One of the biggest advantages of WordPress is its vast directory of plugins. With thousands of plugins to choose from, you can customize your WordPress site and add new features with minimal coding and cost.
Unfortunately, plugins are also the Achilles heel of WordPress. Outdated plugins and vulnerabilities continue to be the number one way that WordPress sites get hacked. The more plugins you have installed on your site, the more maintenance will be required – and the greater the risk of problems from theme breaks, plugin incompatibility, and site errors.
Whether you are a WordPress developer or site owner, there are several steps that can help you avoid dangerous plugins.
1.Vet New Plugins Before Installing
Because WordPress is an open-source platform, anyone can create a WordPress plugin.
This is why there are so many plugins available in the WordPress directory and often multiple options to choose from when you are looking to add functionality to a site.
However, it’s up to every individual plugin developer to manage and maintain the plugin. For this reason, it behooves you, the site owner, to check the WordPress plugin page and evaluate the following items before installing a new plugin on your site:
- How many installs does the plugin have?
- Does it have good reviews?
- When was the plugin last updated?
- Was it tested with the latest WordPress core?
- Does it have unanswered support questions from months ago?
If a plugin has been around for a while and it has very few installs, consider it a red flag. The same goes for poor reviews. Additionally, if you see tons of open support items on the WordPress plugin page, the plugin has probably been abandoned by its creator. When this happens, the plugin developer stops responding to support questions, stops testing the plugin with the latest WordPress updates, and stops updating the plugin to fix security vulnerabilities.
For brand new plugins, it’s always best to test out the functionality in a development/staging area of your site before going live.
2. Keep a Disallowed Plugin List
There are certain WordPress plugins that may never be a good fit for your website. Keeping track of these plugins can help you to avoid issues in the future, especially if a new web development team or site manager takes over managing your site.
You may also want to check with your hosting company to see if they have a list of disallowed plugins. This list may include plugins that are known to result in performance or security issues, such as those that overload the database and cause your WordPress site to run slow.
You should also review any features built into your hosting. For instance, a managed WordPress hosting platform may offer daily backups and security measures on the server level. If that’s the case, then you don’t need to install backup or security plugins. Remember: less is more when it comes to plugins. With each additional plugin you install, the greater the risk of vulnerabilities.
As a best practice, a WordPress developer should review and configure any new plugins on your website. A developer can go through the vetting steps listed above and test the plugin in a staging or development area to catch any issues before they have a chance to affect the live site.
3. Update Plugins Monthly
Every WordPress site requires maintenance – it’s just a fact. As we mentioned, plugin developers maintain their plugin’s code and just like any software, they release updates that often include patches for security vulnerabilities.
You could have an amazing plugin installed on your website, a plugin that is well cared for by the developer, with updates to cover each newly discovered security vulnerability, but it’s up to you or your development team to run the plugin update. If you don’t, your site could be at major risk of a security breach. It’s best practice to have a skilled WordPress developer update your plugins on a monthly basis to keep everything running smoothly.
If you have any paid plugins or themes on your site, keep track of the license information. Updating a plugin sometimes requires the license, and having to track it down just causes unnecessary delays.
Updating your plugins has an additional benefit, too: it gives you the chance to keep reviewing the plugins installed on the site. If you aren’t using a plugin anymore or notice a deactivated one that is still installed, ask a developer to remove it from the site.
4. Monitor WordPress Vulnerabilities
Because WordPress is the most popular content management system in the world, it is heavily targeted by hackers. Sadly, untended plugin security issues are the most vulnerable aspect of WordPress, putting thousands to millions of sites at risk.
WPScan vulnerability database is a good resource to check for any known security issues. WPScan tracks the latest issues found in plugins, themes, and the WordPress core itself. In the directory, you can view a known vulnerability and see if an update has been released to fix the at-risk plugin, theme, or core. If you notice a plugin or theme on this list that is installed on your website, be proactive and make sure to get it uninstalled or updated as soon as possible.
Additionally, follow the top WordPress blogs for any security news. Unfortunately, sometimes a plugin or WordPress core issue results in tons of sites being hacked or breached. A recent major security breach occurred in April 2019 when a vulnerability in the popular Social Warfare plugin was discovered and exploited by hackers, putting 900,000 sites at risk. If you are paying attention to the latest security news, you’ll be able to check your site immediately and hopefully fix the issue before you are hit.
5. Upgrade to the Latest PHP
Everything in the WordPress environment runs on PHP. Similar to plugins and themes, new versions of the PHP code are released every few months. Because PHP is a server-side programming language, it can be very dangerous to run a site on an outdated version of PHP. If a vulnerability is discovered in an outdated PHP version, a hacker can exploit that to target any sites and servers running that code.
An added benefit of updating to the latest PHP is that it can help you audit & weed out plugins. Before updating a site to the next level of PHP, your developer will need to run compatibility testing to make sure there are no compatibility issues with plugins or theme.
If a plugin fails a PHP compatibility test, it may mean that the plugin is no longer being maintained and that it’s time to look for an alternative. However, make sure an experienced WordPress developer is reviewing compatibility errors because there can be false positives. You also want to check the plugin website or documentation to find out if a compatibility fix is due to be released with the next update.
By staying on top of the latest PHP updates, you’ll keep your site secure and weed out abandoned or poor plugin choices.
A Big Payoff for a Little Extra Work
If the items above seem like a lot of work, consider how much money you’re saving in the long run. With plugin-friendly WordPress, you get to scale and change your website to grow as your business grows, easily expand from an informational site to an e-commerce site, without having to rebuild your whole website each time.
Sure, there’s some additional security and maintenance protocol, but the benefits definitely outweigh the risks.