A website is only as secure as the code behind it. With over 30,000 free plugins for WordPress, some choices can make your site vulnerable to hackers. Knowing how to assess and choose plugins can significantly improve your website’s security.
In this article we will examine:
- Known risks with some free WordPress plugins
- How to reduce your chances of being hacked
- How to choose the most effective plugins
With nearly 75 million sites running WordPress, it continues to be the most popular website platform. Its ongoing success is due in part to all of the customization options available, including thousands of free, community-contributed plugins in the public WordPress plugins repository that extend its basic functionality.
The popularity of WordPress, coupled with the ease of writing plugins and submitting them to the repository, has both pros and cons for a website developer. On one hand, there are many options from which to choose, and there is a plugin for almost anything you might want to do. On the other hand, the abundance of options leaves users open to potential risk. Created by unknown third parties, not official WordPress developers, it can be difficult to assess the integrity of every plugin.
How Do Plugins Make Your Website Vulnerable?
Some plugins represent deprecated or obsolete code, as their developers don’t consistently update them along with official WordPress releases. Others consist of sloppy code and shortcuts that open security gaps. Missing security elements in plugins can open your site to everything from SQL injections to cross-site scripting (XSS) assaults.
Attackers often exploit vulnerabilities in the way plugin scripts are run, injecting their own code to gain access to the backend of your website, as well as ancillary databases containing sensitive data. Such plugins can also permit them to take down your WordPress site altogether.
Top Plugins Can Also Be Hacked
Joost de Valk is the creator of two of the most popular WordPress plugins, Yoast SEO and Google Analytics by Yoast. Early last year he discovered an XSS vulnerability in his plugins. Previously, he learned that the arguments
remove_query_arg, when improperly implemented within plugins, allowed exploits through cross-site scripting (XSS).
XSS works on dynamic web pages. When content is not properly escaped, it allows a string to be interpreted as code. A hacker can input malicious code and initiate a variety of crippling system problems, including stealing user login details, gaining access to a site’s content, and inserting subtle phishing code that could transmit sensitive data to outsiders.
De Valk discovered that his plugins weren’t the only ones affected; popular plugins such as Jetpack, Gravity Forms, and the All In One SEO pack included the problematic code. The developers of these plugins patched their code and pushed out updates. While de Valk has provided instructions for other plugin developers on his blog, many WordPress sites may still be exposed to this XSS security risk simply due to poor or neglected maintenance.
How You Can Protect Your WordPress Websites
Even the most reliable plugins sometimes have security issues, and hackers are always on the lookout for weak spots to exploit. Some back doors that hackers discover go unnoticed for years. It’s imperative to initially choose your plugins carefully and then stay on top of updates. Protecting your WordPress site from plugin vulnerabilities requires vigilance and periodic maintenance.
Seven Tips for Protecting Your Site From Plugin Security Weaknesses
- Regularly install WordPress core updates and plugin updates to ensure you are running code having all the latest security patches.
- Use a modern and updated WordPress theme. Older themes often have embedded plugins that haven’t been patched and can present vulnerabilities.
- When researching the use of any plugin, check the date it was last updated and its WordPress version compatibility. Avoid older plugins, as those haven’t been tested with the current WordPress version.
For example, here’s the information in the plugin repository for the Yoast SEO plugin (current as of the date of this article):
- When deciding between plugins having similar functionality, choose those having greater numbers of active installs and better ratings. Generally speaking, such popular plugins are regularly updated and have a lower risk factor.
- Even inactive plugins on your WordPress site pose a security risk. Delete those that are unnecessary plugins and don’t actively use. The fewer the plugins you use, the fewer options a hacker will have.
- No plugin is 100% safe, but the WordPress Plugin repository vets each one located there before offering them to users. Only download plugins from the repository site and from third-party theme and plugin developers known to be reputable.
- Use WPScan’s Vulnerability Database to monitor plugins known to have vulnerabilities, as well as to learn when they are patched.
These methods can help ensure your WordPress plugins aren’t providing an open door for hackers.
Guest author bio: Kelso Kennedy is co-founder of RedStamp.ca, a leading growth and experience agency that has worked on a multitude of WordPress projects, including the Incapsula blog.