How to Protect Yourself from Rogue WordPress Plugins

By Charles Costa
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

Before installing software on your computer, you would probably do a bit of research on the software before loading it on your system. Since the traditional software world has a handful of established vendors, vetting out bad software is relatively easy.

WordPress Plugins

WordPress plugins are often a little more difficult to screen because traditional antivirus programs can’t detect web exploits. Instead, users are often forced to rely on their gut or sparse comments on the web to figure out if code is safe to use.

The best option to ensure the security of WordPress plugins you use is to audit the code by hand. For most people, this time commitment is a bit excessive. By following a couple of common sense measures, you can protect yourself from many malicious WordPress plugins.

Using Security Scanners

Although most security threats can’t be controlled with automated tools, using a quality web security scanner is a great way to complement common sense security measures. SitePoint mentioned a few security plugins in their article on managed WordPress Hosting pros and cons which are worth looking at. In particular, Wordfence and Sucuri SiteCheck are both solid tools which can help you spot malware which isn’t visible to the average user.

Going Beyond Reviews

While the WordPress Plugin Directory and many WordPress Plugin sites offer user reviews, this feature isn’t reliable for a couple of reasons.

The first reason is that reviews on the WordPress Plugin Directory are often sparse and the reviews often only have star ratings rather than actual user comments. Additionally, reviews on company websites aren’t trustworthy because the developer has ample opportunity to manipulate the ratings.

If you are looking for credible reviews, then you should check out independent plugin marketplaces such as Envato Market or BinPress, as they are the vendors which stand out. Just make sure you pay attention to user comments which detail why they gave a product the rating they did.

Aside from relying on reviews, have a look at the plugin website and look at the support forums to get an idea of the attentiveness of the developer and quality of their code. Look to see if they have a professional support ticket system, and also try contacting the developer if you have concerns about their offering.

You also should try Googling the developer’s information to see if they have a negative reputation across the Internet.

While these steps aren’t foolproof, they are much better than making a blind purchase.

When Good Plugins Turn Bad

Although screening plugins up front is a must for any WordPress user, even great plugins can become neglected over time. Sometimes you might buy a plugin from a reputable developer who charges for a subscription, or you might buy a plugin for a flat rate. Either way, development shops come and go. Even some of the best plugins are discontinued over time.

If you can find a reliable plugin, the next step is making sure that it’s updated to keep pace with all major WordPress revisions. Whenever a major security update comes out, you should check the plugin changelog. Just because a plugin loads in WordPress doesn’t mean that it’s safe to use.

As the WordPress Handbook states, major releases are shown by a change in the first two numbers. A jump from 3.6 to 3.7 is more significant than a jump from 3.6.1 to 3.6.2. A ‘major’ release means that backwards compatibility can be (and usually is) broken. ‘Minor’ updates (updates with a third number) only address critical bugs and aren’t likely to break your plugin’s functionality.

While a plugin can function for an extended period of time, you should always check the plugin website or WordPress codex every time a major WordPress update is released.

Even if the plugin works by default, the developer might announce technical issues and bugs on their website which can be dangerous to your WordPress install. In most cases the plugin will continue working if it is safe, but it never hurts to exercise caution.
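The following script is an added example written for this article; it is not WordPress core, WP-CLI or any plugin’s code. It applies the version rule above (a change in the first two numbers is a major release) to the standard `Requires at least:` and `Tested up to:` headers of a plugin’s readme.txt, so you can flag plugins whose developer has not vouched for the WordPress major release you are running. The readme fragments and plugin names are constructed samples, and the status labels (`ok`, `untested`, `requires-newer`, `unknown`) are this example’s own.

```python
"""Flag plugins whose 'Tested up to' header lags the running WordPress major release.

Added example for this article; not WordPress or WP-CLI code. It reads the
standard readme.txt header fields ("Requires at least", "Tested up to") and
applies the article's definition of a major release: the first two numbers.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Standard readme.txt header fields used by the WordPress Plugin Directory.
HEADER_RE = re.compile(
    r"^(?P<key>Requires at least|Tested up to):\s*(?P<value>\d+(?:\.\d+)*)\s*$",
    re.MULTILINE | re.IGNORECASE,
)
NAME_RE = re.compile(r"^===\s*(?P<name>.+?)\s*===\s*$", re.MULTILINE)


@dataclass(frozen=True)
class PluginHeaders:
    name: str
    requires_at_least: Optional[str]
    tested_up_to: Optional[str]


def parse_version(version: str) -> tuple:
    """'3.6.1' -> (3, 6, 1); '3.7' -> (3, 7)."""
    return tuple(int(part) for part in version.strip().split("."))


def major_of(version: str) -> tuple:
    """The article's 'major' identifier: the first two numbers, padded ('4' -> (4, 0))."""
    parts = parse_version(version) + (0, 0)
    return parts[:2]


def is_major_jump(old: str, new: str) -> bool:
    """A change in the first two numbers is a major release; a third-number change is minor."""
    return major_of(old) != major_of(new)


def parse_readme(text: str) -> PluginHeaders:
    """Pull the plugin name and the two compatibility headers out of a readme.txt."""
    name_match = NAME_RE.search(text)
    headers = {m.group("key").lower(): m.group("value") for m in HEADER_RE.finditer(text)}
    return PluginHeaders(
        name=name_match.group("name") if name_match else "unknown plugin",
        requires_at_least=headers.get("requires at least"),
        tested_up_to=headers.get("tested up to"),
    )


def assess(headers: PluginHeaders, wp_version: str) -> str:
    """Return 'untested', 'requires-newer', 'unknown' or 'ok' for the installed WordPress version."""
    if headers.tested_up_to is None:
        return "unknown"  # no header at all: treat as unverified and read the changelog by hand
    if headers.requires_at_least and parse_version(headers.requires_at_least) > parse_version(wp_version):
        return "requires-newer"  # the plugin itself says it needs a newer WordPress
    if major_of(headers.tested_up_to) < major_of(wp_version):
        return "untested"  # a major WordPress release the developer has not vouched for
    return "ok"


# Constructed sample readme.txt fragments (hypothetical plugins, not real ones).
SAMPLE_READMES = {
    "current": "=== Example Forum Plugin ===\nRequires at least: 3.5\nTested up to: 3.7.1\nStable tag: 2.0.3\n",
    "lagging": "=== Example Paywall ===\nRequires at least: 3.0\nTested up to: 3.5\nStable tag: 1.4\n",
    "noheader": "=== Example Widget ===\nStable tag: 0.9\n",
}


def report(wp_version: str, readmes=SAMPLE_READMES) -> dict:
    """Assess every sample readme against one WordPress version."""
    return {label: assess(parse_readme(text), wp_version) for label, text in readmes.items()}


if __name__ == "__main__":
    for label, status in report("3.7.1").items():
        print(f"{label}: {status}")
```

Run it against the readme.txt of each installed plugin after a WordPress major update; anything reported as `untested` or `unknown` is the plugin whose changelog and support forum you should read before relying on it, which is exactly the manual check the section describes.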

Don’t Forget the Importance of Common Sense

The best way to protect your WordPress install from security threats is to cut down your reliance on plugins altogether. Only use plugins when they add tangible value to your install, and avoid them when they do tasks you can do yourself.

Using a plugin to edit your .htaccess file or relying on a plugin to insert AdSense code into your blog is not the best use of your resources. Plugins which enable complex functionality not included in WordPress, such as paywalls and forums, are a good use.

As with your workstation, aimlessly adding software can result in poor performance. Learning how to tweak WordPress yourself allows you to keep your site secure without missing out on useful features.

  • Three thoughts to share:

    1) The problem with the plugin rating setup is that the ratings are release-centric. That is v1.0.0 could be a 4.5 but v1.7.2 could be a 1. But there’s no way of really knowing the 5 was for the older version. WP doesn’t really do anything to help you understand the 5 isn’t a 5 any more. That is, the 5 should NOT be counted in the current average because v1.0.0 is not relevant anymore.

    2) The WP plugin update architecture should require, or at least allow for, the ability to collect a rating from the receiving site. I mean, is that really too much to ask?

    That is, for example, when you’re going from v1.0.0 to v1.1.0 you should be prompted to rate the previous version. That said, even knowing update stats could also be uber helpful. In theory a plugin’s 1.0.0 could be installed a million times, but if none updates to 1.1.0 then that’s good data to be aware of. In short, total downloads doesn’t mean squat.

    3) There could / should also be – similar to eBay – a seller’s reputation. That is, if the dev has multiple plugins you should be able to see / know those collective ratings as well. Each of us, one by one going from plugin A to plugin B and so on to get a sense for quality, should not be what plugin “buyers” have to do to make good decisions. Buyers should also be rated so you can tell which are fake and/or spam.

    Bottom line: At 10+ years, WP is a mature product that is in need of some re-imagining if the quality of the product’s experience is going to not fall off any further.

    • All excellent points. I think the problem with WordPress really is that Automattic is so focused on maintaining the code that they really don’t have time to focus on implementing improved feedback on the official plugin directory or things of that sort.

      If the points you mentioned were implemented, then this article probably wouldn’t be as relevant, but I think the biggest thing is that the open source ecosystem is so vast it’s really impossible to mandate developers to participate. If they did, who would foot the cost to administer these features?

      That’s probably why marketplaces are able to have the eBay-like ratings: because they have an immediate economic incentive to keep the ecosystem solid. Automattic on the other hand isn’t making money off the plugins so they have no need to implement the systems.

      Ultimately money talks, and companies are going to focus on the areas which drive the most revenue rather than focusing on general good.

      • Exactly. The focus is on Period. End of story. To believe otherwise is just naive.

        That said, what troubles me is we’re sold the idea of a WP “community” when in fact the WP 1%ers (if you will) get to work the big / cool stuff (e.g., VIP) while the rest of us in the trenches are left to try to help each other deal with a second rate end to end product experience. I mean, if I have direct access to the person who wrote function X in core and I never even experience the Codex, how am I going to know what that experience is like?

        Don’t get me wrong, I like WP. But sometimes it reminds me of Washington DC / Uncle Sam.

      • p.s. You said, “If they did, who would foot the cost to administer these features?”

        Well, I think Envato kinda has the right idea but no code review / quality control. In any case, it does prove people can / will pay for plugins. I also believe there’s a market for theme and plugin “certification”. Heck, I’ve pulled stuff off and with DEBUG true I pull warnings and/or errors. Really? I “buy” something new and it’s not even reviewed. Something is very wrong if that’s the experience being sold.