What Is A GPL Club?
WordPress themes and plugins can cost you thousands of dollars per year.
For many online businesses this can be a considerable expense and bottleneck to growth.
One of the ways in which business owners attempt to save money on these products is by signing up to a so called “GPL club”.
These clubs resell WordPress plugins and themes for a tiny fraction of the price.
Heck, we’re a member of one ourselves—GPLVault.
It sounds like a no brainer, right?
Well as you might expect, there are some caveats…
What is GPL?
GPL is a type of software license that allows anybody to download the software, modify it, fork it, and distribute it.
- Anyone can download and run the software
- Anyone can modify it
- Anyone can redistribute free copies of the software
- Anyone can distribute modified versions of the software.
Many WordPress developers sell their plugins and themes for a yearly fee yet release them under a “General Public License”, or GPL (also sometimes called GNU GPL).
If this WordPress software is free under GPL, what the deuce are these developers charging you for…?
The answer is: support.
You don’t buy a GPL plugin per se.
You buy the right to submit support requests to the author and get help, plus access to future updates and releases.
Even the WordPress CRM itself is released under the GPL license.
This means that WordPress is open-source software that can be used, modified, and extended by anyone.
Are GPL Plugins Legal and Ethical?
Modifying and redistributing a WordPress plugin or theme released under GPL is perfectly legal.
However, some consider it to be unethical.
As the GPL license allows you to modify and redistribute other developers’ work under your own name, it can also invite certain types of abuse.
GPL Clubs in particular are often fingered as the most flagrant abusers of GPL’s open source spirit.
The ostensible reason why these stores exist is that people can’t always afford (or simply don’t want to pay for) dozens of expensive WordPress themes and plugins.
This is fair enough if you don’t know whether or not a particular product will meet your needs.
So you can consider the GPL vault type sites to be “try before you buy” stores.
Using a GPL club subscription you can quickly test many competing plugins to decide which one best suits your project.
As GPL Clubs concern themselves with aggregating software and “nulling” it (removing their licensing restrictions), they can sell these products at a greatly reduced cost than if you were to purchase them from the original developer.
Again, while it is totally legal to obtain a copy of plugins and themes from these stores, some state that is not ethical to do so as you deprive the original developers of their ability to earn a living from their hard work.
Vic’s note:
As a plugin vendor myself, I don’t believe this to be a huge concern.
The people who want to pay you will pay you and the people who don’t won’t.
My philosophy is to concern yourself with your paying customers, create the best possible product for them, and provide such excellent support that it encourages people to buy directly from you.
Otherwise, don’t release your work under GPL and keep a lawyer on retainer. 🙂
Are GPL or Nulled Plugins Safe and Secure?
Aside from the ethical concerns, there are security concerns with GPL plugins and themes.
GPL Clubs typically hire a developer to “null” or essentially hack software in order to remove restrictions based on licensing put in by the original developers.
They also attempt to make the products updatable from a remote source so that you can get the new versions updated directly in WordPress via API.
Perhaps the biggest concern is that these clubs can insert additional malicious code into their software, including so called “back doors” which can give hackers access to your site.
In our work using GPLVault we’ve seen no security issues or hacks.
That doesn’t mean that they haven’t happened, it just means that we haven’t seen them.
You would need to conduct a thorough security and code audit of GPLVault’s updater plugin and perhaps some of the more popular plugin and theme files in order to determine which vulnerabilities exist, if any.
Interestingly, the single biggest source of hacks (over 95%) that we’ve fixed for our customers comes from a membership plugin called Digital Access Pass, which is not GPL and therefore not subject to the audit and security patches that an open source piece of code would be.
As another example, LastPass—our previous password management solution for many years—is not open source.
LastPass has been hacked multiple times.
We switched over to an open source solution called BitWarden, whose code is in the public domain, and yet has never been hacked.
Are you noticing a pattern here…?
Obfuscated code is a provocation to crafty unethical hackers and an impediment to equally crafty ethical hackers.
Is GPLVault.com The Best GPL Site?
After trying many GPL sites I’ve found GPLVault to be by far the best.
