tonyhawk Wrote: Of course some nulled scripts contain backdoors - not so sure about malware - although it is possible.
There are some tools that analyze malware. For WordPress it can be hit or miss. Because it's so widely used, it's honestly one of the most highly targeted pieces of software out there. I recently cleaned a client site that was infected with a botnet payload throughout many of the website core files.
Sucuri offers pretty good products and a WordPress firewall. They have a monthly plan that you can check out. Also, Wordfence has been a great plugin for scanning files, I've found. It helped me find a lot of tricky stuff, like where they scrolled far over or far down to hide encrypted strings in the PHP code. But yeah - it's a constant battle. If you want peace of mind, I'd suggest paying. I used to use vBulletin from vbteam for years and never had issues. I guess it depends on the team that is providing the null. Always check to see who is posting and look at their reputation.
Also, another tool I highly recommend if you're running a VPS or dedicated server is bitninja.io. Their WAF is great, as well as their server firewall and security.
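Added example, not part of the post above and not code from any product it names: a small Python scanner for the hiding trick the post describes, where code is pushed far to the right or far down in a PHP file, or carried in a long encoded string. The thresholds, function names and the sample input are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Thresholds are assumptions for illustration; tune them for your code base.
PAD_COLUMNS = 200   # run of spaces/tabs sitting in front of code on one line
BLANK_RUN = 50      # consecutive blank lines followed by more code
BLOB_LENGTH = 200   # unbroken base64/hex-looking run of characters

PAD_RE = re.compile(r"[ \t]{%d,}\S" % PAD_COLUMNS)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % BLOB_LENGTH)


def scan_php_source(text):
    """Return (line_number, reason) findings for the text of one PHP file."""
    findings = []
    blank_run = 0
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= BLANK_RUN:
            findings.append((number, "code after %d blank lines" % blank_run))
        blank_run = 0
        if PAD_RE.search(line):
            findings.append((number, "code pushed right by whitespace padding"))
        if BLOB_RE.search(line):
            findings.append((number, "long encoded-looking string"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed, harmless sample: padding on line 3, then 60 blank lines, then a blob.
SAMPLE = ("<?php\n// theme header\n$title = get_title();" + " " * 300 + "$x = 1;\n"
          + "\n" * 60 + "$blob = '" + "QUJD" * 60 + "';\n")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in scan_tree(target).items():
        for number, reason in hits:
            print("%s:%d: %s" % (name, number, reason))
```

A hit is a reason to open the file and compare it with a clean copy of the same release, not proof of infection; minified or bundled files will also trip the thresholds.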