WordPress plugins play a big part in customizing your website. Without plugins your site would be like having a TV that only gets the basic free channels. If you wanted to, for example, be able to watch movies on HBO, or have the ability to stream videos, you would need to add those features to your cable service. WordPress plugins add features and functionality to the basic WordPress website.
When it comes to free WordPress plugins, there are over 58,000 to choose from in the official WordPress plugin directory, not counting the thousands of premium WordPress plugins that aren’t listed there. It’s not unusual for a business website to have 20 – 30+ plugins. However, adding too many plugins to your site can become problematic.
In addition to slowing down your website, the more plugins you have, the more time it takes to maintain your website. When adding plugins to your site, quality matters. Not all free plugins are safe to use; some are an outright security risk. In fact, no plugin is 100% safe. The best way to reduce plugin vulnerabilities is to select quality plugins before installing them. Select your plugins from reputable sources, such as CodeCanyon and the WordPress plugin repository. Both sources vet each plugin before it’s made available to the public, and will remove a plugin when the developer violates their rules and/or the plugin becomes a security risk.
Keep in mind that just because you CAN install a plugin doesn’t mean that you SHOULD install it. You need to be very careful with your selection of plugins. For all the benefits plugins offer, they are also the biggest risk to your site when it comes to getting hacked. Plugin vulnerabilities are known entry points for attackers, so the more plugins you have, the greater the risk.
You’ll want to add at least two WordPress plugins, such as one for added security (suggested plugin: Wordfence), and one for making a full backup of your site. You may also want one for having a contact form. Some WordPress themes require additional plugins to be installed in order to be able to use some of the theme functionality.
The vast majority of free WordPress plugins will have limited features available. The more robust plugins (premium WordPress plugins) will come with either a one-time charge, or may require you to pay an annual fee in order to get future upgrades to the plugin.

3 Tips & Best Practices for Using WordPress Plugins
1. Keep your WordPress plugins updated.
I’ve yet to have a day go by when I haven’t had to do plugin upgrades, especially following a WordPress core update. Whenever an updated version of WordPress is released, it’s a sure bet that plugin developers are going to be updating their plugins to be compatible with the latest version of WordPress. Reputable plugin authors fix vulnerabilities very quickly when they are discovered. By keeping your plugins up to date you benefit from the fixes before attackers can exploit the flaws they address.
One of the most common things I see happen is that once a new site is launched it often goes ignored for months on end. As mentioned, I’ve yet to have an upgrade-free day go by. But then again, doing website maintenance is part of my daily routine and I manage many sites with many plugins. Some sites have far too many plugins. You need not check your site on a daily basis but DO check for updates at least once a week. If you have Wordfence (or any security plugin) installed on your site, pay attention to your email alerts.
2. Ignore abandoned WordPress plugins.
BEFORE you download and install any plugin, make sure that it is up to date, compatible with the latest version of WordPress, and being maintained on a regular basis. Also look at the support forum to make sure there aren’t legions of people posting complaints. I make it a habit to look over the plugin developer’s support forum to see what the complaints are and how well the developer is responding to them. Since you did not develop the plugin yourself, you’re relying on the developer to ensure their code is free of vulnerabilities.
For plugins you have already installed and haven’t seen an update pushed out lately, check up on it to make sure the plugin hasn’t been abandoned by the author. If it has been abandoned, look for an alternative plugin and deactivate then delete the abandoned plugin.
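Tips 1 and 2 boil down to a weekly triage: which installed plugins have a pending update, which are inactive and should be deleted, and which look abandoned or untested against the current WordPress branch. The script below is an added example (not from this article) that does that triage over constructed sample data; it assumes the CSV shape of WP-CLI’s `wp plugin list --fields=name,status,update,version --format=csv` and metadata with `last_updated` and `tested` fields as the WordPress.org plugin-information API returns them, and the slugs other than wordfence, all dates and all versions are invented.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: what `wp plugin list --fields=name,status,update,version
# --format=csv` prints for a small site (slugs other than wordfence are made up).
WP_PLUGIN_LIST_CSV = """name,status,update,version
wordfence,active,none,7.11.0
example-contact-form,active,available,5.8
example-gallery,inactive,none,1.2.3
example-slider,active,none,2.0.0
"""

# Constructed metadata per slug, shaped like the WordPress.org plugin-information
# API's `last_updated` and `tested` fields (dates and versions are invented).
PLUGIN_INFO = {
    "wordfence": {"last_updated": "2024-05-01 10:00am GMT", "tested": "6.5.3"},
    "example-contact-form": {"last_updated": "2024-04-20 9:00am GMT", "tested": "6.5.3"},
    "example-gallery": {"last_updated": "2021-02-14 1:15pm GMT", "tested": "5.6"},
    "example-slider": {"last_updated": "2022-01-30 4:00pm GMT", "tested": "5.8"},
}

STALE_AFTER = timedelta(days=365)  # no release in a year: treat as abandoned

def parse_day(value):
    # Accepts "2024-05-01 10:00am GMT" or a bare "2024-05-01"; only the day matters.
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d")

def major_minor(version):
    # "6.5.3" -> (6, 5): compare WordPress branches, not patch releases.
    return tuple(int(p) for p in version.split(".")[:2])

def triage(csv_text, info, current_wp, today):
    """Return {slug: [findings]} for every plugin that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        notes = []
        if row["update"] == "available":
            notes.append("update available")
        if row["status"] == "inactive":
            notes.append("inactive: delete if not needed")
        meta = info.get(row["name"])
        if meta:
            if parse_day(today) - parse_day(meta["last_updated"]) > STALE_AFTER:
                notes.append("no release in over a year")
            if major_minor(meta["tested"]) < major_minor(current_wp):
                notes.append("not tested with current WordPress")
        if notes:
            findings[row["name"]] = notes
    return findings
```

Calling `triage(WP_PLUGIN_LIST_CSV, PLUGIN_INFO, "6.5.3", "2024-06-01")` flags the pending update, the inactive plugin and the two plugins with no release in over a year, while wordfence produces no findings.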
3. Getting WordPress plugins from sources other than the official WordPress repository.
This can be a bit tricky since one of the easiest ways for attackers to compromise your website is to get you to load the malware yourself. How is that possible? By using the ol’ Smoke and Mirrors technique. The website you’re downloading the plugin from looks legitimate — at first glance. But before you download that plugin, take a closer look at the website.
- Does the website use clear language to describe the plugin? Poor grammar and fragmented sentences are your first clue to leave the site. By the way, this rule also applies to “important looking” emails you receive.
- Does the site provide contact information?
- Do they respond to emails and/or phone calls?
- Do they have a tech support forum for their WordPress plugins that you can freely read?
- Google the domain name in quotes, e.g. “example.com”. Look for any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the domain name and search again.
- Google search for the names of the WordPress plugins, or the vendor name, and see what’s being reported. This will help you find out if any vulnerabilities have been reported. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible developer and actively maintaining their plugin(s).
Keeping everything up-to-date is essential. The WordPress team responds quickly when an issue is reported and so should you. Remember to delete plugins (and themes) you’re no longer using and don’t install more than you absolutely need.