Plugin Security - What You Need to Know

November 18, 2019 by Patricia Bennett

Your WordPress site cannot function without plug-ins. If you are going to have a blog, you will need Akismet, Defender, and a plug-in that serves as a contact form. Without these plug-ins, you can’t collect contacts, and your site’s safety will be at risk.

The above-mentioned plug-ins are known for their safety. They are well-rated, have been downloaded millions of times, and were created by developers who have a great reputation when it comes to creating error-free plug-ins. But what about the thousands of other plug-ins that are available for WordPress? How can you tell if they are safe or not?

Installing an unsafe plug-in can open you up to a whole world of security issues. Your hosting company may be a strong line of defense against the dangers that an unsafe plug-in can create. Make sure to find a host that has daily security scans and regularly checks for installed malware and weak passwords. Before signing up, you can ask your hosting company whether it provides this service.

There are several warning signs that the plug-in you are considering installing is not safe.

Everything about the Plug-In Is Outdated

You are on the hunt for a plug-in that does something that’s not very common. You search for the plug-in in Google, and the top result is a small independent developer who seems to have the exact plug-in that you need.

You visit the site, and it looks like something that was built in 2001. The developer is inviting you to contact them on their MySpace site or via an AOL email. Something is wrong, and alarm bells should go off in your head. We are not saying that the source of the plug-in should not be trusted, but you have to wonder how up-to-date the plug-in is when it comes to security and compatibility issues. It’s best for you to look for plug-ins in reputable locations, like the WordPress plug-in repository.

The Code Looks Questionable

This might be a bit of a challenge to verify because not everyone knows how to code a plug-in. However, you should familiarize yourself with the file structure and the appearance of the directives. This will tell you whether all of the essentials of the code are in the right place. The WordPress Codex is a great guide for writing plug-ins. Mentally set aside the boilerplate code that WordPress requires and look at what is left over. If anything seems questionable to you, run away.
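As an added example (not code from the original post), the kind of first-pass check described above can be scripted: parse the header directives from the main plugin file and flag lines that hide what the code does or fetch code at run time. The sample plugin is constructed for this example, and which header fields the checker insists on is its own assumed policy.

```python
import re
# Constructed sample plugin (not a real plugin): the body has the
# decode-then-eval and remote-fetch patterns a reviewer should question.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Widget
Description: Adds a widget. Constructed sample for this example.
Version: 1.0
Author: Example Dev
*/
add_action('init', 'ew_init');
function ew_init() {
    $c = base64_decode('ZWNobyAiaGkiOw==');
    eval($c);
    $r = file_get_contents('http://example.invalid/update.txt');
}
'''
# Which header directives to insist on is this checker's policy (assumed).
REQUIRED_HEADER_FIELDS = ("Plugin Name", "Version", "Author")
HEADER_BLOCK_RE = re.compile(r"/\*(.*?)\*/", re.S)
HEADER_LINE_RE = re.compile(r"^\s*\*?\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", re.M)
# Constructs that hide what code does or pull code in at run time.
SUSPICIOUS_CALLS = {
    "eval(": "runs dynamically built code",
    "base64_decode(": "decodes a hidden payload",
    "create_function(": "builds a function from a string",
}
REMOTE_FETCH_RE = re.compile(r"\b(file_get_contents|fopen|curl_init)\(\s*['\"]https?://")

def parse_header(src):
    """Return the directives of the first comment block as a dict."""
    block = HEADER_BLOCK_RE.search(src)
    return dict(HEADER_LINE_RE.findall(block.group(1))) if block else {}

def missing_header_fields(src):
    """Required directives the plugin header does not declare."""
    header = parse_header(src)
    return [f for f in REQUIRED_HEADER_FIELDS if f not in header]

def find_suspicious(src):
    """(line_number, reason) for every line with a flagged construct."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for needle, reason in SUSPICIOUS_CALLS.items():
            if needle in line:
                hits.append((lineno, f"{needle[:-1]}: {reason}"))
        if REMOTE_FETCH_RE.search(line):
            hits.append((lineno, "fetches remote content at run time"))
    return hits
```

A hit is a reason to read that code closely, not proof of malice; a clean result only means none of these particular patterns appeared.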

No One Is Downloading It

One of the nice things about WordPress is that you can see the number of active installations. That means you see not just how many people downloaded the plug-in, some of whom deleted it later, but how many are actively using it. This is a good place to start when judging trustworthiness.

We would recommend staying away from WordPress plug-ins that have fewer than 1,000 downloads.

Let the first 1,000 users be the guinea pigs. We would recommend waiting until a plug-in has closer to 5,000 downloads, but if it’s a new feature and a lot of people haven’t caught on to it yet, that might not be possible.

Beware of Infrequent Updates

WordPress plug-ins should be updated frequently. There is a difference between being updated recently and being updated frequently. If you see a plug-in that was updated last week, check and see when the previous update was. If the plug-in has gone years without being updated, it’s likely that it will not be updated again for some time. But it’s going to be running on your site. The plug-in is going to become out of date, and it’s going to present a security risk to your site.

There are a number of plug-ins that are simple and won’t change each time WordPress has a new core release. Still, you want plug-ins to be updated every three months. You definitely do not want plug-ins that have a year or more between updates.
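As an added example (not code from the original post), the rules of thumb from this section and the previous one, fewer than 1,000 active installs, closer to 5,000 preferred, an update at least every three months, and a year or more between updates as a red flag, can be applied to plugin metadata. The records are constructed; the field names loosely follow the WordPress.org plugin API (an assumption), and release_dates stands in for the history you would read off the changelog.

```python
from datetime import date, timedelta

# Constructed records for this example (field names assumed, values invented).
SAMPLE_PLUGINS = {
    "example-widget": {"active_installs": 600,
                       "release_dates": ["2016-02-01", "2019-11-11"]},
    "example-forms": {"active_installs": 20000,
                      "release_dates": ["2019-06-01", "2019-08-15", "2019-10-20"]},
}
TODAY = date(2019, 11, 18)  # fixed so the example is reproducible

AVOID_BELOW_INSTALLS = 1_000           # the post's "stay away" threshold
COMFORT_INSTALLS = 5_000               # the post's "closer to 5,000" target
STALE_AFTER = timedelta(days=90)       # "updated every three months"
ABANDONED_AFTER = timedelta(days=365)  # "a year or more between updates"


def assess_plugin(info, today):
    """Apply the post's rules of thumb; returns (verdict, [(severity, finding)])."""
    findings = []
    installs = info["active_installs"]
    if installs < AVOID_BELOW_INSTALLS:
        findings.append(("avoid", f"{installs} active installs, below {AVOID_BELOW_INSTALLS}"))
    elif installs < COMFORT_INSTALLS:
        findings.append(("caution", f"{installs} active installs, early adopters only"))
    releases = sorted(date.fromisoformat(d) for d in info["release_dates"])
    if not releases:
        findings.append(("avoid", "no release history"))
    else:
        age = today - releases[-1]
        if age >= ABANDONED_AFTER:
            findings.append(("avoid", f"last release {age.days} days ago"))
        elif age > STALE_AFTER:
            findings.append(("caution", f"last release {age.days} days ago, overdue"))
        # Updated recently is not updated frequently: check the gap before the latest.
        if len(releases) >= 2:
            gap = releases[-1] - releases[-2]
            if gap >= ABANDONED_AFTER:
                findings.append(("avoid", f"{gap.days} days between the last two releases"))
    severities = {s for s, _ in findings}
    verdict = "avoid" if "avoid" in severities else "caution" if severities else "ok"
    return verdict, findings


def assess_all(plugins, today=TODAY):
    """Verdict per plugin slug for a batch of records."""
    return {slug: assess_plugin(info, today)[0] for slug, info in plugins.items()}
```

Note that "example-widget" was updated last week yet is still flagged, because the release before that was years earlier, which is exactly the recently-versus-frequently distinction the section draws.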

Listen to Reviews and Read Blogs

Plug-in reviews can be a tricky thing to navigate. You might see that a plug-in has poor ratings. But you are shocked because so many of your friends and colleagues use the plug-in and say that it is amazing. This means that you have to dig a little bit deeper. Look at the reviews that people left next to the ratings. Look at the date of the bad reviews. For example, if all of the bad reviews came from 2014 and then in 2018 everyone had positive things to say about the plug-in, it is likely that the latest version of the plug-in, the one that you’re going to download, is the one earning the positive reviews.

You also want to make sure that the developer did not pay a bunch of people to write positive reviews. If all of the recent and good reviews simply say “Nice plug-in” or “Awesome,” then you might want to question the validity of these reviews. If anything is true about the WordPress community, it is that they are descriptive in their feedback.

Also, look at the way that the developer responds to the negative feedback. Do they offer to either fix or investigate the issue? Could they provide a patch? Were negative reviews the result of user errors? All of these things will impact whether or not you will use a plug-in.

Take a look at blogs about WordPress security. If multiple blogs say that a plug-in is no good, why bother using it? If you trust a blog enough to read its content regularly, have faith that it is steering you in the right direction.

WordPress plug-ins can negatively impact your site in many ways. This is why you need to do your due diligence before you put them on your site, and then keep reviewing them to make sure they don’t go sour over time.

As always, we would love to hear from you. What warning signs would encourage you to skip downloading a new plug-in? Let us know in the comments section below.