There are over 56,000 plugins in the WordPress directory at the moment, but does that mean each plugin is a potential security threat to your WordPress website? Not to scare you right from the start, but WordPress is the most hacked content management system, and a lot of WordPress vulnerabilities come from plugins. In fact, the WPScan Vulnerability Database shows that, of all WordPress vulnerabilities, those caused by plugins add up to 23% (while themes account for only 3%). Security is one of the most important things you should take care of once you start building a website. There are plenty of things to worry about, but are WordPress plugins one of them?
Let’s dive in deeper to investigate if plugins can make your site vulnerable.
What Can Make a Site Vulnerable?
The first step on the road to making your WordPress site safe is to identify what can make it vulnerable in the first place, so you know which risks to eliminate. So let’s have a quick look at some of the most common factors that can cause vulnerability:
- Weak password – The most common passwords of 2017 were ‘123456’ and ‘password’, so creating a strong password (at least 8 characters, with numbers and symbols, a different one for each account, etc.) should be the number one rule of security.
- Poor coding – Through lack of skills, experience, time, testing or many other factors, any developer can make mistakes while coding, or simply not concentrate on security as much as on functionality.
- Missing updates – Updates usually provide security patches, fix mistakes and give you the (potentially) best current version out there, so out-of-date installations are more prone to attacks.
- Insecure plugins and themes – Plugins and themes are among the leading sources of WordPress vulnerabilities. They can cause vulnerabilities in many ways – by being out of date, by being built by inexperienced developers, by being incompatible with the latest WordPress version, and many more.
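The password rule stated above, turned into a policy check you could run when creating WordPress accounts. This is an added example, not code from the post; the deny-list is a constructed sample seeded with the two passwords the post names, and a real deployment would load a full breach list instead.

```python
"""Password policy check for the rule above: at least 8 characters, with
numbers and symbols, and not one of the most common passwords.
Added example, not the post's code; the deny-list is constructed."""
import string

# Constructed sample deny-list; replace with a full common-password corpus.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "123456789"}


def check_password(pw, username=None, min_length=8):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # A password that embeds the account name is trivially guessable.
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "alice#2018"):
        print(candidate, "->", check_password(candidate, username="alice") or "ok")
```

The check reports every violation rather than stopping at the first, so the user sees the whole reason a password was refused.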
How to Tell If a Plugin Is Safe?
As plugins can be the cause of vulnerabilities, it is important to find the ones that won’t serve as a gateway for the big bad hackers. As stated before, the WordPress plugin directory currently has over 50,000 plugins, with even more available elsewhere around the web, so how do you know which ones are safe to use? I’ve created a checklist of things you should pay attention to before using a new plugin.
It is important to download plugins only from sources that are trustworthy. Example: Visit popular and reliable resources like WPMayor to discover reputable plugins.
If a lot of people have installed the plugin, it is a good indicator of its popularity and, in combination with the other points in the checklist, of overall satisfaction with it. Example: The most popular WordPress SEO plugin, Yoast SEO, has over 5 million active installations at the moment.
A high rating means that people who install the plugin actually enjoy it and it probably didn’t cause serious issues. Just to be extra sure, you can always check the comment section (if there is one) to see what exactly people like and don’t like. Example: Slider Revolution is one of the best-selling WordPress plugins, with an average rating of 4.79, which makes it a good choice.
Always check that updates are released regularly and that the latest update was released recently. There are several ways to check this, but usually there is a section on the website of the particular plugin where you can see all the releases, their dates and other important information. Example: Caldera Forms posts articles after their updates describing the new features, fixes and general information about the plugin in its current version.
Compatibility with the Latest WordPress Version
The plugin should be compatible with the latest version of WordPress. One way to check is on wordpress.org, if the plugin you’re interested in is listed there. Example: The WooCommerce plugin is compatible with WordPress versions 4.7 and higher and is tested up to version 4.9.8 (which is the current version).
It is crucial to check whether there’s a support channel available for the plugin, as it is a strong indication that the plugin developers care what the users think and want to help. Example: BlogVault has a ticket system that is easy to find and use on their website, as well as broad documentation.
Make sure that the plugin doesn’t cause conflicts with other plugins. You can check the comments or user reviews to see if there have been complaints. Plugin authors quite often name the compatible plugins as well. Any compatibility issue can be a serious obstacle to having the site that you want. Example: WPML has a compatibility team that ensures that WPML is fully compatible with various WordPress themes and plugins.
The plugin’s documentation usually contains a detailed explanation (and tutorials) of the features, release notes and other important information about the plugin that can be useful. Example: Visual Composer has some of the most appreciated documentation and video tutorials, aimed at beginners as well as developers, and they are updated on a regular basis.
If you’re really unsure, try running it through a security scan. Example: One of the best WordPress security plugins is MalCare. It detects malware, out-of-date software and blacklist status, and helps you clean the site and take site-hardening measures.
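Several of the checklist items above (regular updates, compatibility with the latest WordPress version, active installations, ratings, support, and whether your installed copy is behind the latest release) can be checked from the plugin’s public directory record rather than by eye. The script below is an added example, not code from the post: it vets a constructed sample record shaped like the JSON that the wordpress.org plugin information API (https://api.wordpress.org/plugins/info/1.0/<slug>.json) returns, using field names that follow that API as I know it (version, tested, last_updated, active_installs, rating, num_ratings, support_threads, support_threads_resolved). The thresholds are my assumptions, not rules the post states.

```python
"""Vet a WordPress plugin against the checklist using its directory record.

Added example, not the post's code. The record below is a constructed sample
shaped like the wordpress.org plugin info API response; thresholds are
assumptions."""
import json
import re
from datetime import date

# Constructed sample record for offline use, not fetched from wordpress.org.
SAMPLE_PLUGIN_JSON = json.dumps({
    "name": "Example Forms",            # hypothetical plugin
    "slug": "example-forms",
    "version": "1.8.3",                 # latest release in the directory
    "requires": "4.7",
    "tested": "4.9.6",                  # "tested up to" WordPress version
    "last_updated": "2018-02-11 9:15am GMT",
    "active_installs": 40000,
    "rating": 92,                       # the API reports rating on a 0-100 scale
    "num_ratings": 310,
    "support_threads": 25,
    "support_threads_resolved": 20,
})


def load_sample():
    """Parse the constructed record the way you would parse the API response."""
    return json.loads(SAMPLE_PLUGIN_JSON)


def parse_version(v):
    """'4.9.8' -> (4, 9, 8): compare versions numerically, never as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_last_updated(s):
    """last_updated looks like '2018-02-11 9:15am GMT'; the date part is enough."""
    return date.fromisoformat(s.split(" ")[0])


def vet_plugin(info, current_wp, today, installed_version=None,
               max_age_days=180, min_installs=1000, min_rating=80,
               min_num_ratings=20, min_resolved_ratio=0.5):
    """Return (severity, message) findings; an empty list means every check passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []

    # Regular updates: how long since the last release?
    age = (today - parse_last_updated(info["last_updated"])).days
    if age > max_age_days:
        findings.append(("warn", f"last updated {age} days ago (limit {max_age_days})"))

    # Compatibility with the latest WordPress version.
    if parse_version(info["tested"]) < parse_version(current_wp):
        findings.append(("warn", f"tested up to {info['tested']}, current WordPress is {current_wp}"))

    # Popularity.
    if info["active_installs"] < min_installs:
        findings.append(("info", f"only {info['active_installs']} active installs"))

    # A rating only means something once enough people have voted.
    if info["num_ratings"] < min_num_ratings:
        findings.append(("info", f"only {info['num_ratings']} ratings; score not yet meaningful"))
    elif info["rating"] < min_rating:
        findings.append(("warn", f"rating {info['rating']}/100 is below {min_rating}"))

    # Support: are forum threads actually being resolved?
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads and resolved / threads < min_resolved_ratio:
        findings.append(("warn", f"only {resolved}/{threads} support threads resolved"))

    # Missing updates on your own install: behind the directory's latest release.
    if installed_version and parse_version(installed_version) < parse_version(info["version"]):
        findings.append(("high", f"installed {installed_version}, {info['version']} available; update"))

    return findings


if __name__ == "__main__":
    for severity, msg in vet_plugin(load_sample(), current_wp="4.9.8",
                                    today="2018-09-20", installed_version="1.7.0"):
        print(f"[{severity}] {msg}")
```

Against the sample, with WordPress 4.9.8 as the current version and an installed copy at 1.7.0, the script flags the stale release date, the lower "tested up to" version, and the missing update; versions are compared as tuples of integers because a string comparison would rank 4.9.8 above 4.9.10.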
What Plugins to Look Out For?
Apart from the checklist, there are some specific plugins that have been labelled as unsafe or as having vulnerabilities. A plugin might be outdated, or a particular version of it might carry many vulnerabilities, so there are websites you can visit for the latest safety information in the WordPress ecosystem: unsafe plugin lists, specific vulnerabilities and their status (fixed or not), the plugin versions that contain critical vulnerabilities, and more.
Here’s a list of the resources to check out:
- exploit-db – The Exploit Database is “an archive of public exploits and corresponding vulnerable software”.
- cvedetails – Security vulnerability database.
- pluginvulnerabilities – A service that protects you against plugin vulnerabilities in multiple ways.
How to Secure Your Data?
However safe you think your site is, there’s always a chance that an attacker is smarter or has found a new way to mess with your data. To prevent that, there are a couple of important things you should consider doing – update regularly and make backups. Consider this the WordPress security mantra, as it’s the least you can do to protect your site.
In 2017, 39.3% of hacked WordPress websites were running an outdated version of WordPress, so you can see that an out-of-date installation makes your site extra vulnerable. To make you feel better (or safer): in 2016 it was 61%, but that doesn’t mean you should leave WordPress out of date any longer than necessary.
WordPress core is not the only component that might have vulnerabilities. As stated before, a big part of hacks occur because of vulnerabilities in plugins and themes, so if there’s an update available, it might be because a security vulnerability has been found and the developers have eliminated it in the next release. Missing the update would mean giving attackers an opportunity to exploit the vulnerability and hack your site.
Unfortunately, most people don’t think of backups unless they’ve experienced a situation in which they lost their data and had no way to retrieve it. There are many reasons you should always back up your site – issues with hosting, update complications, common hack attacks, and many more.
It is not uncommon for people to lose all of their data for any of these reasons, and restoring it can be a long and tedious process, if it’s possible at all. The best way to be sure that you don’t lose data and that it can easily be restored is, obviously, regular backups.
Making regular backups might seem like a time-consuming thing at first, considering that it is advised to make backups frequently (as often as once a day), but there are services that make the process substantially easier and quicker.
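A backup only helps if it can actually be restored, so the example below pairs each archive with a SHA-256 digest and refuses to trust one that no longer matches, then keeps only the newest few. This is an added example, not the post’s code and not any backup service’s: it archives a directory standing in for wp-content (plus a database dump you would produce separately, for instance with mysqldump); the paths, file names and retention count are assumptions, and the files in the walk-through are constructed.

```python
"""Make, verify and rotate site backups. Added example, not the post's code;
paths and retention count are assumptions, sample files are constructed."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, backup_dir, stamp=None):
    """Write <backup_dir>/site-<stamp>.tar.gz plus a .sha256 sidecar; return the archive path."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    Path(str(archive) + ".sha256").write_text(sha256_file(archive))
    return archive


def verify_backup(archive):
    """True only if the archive matches its recorded digest and is a readable tarball."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sha256_file(archive) != sidecar.read_text().strip():
        return False
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            return len(tar.getnames()) > 0
    except (tarfile.TarError, OSError):
        return False


def prune_backups(backup_dir, keep=7):
    """Delete all but the newest `keep` archives; names sort by their UTC stamp."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))
    removed = []
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
        removed.append(old.name)
    return removed


def demo():
    """Offline walk-through on constructed files; returns the results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        (site / "uploads").mkdir(parents=True)
        (site / "uploads" / "a.txt").write_text("constructed upload")
        (site / "db.sql").write_text("-- constructed database dump")
        backups = Path(tmp) / "backups"
        archives = [make_backup(site, backups, stamp=f"20180920T0{i}0000Z") for i in range(3)]
        intact = verify_backup(archives[0])
        with open(archives[1], "ab") as f:      # simulate a corrupted archive
            f.write(b"x")
        tampered = verify_backup(archives[1])
        removed = prune_backups(backups, keep=1)
        remaining = sorted(p.name for p in backups.glob("site-*.tar.gz"))
        return {"intact": intact, "tampered_detected": not tampered,
                "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Store the archives (and their digests) somewhere other than the web server itself; a backup that lives next to the site is lost in the same hosting failure or compromise it was meant to survive.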
So, Are Plugins Safe?
Ultimately, your WordPress site is as secure as you make it. There are many things that can make your WordPress site vulnerable, and yes, plugins are one of them, but it all comes down to the decisions you make while choosing a WordPress security plugin and dealing with the security of your site in general. There are simple steps you can take to really secure your website, so if you choose plugins that are safe, update all installations and back up regularly, there is nothing to worry about.
Have you ever faced security issues on your WordPress installation that were related to plugins? Let us know in the comments!
Author of the Post: Irma Edite Girupniece is a video making machine who still believes she’s going to be an astronaut one day.