Evaluating if a WordPress plugin poses a risk to your site’s security



Plugins are the most significant risk to your WordPress site’s security. Plugins are custom-coded applications that you allow to run on your website. As a regular site owner with no coding skills, you probably can’t read the plugin’s backend code for any vulnerabilities, so how do you know if it poses a threat to your site’s security? While you can never be sure of a plugin’s safety, you can take steps to ensure that it is well developed and maintains a high standard of protection. Here are a few items to review before you decide to install a plugin.

Check the developer’s website and information

Each plugin has a description and a profile for the developer. Most professional WordPress developers have a website that you can check out. That doesn’t ensure the developer’s plugins are secure, but it shows that the developer cares about a professional appearance and has put time and effort into the plugin.

Any developer can upload to the WordPress plugin repository, but you want to use plugins created by professionals that take the time to ensure their code is safe and maintained regularly. You can get a sense of professionalism from the developer’s portfolio, profile, and website.

Does the website have a ToS and Privacy Policy?

Professional developers always have a terms of service and a privacy policy posted on their site. Some countries require a ToS and privacy policy, so if a developer has pages dedicated to the legal requirements in their country, you know they are keeping up with the latest requirements.

For instance, the UK has a cookie policy that requires all developers to display a popup warning users that the website uses cookies. The user must then agree to cookie storage before proceeding. Serious developers make sure they follow this policy when they build their site and their plugins. If they take care to follow local laws, they are likely to take security seriously as well.

Does the developer have contact information on the company site?

If you have a serious problem, you need to contact the developer. You might find a bug or a critical security issue in the plugin. The only way to reach the developer is through the contact information provided on the company website, so before you download a plugin and make it part of your WordPress site, check the developer’s website for contact information.

Some developers cut down on phone calls by providing only an email address. Others streamline bug reports through a submission form, which is still acceptable. Just make sure there is some way to contact the developer in case you have a serious problem with the plugin.

Do a Google search on the plugin name

To identify a good, long-term plugin that gets periodic maintenance and testing, do a Google search. Yoast SEO, for instance, is a favorite SEO plugin. Searching for the Yoast name will give you several results. Yoast SEO is always updated and tested regularly. You would even find a discussion on Yoast’s vulnerabilities. When someone found a significant weakness a few years ago, several security blogs and Yoast’s developers discussed it publicly and immediately fixed the vulnerability.

When a developer has thousands of installs, they make money off of the plugin in some way. This income gives them the incentive to maintain the code, test it after every WordPress upgrade, and regularly watch security blogs for any security vulnerabilities.
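The maintenance signals described above (a developer website, regular updates, testing against the current WordPress release, a real install base) can be checked from the plugin directory listing before you install anything. The following is an added example, not code from the article: a small Python checker that turns those review items into warnings. It assumes the field names used by the public WordPress.org plugin-information API (`homepage`, `last_updated`, `tested`, `active_installs`, `support_threads`, `support_threads_resolved`), and the record it reviews is a constructed sample rather than a live response, so it runs offline.

```python
"""Apply the plugin review items from this article to a WordPress.org listing.

Added example, not code from the article: it checks a plugin's directory
metadata for a developer website, recent maintenance, testing against the
current WordPress release, a real install base and support responsiveness.
The field names are assumed to match the public WordPress.org
plugin-information API; the record below is constructed, not fetched.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample record (shape assumed from the plugin_information API).
SAMPLE_PLUGIN_JSON = """
{
  "name": "Example Gallery",
  "slug": "example-gallery",
  "version": "1.4.2",
  "author": "Example Dev",
  "homepage": "",
  "requires": "5.0",
  "tested": "5.8",
  "last_updated": "2021-03-02 10:15am GMT",
  "active_installs": 400,
  "support_threads": 12,
  "support_threads_resolved": 1
}
"""

API_URL = "https://api.wordpress.org/plugins/info/1.2/"


def fetch_plugin_record(slug: str, timeout: int = 10) -> dict:
    """Fetch a live record for `slug` (not called by the offline example below)."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API_URL}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def parse_last_updated(value: str) -> datetime:
    """The directory renders last_updated like '2021-03-02 10:15am GMT'; keep the date part."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """Turn '6.0' or '5.8.1' into a comparable tuple; non-numeric parts are dropped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def review_plugin(record: dict, today: datetime, current_wp: str,
                  max_stale_days: int = 365, min_installs: int = 1000) -> list:
    """Return human-readable red flags for a plugin record; an empty list means none found."""
    flags = []
    if not record.get("homepage"):
        flags.append("no developer website listed")
    age_days = (today - parse_last_updated(record["last_updated"])).days
    if age_days > max_stale_days:
        flags.append(f"last updated {age_days} days ago")
    if version_tuple(record["tested"])[:2] < version_tuple(current_wp)[:2]:
        flags.append(f"only tested up to WordPress {record['tested']}, current is {current_wp}")
    installs = record.get("active_installs", 0)
    if installs < min_installs:
        flags.append(f"small install base ({installs} active installs)")
    threads = record.get("support_threads", 0)
    resolved = record.get("support_threads_resolved", 0)
    if threads >= 5 and resolved / threads < 0.5:
        flags.append(f"only {resolved} of {threads} recent support threads resolved")
    return flags


def sample_review() -> list:
    """Run the checker over the constructed record as of 2022-06-01 against WordPress 6.0."""
    today = datetime(2022, 6, 1, tzinfo=timezone.utc)
    return review_plugin(json.loads(SAMPLE_PLUGIN_JSON), today, "6.0")


if __name__ == "__main__":
    for flag in sample_review():
        print("WARNING:", flag)
```

The thresholds (a year without an update, fewer than a thousand active installs, under half of recent support threads resolved) are starting points to tune, not rules; a niche plugin can be well maintained with a small install base, and the warnings are meant to prompt the manual checks the article describes, not replace them.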

Search the plugin name with the term “hacked”

When a plugin is found to have vulnerabilities, several security blogs will publish an alert. You can find these discussions by searching for the plugin name with terms such as “hacked” or “vulnerabilities.”

If a plugin is found to have a vulnerability, it doesn’t mean that you shouldn’t use it. As a plugin becomes popular, hackers search for its weaknesses. If they can find a vulnerability in a popular plugin, then they can gain access to several websites with just one script.

It’s not unusual for a plugin to have a vulnerability, but you should evaluate the speed at which a developer acknowledges it and works to fix the problem. A good developer should have a fix within a few days. You can still install a plugin that has previously had security issues as long as the developer finds the issue a priority and has it resolved within a few days.

What can you do to protect your site?

If you carefully evaluate a plugin before you install it, you improve your chances of staying protected from attacks. It doesn’t guarantee that your blog won’t fall victim to a vulnerability in the plugin code, but you can take additional steps to protect your site.

First, don’t use a standard login name for your administrator account. Never use the default “admin” account name, because it is the first name tried in brute-force attempts against your dashboard. Use a combination of your name with numbers and letters, or a unique name that only you know. Attackers also try the site name as a login. A unique account name takes away the easiest guess from these attacks.

The next step is enabling two-factor authentication. With two-factor access, a unique code is sent to your phone or email, and you enter it in addition to your account name and password to reach your dashboard. Since an attacker would also need access to your phone or email, getting into your dashboard becomes much harder.

The final step is installing a security protection plugin. Wordfence and Sucuri are the two most popular. They scan your site, protect it from brute-force attacks, and detect vulnerabilities before attackers do. You’d be surprised at the number of attacks launched against even a small site, and you can see them once one of these plugins is installed on your website.
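The brute-force traffic a security plugin reports is also visible in the plain web server access log, and the section above on unique admin names and two-factor authentication is motivated by exactly that traffic. As an added example, not code from the article or from either plugin it names, the Python script below reads combined-format (Apache/Nginx) access log lines and flags client addresses that repeatedly POST to `/wp-login.php` or `/xmlrpc.php`, the endpoints login attempts go through. The log lines are constructed for the example, so it runs offline; the window and threshold are assumptions to tune for your own traffic.

```python
"""Count login brute-force attempts in a web server access log.

Added example, not code from the article or from the plugins it names: it
reads combined-format access log lines and flags client addresses that
repeatedly POST to /wp-login.php or /xmlrpc.php.  The log lines below are
constructed for the example.  Note that WordPress answers a failed login
with a 200 (the form is re-rendered) and a successful one with a 302, so
the status code alone does not separate attempts from logins; the count
and rate per client are what matter here.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one noisy client, one normal login, one slow xmlrpc client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:02:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3910 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:02:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2023:02:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.2"
192.0.2.9 - - [10/May/2023:02:23:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.2"
192.0.2.9 - - [10/May/2023:02:26:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.2"
not a log line at all
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def max_hits_in_window(times, window_seconds: int) -> int:
    """Largest number of events that fall inside any window of `window_seconds` (two-pointer scan)."""
    times = sorted(times)
    best = 0
    j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def find_bruteforce(lines, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Map client IP -> peak login-POST count for clients that reach `threshold` inside one window."""
    attempts = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"] in LOGIN_PATHS:
            attempts[entry["ip"]].append(entry["time"])
    flagged = {}
    for ip, times in attempts.items():
        peak = max_hits_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

On the sample, only the client that sends six login POSTs in eight seconds is flagged; the single legitimate login and the three XML-RPC calls spread over six minutes stay below the threshold. Widening the window or lowering the threshold trades fewer missed slow attempts for more false alarms, which is the same trade-off a security plugin’s rate-limit settings make.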

Always review plugins before you install them on your site. Cleaning up a website after a successful attack can take several days, so it’s better to do your homework now than to clean your site later because of a poorly written plugin.