Risky, badly written plugins are the main way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.
Use as Few Plugins as Possible
You need to remember that every plugin you add to your site requires you to trust that its author, usually someone you don't know, has written secure code, responds quickly to vulnerability reports, and keeps your best interests in mind.
Only Download Plugins From Reputable Sites
If possible, we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.
If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:
- The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
- Look for a valid company name in the footer.
Choose Reputable Plugins
The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:
- The more recent the last update, the better.
- Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
- It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Tested up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
- The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.
You should also periodically review your installed plugins to make sure they have maintained their good standing.
Delete Plugins Immediately When You Stop Using Them
We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.
Keep Your Plugins Up to Date
Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability.
Many plugins like Wordfence include an auto-update feature. You should enable this in as many plugins as you can. For those for which you can’t, you should update to the latest version as soon as possible, especially if it includes a security fix.
Replace Abandoned and Removed Plugins
Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.