection. A more advanced version introduced the ability to modify two arbitrary directories at once, with parameters passed through web requests. This adaptability enabled tailored attacks, making generic detection far more difficult.
The next phase involved creating or modifying administrator accounts. The first variant persistently added a user named “wp_admin_1” or elevated the privileges of an existing account. The second variant introduced dynamic parameters, allowing attackers to define usernames, passwords, and email addresses. However, this version proved less stable and sometimes failed when conflicts arose with pre-existing data. Regardless, the end goal remained the same: persistence and guaranteed control, even after file cleanup.
To mask their presence, attackers injected CSS rules and JavaScript to hide the malicious plugins from the installed plugins list and remove specific Wordfence interface elements. This deception left administrators believing their defenses were intact, while in reality, control had already been ceded. Indicators of compromise included the query string 02jri7rt63uind9j837gew82djh, the rogue administrator “wp_admin_1,” and several malicious file hashes.
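The indicators named above can be turned into a simple host-side check. The following script is an added example (not code from the article or from Wordfence): it looks for the trigger query string in web-server access-log lines, for the rogue administrator login and for any other account that unexpectedly holds the administrator role, and for a missing or renamed `wordfence` plugin directory. The log format (common log format), the user-export shape (a list of dicts with `user_login` and `roles`, as one might build from `wp user list`), the allow-list of expected administrators, the renamed directory name `wordfence.bak` and all sample data are constructed assumptions for the demonstration.

```python
"""Host-side check for the indicators described in the nulled-plugin write-up.

Three independent checks, each run here on constructed sample input so the
script works offline:
  1. access-log lines whose URL query string carries the trigger value
  2. a user export containing the rogue administrator, or any administrator
     that is not on the site owner's allow-list (the report notes the malware
     also elevated existing accounts)
  3. the wp-content/plugins listing no longer containing the wordfence directory
"""
import json
import re
from urllib.parse import urlsplit

TRIGGER_STRING = "02jri7rt63uind9j837gew82djh"  # query-string IoC from the report
ROGUE_ADMIN = "wp_admin_1"                      # rogue account IoC from the report
WORDFENCE_DIR = "wordfence"                     # plugin directory the malware renamed

# Common log format: client, ident, user, [time], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_trigger_requests(log_lines):
    """Return (client_ip, timestamp, path) for each request whose query string
    contains the trigger value; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRIGGER_STRING in urlsplit(m.group("path")).query:
            hits.append((m.group("ip"), m.group("time"), m.group("path")))
    return hits


def find_rogue_admins(users, expected_admins):
    """Flag the known rogue login and any administrator not on the allow-list.
    `users` is a list of {"user_login": str, "roles": [str, ...]} dicts."""
    flagged = []
    for u in users:
        if u["user_login"] == ROGUE_ADMIN:
            flagged.append((u["user_login"], "known rogue login"))
        elif "administrator" in u["roles"] and u["user_login"] not in expected_admins:
            flagged.append((u["user_login"], "unexpected administrator role"))
    return flagged


def check_wordfence_dir(plugin_dirs):
    """Report whether the wordfence directory is absent from the plugins listing
    and list directory names that look like a renamed copy of it."""
    names = list(plugin_dirs)
    return {
        "missing": WORDFENCE_DIR not in names,
        "renamed_candidates": sorted(
            d for d in names
            if d != WORDFENCE_DIR and d.lower().startswith(WORDFENCE_DIR)
        ),
    }


def run_checks(log_lines, users, expected_admins, plugin_dirs):
    """Run all three checks and return one report dict."""
    return {
        "trigger_requests": find_trigger_requests(log_lines),
        "rogue_admins": find_rogue_admins(users, expected_admins),
        "wordfence": check_wordfence_dir(plugin_dirs),
    }


# Constructed sample data (not real traffic or accounts); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2025:10:14:02 +0000] "GET /?02jri7rt63uind9j837gew82djh=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Aug/2025:10:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
    '198.51.100.2 - - [27/Aug/2025:10:20:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4096',
]
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"]},
    {"user_login": "editor_jane", "roles": ["administrator"]},  # elevated, not expected
    {"user_login": "wp_admin_1", "roles": ["administrator"]},   # the rogue account
    {"user_login": "author_bob", "roles": ["author"]},
]
SAMPLE_PLUGIN_DIRS = ["akismet", "wordfence.bak", "some-premium-plugin"]  # constructed renamed dir
EXPECTED_ADMINS = {"owner"}

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_LOG, SAMPLE_USERS, EXPECTED_ADMINS, SAMPLE_PLUGIN_DIRS), indent=2))
```

On a real host the inputs would come from the web server's access log, from a user export, and from a listing of `wp-content/plugins`; a hit on any of the three checks is a reason to treat the site as compromised and restore from a known-good backup rather than just deleting files, since the report notes the rogue account is meant to survive file cleanup.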
Experts stress that the root cause of such compromises lies in the use of pirated plugins and themes. These “nulled” versions are deliberately built with backdoors that activate immediately upon installation. Even when cloaked to resemble legitimate security tools, they grant attackers an avenue for further exploitation—from data theft to skimming payment information in e-commerce sites.
The recommendation is unequivocal: never install nulled versions of WordPress plugins or themes. The illusion of savings inevitably translates into exponentially greater losses, as compromised extensions make administrators unwitting accomplices in attacks against their own sites.