Avoiding plugin security nightmares

One of the fantastic things about WordPress and the wider ecosystem that surrounds it is the way you can extend your WordPress site to do cool stuff using plugins.

The official WordPress plugin repository has tens of thousands of options for adding functionality to your site, many of which are terrifically useful. However, choosing the wrong plugin can have devastating consequences on your site.

Some of the problems that a dodgy plugin can cause include:

  • allowing an attacker to edit or publish posts on your site
  • stealing usernames and passwords
  • giving an attacker full admin rights over your whole site
  • taking your site down completely or making it totally unresponsive

If this leaves you feeling a bit paranoid about your use of plugins – GOOD! Plugins are not something that should be considered lightly.

Here are some questions to think about when mulling over whether using a particular plugin is a good idea:

  • Does the plugin do one thing, or lots of things? It’s best to use small plugins that do one thing very well, rather than mega-plugins with bazillions of lines of code.
  • How old is the plugin? When was it last updated? If it’s not been for a while, then it probably is best to give it a miss.
  • Who wrote it? Can you have a dig around their background – do they seem trustworthy members of the WordPress community?
  • What’s the support like? Do the authors respond on the WordPress forums much? If not, that might be a warning sign.

Obviously there are often exceptions to all the above – but these basic questions are a good place to start.

An additional key point is to always keep your plugins up to date. Make sure that when updates come out, you apply them to ensure that any security holes the developers have identified get closed as soon as possible.
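Some of the questions above can be read straight off a plugin's published metadata: how long since the last update, which WordPress version the author tested against, what share of support forum threads the authors actually resolve, and whether your installed copy lags the latest release. The script below, an added example rather than anything from the original post or from dxw's tooling, scores a plugin record on those points. The field names follow the shape of the WordPress.org plugin information API as assumed here; the two sample records, the thresholds and the version numbers are constructed for the example, not real plugins.

```python
"""Score a WordPress plugin record against the checklist in the post.

Added example: the sample records below are constructed, not real plugins,
and the field names mirror (as an assumption) the WordPress.org plugin
information API rather than any dxw code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions chosen for this example, not values from the post.
MAX_AGE_DAYS = 365          # "not updated for a while"
MIN_RESOLVED_RATIO = 0.5    # share of support threads the authors resolved


@dataclass
class PluginInfo:
    slug: str
    version: str               # latest released version
    last_updated: str          # API style: "YYYY-MM-DD h:mmam GMT"
    tested: str                # highest WordPress version the author tested against
    support_threads: int
    support_threads_resolved: int


def parse_last_updated(value: str) -> date:
    """Keep only the date part of the 'YYYY-MM-DD h:mmam GMT' string."""
    return date.fromisoformat(value.split(" ")[0])


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn '6.5.3' into (6, 5, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def assess(info: PluginInfo, today: date, current_wp: str,
           installed_version: str | None = None) -> list[str]:
    """Return one warning string per checklist item the plugin fails."""
    warnings: list[str] = []

    age_days = (today - parse_last_updated(info.last_updated)).days
    if age_days > MAX_AGE_DAYS:
        warnings.append(f"last updated {age_days} days ago")

    # "Tested up to" trailing the current major.minor release suggests the
    # author is no longer keeping pace with WordPress itself.
    if version_tuple(info.tested)[:2] < version_tuple(current_wp)[:2]:
        warnings.append(f"tested up to {info.tested}, current WordPress is {current_wp}")

    # Unanswered support threads are the "what's the support like?" signal.
    if info.support_threads:
        ratio = info.support_threads_resolved / info.support_threads
        if ratio < MIN_RESOLVED_RATIO:
            warnings.append(f"only {ratio:.0%} of support threads resolved")

    # The "keep plugins up to date" point: installed copy behind the release.
    if installed_version and version_tuple(installed_version) < version_tuple(info.version):
        warnings.append(f"installed {installed_version} is behind latest {info.version}")

    return warnings


# Constructed sample records (not real plugins) and a fixed "today" so the
# result is reproducible.
TODAY = date(2024, 6, 1)
CURRENT_WP = "6.5.3"
SAMPLE_STALE = PluginInfo("example-stale-gallery", "2.3.1", "2022-11-03 9:12am GMT", "5.9.3", 40, 6)
SAMPLE_HEALTHY = PluginInfo("example-tidy-forms", "1.8.0", "2024-05-20 4:30pm GMT", "6.5.3", 12, 11)


def report(info: PluginInfo, installed_version: str) -> str:
    """Human-readable verdict for one plugin."""
    warnings = assess(info, TODAY, CURRENT_WP, installed_version)
    if not warnings:
        return f"{info.slug}: no warnings"
    return f"{info.slug}: " + "; ".join(warnings)


if __name__ == "__main__":
    print(report(SAMPLE_STALE, "2.2.0"))
    print(report(SAMPLE_HEALTHY, "1.8.0"))
```

The questions the script cannot answer (does the plugin do one thing, who wrote it) still need a human; the point of automating the rest is to make the stale, unsupported or outdated cases obvious before anyone reads a line of the plugin's code.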

For more detailed assessments of a plugin’s trustworthiness, head over to dxw’s security site. Every time the team audits a plugin for a client, the outcomes are published, ready for you to search and make use of. Obviously not every plugin ever made will be in the database, but a lot of the common ones are, and a quick check could save you a lot of time and, potentially, stress.

All the sites dxw build and host are subject to this kind of scrutiny to ensure that they and the plugins they rely on are secure. We can also provide this assurance work for other clients, where we don’t host the site. Interested? Drop us a line.

Our very own Duncan Stuart gave a talk in April to the London WordPress group on the topic of WordPress security, which goes into some detail when it comes to plugins. Here’s the video so you can glory in its excellence.

For the completists amongst you, you can also download a PDF of Duncan’s slides.

Any questions about plugin security? Ask away in the comments!