They are really professional and take feature requests seriously (albeit a bit slowly).
In fact, GPLVault is the only GPL Club we use which is why we chose to review it!
They use the same principle as most GPL Club platforms, buying the latest plugins or using their own licenses, and then re-selling to the end-user, as GPL license allows them to do so.
While we believe in purchasing software from the developer we also take advantage of GPL software for various use cases—mostly for testing.
GPL Vault pricing
The monthly plan is 14.97 USD per month and the yearly plan is 87 USD per year, and they included a 50% discount.
Both plans include their database of plugins and themes you can download.
Does GPL Vault Provide Support?
Like most GPL Clubs, GPLVault.com doesn’t offer support for the plugins or themes that are listed on their website, as they are re-distributing the content.
So, if a user wants to deal with the potential troubleshooting, he should reach developers of that product, which often is not free, as they are supporting customers who bought from them directly.
GPLVault.com Features
There is a restriction of a maximum of 20 user downloads per day as a fair use policy.
The way plugins are updated through their API.
A user will basically enter API keys in the Updater plugin and every time there is an update, the user will get a notification in WordPress back-end, and they will get an opportunity to perform a one-click update.
There is a restriction of 30 installs of the updater plugin which keeps all of the plugins up to date via API.
Do I need several GPLVault licenses?
We sent the question if we are limited to 30 Updater plugins, and what in the case we need i.e 50 Updater plugins.
Here is the confirmation from their support:
Yes, that is correct.
As it currently stands you would need to buy 2 separate subscriptions.
Although we would be happy to negotiate a price if this is how you wanted to proceed.
Also please note that the license can be deactivated on one site and then activated on another site.
So if perhaps you have sites that don’t require updating too often it is possible to move the license around.
We had a guy who had I think 33 sites and it made more sense for him to do this than buy an extra license but of course it’s a little more work.
What Should I Know About GPLVault.com?
1 – The Updater plugin is not yet multisite compatible.
2 – Based on the research they will provide a new version of a plugin or theme as soon as possible, once developers release them, but there can be a concern if there is a security update that fixes some major flaws and GPLVault.com doesn’t react fast and release that new update through the platform, as it would be the case with the original product.
So, this gap time could potentially allow bots or exploit scanners to target vulnerable websites until they are patched
3 – Plugins and themes that are downloaded from GPLVault.com are communicating with an API, related to the updates and such.
If GPLVault.com is hacked or there is a security breach on their API level, they could potentially put all the sites in danger.
4 – Based on our research, we couldn’t find any cases where GPLVault.com used plugins or themes to insert malicious code as they tend to be a responsible and professional company.
However, we should be aware that they are not original developers of our downloaded software and definitely we need to track their changelogs, reviews from other users, and sense mainly potential security issues that could affect our clients.
Is it Ethical to use GPL / nulled plugins and themes?
Leave a comment and share WHY or WHY NOT below…
I have been at neaot(dot)com, the best. There are no Trojans in their plugins.
Note to readers: We have absolutely no way to verify that what this person says is true without doing a series of tests. If you check their site, they provide no proof or even evidence that their plugins are “trojan free”, just claims. The same is the case for GPLVault but at least we’ve personally been using GPLVault for over a year on dozens of sites with zero security issues in that time that can be traced back to GPLVault. Ironically, the only hacks we’ve seen recently have come from vulnerabilities of legit plugins sold directly from the developers! e.g.… Read more »
I actually don’t like that GPL Vault only has a subscription model. There are in my opinion better sites like GPL Love or nobuna.com which lets you choose between subscription and sigle purchase with lifetime updates. But I guess it depends on the use case.
An issue I see with those sites is they claim to offer “original not nulled/cracked” themes and plugins but what’s the point in having that when you can’t use the item without a valid license or if it hasn’t been nulled? Have you ever used gplcellar? You can’t buy single items like you can in the sites you mentioned, but it’s a WordPress plugin that install on your WP site to manage. I do agree with Vic that nulled plugins can be safe if you know who is providing them. I have used gplvault in the past on some project… Read more »