Are Your WordPress Plugins Putting Your Website at Risk?

Best practices for choosing safe WordPress plugins – and ensuring your current ones are secure.

To some degree, the world of WordPress plugins is a bit like the old wild west. The open source platform means that anyone can write plugins to extend functionality. At its best, plugin authors create useful tools to help us build highly-functional websites for very little cost. The other side of the coin is that plugins containing security holes and even malicious code can put us at risk.

For example, it was recently discovered that an updated version of Display Widgets (a plugin with over 200,000 active installations) included code that generated SEO spam posts within WordPress. This was all done without the site owner’s knowledge or permission.

While this was certainly a nuisance, it’s not hard to imagine something even worse being attempted in the future. Such malware could potentially delete website content or infect a visitor’s computer or mobile device. This is a serious threat that could cause widespread damage.

We sometimes fall into the trap of installing plugins on a whim and assuming that nothing bad could come of it. Unfortunately, that strategy isn’t the most secure. Instead, there are some things you can do to help lower the risk of installing a potentially insecure plugin. Let’s have a look:

The first question: do you really need it?

It’s easy to treat a plugin like a shiny new toy. And since many of them are available for free, the temptation to give them a try is palpable. But before you install and activate, it’s worth asking whether or not you really need that extra piece of software running on your website.

As anyone who has experienced a plugin that conflicts with others already installed on their site can tell you – adding the wrong one can cause major headaches. Each new plugin you install introduces another potential problem, either due to something like a JavaScript conflict or a security issue. It’s important to carefully weigh the pros and cons.

Think about the overall mission of your website. Is the goal to inform visitors about your business? Is it to sell products online? Whatever it is, consider whether or not this new “gotta-have-it” plugin helps in that mission.

Keep in mind that plugins can help in ways large and small. So while it doesn’t have to perform a crucial function, it should at the very least add something positive to the overall picture. If the answer is no, you probably don’t need it.

Research brings peace of mind

If you’ve decided that a particular plugin can be useful, then it’s time to conduct some basic research. Don’t worry – it’s quick and easy!

The goal of your research is to:

  • Ensure that the plugin is legitimate.
  • See that others are using it successfully.
  • Learn about common issues that others have experienced.

The good news is that this information is generally easy to find. If it’s a plugin listed on CodeCanyon or the official WordPress Plugin Repository, then the plugin changelogs, reviews and user comments are readily available. If you’re looking at a plugin from somewhere else, look for support forums. When all else fails, a Google search should turn up some useful information.

You should also look into whether there have been any recent ownership changes with the plugin. In the recent case of malicious code appearing in some previously trusted plugins, the problems occurred once the software was purchased by a new author who had less-than-pure motives. While new ownership in itself isn’t usually a bad thing, it still pays to keep track of those types of transactions.

Stay vigilant

This may well be the most difficult task for website owners. But it’s also one of the most important things you can do to stay safe. Installing a plugin and forgetting about it afterwards is a serious risk.

One of the most popular security tips in the world of WordPress is to make sure that you keep up with updates to WordPress themes and plugins as they are released. That’s vitally important – but there’s more to it than that.

When a new version of a plugin is released, it’s worthwhile to repeat some of the research you did previously. Pay particular attention to the plugin’s changelog, which will provide some detail about what has changed since the last version. New releases often contain some combination of bug fixes and new features. Those are things you’ll want to be aware of, even if you aren’t a programmer.

The other place you’ll want to revisit is any available support forums. You’ll often find that, after a new version of a plugin is released, other users will post any issues they’ve run into. In fact, the WordPress support forums were the very place information regarding malicious code in multiple plugins was first reported. So it’s worth the time to take a quick scan.

Lastly, it’s generally okay to hold off a day or two before applying updates – unless there is a major security hole or you are experiencing functionality issues on your website. Otherwise, give the update some time before installing and see if any potential issues pop up. A little bit of patience in this area can really pay off.
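As an added example (not part of the article), here is a small Python script that applies the research checklist from the previous section and the update rule from this one (hold off a day or two unless the changelog mentions a security fix) to a constructed list of installed plugins. The record fields are assumed to mirror what the WordPress.org plugin-info API returns, and the thresholds are illustrative.

```python
from datetime import date

# Constructed sample records; field names (last_updated, tested, active_installs,
# rating, num_ratings, sections.changelog) are assumed to match the wordpress.org
# plugin-info API. installed_version is what the site currently runs.
SAMPLE_PLUGINS = [
    {"slug": "widget-example", "version": "2.6.0", "installed_version": "2.5.0",
     "last_updated": "2017-09-10", "tested": "4.8", "active_installs": 200000,
     "rating": 84, "num_ratings": 150,
     "sections": {"changelog": "2.6.0 - adds remote content fetching"}},
    {"slug": "form-example", "version": "1.4.2", "installed_version": "1.4.1",
     "last_updated": "2017-09-01", "tested": "4.8", "active_installs": 50000,
     "rating": 90, "num_ratings": 60,
     "sections": {"changelog": "1.4.2 - security fix for unescaped output"}},
    {"slug": "abandoned-example", "version": "0.9", "installed_version": "0.9",
     "last_updated": "2015-03-01", "tested": "4.1", "active_installs": 300,
     "rating": 50, "num_ratings": 3, "sections": {}},
]
SAMPLE_TODAY = date(2017, 9, 11)  # constructed "current date" for the sample

def _ver(v):
    """Numeric dotted version -> tuple, so 2.10 sorts after 2.9."""
    return tuple(int(x) for x in v.split("."))

def vet_plugin(p, today, wp_version="4.8", stale_days=365, settle_days=2):
    """Return (warnings, action): legitimacy/usage warnings plus an update decision."""
    warnings = []
    changelog = p.get("sections", {}).get("changelog", "")
    last = date.fromisoformat(p["last_updated"])
    if p["active_installs"] < 1000: warnings.append("few active installs")
    if p["num_ratings"] < 10 or p["rating"] < 60: warnings.append("little or poor review history")
    if (today - last).days > stale_days: warnings.append("no release in over a year")
    if _ver(p["tested"]) < _ver(wp_version): warnings.append("not tested with current WordPress")
    if not changelog: warnings.append("no changelog to review")
    if _ver(p["installed_version"]) >= _ver(p["version"]):
        return warnings, "up to date"
    age = (today - last).days
    if "security" in changelog.lower():          # major hole: do not wait
        return warnings, "update now: changelog mentions a security fix"
    if age < settle_days:                         # let other users report problems first
        return warnings, "wait: release is %d day(s) old, watch the support forum" % age
    return warnings, "update: release has had time to settle"

def vet_all(plugins, today):
    return {p["slug"]: vet_plugin(p, today) for p in plugins}

if __name__ == "__main__":
    for slug, (warnings, action) in vet_all(SAMPLE_PLUGINS, SAMPLE_TODAY).items():
        print(slug, "->", action, "; warnings:", ", ".join(warnings) or "none")
```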

Security is worth the effort

The decentralized nature of WordPress plugins comes with both risks and rewards. But time and again, even when things go awry, the community steps up to make a positive impact. They’re often our best resource for information.

As much as we try to stay on top of things, there are still no real guarantees when it comes to choosing a safe and secure plugin. There will always be a certain leap of faith required when clicking that install button. But by doing our homework and staying in the loop, we can give ourselves a much better chance of staying safe.

About the Author Eric Karkovack

Eric Karkovack is a web designer with well over a decade of experience. You can visit his business site here. In July 2013, Eric released his first eBook: Your Guide to Becoming a Freelance Web Designer. You can follow his rants on Twitter @karks88.