WordPress Plugins — Safe or Sorry?
Are All WordPress Plugins Created Equal?
The simple answer to this question is No. WordPress plugins vary wildly in terms of reputation, quality of coding, security, reliability, when they were last updated (compatibility with the latest WordPress version), reviews and support.
That's why it's vital to carry out due diligence when it comes to vetting WordPress plugins. Just because a plugin is in the WordPress repository or on the internet doesn't make it a "good or safe choice". There are many plugins that are specifically setup to be malicious. In fact vulnerable plugins are the top way that attackers gain access to WordPress sites.
Malicious plugins may:
- Redirect your site to other sites.
- Add links to your website within the content, in the footer etc.
- Upload new pages that you cannot see. These pages can then be used e.g. for phishing (the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising themselves a trustworthy entity) or to sell products, leading to your site being blacklisted by Goole et al.
- Add a new administrator to take control of your site.
- Cause your site to crash.
So How Do You Decide Which Plugins To Use?
When looking for a plugin for your site you should consider the following:
Do you need this plugin?
Are you adding a plugin because you absolutely need it or because it would be nice to have? Apart from security, each plugin you add slows down your site, so before you download and install a new plugin, make sure you really need it!
Is the plugin from a trusted source?
If possible, only use plugins from the official WordPress.org plugin repository. If you cannot find an appropriate plugin from WordPress.org then it's important to take a few minutes to check the site you are downloading from is reputable and trustworthy (that includes paid/pro plugins). To do this ask:
- Is the site professionally designed?
- Are T&Cs available?
- Is there a contact page or contact information? If so contact the plugin author and ask a simple question and wait to see if you get an answer.
- Does the site have an SSL certificate?
- Do searches for the company or plugin name + "malware", "hacked" or "exploited" come back clear?
Researching a plugin
If you go to the WordPress.org plugin directory, you'll notice there is detailed information about each plugin. Check each of the items on the list below to evaluate your plugin:
- What version of WordPress is supported? If you find a plugin has not been updated in a while or has been abandoned then avoid it.
- Look at the number of active installations. If the plugin only has a few installs then there maybe issues and you may find it's not compatible with your site.
- Read through the ratings/reviews that people have given/written about the plugin. Look at the overall rating (out of 5) and check what people say about the plugin.
Is there good plugin support?
Click on the Support tab and look at how many issues have been raised. Next check how quickly any issues are resolved. Look at whether there are instructions for using the plugin. Clearly if issues go unresolved or the plugin author is unhelpful then look elsewhere.
Carry out testing
If you are satisfied the plugin meets the criteria above then download and scan it with antivirus and antimalware software.
The next step is to test the plugin, preferably on a development server. If that's not possible make a backup of your site before uploading the plugin.
Check how the plugin performs. Does it cause any compatibility issues with your theme or other plugins. Install Query Monitor which is a developer tool panel for WordPress. It allows you to look for poorly performing plugins, themes or functions.
If you're happy with the plugin and it has performed well in tests then you're ready to use it in earnest!
Maintaining Your Site
It's important to keep plugins up to date. This is critical to avoid your site being compromised by hackers. However, this warning comes with a proviso.
On occasion the plugin author may inadvertently introduce a vulnerability into a plugin when they carry out coding to introduce new features or fix bugs etc. When this happens you can actually put your site at risk by updating to the latest plugin version!
We recommend waiting a couple of weeks before updating your plugins as any vulnerabilities are likely to be discovered and patched within that period thus avoiding opening your site up to hackers. The only exception to this is when a security update is issued. In this case you should update immediately.
There have been a couple of prime examples where this has happened to well-known plugins within the last few weeks:
Easy WP SMTP
With over 300,000 installs the Easy WP SMTP plugin is used by many sites to configure SMTP connections for outgoing email. In March the plugin authors updated the plugin to v1.3.9 to add export/import settings functionality. Unfortunately in coding the update they also opened the doors to hackers by introducing a zero-day vulnerability.
Using the vulnerability hackers were able to exploit the plugin by uploading files containing malicious serialised payload to allow them to change the siteurl (to http://getmyfreetraffic[dot]com), to enable user registration and to set the user default role to admin in the database.
Many site owners reported their sites had been hacked after updating to v1.3.9.
The plugin was patched in v126.96.36.199.
These vulnerablities were patched in v3.5.3 and further hardened in v3.5.4. Additionally the plugin developers added new code which attempts to directly reverse the XSS injections that had been distributed.
Staying Aware of Plugin Security Issues
Clearly, keeping your WordPress site secure means having to stay up to date with regards to the latest plugin vulnerabilities, and when they're patched, so you know when it's safe to update. To do this there are a number of sites that monitor plugins and report when there are issues:
By checking these sites daily to ensure it's safe to update — and by updating your WordPress core, themes and plugins in a timely manner, you minimise the risk of your WordPress website being compromised.