Could a rogue plugin ruin your WordPress security?

5 min read
Will Stevens

WordPress is a great way to create a website - it's user-friendly and things like plugins mean that you can add extra functionality to your website without needing to know how to code.

But did you know that plugins could have an adverse effect on your WordPress website's security?

Now before you panic, it's important to point out that the vast majority of WordPress plugins are safe to use, but it only takes one plugin issue to cause you WordPress security problems.

How can plugins threaten WordPress security?

Put simply, plugins work by running bits of code on your website. Usually, this code does useful things such as letting you put contact forms on your site.

But sometimes a plugin's code contains a mistake, known as a vulnerability, that lets the plugin be made to do something its author never intended. Once such a flaw is discovered, a hacker can use it to attack any WordPress website running the affected plugin, and because the vulnerable code is identical on every one of those sites, the attack is easy to automate.

A common attack involves hackers injecting unauthorised adverts into a site. These ads are often for dubious products or services, and the ad code itself may try to infect the computers of people who view it with malware.

This kind of attack is known as malvertising. (You can learn more about what malware in general is in this guide.)

A plugin vulnerability can also be used for more than adverts: the same flaw that lets an attacker inject an ad into your pages can often be used to hijack the site and gain administrator-level control over it.

A significant malvertising attack was launched this year, and compromised WordPress plugins played a big part in it.
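Here is what such a vulnerability typically looks like in plugin code, as an added example that is not from the original article or from any real plugin (the plugin, option and AJAX action names are made up). The first version has the three mistakes that turn up again and again in plugin advisories: it accepts requests from visitors who aren't logged in, it never checks who is asking or whether the request was forged, and it stores and later prints the input unfiltered. The second version is the same feature with those mistakes fixed.

```php
<?php
/*
 * Illustrative example, not a real plugin. Two versions of one feature:
 * an AJAX handler that lets an administrator set some HTML for the site footer.
 */

/* ---------- VULNERABLE version (do not deploy) ---------- */

// 'wp_ajax_nopriv_' registers the handler for visitors who are NOT logged in,
// so any request to /wp-admin/admin-ajax.php?action=demo_save_footer_vuln reaches it.
add_action( 'wp_ajax_nopriv_demo_save_footer_vuln', 'demo_save_footer_vuln' );
add_action( 'wp_ajax_demo_save_footer_vuln', 'demo_save_footer_vuln' );

function demo_save_footer_vuln() {
    // No nonce check (forged requests work), no capability check (anyone may call
    // this), and the raw POST value is stored as-is.
    update_option( 'demo_footer_html_vuln', $_POST['footer'] );
    wp_send_json_success();
}

// The stored value is echoed into every page unescaped. An attacker who stored
// '<script src="https://evil.example/ad.js"></script>' now serves their script
// to every visitor: exactly the malvertising described above. If an administrator
// views the site, that script also runs with the admin's logged-in session.
add_action( 'wp_footer', function () {
    echo get_option( 'demo_footer_html_vuln', '' );
} );

/* ---------- HARDENED version ---------- */

// Only the logged-in hook: logged-out visitors get WordPress's default "0" reply.
add_action( 'wp_ajax_demo_save_footer', 'demo_save_footer' );

function demo_save_footer() {
    // 1. Forgery check: the request must carry a nonce that was created with
    //    wp_create_nonce( 'demo_save_footer' ) for this user; check_ajax_referer()
    //    ends the request if the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_footer', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require the admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Filtering on the way in: keep only the HTML a post may contain
    //    (no <script>, no event-handler attributes), after removing the
    //    slashes WordPress adds to request data.
    $footer = isset( $_POST['footer'] ) ? wp_kses_post( wp_unslash( $_POST['footer'] ) ) : '';
    update_option( 'demo_footer_html', $footer );
    wp_send_json_success();
}

// 4. Filtering on the way out as well, so a value that got into the option by
//    some other route (a database import, another plugin) is still neutralised.
add_action( 'wp_footer', function () {
    echo wp_kses_post( get_option( 'demo_footer_html', '' ) );
} );
```

The admin-side JavaScript that calls the hardened handler has to send the nonce along with the form data (for example as a `nonce` field filled from `wp_create_nonce( 'demo_save_footer' )` on the settings page). The reason the vulnerable version matters beyond adverts is step 4's comment: script that runs in an administrator's browser can make further requests with that administrator's session, which is how an injected ad turns into administrator-level control.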

How can I protect myself against WordPress security threats caused by plugins?

Although plugins can pose a threat to your website security, there are several simple steps you can take to minimize your risk of encountering problems.

To protect against WordPress security threats caused by plugins you should:

  • Only install plugins from the WordPress plugin directory
  • Avoid plugins that aren't maintained
  • Keep plugins up to date
  • Remove unused plugins
  • Use a website security package

Let's take a close look.

Only install plugins from the WordPress plugin directory

Plugins submitted to the WordPress plugin directory are reviewed before they're made available for download, which makes it much less likely that you'll be installing a malicious plugin. (The review covers the initial submission; later versions are released by the plugin's own authors, which is one reason who maintains a plugin matters as much as where it's listed.)

If you're asked to install a plugin that isn't available via the directory then you should exercise extreme caution and check to make sure that the plugin is legitimate.

In most cases a plugin that's only available from a company's own website is a premium plugin you have to pay for. Check reviews to make sure the company and the plugin are legitimate, and download it only from the vendor's own site, never from a third party offering the same plugin for free.

If you have any doubts, stick to the plugin directory.

However, just because a plugin is in the directory that doesn't make it 100% risk free, which is why you should…

Avoid plugins that aren't maintained

The best WordPress plugins are regularly updated to make sure they're compatible with new versions of WordPress, to add new features and to address any security issues which may have been discovered.

So if you're installing a WordPress plugin that hasn't been maintained in a while, you may be putting your website at risk.

Now, plugins that aren't maintained and are found to have a security flaw do get closed and removed from the directory, so the overwhelming majority of plugins that remain listed are safe. Bear in mind that removal from the directory doesn't remove the plugin from sites that already have it installed, and a closed plugin will never receive a fix, so if a plugin you use disappears from the directory, treat that as a signal to replace it.

But security isn't the only reason you should avoid unmaintained plugins - the chances are you won't be able to get support for the plugin if you need it, and it's likely to stop working in the near future as new versions of WordPress are released.

You can see whether a plugin is regularly updated on its details page in the directory: look at the "Last updated" date, the "Tested up to" WordPress version and the number of active installations. The directory also shows a warning on plugins that haven't been tested with recent major releases of WordPress, which is a sign the plugin may no longer be maintained.

Keep plugins up to date

The fact a plugin is regularly updated doesn't mean a thing if you've got a two-year-old version of the plugin running on your site.

As we've already mentioned, one of the reasons plugins are updated is to patch security issues that have been discovered.

So if you're not keeping your plugins up to date then you may be putting your WordPress site at risk.

Update plugins as soon as you can. Or, better still, turn on automatic updates: WordPress can update each plugin by itself, and you can enable this for individual plugins from the Plugins screen in your dashboard.

And make sure you keep your WordPress install up to date too.
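One way to switch automatic updates on for every site you look after, added here as an example rather than anything from the article: a must-use plugin (a PHP file placed in wp-content/mu-plugins/, where WordPress loads it unconditionally) that uses WordPress's own update filters. The file name and the hold-back list are assumptions made for the example.

```php
<?php
/*
 * Plugin Name: Auto-update policy (illustrative mu-plugin)
 * Description: Forces automatic updates for plugins, themes and WordPress core.
 *              Save as wp-content/mu-plugins/auto-update-policy.php.
 */

// Plugins you would rather test on a staging site before they update
// (an assumed list for the example; everything not listed updates automatically).
const DEMO_HOLD_BACK_PLUGINS = array( 'some-complex-plugin' );

// $item is the update-response object for one plugin; ->slug is its directory slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, DEMO_HOLD_BACK_PLUGINS, true ) ) {
        return false;   // leave this one for a manual update after testing
    }
    return true;        // everything else updates as soon as WordPress sees a new version
}, 10, 2 );

// Themes too: an abandoned theme is as much of a foothold as an abandoned plugin.
add_filter( 'auto_update_theme', '__return_true' );

// Core: minor (security and maintenance) releases auto-update by default;
// this also opts in to major releases.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Defensive: if another plugin, or AUTOMATIC_UPDATER_DISABLED in wp-config.php,
// has switched the updater off, turn it back on.
add_filter( 'automatic_updater_disabled', '__return_false' );
```

Two things to check after installing it. Automatic updates run from WP-Cron, so a site where WP-Cron is disabled and no system cron job calls wp-cron.php will never update itself, however the filters are set. And the updater refuses to run at all when `DISALLOW_FILE_MODS` is defined or when the web server can't write to the WordPress files, so a site locked down that way needs updates applied by a deployment process instead.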

Remove unused plugins

Old, unused plugins can slow down your WordPress site, and you still need to keep them updated. Deactivating a plugin isn't enough: its files stay on the server, and some plugin vulnerabilities can be triggered by requesting those files directly, whether or not the plugin is active.

So if you've stopped using a plugin, uninstall it.
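The last two steps, spotting plugins that aren't maintained and finding the ones you no longer use, can be done for a whole site in one pass. The script below is an added example, not part of the article, written to be run on the site with WP-CLI (`wp eval-file plugin-audit.php`); it uses the functions WordPress itself uses to list installed plugins and to query the plugin directory, so it needs outbound HTTPS to api.wordpress.org. The 365-day threshold and the file name are assumptions.

```php
<?php
/*
 * Plugin audit (illustrative): lists every installed plugin and flags the ones
 * that are inactive, out of date, unmaintained, or no longer in the directory.
 * Run on the site with WP-CLI:  wp eval-file plugin-audit.php
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';          // get_plugins(), is_plugin_active()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';  // plugins_api()

$stale_after_days = 365;   // assumption: a year without a release counts as unmaintained
$now = time();

function demo_plugin_slug( $plugin_file ) {
    // 'akismet/akismet.php' -> 'akismet'; single-file plugins such as 'hello.php' -> 'hello'
    $dir = dirname( $plugin_file );
    return '.' === $dir ? basename( $plugin_file, '.php' ) : $dir;
}

foreach ( get_plugins() as $file => $data ) {
    $flags = array();

    if ( ! is_plugin_active( $file ) ) {
        $flags[] = 'INACTIVE: remove it, the files are still on the server';
    }

    // Ask the plugin directory about this slug. Closed plugins and premium
    // plugins that were never listed there both come back as an error.
    $info = plugins_api( 'plugin_information', array(
        'slug'   => demo_plugin_slug( $file ),
        'fields' => array( 'sections' => false, 'last_updated' => true, 'tested' => true ),
    ) );

    if ( is_wp_error( $info ) ) {
        $flags[] = 'NOT IN DIRECTORY: closed, or a third-party plugin you must track yourself';
    } else {
        $age_days = (int) ( ( $now - strtotime( $info->last_updated ) ) / DAY_IN_SECONDS );
        if ( $age_days > $stale_after_days ) {
            $flags[] = sprintf( 'STALE: last release %d days ago', $age_days );
        }
        if ( version_compare( $data['Version'], $info->version, '<' ) ) {
            $flags[] = sprintf( 'OUTDATED: %s installed, %s available', $data['Version'], $info->version );
        }
    }

    printf( "%-40s %-10s %s\n", $data['Name'], $data['Version'], $flags ? implode( '; ', $flags ) : 'ok' );
}
```

Anything flagged INACTIVE is a candidate for `wp plugin delete`, anything STALE is a candidate for replacement, and NOT IN DIRECTORY is a prompt to find out why: a paid plugin you track through its vendor is fine, a plugin that was closed after a security report is not.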

Use a website security package

Okay, so although keeping your plugins up to date is best practice, we all know that in the real world sometimes we let things slip.

Of course hackers know that too, which is why they use automated programmes that scan websites for known vulnerabilities, such as the ones found in out-of-date WordPress plugins. These scanners don't single out particular sites; they try every site they can reach, so a small site is as likely to be probed as a big one.

By using a tool like GoDaddy Website Security, you can actually block these kinds of automated scans from hackers, which helps protect your site against attacks. (You'll need to opt for the deluxe package or better.)

The tool also removes malware if your site is infected, and helps protect against all kinds of security vulnerabilities - not just ones caused by plugins.

Summing up

WordPress is a great, user-friendly way to build a website. But its popularity and its enormous ecosystem of third-party plugins make it a favourite target, and a flaw in any one plugin affects every site running it.

But by keeping things up to date and removing what you don't use, you'll improve your WordPress website's security and make it far less likely that an automated attack will succeed against you.