How to Avoid Vulnerable WordPress Plugins

How to Avoid Vulnerable WordPress Plugins

According to W3Techs, 30% of all websites are powered by WordPress. This figure dwarfs the next closest content management system (CMS) — Joomla at 3.1%.

This widespread use of WordPress comes as no surprise; it’s an excellent tool for organizing a company’s website — especially for small businesses that typically don’t have the resources to build their site from the ground up.

One way WordPress stands out is through their plugin system, which allows specific software to be added to a WordPress website. Plugins are essential for giving your website the flexibility it needs to execute your unique business functions, like adding contact forms, blocking spam comments and much more.

Unfortunately, not all plugins are made equally. The perfect plugin for your site may not have been developed with the same security expectations you have for your business.

Let’s go over how you can avoid accidentally installing vulnerable WordPress plugins.

Not All Plugins Are Built by Pros

With enough time and effort, anyone can learn how to build a WordPress plugin and make it available to the masses. This makes deciding to install one potentially risky to your site’s security. Patrick Foster, writing for the National Cyber Security Alliance, explains: 

The problem with that is that we tend to automatically trust plugin marketplaces, assuming that anything listed will be safe because it’s been checked, even though we know that digital ecosystems are full of mediocre or outright harmful apps despite being curated. Anyone can easily upload a plugin, make it look like a product from a reputable developer and wait for someone to take the bait.

Foster suggests reading reviews, confirming the developer is listed, verifying the developer has a legitimate website and making sure they regularly update the app with security patches before you install any plugin. You can find reviews and developer information for each plugin in the WordPress.org plugin page. 

Maintain a Manageable Amount of Plugins

Even well-known developers can create plugins that contain small security flaws. The more plugins you have operating on your site, the more chances there will be to encounter one of those flaws. 

For example, just last week the popular WooCommerce plugin was found to be affected by a handful of issues that allow an attacker with access to a single account to take over an entire site. 

The more plugins you have, the more likely you’ll miss a critical update. Managing five plugins is easier than managing thirty and having to keep track of all their security updates. Plugins aren’t updated by default, which means you’re responsible for initiating security updates yourself via the wp-admin dashboard/plugins sidebar. 

How to Know Which Plugins to Avoid

Beyond what we’ve already mentioned, there are websites you can use to check for compromised plugins.

Firstguide.com maintains a list of plugins with known vulnerabilities, but they do have a disclaimer which reads: 

Although we can’t help you avoid every single bad plugin, we can pinpoint those who have known, confirmed vulnerabilities and security issues. Unless you know what you’re doing, you’re testing something on a local installation, or you’re into WordPress security, you should not use the dangerous plugins listed below on production sites. Problems explained in the table below are well known and documented, making it easy for anyone with bad intentions to exploit those security holes and attack your site.

If you have a plugin currently installed on your website that is found on this list, don’t be afraid to remove it. Taking unnecessary risks can compromise your site and negatively impact your company. One plugin isn’t worth it.

Maintaining a website with zero vulnerabilities is an additional task for your cybersecurity team. Ask them to review your plugin library frequently and confirm there isn’t anything suspicious or outdated. If they find do anything that could lead to problems, make sure it’s removed immediately.

Stay up-to-date on all cybersecurity related news by subscribing to our newsletter below!

Written by Nik Vargas