
WordPress Security Tips to Stay Safe from Plugin Vulnerabilities

by: Hostwinds Team  /  April 28, 2017


WordPress is among the most commonly used platforms for building a website. Unfortunately, it has a bad reputation for security. Sucuri's Hacked Trend Report says over ¾ of the infected sites analyzed were running on WordPress. Half the time, these sites were not being kept up to date with current versions of WordPress, and many times, plugins are to blame.


Nearly 50,000 plugins are listed in the official repository alone, not to mention the many provided solely by third parties. So carefully choosing plugins and staying up to date with plugin vulnerabilities is a big part of keeping your site as secure as it can be, and that's what this guide will help you do.

Note: If you're trying to up the security of your WordPress site, you might also be interested in our .htaccess security tips for WordPress.

Check for known vulnerabilities before installing a plugin.

Many plugin security issues are publicly listed online, so before you install something, take a minute to see whether it already has a known security risk. You can start by searching the WPScan Vulnerability Database, sponsored by Sucuri (you can check your theme there too). Of course, you can also check this list for plugins you're already running.


It's an ever-growing list of plugins with known vulnerabilities, and it changes constantly.

If you find that the plugin you want to use is listed, check which version the alert was filed against. Has a new version been released since then? If so, check the plugin's version history to see whether the issue was fixed. On the official WordPress repository, the plugin page shows how long it's been since the last update, as well as the changelog.

And speaking of the last-updated tidbit, stay away from plugins that haven't been updated in a long time. The developer has likely moved on to other things and isn't maintaining the plugin, which is bad for security. The official WordPress plugin directory displays a warning banner if a plugin hasn't been updated in two years or more.

Another good indication of whether a plugin can generally be trusted is how many active installs it has. A newer plugin, or one that hasn't received much attention, may not have many active installs. But when a plugin like WP Super Cache has hundreds of thousands or millions of active installs, it's probably a trusted plugin.

One last step you can take is to look at the support section and see how responsive the developer is when someone posts a problem.
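The steps above (compare the installed version with the version the alert was filed against, see whether a fixed release exists, and flag plugins that have not been updated in two years or more) can be scripted against a local copy of the site. The following is an added example written for this article, not code from Hostwinds or from WPScan; the plugin headers, advisory entries and last-updated dates are constructed sample data, and the advisory field names (affected_up_to, fixed_in) are an assumption, not the real database's schema.

```python
"""Offline audit of installed WordPress plugins against known advisories.
Added example; all plugin headers, advisories and dates below are constructed."""
import re
from datetime import date

# Constructed sample: the header block WordPress reads from each plugin's main file.
SAMPLE_PLUGIN_HEADERS = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.0\n */",
    "example-seo": "<?php\n/*\nPlugin Name: Example SEO\nVersion: 2.1\n*/",
}

# Constructed advisory list (field names are an assumption, not a real schema):
# the slug, the highest affected version, and the fixing release (None = no fix yet).
SAMPLE_ADVISORIES = [
    {"slug": "example-gallery", "title": "stored XSS in album title",
     "affected_up_to": "1.4.2", "fixed_in": "1.4.3"},
    {"slug": "example-forms", "title": "unauthenticated file upload",
     "affected_up_to": "2.9.9", "fixed_in": "3.0.0"},
    {"slug": "example-seo", "title": "SQL injection in redirect tool",
     "affected_up_to": "2.1", "fixed_in": None},
]

# Constructed "last updated" dates, as the plugin directory page would show them.
SAMPLE_LAST_UPDATED = {
    "example-gallery": date(2017, 3, 1),
    "example-forms": date(2014, 6, 12),
    "example-seo": date(2016, 11, 20),
}

def parse_version(header_text):
    """Return the 'Version:' header value, or None if the header is missing."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_le(a, b):
    """True when version string a <= b; shorter tuples are padded with zeros
    so that '2.1' and '2.1.0' compare equal."""
    ta = tuple(int(p) for p in re.findall(r"\d+", a))
    tb = tuple(int(p) for p in re.findall(r"\d+", b))
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) <= tb + (0,) * (n - len(tb))

def audit(headers, advisories, last_updated, today, stale_days=730):
    """Return {slug: [findings]}. Each finding has a 'kind' ('vulnerable' or
    'stale') and the 'action' the article recommends for that case."""
    findings = {slug: [] for slug in headers}
    for adv in advisories:
        installed = parse_version(headers.get(adv["slug"], ""))
        if installed is None:
            continue  # advisory is for a plugin that is not installed here
        if version_le(installed, adv["affected_up_to"]):
            if adv["fixed_in"]:
                action = f"update to {adv['fixed_in']}"
            else:
                action = "no fix released: deactivate and delete"
            findings[adv["slug"]].append({"kind": "vulnerable", "title": adv["title"],
                                          "installed": installed, "action": action})
    for slug, updated in last_updated.items():
        # The directory warns at two years without an update; mirror that threshold.
        if slug in findings and (today - updated).days >= stale_days:
            findings[slug].append({"kind": "stale",
                                   "action": "not updated in 2+ years; look for a maintained alternative"})
    return findings

def run_sample():
    """Audit the constructed site as of the article's publication date."""
    return audit(SAMPLE_PLUGIN_HEADERS, SAMPLE_ADVISORIES, SAMPLE_LAST_UPDATED, date(2017, 4, 28))

if __name__ == "__main__":
    for slug, items in run_sample().items():
        for f in items:
            print(f"{slug}: {f['kind']} -> {f['action']}")
```

Run against a real install, the header dictionary would be filled by reading the main file of each directory under wp-content/plugins, and the advisory list would come from the vulnerability database; the comparison logic stays the same.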

Think twice about 3rd party plugins

There's a plugin out there for just about anything you can think of, and many of them are listed on the official WordPress plugin directory. But that's not the only place to find them: CodeCanyon has over 5,000 as of this writing, many membership sites offer their own plugins, and plenty of plugins are only available from their developer's site.

Most developers aren't out to get you, but don't assume there are none with shady intentions. Be careful and do your research on any plugin you want to use, especially if it's only available from the developer.

Always (try to) use the latest version.

One of the main things you should do if you're using plugins is keep them updated. Updates often fix newly discovered security flaws, which are announced and posted online for everyone to see. And you can bet that would-be attackers aren't ignoring the news; they know about these flaws too.

So if you aren't staying up to date, it could spell disaster. They devise a plan to go after WordPress sites running the vulnerable version of the plugin, and that includes you if you aren't updating your plugins when a new version is released.

Some people advise setting your plugins to auto-update when a new version is released. In theory, this is the best option. However, there are cases when it could break your site. Sometimes updates won't be compatible with your theme or something else you're running.

We recommend using auto-updates, with one catch: first make sure you always have current backups. If an update breaks something, you can disable the plugin and restore your site.
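The back-up-then-update-then-verify routine described above can be automated so that a broken update is rolled back instead of left in place. The following is an added example, not code from Hostwinds or from WordPress: it works on a temporary directory standing in for wp-content/plugins, the plugin slug and file contents are constructed, and the health check is a placeholder for actually loading the site after the update (a real one would fetch the home page and look for a 500 error or a fatal-error message).

```python
"""Update a plugin only after backing it up, and restore the backup when a
post-update check fails.  Added example; the site layout is a temp directory,
the slug is constructed and the health check is a stand-in."""
import shutil
import tempfile
from pathlib import Path

PLUGIN_SLUG = "example-gallery"  # constructed slug

def backup_plugin(plugins_dir, slug, backup_root):
    """Copy wp-content/plugins/<slug> to backup_root/<slug>; return the copy's path."""
    dest = Path(backup_root) / slug
    shutil.copytree(Path(plugins_dir) / slug, dest)
    return dest

def restore_plugin(plugins_dir, slug, backup):
    """Replace the installed plugin directory with the backed-up copy."""
    target = Path(plugins_dir) / slug
    shutil.rmtree(target, ignore_errors=True)
    shutil.copytree(backup, target)

def update_with_rollback(plugins_dir, slug, apply_update, health_check):
    """Back up, apply the update, run the check; on failure restore the backup.
    Returns True when the update was kept, False when it was rolled back."""
    with tempfile.TemporaryDirectory() as backup_root:
        backup = backup_plugin(plugins_dir, slug, backup_root)
        apply_update(Path(plugins_dir) / slug)
        if health_check(Path(plugins_dir) / slug):
            return True
        restore_plugin(plugins_dir, slug, backup)
        return False

def installed_version(plugin_dir):
    """Read the Version: header from the plugin's main file."""
    text = (Path(plugin_dir) / f"{PLUGIN_SLUG}.php").read_text()
    for line in text.splitlines():
        if line.strip().startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None

def placeholder_health_check(plugin_dir):
    """Stand-in for loading the site: the constructed 'broken' update marks its
    main file with FATAL, which a real check would see as a PHP fatal error."""
    return "FATAL" not in (Path(plugin_dir) / f"{PLUGIN_SLUG}.php").read_text()

def run_scenario(update_breaks_site):
    """Build a constructed site, attempt the update, return (kept?, version now)."""
    with tempfile.TemporaryDirectory() as site:
        plugins_dir = Path(site) / "wp-content" / "plugins"
        plugin_dir = plugins_dir / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        main_file = plugin_dir / f"{PLUGIN_SLUG}.php"
        main_file.write_text("<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/\n")

        def apply_update(pdir):
            # Constructed new release; the broken variant simulates a theme incompatibility.
            body = "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.3\n*/\n"
            if update_breaks_site:
                body += "// FATAL: simulated incompatibility with the active theme\n"
            (pdir / f"{PLUGIN_SLUG}.php").write_text(body)

        kept = update_with_rollback(plugins_dir, PLUGIN_SLUG, apply_update, placeholder_health_check)
        return kept, installed_version(plugin_dir)

if __name__ == "__main__":
    print("clean update:", run_scenario(False))
    print("broken update:", run_scenario(True))
```

The point of the structure is that the backup is taken before anything is touched and the decision to keep or discard the update is made by a check that runs after it, which is exactly what a manual "update, reload the site, restore if it's broken" routine does.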

Disabling plugins with a vulnerability

Suppose you find out that you're running a plugin with a vulnerability and there is no update available that fixes it. It's time to disable or delete it. This may be inconvenient if it's something you rely on, but if you don't, you're deliberately putting your site at risk. Find another plugin, or some other way to get the same functionality; there's no way around it.

Now you have to decide whether to disable it and hope an update is released soon, or delete and remove it entirely. If you only disable it, the plugin's files are still on the server, and attackers can likely still reach them.

But if you remove the plugin and every trace of it, there's nothing left for them to exploit. If you choose this route, Brad Dalton has an excellent tutorial showing how to remove the leftover files and data that plugins often leave behind when you uninstall them.

Automatic vulnerability alerts

Once you've done this, consider using something that gives you automatic vulnerability alerts or even protects your site from threats in real time. There are several ways to do this, including Wordfence and the Plugins Vulnerabilities plugin.

Use these tips to reduce the likelihood of your WordPress site getting affected by plugin vulnerabilities.

Have you ever had a site hacked due to a plugin? What did you do? Is there anything else you think people should know about when it comes to plugins and the security of WordPress sites?
