WordPress Plugins & Security

There are currently around 50,000 plugins available for WordPress. The large, diverse selection of plugins is one of the reasons so many businesses decide to build their websites with WordPress. The plugins make it easier to add the features they want to their websites. While the vast majority of plugins are very well built and secure, installing plugins can increase security risks.

Let’s take a look at what a plugin is and how it can be a security risk.

What is a WordPress plugin?

A WordPress plugin is basically a small software application that is built to plug right into WordPress. Plugins have their own built-in functions and make use of features already available in the WordPress core to add new capabilities. Plugins are built by members of the WordPress community and offered on the WordPress plugin directory that can be found here:

https://wordpress.org/plugins/

Examples of functionality that can be added to a site with WordPress plugins would include:

  • SEO tools
  • Website backup and recovery tools
  • Page builders
  • Security and anti-malware tools
  • Forums
  • Custom forms
  • Anti spam tools
  • Video tools
  • Membership managers
  • A whole lot more!

Why Can a WordPress Plugin Be a Security Risk?

The main reason a WordPress plugin can create security risks is poorly written code. The people who use WordPress, and build plugins for it, have widely varying levels of skill when it comes to writing code. If they fail to follow proper protocols when coding out their plugin they could leave access points wide open for malware.

The WordPress core is very secure, and a team of individuals monitors it to keep it that way. When you install a plugin, however, the code associated with it isn’t monitored by that team. The plugin code is the responsibility of the person who created the plugin: they have to monitor it and make sure it is secure and remains secure. If they fail to do that, malware can infiltrate your entire site through the door left open by the plugin.

Whenever I try to explain WordPress plugin security risks to someone who isn’t a coder I tell them that it would be like having a house that is fully secure, hiring a contractor to install a new front door and then having them install the lock backwards giving full access to your otherwise secure home. That’s basically what happens when poorly coded plugins leave open access points for malware.

How Does Malware Find Access Through WordPress Plugins?

A lot of malware is automated. Some idiot writes a script that goes out and checks all kinds of websites for various features and when it finds those features, it executes some kind of process to try to exploit them. We refer to these applications as “bots” in the industry, which is short for robots.

There usually isn’t a skilled hacker sitting in front of their computer with lines of code flying by, as shown in movies and on TV, working to find a way into your website. The process is much less dramatic (as is life in general). It’s usually a software application scanning the Internet looking for a site with a plugin installed that is known to have a hole in it. When it finds a site with that plugin, it then tries to exploit the hole.

How Can I Use Plugins and Avoid Problems?

The number one thing you should always do with a website is create regular backups that can be used to restore the site if malware infiltrates it or some technical problem takes it offline. This is the best thing you can do to protect your website. It’s impossible to keep a site from ever going down, but with a good backup available you can ensure it is only down for a short time. Beyond backups, take these steps before installing any plugin:

  1. Check to make sure the plugin isn’t on the list of hacked or vulnerable plugins, which can be found here: https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/
  2. Do a quick Google Search to see if anyone else is having problems with a plugin.
  3. Check the star rating and number of installs before installing plugins. If the star rating is high and there have been a lot of installs, it is probably reliable.

Plugins add useful features to your WordPress website but make sure you install well-built plugins to avoid security problems.

– Tom

Tom Broadwater
TCE Media