Are you worried about WordPress plugin vulnerabilities sinking your site? A 2016 survey of hacked website owners by Wordfence found that 55.9% of WordPress websites (whose owners determined the hacker’s point of entry) were compromised due to plugin vulnerabilities. And that makes sense! Because while WordPress’ core may be secure, plugins add a wildcard that the WordPress core can’t always account for.
One of the reasons WordPress is so popular is the freedom it gives users to add any number of functions with the help of plugins. Users get to choose from close to 50,000 plugins available for free in the WordPress plugin repository. And that’s not even counting the many third-party free and premium plugins.
But sometimes so much choice leads to potential issues. Rogue plugins, out-of-date plugins…all can provide a vector for hackers to gain access to your site. So to plug those potential holes, here are some tips to keep your site safe by eliminating WordPress plugin vulnerabilities as much as possible.
Scan for WordPress plugin vulnerabilities
WPScan Vulnerability Database is a good place to check if any plugin is a security threat. The service lists plugins and their known vulnerabilities. You can look up a plugin by name or filter all plugin vulnerabilities alphabetically. If you catch a given plugin in the list, first check the plugin’s listing page for an update. If there’s no update to patch the vulnerability, you should delete the plugin for the time being if at all possible.
Another way to catch these threats in time is to subscribe to paid services like, the aptly named, Plugin Vulnerabilities. You’ll gain access to always up-to-date data as these services continuously monitor security threats and hacking attempts. And if you’re using a plugin which is at risk, you’ll receive an email alert about it. Because you get the notification with this service, you’re much more likely to be able to act quickly.
You can also detect these threats by running a scan on your website from time to time. A plugin like Plugin Vulnerabilities will not only scan all your installed plugins, it’ll also notify you of the more common security issues.
As for the threats that surface subsequently, you can opt to receive alerts. New threats crop up almost on a daily basis as hackers try and target WordPress websites. For that reason, it’s important that you check for vulnerabilities frequently (or have a service do it for you).
Choose the right plugins
No plugin is 100% safe. But you can significantly reduce WordPress plugin vulnerabilities by learning to assess and select quality plugins before installing them. Pick plugins only from reputed marketplaces like CodeCanyon, the WordPress Plugin repository, or third-party stores that you trust. The WordPress repository vets each plugin before it’s available to the public and CodeCanyon also has its own review system in place.
So, what should you check to figure out if a plugin is good to install? Start with:
- Average user ratings.
- User reviews.
- Updates and compatibility.
- Active installations.
- Support and documentation.
We’ve covered analyzing these points in our earlier post, so I’ll skip discussing them in detail here. But you can keep these factors in mind before adding a plugin to your website:
- If you have the server resources to support it, you can install as many plugins as you want. What’s important is that the plugins are coded well. That being said, one badly coded plugin can bring the website down.
- An active change log section indicates that the author is supporting the plugin and is responsive to the needs of users. On the other hand, only a few entries in this section may simply mean that the plugin needs no changes or updates.
- There are hundreds of excellent free WordPress plugins. But keep in mind that premium plugins often have more responsive support and are up-to-date with the latest WordPress versions.
- It’s a good practice to install plugins on a need only basis.
Update plugins (and everything else) regularly
One of the most popular attack vectors for hackers is an out-of-date WordPress plugin. A Sucuri analysis found that three popular out-of-date plugins were the cause of 18% of the hacked WordPress sites they looked at in Q3 2016.
(Chart by Visualizer Lite.)
In case you’re wondering, that’s RevSlider, Gravity Forms and Timthumb. It’s important to note that the plugin developers patched the vulnerabilities quickly…but enough people didn’t update their plugins that the issue still led to a number of hacked sites.
Here’s the important takeaway:
Even if you choose the “right” plugins to start with, if you don’t keep those plugins updated…you’re still at risk.
So how can you ensure your plugins are always updated? One way is to look for the update icon in your WordPress dashboard (pictured above). Another way is to enable automatic updates.
To enable automatic updates for all or some of your plugins, you can use a free plugin called Easy Updates Manager:
Additionally, for plugins that you purchase from CodeCanyon, try the free Envato Market plugin to help you automatically update the plugins.
Delete unwanted plugins
Another good way to stay safe is to delete inactive plugins that you no longer plan to use. While inactive plugins do not consume RAM, bandwidth or PHP, they do take up server space. And if present in large numbers, they can slow down your site. But the main reason why you shouldn’t keep inactive plugins around is that they can be used to run malicious code on your website.
Summing things up
Plugins are awesome. They help you do wonderful things with your WordPress. But sometimes poorly coded or out-of-date plugins can open your WordPress site up to hackers. By choosing your plugins with care and updating them regularly, you can go a long way towards reducing your chance of falling victim to WordPress plugin vulnerabilities.
Need us to clarify any of this WordPress plugin vulnerabilities stuff further? Don’t hesitate to speak up in the comments.