WordPress is among the most commonly used platforms for building a website. Unfortunately, it has a bad rep for security. In fact, Sucuri’s Hacked Trend Report says over ¾ of the infected sites analyzed were running WordPress. Half the time, these sites were not being kept up to date with the current version of WordPress. Many times, plugins are to blame.
Nearly 50,000 plugins are listed in the official repository alone, not to mention the many that are provided solely by third parties. So carefully choosing plugins and staying up to date with plugin vulnerabilities is a big part of ensuring your site is as secure as it can be. And that’s what this guide will help you do.
Note: If you’re trying to up the security of your WordPress site, you might also be interested in our .htaccess security tips for WordPress.
Check for known vulnerabilities before installing a plugin
Many security threats for plugins are publicly listed online. So before you install something, take a minute to see if it already has a known security risk. You can start by searching the WPScan Vulnerability Database, which is sponsored by Sucuri (you can check your theme there too). Of course, you can always check this list for plugins you’re already running as well.
It’s an ever-growing list of plugins that have known vulnerabilities and is always changing.
If you find that the plugin you want to use is listed, check which version the alert was listed for. Have there been new versions released since then? If so, check the plugin’s version history to see if the issue was fixed. On the official WordPress repository, you can see how long it’s been since the last update, as well as check the changelog.
And speaking of the last updated tidbit, stay away from plugins that haven’t been updated in a long time. It’s likely the developer has moved on to doing other things and isn’t keeping their plugin updated, which is not good for security. In fact, the official WordPress plugin directory will display a warning banner if a plugin hasn’t been updated in two years or more.
Another good indication of whether a plugin can generally be trusted is to look at how many installs it has. Of course, if it’s a newer plugin or one that hasn’t received much attention, it may not have many active installs yet. But if, like WP Super Cache, it has hundreds of thousands or millions of active installs, then it’s probably a trusted plugin.
One last step you can take is to look at the support section and see how responsive the developer is when someone posts a problem.
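The checks above (is my installed version behind the latest release, has the plugin gone two years or more without an update, and how many active installs does it have) can be scripted against the plugin’s listing data. This is an added example, not code from the original article: it evaluates a constructed record in the shape of the WordPress.org plugin info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), and the field names version, last_updated and active_installs, as well as the 10,000-install threshold, are assumptions.

```python
"""Vet a WordPress plugin against the article's pre-install checks."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample record (not real plugin data), modelled on the
# plugin-info API's JSON shape; the field names are an assumption.
SAMPLE_PLUGIN_JSON = """{
  "slug": "example-gallery",
  "version": "2.4.1",
  "last_updated": "2021-03-05 10:12am GMT",
  "active_installs": 800
}"""

STALE_AFTER = timedelta(days=2 * 365)  # the directory warns at two years
LOW_INSTALLS = 10_000                   # our own cut-off (assumption)


def parse_version(v: str) -> tuple:
    """'2.4' -> (2, 4, 0) so versions compare numerically, not as text."""
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def vet_plugin(info_json: str, installed_version: str, today: str) -> list:
    """Return a list of warning strings; an empty list means no red flags.

    today is an ISO date such as '2024-01-01' (treated as UTC).
    """
    info = json.loads(info_json)
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    warnings = []

    # 1. Installed version behind the latest release: update it.
    if parse_version(installed_version) < parse_version(info["version"]):
        warnings.append(f"outdated: running {installed_version}, "
                        f"latest is {info['version']}")

    # 2. No update for two years or more: likely abandoned.
    last = datetime.strptime(info["last_updated"], "%Y-%m-%d %I:%M%p GMT")
    if now - last.replace(tzinfo=timezone.utc) >= STALE_AFTER:
        warnings.append(f"stale: last updated {last.date()}")

    # 3. Few active installs: less community scrutiny of the code.
    installs = info.get("active_installs", 0)
    if installs < LOW_INSTALLS:
        warnings.append(f"low adoption: {installs} active installs")

    return warnings


if __name__ == "__main__":
    for w in vet_plugin(SAMPLE_PLUGIN_JSON, "2.3.0", "2024-01-01"):
        print("WARNING:", w)
```

Run it against a plugin that fails all three checks and you get three warnings; a current, recently updated, widely installed plugin produces an empty list.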
Think twice about 3rd party plugins
There’s a plugin out there for just about anything you can think of. Many of which are listed on the official WordPress plugin directory. But that’s definitely not the only place to find them. CodeCanyon has over 5,000 as of this writing, many membership sites have their own plugins and there are plenty of plugins only available from their developer’s sites.
Most developers aren’t out to get you. But don’t think there aren’t some with shady intentions. Be careful and do your research on any plugin that you want to use, especially if they’re solely available from the developer.
Always (try to) use the latest version
One of the main things you should do if you’re using plugins is simply keep them updated. Updates often fix newly discovered security threats that are announced and posted online for everyone to see. And you can bet that would-be hackers aren’t ignoring the news; they know about these security threats.
So if you aren’t staying up to date, it could obviously spell disaster. They go after WordPress sites running the version of the plugin that has the vulnerability, and that includes you if you aren’t updating your plugins when a new version is released.
Some people advise setting your plugins to auto-update when a new version is released. In theory this is the best option. However, there are cases when it could break your site. Sometimes updates won’t be compatible with your theme or something else you’re running.
We recommend using auto-updates, but with one catch: first make sure you always have current backups, so if something does break you can simply disable the plugin and restore your site.
Disabling plugins with a vulnerability
If you find out that you’re running a plugin with a vulnerability and there isn’t an update available that fixes it, it’s time to disable or delete it. This may be inconvenient if it’s something you rely on. But if you don’t, you’re deliberately putting your site at risk. Find another plugin or something else that will give you the same functionality. There’s really no way around it.
Now you have to decide whether to simply disable it and hope an update is released soon, or to completely delete and remove it. If you simply disable it, the plugin’s files are still on the server, and hackers can likely still get to them.
But if you completely remove the plugin and any trace of it, then there’s nothing left for them to exploit. If you choose this route, Brad Dalton has an excellent tutorial. It shows you how to remove the leftover files and data that plugins often leave behind when you uninstall them.
Automatic vulnerability alerts
Once you’ve done this, you might want to consider using something that will give you automatic vulnerability alerts or even protect your site from threats in real time. There are several ways you can do this, including Wordfence and the Plugins Vulnerabilities plugin.
Use these tips to reduce the likelihood of your WordPress site getting affected by plugin vulnerabilities.
Have you ever had a site hacked due to a plugin? What did you do? Is there anything else you think people should know about when it comes to plugins and security of WordPress sites?