Before installing software on your computer, you would probably do a bit of research on the software before loading it on your system. Since the traditional software world has a handful of established vendors, vetting out bad software is relatively easy.
WordPress plugins are often a little more difficult to screen because traditional antivirus programs can’t detect web exploits. Instead users are often forced to rely on their gut or sparse comments on the web to figure out if code is safe to use.
The best option to ensure the security of WordPress plugins you use is to audit the code by hand. For most people, this time commitment is a bit excessive. By following a couple of common sense measures, you can protect yourself from many malicious WordPress plugins.
Using Security Scanners
Although most security threats can’t be controlled with automated tools, using a quality web security scanner is a great way to compliment common sense security measures. SitePoint mentioned a few security plugins in their article on managed WordPress Hosting pros and cons which are worth looking at. In particular Wordfence and Sucuri SiteCheck are both solid tools which can help you spot malware which isn’t visible to the average user.
Going Beyond Reviews
While the WordPress Plugin Directory and many WordPress Plugin sites offer user reviews, this feature isn’t reliable for a couple of reasons.
The first reason is that reviews on the WordPress Plugin Directory are often sparse and the reviews often only have star ratings rather than actual user comments. Additionally, reviews on company websites aren’t trustworthy because the developer has ample opportunity to manipulate the ratings.
If you are looking for credible reviews, then you should check out independent plugin marketplaces such as Envato Market or BinPress as they are the vendors which stand out. Just make sure you pay attention to user comments which detail why they gave a product the rating they did.
Aside from relying on reviews, have a look at the plugin website and look at the support forums to get an idea of the attentiveness of the developer and quality of their code. Look to see if they have a professional support ticket system, and also try contacting the developer if you have concerns about their offering.
You also should try Googling the developer’s information to see if they have a negative reputation across the Internet.
While these steps aren’t foolproof, they are much better than making a blind purchase.
When Good Plugins Turn Bad
Although screening plugins up front is a must for any WordPress user, even great plugins can become neglected overtime. Sometimes you might buy a plugin from reputable developer who charges for a subscription, or you might buy a plugin for a flat rate. Either way, development shops come and go. Even some of the best plugins are discontinued over time.
If you can find a reliable plugin, the next step is making sure that it’s updated to keep pace with all major WordPress revisions. Whenever a major security update comes out, you should check the plugin changelog. Just because a plugin loads in WordPress doesn’t mean that it’s safe to use.
As the WordPress Handbook states, major releases are shown by a change in the first two numbers. A jump from 3.6 to 3.7 is more significant than a jump from 3.6.1 to 3.6.2. A ‘major’ release means that backwards compatibility can be (and usually is) broken. ‘Minor’ updates (updates with a third number) only address critical bugs and aren’t likely to break your plugins functionality.
While a plugin can function for an extended period of time, you should always check the plugin website or WordPress codex every time a major WordPress update is released.
Even if the plugin works by default, the developer might announce technical issues and bugs on their website which can be dangerous to your WordPress install. In most cases the plugin will continue working if it is safe, but it never hurts to exercise caution.
Don’t Forget the Importance of Common Sense
The best way to protect your WordPress install from security threats is to cut down your reliance on plugins all together. Only use plugins when they add tangible value to your install, and avoid them when they do tasks you can do yourself.
Using a plugin to edit your .htaccess file or relying on a plugin to insert AdSense code into your blog is not the best use of your resources. Plugins which enable complex functionality not included in WordPress, such as paywalls and forums are a good use.
As with your workstation, aimlessly adding software can result in poor performance. Learning how to tweak WordPress yourself allows you to keep your site secure without missing out on useful features.
Jump Start Git, 2nd Edition
Visual Studio Code: End-to-End Editing and Debugging Tools for Web Developers
Form Design Patterns