WordPress plugin risk

Are You Putting Your WordPress Site at Risk?

WordPress plugins play a big part in adding features to your website. Without plugins your site would be like having a TV that only gets the basic free channels. If you wanted to, for example, be able to watch movies on HBO or Showtime, or have the ability to stream videos, you would need to add those features to your cable service.

The same concept applies to adding plugins to your website. You’ll want to add a few plugins to your WordPress site, such as one for added security, one for full site backups, and possibly a contact form. In fact, some WordPress themes require additional plugins to be installed before some of the theme’s functionality can be used. The vast majority of free plugins have a limited feature set. The more robust (premium) plugins come with either a one-time charge or an annual fee that covers future upgrades to the plugin.

Currently there are 43,810 plugins available for download in the official WordPress plugin directory with 1,224,260,298 downloads. That is a massive selection of plug and play software and doesn’t include plugins NOT listed in the official directory.

BUT… just because you CAN install a plugin doesn’t mean that you SHOULD install it. You need to be very careful with your selection of plugins. For all the benefits plugins offer, they are also the biggest risk to your site when it comes to getting hacked. Plugin vulnerabilities account for roughly 60% of the known entry points used by attackers, so every plugin you add enlarges your attack surface and the more plugins you have the greater the risk.

WordPress Plugin Tips & Best Practices

Keep your plugins updated.

I’ve yet to have a day go by when I haven’t had to do plugin upgrades, especially following a WordPress core update. Whenever an updated version of WordPress is released, it’s a sure bet that plugin developers will be updating their plugins to be compatible with the latest version. Reputable plugin authors fix vulnerabilities very quickly when they are discovered. By keeping your plugins up to date you benefit from the fixes before attackers can exploit them. Keep in mind that once a fix is published, the change itself tells attackers what was broken, so the window between a fix being released and you applying it is exactly when your site is most exposed.

One of the most common things I see happen is that once a new site is launched it often goes ignored for months on end. As mentioned, I’ve yet to have an upgrade-free day go by. But then again, doing website maintenance is part of my daily routine and I manage many sites with many plugins. Some sites have far too many plugins. You need not check your site on a daily basis but DO check for updates at least once a week. If you have Wordfence installed on your site (and you should), pay attention to your email alerts.

Ignore abandoned plugins.

BEFORE you download and install any plugin, make sure that it is up to date, compatible with the latest version of WordPress, being maintained on a regular basis, and that there aren’t legions of people posting complaints on its support forum. The plugin’s page in the official directory shows the “Tested up to” WordPress version and the date of the last update, and it displays a warning when a plugin hasn’t been tested with recent major releases of WordPress. I make it a habit to look over the plugin developer’s support forum to see what the complaints are and how well the developer is responding to them. Since you did not develop the plugin yourself, you’re relying on the developer to ensure their code is free of vulnerabilities.

For any plugin you already have installed that hasn’t had an update pushed out in over 3 months, check up on it to make sure the author hasn’t abandoned it.
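The two checks above (an update is available; no release in 3 months or not tested against current core) are easy to automate. The following is an added example, not code from the original post or from WordPress. The field names version, tested and last_updated are assumed to mirror the shape of the api.wordpress.org/plugins/info/1.0/<slug>.json response; the plugin records, the fixed “now” and the current core version are constructed sample data so the script runs offline, and installed is a hypothetical field you would fill in from the site being audited (for example from the output of wp plugin list).

```python
"""Flag out-of-date, stale, or untested WordPress plugins from directory metadata.

Added example, not code from the original post or from WordPress. The field
names (version, tested, last_updated) are assumed to mirror the shape of the
api.wordpress.org/plugins/info/1.0/<slug>.json response; the records below are
constructed sample data so the script runs offline. "installed" is a
hypothetical field you would fill in from the site being audited.
"""
from datetime import datetime, timezone

# Constructed sample data: three fictitious plugins, not real directory entries.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "installed": "3.2.1", "version": "3.2.1",
     "tested": "6.5", "last_updated": "2024-05-20 9:15am GMT"},
    {"slug": "old-gallery", "installed": "1.0.4", "version": "1.0.4",
     "tested": "5.9", "last_updated": "2022-02-01 12:00am GMT"},
    {"slug": "seo-helper", "installed": "4.0.2", "version": "4.1.0",
     "tested": "6.5", "last_updated": "2024-06-02 4:30pm GMT"},
]

# Fixed "now" so results are reproducible; use datetime.now(timezone.utc) for real audits.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
CURRENT_WP = "6.5.4"  # assumed current core version for the check


def version_tuple(version):
    """'6.5.4' -> (6, 5, 4); tolerates trailing labels such as '2.0-beta'."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_last_updated(value):
    """Parse the directory-style 'YYYY-MM-DD H:MMam GMT' timestamp as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def days_since_update(plugin, now=NOW):
    """Whole days since the plugin's last release."""
    return (now - parse_last_updated(plugin["last_updated"])).days


def assess(plugin, current_wp=CURRENT_WP, now=NOW, max_age_days=90):
    """Return 'code: detail' findings; an empty list means the plugin looks healthy."""
    findings = []
    if version_tuple(plugin["installed"]) < version_tuple(plugin["version"]):
        findings.append(f"update-available: {plugin['installed']} -> {plugin['version']}")
    age = days_since_update(plugin, now)
    if age > max_age_days:  # the post's "no update in over 3 months" rule
        findings.append(f"stale: last release {age} days ago (limit {max_age_days})")
    # 'tested' is a major.minor string, so compare against core's major.minor only.
    if version_tuple(plugin["tested"])[:2] < version_tuple(current_wp)[:2]:
        findings.append(f"untested: tested up to {plugin['tested']}, core is {current_wp}")
    return findings


def audit(plugins=SAMPLE_PLUGINS, current_wp=CURRENT_WP, now=NOW):
    """Map each plugin slug to its findings; healthy plugins map to an empty list."""
    return {p["slug"]: assess(p, current_wp, now) for p in plugins}


if __name__ == "__main__":
    for slug, findings in audit().items():
        print(f"{slug:15} {'; '.join(findings) if findings else 'ok'}")
```

Run it as-is to see the three constructed plugins classified; for a real site, replace SAMPLE_PLUGINS with the installed list and the live directory response for each slug, and replace NOW with the current time. The 90-day limit is a parameter so you can tighten or loosen the post’s 3-month rule per site.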

Getting plugins from sources other than the official WordPress repository.

This can be a bit tricky since one of the easiest ways for attackers to compromise your website is to get you to load the malware yourself. How is that possible? By using the ol’ Smoke and Mirrors technique. The website you’re downloading the plugin from looks legitimate — at first glance. But before you download that plugin, take a closer look at the website.

  • Does the site look professionally designed and use clear language to describe the plugin? Poor grammar and fragmented sentences are your first clue to leave the site. (By the way, this rule also applies to “important looking” emails you receive, especially during tax season when there are a LOT of IRS email scams going around.)
  • Does the site provide contact information?
  • Do they respond to emails and/or phone calls?
  • Do they have a tech support forum that you can freely read?
  • Google the domain name in quotes, e.g. “example.com”, and look for any reports of malicious activity. Then add the word ‘theme’ or ‘plugin’ next to the domain name and search again.
  • Google search for the name of the plugin and see if any malicious activity is being reported.
  • Google the name of the plugin or the vendor name. This will help you find out if any vulnerabilities have been reported. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible developer and actively maintaining their plugin(s).

Keeping everything up-to-date is essential. At the moment, there are no serious known vulnerabilities in the current version of WordPress core. There are, however, a large number of known vulnerabilities in older WordPress versions, so keeping WordPress core up-to-date is very important. The WordPress team responds quickly when an issue is reported, and so should you.

Also: Remember to delete plugins you’re no longer using and don’t install more than you absolutely need.