How risky are WordPress plugins

Badly written plugins are the main way attackers gain access to WordPress sites. Reducing the risk your plugins expose you to is one of the most important aspects of protecting your site, and there are a number of things you can do to limit it.

Use as Few Plugins as Possible

Remember that every plugin you add to your site requires you to trust that an unknown author has written secure code, responds quickly to vulnerability reports and keeps your best interests in mind.

Only Download Plugins From Reputable Sites

If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.

If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:

  • The site should pass the “eye test”: professionally designed, with clear language describing what the plugin does.
  • Look for a valid company name in the footer.
  • Terms of service and a privacy policy should be readily available.

Choose Reputable Plugins

The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:

  • The more recent the last update, the better.
  • Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
  • It should be compatible with the current version of WordPress, though note that immediately after a WordPress core release many reputable plugins will show a “Tested up to:” value that is behind, while authors finish testing against the latest version.
  • The average rating should be high enough to instil confidence; the higher, the better.

You should also periodically review your installed plugins to make sure they have maintained their good standing.

Delete Plugins Immediately When You Stop Using Them

We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.

Keep Your Plugins Up to Date

Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases the details are made public, which means the entire world is given the information needed to exploit the vulnerability, and attackers routinely automate exploitation of disclosed plugin bugs.

WordPress itself can update plugins automatically (you enable this per plugin on the Plugins screen), and some plugins, Wordfence included, have their own auto-update feature. Enable automatic updates for as many plugins as you can. For those where you can’t, update to the latest version as soon as possible, especially when the release includes a security fix.
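As an added example (not code from the original page), the following must-use plugin turns automatic updates on for every installed plugin through the core `auto_update_plugin` filter, with an exclusion list for the rare plugin you deliberately pin. The file name, the `example_` function names and the excluded plugin basename are my own assumptions; the filters are WordPress core’s.

```php
<?php
/**
 * Plugin Name: Example: force automatic plugin updates
 *
 * Added example. Save as wp-content/mu-plugins/force-auto-updates.php:
 * must-use plugins load on every request and cannot be switched off from
 * the dashboard, so the policy cannot be undone by a stray click.
 */

/**
 * Plugin basenames (folder/main-file.php) that must NOT auto-update, for
 * example a plugin carrying a site-specific patch an update would overwrite.
 * The entry below is a hypothetical placeholder, not a real recommendation.
 */
function example_auto_update_exclusions() {
    return array(
        'legacy-gallery/legacy-gallery.php',
    );
}

/**
 * Decide whether a plugin update may be applied automatically.
 *
 * @param bool|null $update Core's current decision for this item.
 * @param object    $item   Update item; $item->plugin is the plugin basename.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
    if ( ! isset( $item->plugin ) ) {
        return $update; // not a plugin item we understand: leave core's decision alone
    }
    if ( in_array( $item->plugin, example_auto_update_exclusions(), true ) ) {
        return false;   // pinned on purpose; update it by hand after testing
    }
    return true;        // everything else updates as soon as a release is available
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Keep core current as well. Minor (security and maintenance) releases are
// automatic by default; the second filter opts in to major releases too.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

Two caveats. Automatic updates are run by WP-Cron, which only fires when the site receives requests; on a low-traffic site, define `DISABLE_WP_CRON` and call `wp-cron.php` from a real system cron so updates are not delayed. And an auto-update is still a deploy: keep the backup schedule described later on this page, so a broken release can be rolled back. With WP-CLI, `wp plugin auto-updates enable --all` achieves the same per-plugin setting without code, and `wp plugin update --all` applies pending updates immediately.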

Replace Abandoned and Removed Plugins

Have you ever started a project or hobby and then lost interest? That happens to WordPress plugin authors too, and it happens a lot. Does that mean an abandoned plugin contains a security vulnerability? Most likely not. What it does mean is that if one is found, nobody is there to fix it, so abandoned plugins represent a much higher risk than actively maintained ones. We recommend that you not run plugins that haven’t been updated in over 2 years, and that you replace plugins that have been removed from the WordPress.org directory, since they no longer receive updates through WordPress.
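The periodic review suggested under “Choose Reputable Plugins” and the two-year rule above can be automated. This added script (not from the original page) walks the installed plugins, asks the WordPress.org plugin API for each one’s last release date and tested-up-to version, and flags plugins that are older than the threshold or that the directory does not know about, which covers removed or closed plugins and anything installed from elsewhere. It uses core’s `get_plugins()` and `plugins_api()`; the `example_` function names and the 730-day threshold are my assumptions.

```php
<?php
/*
 * Added example: audit installed plugins for staleness.
 * Run from the site root with WP-CLI:  wp eval-file audit-plugins.php
 */
require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

/** 'akismet/akismet.php' -> 'akismet'; single-file 'hello.php' -> 'hello'. */
function example_plugin_slug( $basename ) {
    $dir = dirname( $basename );
    return ( '.' === $dir ) ? basename( $basename, '.php' ) : $dir;
}

/**
 * Return one row per installed plugin:
 *   status  'ok' | 'abandoned' (last release older than $max_age_days)
 *           | 'not-in-directory' (removed/closed, renamed, or third-party)
 *   detail  human-readable reason
 */
function example_audit_plugins( $max_age_days = 730 ) {
    $report = array();
    $now    = time();

    foreach ( get_plugins() as $basename => $data ) {
        $info = plugins_api( 'plugin_information', array(
            'slug'   => example_plugin_slug( $basename ),
            'fields' => array( 'last_updated' => true, 'tested' => true, 'sections' => false ),
        ) );

        if ( is_wp_error( $info ) ) {
            // The directory has no entry for this slug, or the lookup failed.
            // Either way it cannot be updated through WordPress: treat as high risk.
            $report[ $basename ] = array(
                'status' => 'not-in-directory',
                'detail' => $info->get_error_message(),
            );
            continue;
        }

        // last_updated looks like '2024-06-20 2:43pm GMT'; the date part is enough.
        $last     = strtotime( substr( $info->last_updated, 0, 10 ) );
        $age_days = (int) floor( ( $now - $last ) / DAY_IN_SECONDS );

        $report[ $basename ] = array(
            'status' => ( $age_days > $max_age_days ) ? 'abandoned' : 'ok',
            'detail' => sprintf(
                'last release %d days ago; tested up to WP %s; installed %s, latest %s',
                $age_days, $info->tested, $data['Version'], $info->version
            ),
        );
    }
    return $report;
}

foreach ( example_audit_plugins() as $basename => $row ) {
    printf( "%-17s %-45s %s\n", $row['status'], $basename, $row['detail'] );
}
```

Read the “tested up to” column with the caveat given earlier: right after a core release, a lagging value is normal for a maintained plugin, whereas a lagging value combined with an old last release is the signature of an abandoned one. Anything reported as `not-in-directory` deserves a manual look at where it came from and whether it is still supported.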


Why upgrade WordPress if it’s working

Many of the customers we work with come to us because they have an outdated website built on WordPress; others come to us specifically asking that we develop their site using WordPress. Whether the site is established or brand new, making sure the version of WordPress you are running is current is critical to the success of your website.

I’m safe, no one would bother hacking my site.
It is reasonable for customers to assume that hackers only target corporate or government websites that handle sensitive financial or customer information such as credit card numbers and personal details. That is simply not the case. Over the years a number of our clients with simple informational websites have been compromised. Hackers write code that automatically scans the web for websites running older, unpatched software and exploits the known vulnerabilities in it.

Sometimes the attackers do it for vanity (look what I can do); other times it is so they can use your website to send spam across the internet from your email accounts.

In rarer cases, hackers hold your website for ransom until you pay them, usually in Bitcoin.

If you are on a shared hosting server, they may be using your site as a stepping stone to another site on the same server, causing you disruption in the process:

  • Hackers may want access to the server where your website is hosted, and by gaining access to your website, they may be able to extend their hack to the server and all the websites that are hosted on it.
  • Hackers may want to use your web account to send emails or host content hidden from view.
  • Hackers may use your website to promote products or illegal content by hiding links inside your pages. You won’t see them, but search engines still will, which boosts the attacker’s content.

What should I do
If you’re using WordPress, it is critical that you keep your core code and plugins up to date. Always update to the newest releases, which often contain security patches.

Of course, updating only works reliably if any customisation of the theme or core functions was done by a competent WordPress practitioner. If changes were simply hacked directly into core or theme files, upgrading to the latest version of WordPress will overwrite them, so upgrading without first backing up your code could be the worst option.

WordPress is built to alert you when minor and major core updates are available, and it does the same for plugins.

Automated Plugins
For some people, being told that an upgrade is available is not enough. They may be time poor or simply not interested. Luckily there are free plugins to help with this.

Easy Update Manager
This is a very powerful plugin that automates the update process and lets you choose which plugins you do not want updated automatically.

UpdraftPlus Backups
This free plugin allows you to schedule backups of your website, backing up your files and database automatically, either locally or to external storage (Dropbox, Amazon and others).


WordPress working with ACF Pro

One of the best features of the WordPress plugin “Advanced Custom Fields (ACF)” is the ability not just to add custom fields but, by extension, to create a Repeater field type.
This lets editors add rows of content associated with a field (in a crude way it is like having relational data).

So, having created the field and populated it with data (for example, adding multiple images to a post that are presented in a table), you can output the rows in your template like this:

<?php
// Assumes the repeater is named 'image_sliders' and its 'slider_image' sub field is
// an Image field with return format "Image Array" (so it has 'url' and 'alt' keys).

// test if the ACF repeater has rows
if ( have_rows( 'image_sliders' ) ) :

    // run through the rows; the_row() makes the current row's sub fields available
    while ( have_rows( 'image_sliders' ) ) : the_row();

        // get_sub_field is the key: it reads a sub field from the current row
        $theImage = get_sub_field( 'slider_image' );     // image array
        $theLink  = get_sub_field( 'slider_image_url' ); // link target typed by the editor

        if ( empty( $theImage['url'] ) ) {
            continue; // skip rows where no image was chosen
        }

        // Never print editor-supplied values straight into HTML. esc_url() drops unsafe
        // schemes such as javascript:, esc_attr() stops a value from closing the attribute.
        echo '<div class="imagecon">'
            . '<a href="' . esc_url( $theLink ) . '">'
            . '<img src="' . esc_url( $theImage['url'] ) . '" alt="' . esc_attr( $theImage['alt'] ) . '">'
            . '</a></div>';

    endwhile;

else :
    // no rows: output nothing
endif;

// have_rows() does not touch the main query, so wp_reset_query() is not needed here
?>