Stop stealing WordPress add-ons

WordPress is the most popular CMS in current use. I believe most people don't need the vast majority of the functionality WordPress provides and would be happier with a static site generator, both for its ease of use and for the much-reduced hosting requirements and costs that come from not needing PHP and a database. Still, it's likely to remain the #1 option, because it has generated a large ecosystem of people who can administer it, along with a large selection of themes and plugins.

Unfortunately, one of the major issues I repeatedly saw while working at a public cloud provider was those administrators using those add-ons but deciding that paying for someone else's work is silly, and that they should simply pirate whatever they'd like to add to their WordPress site. I mean, it's on the Internet and you can download it for free, so you might as well save a few bucks on your new school project or business or whatever.

Except, of course, you're downloading PHP code you don't understand from someone you really shouldn't trust: after all, what's the motive for someone providing stolen content if you're not directly paying them?

The answer, in more than a few cases, was that the site the nulled theme was downloaded from was doing something less-than-legitimate, and that your theme (or whatever) came with some value-added bonus malware.

And even if the download wasn't tampered with by the place you got it from, stolen software doesn't usually get updates, and WordPress themes are hardly an exception. So even if the person you're getting stolen software from is legitimately doing it because they love helping people save money, you still shouldn't trust that the version you get is up to date, secure, and not a popped WordPress site waiting to happen.

This routinely ended up with compromised hosts doing all sorts of fun things, from the pretty typical and generic WordPress XML-RPC brute forcing, to phishing, to defaced pages, to hosting various malware droppers and C2s, all of which led to working with befuddled customers who couldn't possibly figure out how in the world this could have happened, because everything they had was up to date (if, you know, stolen).

This situation was often made worse because the initial admin who set up the site was contracted to create and deploy it but had no skin in the game afterward. There isn't actually any negative impact for them in using nulled themes: they can either under-bid someone using legitimate versions or simply pocket the extra cash, and by the time it turns into an issue they've been paid and have basically gone back into the various contractor sites, never to be seen again or required to clean up the mess their shortcut caused.

You'd get angry site owners being told they're responsible for fixing the problem, and it's a very delicate conversation to have with someone: how to fix it, that the reason they're popped and having to deal with me is that someone put stolen software on their site, and that there's essentially very little we could do, as we didn't have access to any customer systems or data.

Fixing these issues was often too complex for some of our users, and you'd end up having to walk them through first identifying and removing any suspect nulled themes, then trying to figure out the date of compromise (usually by simply looking at any abuse reports and estimating when they started coming in), and then using something like find with -mtime to look up files changed in the last X days (15, in the following example):

find /wordpress/install/directory -type f -mtime -15

Of course, this wasn't always successful and often involved a bit of trial and error, especially on live sites where SOME of the modified files are malicious and SOME of the new files are supposed to be there, so you get to sort through the modified files and hope you manage to catch all the malicious content.
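As an added example (not code from the original post), here is a small POSIX shell script that wraps the find -mtime step above and then narrows the result by comparing each recently modified file against a checksum manifest taken from a clean copy of the same WordPress core and theme versions. The manifest, the use of sha256sum, and the constructed demo tree are assumptions of the example. Recently touched files that still match the manifest are exactly the "supposed to be there" case and drop out of the list, which is what takes most of the trial and error out of the cleanup.

```shell
#!/bin/sh
# Added example, not from the original post: triage of recently modified
# files in a WordPress install. Assumes a POSIX shell with find, sha256sum,
# sort and awk. The "manifest" is a hypothetical known-good checksum list
# taken from a clean copy of the same WordPress/theme versions (or from the
# site itself before the compromise, if such a thing exists).

# recent_files DIR DAYS: files under DIR modified within the last DAYS days.
# This is the post's find -mtime step, unchanged.
recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# make_manifest DIR: sha256 of every file under DIR, with paths relative to
# DIR, so a manifest from a clean install elsewhere compares with the live one.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k2
}

# triage DIR DAYS MANIFEST: among files modified in the last DAYS days, print
# those absent from the manifest (NEW) or whose hash differs from it
# (CHANGED). Recently touched files that still match the manifest are the
# "supposed to be there" case and are not printed.
triage() {
    dir=$1; days=$2; manifest=$3
    ( cd "$dir" && find . -type f -mtime "-$days" -exec sha256sum {} + ) |
    sort -k2 | while read -r hash path; do
        expected=$(awk -v p="$path" '$2 == p { print $1 }' "$manifest")
        if [ -z "$expected" ]; then
            printf 'NEW      %s\n' "$path"
        elif [ "$expected" != "$hash" ]; then
            printf 'CHANGED  %s\n' "$path"
        fi
    done
}

# demo: build a small constructed install in a temp dir, record a manifest of
# the clean state, then simulate the situation from the post: an old core file
# left alone, a known theme file edited, and an unknown PHP file dropped into
# uploads. Prints the triage result.
demo() {
    tmp=$(mktemp -d)
    site=$tmp/site
    mkdir -p "$site/wp-content/themes/legit" "$site/wp-content/uploads"
    printf '<?php // core (constructed)\n' > "$site/wp-settings.php"
    printf '<?php // theme (constructed)\n' > "$site/wp-content/themes/legit/functions.php"
    printf '/* constructed */\n' > "$site/wp-content/themes/legit/style.css"
    make_manifest "$site" > "$tmp/manifest.txt"

    touch -t 202001010000 "$site/wp-settings.php"        # old and untouched
    printf '<?php // theme, edited\n' > "$site/wp-content/themes/legit/functions.php"
    printf '<?php // unknown file\n' > "$site/wp-content/uploads/x.php"

    triage "$site" 15 "$tmp/manifest.txt"
    rm -rf "$tmp"
}

# Run the constructed demo with: sh triage.sh demo
[ "${1:-}" = demo ] && demo
```

On a real site the call is `triage /wordpress/install/directory 15 manifest.txt`, with the manifest generated by `make_manifest` over a fresh download of the same core and theme versions when no clean copy of the site exists. One caveat: mtime is only a hint, since a modification time can be set to anything, so once a manifest is available it is worth running the comparison over every file (a very large DAYS value) rather than relying on the recent-files window alone.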

The success rate was maybe 50%, and the process was often repeated a few times because the cleanups weren't always comprehensive enough to fix every hole. And of course, it's not like anyone ever had backups of their very important business sites that they could simply restore from, removing the nulled stuff BEFORE it gets compromised.

And for anyone who happens to come across this because they're compromised, there are a few more steps:

  • Check your databases for any added tables or data
  • Check your logins and all users for any that are being accessed from places they shouldn't be, or any you don't recognize
  • Rotate the passwords of ALL users
  • Make sure your filesystem permissions weren't chmod 777'd by whoever did the install when something didn't immediately work correctly
  • Don't install stolen software
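The checklist above lends itself to a few small helpers. The following is an added example, not code from the original post, assuming a POSIX shell: the table list and user list are read from stdin as plain text (on a real site from `mysql -N -e 'SHOW TABLES' dbname` and `wp user list --fields=user_login,user_registered,roles --format=csv`), so the demo runs offline on constructed input. The core table list is the standard WordPress schema with the default wp_ prefix; the "since" date stands for the compromise date estimated from the abuse reports; the CSV reader handles only unquoted fields.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the post-compromise
# checklist. Assumes POSIX sh. Table and user lists come in on stdin as text
# (for a real site: `mysql -N -e 'SHOW TABLES' dbname` and
# `wp user list --fields=user_login,user_registered,roles --format=csv`).

# WordPress core tables with the default wp_ prefix. Anything else is either
# a plugin table you recognise or something to look at more closely.
CORE_TABLES="wp_commentmeta wp_comments wp_links wp_options wp_postmeta \
wp_posts wp_term_relationships wp_term_taxonomy wp_termmeta wp_terms \
wp_usermeta wp_users"

# unexpected_tables PREFIX < table-list: print tables that are not core.
unexpected_tables() {
    prefix=$1
    while IFS= read -r t; do
        core=$(printf '%s\n' "$t" | sed "s/^$prefix/wp_/")
        case " $CORE_TABLES " in
            *" $core "*) ;;           # core table
            *) printf '%s\n' "$t" ;;  # plugin table, or one that was planted
        esac
    done
}

# recent_admins SINCE < user-csv: administrators registered on or after SINCE
# (YYYY-MM-DD). Admin accounts created around the compromise date that the
# owner does not recognise are the ones to remove. Simple CSV only: no quoted
# fields, columns user_login,user_registered,roles.
recent_admins() {
    since=$(printf '%s' "$1" | tr -d -)          # 2024-05-01 -> 20240501
    while IFS=, read -r login registered roles; do
        [ "$login" = user_login ] && continue    # header row
        case "$roles" in *administrator*) ;; *) continue ;; esac
        day=$(printf '%s' "${registered%% *}" | tr -d -)
        [ "$day" -lt "$since" ] && continue
        printf '%s %s\n' "$login" "$registered"
    done
}

# world_writable DIR: files and directories with the other-write bit set,
# the usual leftover of a chmod 777 "fix" during install.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Constructed sample input for the demo: the core tables plus a WooCommerce
# table and one table nobody recognises, and a user list with one admin
# created after the estimated compromise date.
SAMPLE_TABLES="wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_termmeta
wp_terms
wp_usermeta
wp_users
wp_wc_orders
wp_tmp_x"

SAMPLE_USERS="user_login,user_registered,roles
owner,2021-03-02 09:00:00,administrator
editor1,2022-06-10 12:00:00,editor
admin2,2024-05-03 01:12:44,administrator"

demo() {
    echo "== tables that are not WordPress core =="
    printf '%s\n' "$SAMPLE_TABLES" | unexpected_tables wp_
    echo "== administrators registered since 2024-05-01 =="
    printf '%s\n' "$SAMPLE_USERS" | recent_admins 2024-05-01
    echo "== world-writable paths (constructed tree) =="
    tmp=$(mktemp -d)
    mkdir "$tmp/uploads"; chmod 777 "$tmp/uploads"
    : > "$tmp/wp-config.php"; chmod 644 "$tmp/wp-config.php"
    world_writable "$tmp"
    rm -rf "$tmp"
}

# Run the constructed demo with: sh checklist.sh demo
[ "${1:-}" = demo ] && demo
```

The table check only tells you which tables are not core; whether wp_wc_orders is legitimate depends on whether you actually run WooCommerce, so the output is a list to review, not a verdict. The same goes for the admin list: the point is to put the accounts created around the compromise date in front of the site owner, who is the only person who can say which ones they created.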

I'd also recommend that, if you're planning just a simple blog or another site that doesn't need extensive interactive content to be dynamically generated (which, honestly, unless you're doing some sort of online sales, you almost certainly don't), you simply use a static site generator: there are quite a lot of them, including some nifty GUI apps that require very little setup or technical knowledge (this site is generated by Publii, which is one of those lovely easy-to-use GUI options).

And once you've found a static site generator that fits your needs, your hosting costs can be extremely low, if not free: numerous options exist for free static site hosting, depending on your needs. Netlify, DigitalOcean Static Sites and Cloudflare Pages are just three examples with zero-to-low costs, especially compared to the requirements for a full LAMP stack for WordPress.

So, please, stop stealing WordPress add-ons, and stop using WordPress entirely if a static site generator meets your needs: a static site is much easier to maintain, much easier to modify, and essentially guaranteed secure, because you're hosting content that can't be modified on a server that someone else is paid to manage, and all you need to do is come up with the lovely content (or shitposts, if that's your thing) you want to share with the world.