Thanks to its ease of use and customizability, WordPress is the most popular open source CMS platform in the world. However, the plugins that allow users to easily add features also carry a risk: sites with 20 or more plugins were nearly three times more likely to have malware. Malware attacks can damage your site’s reputation and cost you money, especially if your site is taken offline or removed from search results. Knowing how to evaluate plugins effectively and use them safely allows you to maintain the functionality of your site without sacrificing security.
The risks of using WordPress plugins
Did you know both legitimate and fake WordPress plugins carry security risks?
Legitimate plugins may contain vulnerabilities, which occur when the plugin has an unpatched or undetected security issue that can grant a cybercriminal access to the site or let them inject malware.
Fake plugins are created by cybercriminals who steal code from legitimate plugins, such as WordPress SEO Tools, to create a malicious version, like WP-Base-SEO. Unsuspecting site owners then find the plugin on third-party WordPress sites and install it, not realizing that they’ve installed something malicious.
Fortunately, you can mitigate these risks and use plugins safely by implementing some WordPress best practices.
Reviewing a WordPress plugin for safety
A little time and research is all it takes to check the legitimacy and safety of a WordPress plugin.
Install plugins only from trusted developers. If you aren’t familiar with a specific plugin developer, do your research first to confirm the developer’s legitimacy by searching for forum posts discussing known issues, or find the developer’s contact information. To find these posts, try searching for the developer or plugin’s name, “[plugin name] security” or “[plugin name] issues.” The developer’s contact info will likely be found on their own website or on their wordpress.org profile.
Be cautious with free plugins. Malicious plugins often disguise themselves as pirated or “free” versions of premium plugins. If you’re looking to save on plugins, only install free plugins from the WordPress plugins repository. Otherwise, purchasing a premium plugin ensures that you’re getting the real thing.
Check how frequently the plugin is updated. Out-of-date plugins are a common source of vulnerabilities. Even if the plugin seems trustworthy, don’t install it if it has gone six months or longer without an update.
Review the comments and ratings. An inordinate number of low ratings and negative comments can give insight into potential security issues.
After installing, make sure everything is still normal. If you’ve done your research and decide to install the plugin, check the live site for unusual or malicious activity once installed.
Once you’ve installed a safe plugin, you’ll need to ensure it stays safe.
How to use WordPress plugins safely
Mitigating the risks of plugins doesn’t stop once you’ve installed the plugin.
Install updates as soon as they are available. The update may contain a patch for a vulnerability, which could be exploited by cybercriminals if not patched in a timely manner.
Keep only what you use. Fully remove any plugins that you haven’t used, or that haven’t received updates, in six months. It’s best to remove the plugin entirely, rather than disabling it, as disabling a plugin still leaves the vulnerable files on your site where a cybercriminal could take advantage of them.
Prepare for the unexpected. Use a website scanner that looks for malware and vulnerabilities daily so that you’ll know if any issues occur and can act immediately to circumvent them.
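The checks in the two lists above (is an update pending, is the plugin disabled but still installed, has the developer gone six months without releasing an update, is it even listed in the wordpress.org directory) can be applied mechanically to an export of the installed plugins. The script below is an added example and is not SiteLock’s code or part of WordPress. It assumes the input has the shape of `wp plugin list --format=json` (fields `name`, `status`, `update`, `version`) with one extra field, `last_updated`, that you would fill in from the wordpress.org plugin-info API; the plugin entries and the audit date are constructed for illustration.

```python
"""Audit installed WordPress plugins against the rules in the post above.

Added example (not SiteLock's or WordPress's code). Input mirrors
`wp plugin list --format=json` plus a `last_updated` ISO date per plugin,
as the wordpress.org plugin-info API reports it; `null` means the plugin
was not found in the directory.
"""
import json
from datetime import date, timedelta

# Six months: the threshold the post gives for "don't install" and "remove".
STALE_AFTER = timedelta(days=183)

# Constructed date on which the sample audit is run.
AUDIT_DATE = date(2024, 4, 1)

# Constructed sample export; names and dates are illustrative only.
SAMPLE_PLUGINS_JSON = """
[
  {"name": "akismet",        "status": "active",   "update": "none",      "version": "5.3", "last_updated": "2024-03-01"},
  {"name": "contact-form-7", "status": "active",   "update": "available", "version": "5.8", "last_updated": "2024-02-15"},
  {"name": "old-gallery",    "status": "inactive", "update": "none",      "version": "1.2", "last_updated": "2021-06-10"},
  {"name": "wp-base-seo",    "status": "active",   "update": "none",      "version": "0.9", "last_updated": null}
]
"""


def audit_plugin(plugin, today):
    """Return the reasons one plugin needs attention (an empty list means it passes)."""
    reasons = []
    # Rule: install updates as soon as they are available.
    if plugin.get("update") == "available":
        reasons.append("update available: install it now")
    # Rule: disabling is not enough, the files stay on the server.
    if plugin.get("status") != "active":
        reasons.append("inactive: delete it instead of leaving it disabled")
    last_updated = plugin.get("last_updated")
    # Rule: only install free plugins from the wordpress.org repository.
    if last_updated is None:
        reasons.append("not in the wordpress.org directory: confirm where it came from")
    # Rule: six months without a developer update is the cut-off.
    elif today - date.fromisoformat(last_updated) > STALE_AFTER:
        reasons.append(f"no developer update since {last_updated}: treat as abandoned")
    return reasons


def audit_plugins(plugins_json, today):
    """Map each plugin name in a wp-cli style JSON export to its list of findings."""
    plugins = json.loads(plugins_json)
    return {p["name"]: audit_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    report = audit_plugins(SAMPLE_PLUGINS_JSON, AUDIT_DATE)
    for name, reasons in report.items():
        print(f"{'OK' if not reasons else 'ACTION':6} {name}")
        for reason in reasons:
            print(f"       - {reason}")
```

Run it against a real export by piping `wp plugin list --format=json` into the script after adding `last_updated` for each slug; anything flagged "ACTION" maps directly to one of the steps above (update, delete, or verify the source). A daily run of something like this complements, rather than replaces, a malware and vulnerability scanner, since it only reasons about metadata and never inspects the plugin files themselves.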
Despite the risks, you can use WordPress plugins safely by following these best practices to avoid potential vulnerabilities. Knowing what to look for when choosing plugins will help you to easily determine what’s real and what’s malicious. A website scanner from SiteLock will keep an eye out for any malware or vulnerabilities, so you’ll still be protected if you missed anything. Just ask Amanda Naor, an independent photographer who got her WordPress site back online after a cyberattack. If you’re ready to ensure this doesn’t happen to you, check out our plans or call 855.378.6200.