Prevent Nulled themes/plugins from "calling home"

[purity]

Hi community,

if I would use nulled themes/plugins in production, how can I detect that they are "phoning home" and how can I avoid it?

Are there certain possibilities or how to protect yourself against it?

Or can that never be prevented?

 

[nesym]

You can check the source code and look for outgoing requests and URLs.

 

[purity]

You can check the source code and look for outgoing requests and URLs.

how exactly can I do that? What do I have to look for?

 

[Masood]

Phoning home ?
Sry cant underestand this part

 

[nesym]

how exactly can I do that? What do I have to look for?

If you are using Linux you can grep through all the files and search for strings like "www" "http" "https" additional queries and so on.

 

[nesym]

Phoning home?
Sry can't understand this part

He is afraid the theme/plugin will send info that it's being used on a website that doesn't have the license for it.

 

[purity]

If you are using Linux you can grep through all the files and search for strings like "www" "http" "https" additional queries and so on.

Okay, many thanks. I'm actually using linux and can try this on various themes/plugins.
Is there actually still the base64 encoding/encryption for themes and plugins?

 

[nesym]

Okay, many thanks. I'm actually using linux and can try this on various themes/plugins.
Is there actually still the base64 encoding/encryption for themes and plugins?

If you see a base64 encoding stay away from these themes/plugins. They are probably with preinstalled malware. Also, don't be too afraid because most themes come with a GPL license because the authors use many many free libraries to build those themes upon. Chill. Don't be to paranoic about it but be paranoid if you see base64 encoding.

 

[sanishan]

Some developers hide calls back URL In base64 or even use hex to hide the URL.
Some are clever enough to hide the actual URL in SVG, JPG, TXT or any other file .. which is very hard to find.

Some use different variable in whole plugin file like $h='http'; somewhere $_B='://"; somewhere else $b='complete.com/url';

And when they want to use they could use base64 with eval to join those variables and call back, this kind of link is very very hard to find.

Thanks,

 

[RealHacker]

Yes i do this myself.

OPTION-1: Via Snitch Plugin-
https://wordpress.org/plugins/snitch/

Plugin will display details (origin code location, http request details, etc) about all outgoing http network calls made by wordpress, plugins, theme, etc and allows you to block those network calls by various ways (url, plugin, etc).

EDIT: You can instead of blocking network call via plugin, comment off the code which make that http network call. You get the location of code in the source code which originates the network call via above plugin.

OPTION-2: Via mentioning whitelisted domains/urls for whole wordress site in wp-config-
With this method you block all outgoing calls except whitelisted domains/urls. Example snippet to be added to wp-config of your wordpress site is as below (make adjustments according to your needs)-

define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS','wordpress.org,.wordpress.org,elementor.com,.elementor.com');

If it helped, give a like.