WordPress Web Design and Maintenance

WebDesignsbyTerri.com


WordPress Plugins: 3 Tips to Avoid a Security Risk

Think of WordPress plugins as the special features that make your website truly yours, just as adding extra channels makes your TV more fun and versatile. Without these plugins, your site would be like a simple TV with only basic free channels. If you want to enjoy movies on Hulu, Disney, HBO, etc., or stream videos, it’s just a matter of adding those features to your cable service. Likewise, WordPress plugins let you add more features and functionality to a basic WordPress site. Plugins are essential but must be managed.

In This Article
  • Keep Your WordPress Plugins Updated
  • Ignore Abandoned WordPress Plugins
  • Plugins From Sources Other Than the Official WordPress Repository

When it comes to free WordPress plugins, there are over 61,000 to choose from in the official WordPress plugin directory, not counting the hundreds of premium WordPress plugins not listed there. It’s not unusual for a business website to have a large number of plugins installed, but adding too many plugins or not carefully selecting them can significantly increase your site’s security risk. This is yet another reason to keep your website’s theme and plugins up to date.

The more plugins you have, the slower your website tends to be and the more time it takes to maintain. When adding plugins to your site, quality matters: not every free plugin is safe to use, and a poorly chosen one can itself be a security risk.

In reality, no plugin is 100% safe, just as no website is 100% immune to hackers.

The best way to reduce plugin vulnerabilities is by selecting quality plugins before installing them. Select your plugins from reputable sources, such as CodeCanyon and the WordPress plugin repository. Both sources vet each plugin before it’s available to the public, and will remove a plugin when the developer violates their rules and/or the plugin becomes a security risk.

Keep in mind that just because you CAN install a plugin doesn’t mean that you SHOULD install it. You need to be very careful with your selection of plugins.

While plugins offer many benefits, they are also the biggest potential security risks on a site if they’re poorly coded, abandoned or rarely updated by the developer, or come from untrusted sources. They’re not unsafe by default, but they can create vulnerabilities if you’re not careful. Plugin vulnerabilities are known entry points for hackers, so the more plugins you have the greater the risk.


You’ll want to add at least two WordPress plugins, such as one for added website security (suggested plugin: Wordfence), and one for making a full backup of your site. You may also want one for having a contact form. Some WordPress themes require additional plugins to be installed in order to be able to use some of the theme functionality.

Free WordPress plugins tend to have limited features available. The more robust plugins (premium WordPress plugins) will come with either a one-time charge, or may require you to pay an annual fee in order to get future upgrades to the plugin.

3 Tips & Best Practices for Using WordPress Plugins

Keep Your WordPress Plugins Updated


I’ve yet to have a day go by when I haven’t had to do plugin upgrades, especially following a WordPress core update. Whenever an updated version of WordPress is released, it’s a sure bet that plugin developers are going to be updating their plugins to be compatible with the latest version of WordPress. Reputable plugin authors fix vulnerabilities very quickly when they are discovered. By keeping your plugins up to date you’re able to benefit from the fixes before attackers can exploit them.

One of the most common things I see happen is that once a new site is launched it often goes ignored for months on end. As mentioned, I’ve yet to have an upgrade-free day go by. But then again, doing website maintenance is part of my daily routine and I manage many sites with many plugins. Some sites have far too many plugins. You don’t need to check your site on a daily basis but DO check for updates at least once a week.

Ignore Abandoned WordPress Plugins

BEFORE you download and install any plugin, make sure that it is up to date, compatible with the latest version of WordPress, and is being maintained on a regular basis.

Also look at the developer’s support forum to make sure there aren’t legions of people posting complaints. I make it a habit to look over the plugin support forums to see what the complaints are and how well the developer is responding to the complaints. Since you did not develop the plugin yourself, you’re relying on the developer to ensure their code is free of vulnerabilities.

For any plugin you have already installed that hasn’t had an update pushed out in over a year, check whether the author has abandoned it. If it has been abandoned, look for an alternative plugin, then deactivate and delete the abandoned one.
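As an added example (not code from the original post), here is a small Python check that applies the two tips above, pending updates and plugins with no release in over a year, to the output of WP-CLI’s `wp plugin list --format=json` and the `last_updated` / `tested` fields of the WordPress.org plugin information API. The plugin slugs, dates, the `9:15am GMT` timestamp layout and the current core version `6.5` are constructed sample values, not real plugins.

```python
"""Flag installed plugins that need attention: a pending update, no release in
over a year, or not tested against the current core version. Constructed sample
data stands in for `wp plugin list --fields=name,status,update --format=json` and
for the `last_updated` / `tested` fields of the WordPress.org plugin info API."""
import json
from datetime import date

STALE_DAYS = 365    # the article's "no update in over a year" threshold
CURRENT_WP = "6.5"  # assumed current core version for the "tested" check

WP_CLI_SAMPLE = json.dumps([  # constructed WP-CLI output for three plugins
    {"name": "example-forms", "status": "active", "update": "available"},
    {"name": "example-gallery", "status": "inactive", "update": "none"},
    {"name": "example-cache", "status": "active", "update": "none"},
])
DIRECTORY_SAMPLE = {  # constructed directory data keyed by plugin slug
    "example-forms": {"last_updated": "2024-02-10 9:15am GMT", "tested": "6.5"},
    "example-gallery": {"last_updated": "2021-06-01 4:20pm GMT", "tested": "5.7"},
    "example-cache": {"last_updated": "2024-01-05 1:00pm GMT", "tested": "6.4"},
}

def version_tuple(v):  # numeric compare, so 6.10 sorts after 6.9
    return tuple(int(p) for p in v.split("."))

def assess(cli_json, directory, today_iso):
    """Return {slug: [findings]} for every plugin that needs attention."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for p in json.loads(cli_json):
        slug, notes = p["name"], []
        if p["update"] == "available":
            notes.append("update available")
        if p["status"] == "inactive":
            notes.append("inactive: delete it rather than leaving it installed")
        info = directory.get(slug)
        if info is None:  # not in the official directory: check where it came from
            notes.append("not in the wordpress.org directory: verify the source")
        else:
            last = date.fromisoformat(info["last_updated"][:10])  # leading YYYY-MM-DD
            if (today - last).days > STALE_DAYS:
                notes.append("no release in over a year: possibly abandoned")
            if version_tuple(info["tested"])[:2] < version_tuple(CURRENT_WP)[:2]:
                notes.append("not tested with the current WordPress version")
        if notes:
            findings[slug] = notes
    return findings

if __name__ == "__main__":
    for slug, notes in assess(WP_CLI_SAMPLE, DIRECTORY_SAMPLE, "2024-04-01").items():
        print(f"{slug}: {'; '.join(notes)}")
```

Run it weekly from the same cron job that runs `wp plugin list`, and treat anything flagged as "possibly abandoned" as a plugin to replace, not just update.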

Plugins From Sources Other Than the Official WordPress Repository

This can be a bit tricky since one of the easiest ways for attackers to compromise your website is to get you to load the malware yourself. How is that possible? By using the ol’ Smoke and Mirrors technique. The website you’re downloading the plugin from looks legitimate — at first glance. But before you download that plugin, take a closer look at the website.

  • Does the site provide contact information?
  • Do they respond to emails and/or phone calls?
  • Do they have a tech support forum for their WordPress plugins that you can freely read?
  • Google the domain name in quotes (e.g. “example.com”). Look for any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the domain name and search again.
  • Does the website use clear language to describe the plugin? Poor grammar and fragmented sentences are your first clue to leave the site. By the way, this rule also applies to “important looking” emails that you receive.
  • Google search for the names of the WordPress plugins, or the vendor name, and see what’s being reported. This will help you find out if any vulnerabilities have been reported. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible developer and actively maintaining their plugin(s).

Keeping everything up to date is essential. The WordPress team responds quickly when an issue is reported, and so should you. Remember to deactivate and then delete plugins and themes you’re no longer using, and don’t install more plugins than you absolutely need.

Category: WordPress Plugins
Copyright © 2006-2026. All rights reserved.