WordPress Plugin Security and the Truth About Hacking



We’ve seen WordPress grow and change dramatically over the past 17 years. What started as a simple, open-source personal blogging platform in 2003 now powers around 455 million sites, or roughly 35% of all websites, according to the most recent research from W3Techs.

WordPress is a global community supported and maintained by thousands of volunteers, including designers, developers, writers, photographers and enthusiasts around the world. The fact that this CMS (content management system) is also easily customizable, functionally robust, easy to learn and free to use makes it the perfect choice for most of our clients’ website needs.

One of the features that makes WordPress so versatile is the ability to incorporate plugins: pieces of pre-made software, typically developed by third parties, that can be installed to extend the functionality of WordPress websites. The official WordPress plugin directory includes more than 50,000 of these add-ons to enable everything from custom contact forms to SEO support to e-commerce functionality.

But when you need a new feature on your WordPress site and have to choose from hundreds of plugin options that claim to do the same thing, how do you determine which will not only work best for your needs but also not compromise the security and stability of your WordPress site?


Wait, what do “security” and “stability” have to do with WordPress plugins?

Researchers recently announced serious security flaws in three popular WordPress plugins used on approximately 400,000 websites. Remember when we mentioned most of the 50,000-plus plugins in the WordPress directory are developed by third parties (i.e., not official WordPress software products)? Those third parties are unregulated, often unpaid volunteers who aren’t required to update or maintain the plugin code they published to the official directory. When a flaw is found in a plugin nobody maintains, no fix is coming, and automated attackers scan the web for sites still running it. Unmaintained code may also break entirely if it’s not compatible with future versions of WordPress or other plugins on your site. Or, even worse, an outdated plugin could be so incompatible with a core WordPress update that instead of just breaking the plugin functionality, it could break the entire website. Yikes!

But my website isn’t that big and doesn’t include e-commerce or collect any personal information. Why would anyone bother to hack it?

A common misperception is that hackers attack specific websites because of the valuable personal information those sites might be collecting from their users, or because a site is so popular that a hacker could use it to “steal” traffic or promote their own cause. Unfortunately, reality is much less exciting. Among the main reasons hackers target your humble WordPress website are:

  • Sheer volume. As noted previously, WordPress sites make up 35% of the internet. More targets = more opportunities.
  • Plugins are the most common source of vulnerabilities on a WordPress site. With so many plugins available and nothing to enforce updates or patches to them, outdated plugins are an easy target for exploitation.
  • Most hacks aren’t the work of some hooded nerd in a basement with something to prove. More often, sites are compromised by automated bots that scan the web for known plugin vulnerabilities and break into whatever they find, then use the hijacked server’s bandwidth and processing power to help run DDoS (distributed denial of service) attacks, host spam pages or redirect your visitors elsewhere. These “botnets” are often sold as a service to less tech-savvy attackers to use against their target victims. Denial of service… as a service. So meta.
  • Just to see if they can.

So how can I know if a plugin is safe or not?

We’ve worked on sites with all kinds of plugins, including the not-so-reliable ones that seem to get hacked the most. Based on our experience, we suggest checking a few things before you install any plugin on your WordPress site:

  • Is the plugin well reviewed? We look for verified user reviews that include a mix of pros and cons about the plugin because 100% positive reviews are sketchy. Another sketch factor we check is whether all the reviews (or a suspicious bunch of positive reviews) were posted on the same date, which is a classic sign of fake, forced feedback.
  • Has the plugin been updated recently? If a plugin is regularly updated, it’s less likely to become a security vulnerability. We typically steer clear of plugins that haven’t been updated within a month or two. We’re more lenient about time since last update if the plugin function is super simple and/or built with minimal code.
  • How many active installs does the plugin have? Active installs show the number of users who have installed and activated a particular plugin on their WordPress site. Not to knock newer plugins with a smaller user base, but we tend to prefer plugins with thousands or hundreds of thousands of active installs because it indicates that the plugin has been well tested across a variety of site and server configurations.
  • Has the plugin been tested and proven compatible with your version of WordPress? Making sure the plugin is confirmed to work well with the most current version of WordPress (or at least the version of WordPress your site currently uses) is a good way to limit the possibility that the plugin will break your site.
  • Who is the plugin author? The author or developer of the plugin can be another indicator of whether the software is well made and reliable. Check to see if they’ve developed other plugins and if their other work is also well reviewed/popular. Never heard of the author? I bet Google knows something about them.
  • Check the plugin’s support forum. Are user questions being answered in a timely manner? Have several users asked about the same issue? Knowing if the plugin’s support team (which sometimes is just the one developer who made it) is responsive and helping to solve or address issues is a good indication that the plugin is being actively maintained. If any issues in the support threads seem significant, check the date of those discussions to see if the problem was fixed in a previous update. You can also look at the plugin’s changelog to see a history of updates and whether user-reported issues are being addressed.

You can find most of the details mentioned in this checklist on each plugin’s description page in the WordPress directory.
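The checklist above can be applied mechanically to the same data the directory page shows. The script below is an added example, not code from the original post: it assumes the record shape returned by the public WordPress.org plugins API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), from which the field names last_updated, active_installs, tested and ratings are taken, and the SAMPLE_PLUGIN record is constructed rather than a real plugin. The thresholds are assumptions that mirror the post’s rules of thumb.

```python
"""Run the plugin-vetting checklist against WordPress.org plugin metadata.

Added example, not code from the original post. Field names follow the
public plugins API; the sample record below is constructed.
"""
from datetime import datetime, timezone

SAMPLE_PLUGIN = {                                   # constructed sample, not a real plugin
    "name": "Example Contact Widget",
    "slug": "example-contact-widget",
    "version": "2.4.1",
    "author": "Example Dev",
    "requires": "5.0",
    "tested": "5.4",                                # "tested up to" WordPress version
    "active_installs": 40000,
    "num_ratings": 128,
    "ratings": {"1": 6, "2": 4, "3": 10, "4": 28, "5": 80},   # stars -> count
    "last_updated": "2020-05-02 3:12pm GMT",        # the API's timestamp format
}


def parse_last_updated(value: str) -> datetime:
    """Parse the API's 'YYYY-MM-DD H:MMam/pm GMT' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """'5.4' -> (5, 4, 0); a non-numeric component such as '5-beta' counts as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def vet_plugin(info: dict, wp_version: str, today, *,
               max_stale_days: int = 90, min_installs: int = 1000) -> dict:
    """Apply the checklist; returns {check: (passed, detail)} plus an 'install' verdict.

    max_stale_days and min_installs are assumed thresholds ("updated within a
    month or two", "thousands of active installs"); tune them to your taste.
    """
    if isinstance(today, str):                      # accept "YYYY-MM-DD" for convenience
        today = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    checks = {}

    days = (today - parse_last_updated(info["last_updated"])).days
    checks["recently_updated"] = (days <= max_stale_days, f"{days} days since last update")

    installs = int(info.get("active_installs", 0))
    checks["enough_installs"] = (installs >= min_installs, f"{installs} active installs")

    # Compare major.minor only: "tested up to 5.4" covers a site running 5.4.1.
    tested, site = version_tuple(info.get("tested", "0")), version_tuple(wp_version)
    checks["tested_with_wp"] = (tested[:2] >= site[:2],
                                f"tested up to {info.get('tested')}, site runs {wp_version}")

    # The "sketchy" pattern from the post: very few ratings, or every one of them five-star.
    ratings = info.get("ratings", {})
    total, five = sum(ratings.values()), ratings.get("5", 0)
    checks["reviews_plausible"] = (total >= 10 and five < total,
                                   f"{five}/{total} ratings are five-star")

    verdict = all(ok for ok, _ in checks.values())
    checks["install"] = (verdict, "all checks passed" if verdict else "one or more checks failed")
    return checks


if __name__ == "__main__":
    for name, (ok, detail) in vet_plugin(SAMPLE_PLUGIN, "5.4.1", "2020-06-01").items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
```

The same record fails two checks when evaluated months later against a newer WordPress release, which is exactly the signal to go back and look at the author’s other work and the support forum before installing.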

Once you’ve evaluated plugin options and confidently installed the best choice for your new site feature, you’ll want to make sure you know when an update is available for it. Check with your hosting provider to see if you can opt in to have software update notifications emailed to you as soon as they’re available. Some hosting providers also offer automatic updates to plugins and themes and simply email you after the update is complete.

You can also sign up for free email alerts when new WordPress risks are identified in the WP Vulnerability Database. This database is updated daily with known vulnerabilities affecting WordPress core files, themes and plugins. If you’d rather not rely on notifications from your host or a service like the WP Vulnerability DB, make time to log into your site at least once a week to check for and install any available updates.

But WAIT! Before you install that update…

You want to make sure the new version of the plugin won’t conflict with any other plugins or code on your site. It’s frustrating but true: not only can failing to update certain plugins break your site but sometimes updating plugins can also wreak havoc. How do you know if it’s safe to update?

Check the version number of the update. Most plugins number their releases major.minor.patch (#.#.#). A change in the first number is a major release, which may include changes that aren’t backward compatible; a change in the second number is a minor release that adds features but should keep existing behavior working; a change in the third number is a patch release containing bug fixes and security patches. Unless your site relies on heavy customization in the theme or functions files, you can usually safely update from version 5 to version 5.1, for example. But switching from version 5.1 to version 6.0 may require some testing on your part to ensure your site customizations and functionality don’t break.

Patch releases (5.1.2 to 5.1.3, say) are usually safe to install and important for the security of your site code. They’re released more often, as needed, and are unlikely to break anything on your site. Two caveats: not every plugin author follows this convention, so the changelog beats guessing from the number alone, and WordPress core itself numbers things differently (5.4 to 5.5 is a major core release, while 5.4.1 is a minor/security release).

Before installing any update, whether major or minor, ALWAYS make a backup of your current site in case the update is incompatible and you need to restore the previous version to unbreak your site. Check the support forums and extended WordPress community to see if other site admins are having trouble with the new version. This can help you decide if you feel confident making the update immediately or if you should create a staging site to test it.
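To make the version-number rule of thumb concrete, here is an added example (not code from the original post) that classifies each pending update as patch, minor or major and orders them so the low-risk security fixes go first. It assumes the major.minor.patch convention discussed above, which not every plugin follows, so treat its output as a risk hint and still take the backup; the INSTALLED and AVAILABLE version maps are constructed sample data.

```python
"""Classify pending plugin updates as patch / minor / major before installing.

Added example, not from the original post. Assumes major.minor.patch
versioning; the sample version maps are constructed.
"""
import re

RISK_ORDER = {"patch": 0, "minor": 1, "major": 2}   # install the safest updates first

ADVICE = {
    "patch": "bug fixes / security patches: back up, then install promptly",
    "minor": "usually safe; read the changelog if the site relies on heavy customization",
    "major": "may break things: back up and test on a staging copy first",
    "downgrade": "offered version is older than what is installed; check where this update came from",
}


def parse_version(version: str) -> tuple:
    """'5' -> (5, 0, 0), '5.1' -> (5, 1, 0), '2.4.1-beta2' -> (2, 4, 1)."""
    nums = []
    for part in version.strip().split("."):
        match = re.match(r"\d+", part)              # leading digits only: "1-beta2" -> 1
        nums.append(int(match.group()) if match else 0)
    return tuple((nums + [0, 0, 0])[:3])            # pad "5" and "5.1" to three components


def classify_update(installed: str, available: str) -> str:
    old, new = parse_version(installed), parse_version(available)
    if new == old:
        return "none"
    if new < old:
        return "downgrade"
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def plan_updates(installed: dict, available: dict) -> list:
    """Pair each plugin's installed version with the offered one, lowest risk first.

    installed / available map plugin slug -> version string. Returns
    (slug, installed, available, kind, advice) tuples; up-to-date plugins are skipped.
    """
    plan = []
    for slug, current in installed.items():
        offered = available.get(slug)
        if offered is None:
            continue
        kind = classify_update(current, offered)
        if kind == "none":
            continue
        plan.append((slug, current, offered, kind, ADVICE[kind]))
    plan.sort(key=lambda row: RISK_ORDER.get(row[3], 99))   # unknown kinds (downgrade) go last
    return plan


# Constructed sample: versions installed on a site and versions offered by the update screen.
INSTALLED = {"example-forms": "5.1", "example-seo": "2.4.1", "example-gallery": "5", "example-cache": "1.8.3"}
AVAILABLE = {"example-forms": "6.0", "example-seo": "2.4.2", "example-gallery": "5.1", "example-cache": "1.8.3"}

if __name__ == "__main__":
    for slug, cur, new, kind, advice in plan_updates(INSTALLED, AVAILABLE):
        print(f"{slug}: {cur} -> {new} [{kind}] {advice}")
```

The "downgrade" case is deliberately kept: an update screen offering a lower version than what is installed is rare and worth a second look at where that package is coming from.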

How would I know if my site was hacked because of a vulnerable plugin?

Great question. Despite the way hacking is portrayed in TV and movies, the worst hacks are often the hardest to detect.


Hackers who gain access to your site files through weak spots in plugins and other code may be able to inject malicious code that you might not notice until it’s too late. Some symptoms of these kinds of hacks include pages mysteriously redirecting to spammy sites, popup ads appearing when they shouldn’t, new admin accounts created unexpectedly or existing admin accounts deleted (potentially even your own!). You can use a third-party backup and monitoring service to keep track of and notify you anytime a file is changed on your site. We like CodeGuard for this because they notify us immediately if even one file was changed, added or deleted on any site we manage. It’s a very helpful line of defense that dramatically reduces the length of time a hack can exploit your site resources before you’re aware of the problem and can take action to fix it.
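File-change monitoring of the kind described above boils down to a hash manifest and a diff. The script below is an added example, not code from the original post and not CodeGuard’s product: it builds a SHA-256 manifest of a directory tree, saves it as a baseline, and reports files that were added, changed or deleted since. The demo site is constructed in a temporary directory so it runs anywhere, and the IGNORE_DIRS set (media uploads and caches, which change legitimately) is an assumption to tune for your own site.

```python
"""Detect added, changed and deleted files under a WordPress install.

Added example, not from the original post and not CodeGuard's code.
The demo site is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed: directories whose contents change legitimately and would only create noise.
IGNORE_DIRS = {"uploads", "cache"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 hash."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]   # prune ignored dirs in place
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def save_manifest(manifest: dict, path) -> None:
    # Keep the baseline somewhere the web server cannot write to, ideally off the server:
    # an attacker who can edit your files can also edit a baseline stored next to them.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared or changed hash since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the traces a compromise leaves."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        plugin = site / "wp-content" / "plugins" / "example-widget"
        plugin.mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (plugin / "widget.php").write_text("<?php // widget v1\n")

        baseline_path = Path(tmp) / "baseline.json"      # outside the site tree
        save_manifest(build_manifest(site), baseline_path)

        # What an attacker with write access typically leaves behind:
        (plugin / "wp-cache.php").write_text("<?php // unexpected new file\n")   # dropped file
        with open(site / "wp-config.php", "a") as fh:
            fh.write("// injected line\n")                                          # modified file
        (site / "index.php").unlink()                                                # deleted file
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")    # legit upload, ignored

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run build_manifest right after a clean install or a verified update and again on a schedule (a daily cron job is enough for most sites); anything in "added" or "changed" under wp-admin, wp-includes or a plugin directory that you did not just update deserves a look.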

So what if a site has already been hacked? Asking for a friend.

Advise your friend to restore their site from a clean backup taken before the compromise (a backup made after the break-in will faithfully restore the attacker’s files too) and to update or remove the vulnerable plugins before putting the site back online; otherwise the same bot will simply walk back in. Reset all user passwords, and the database and hosting credentials as well if they may have been exposed, and consider a malware cleanup service like Sucuri if your friend’s hosting company does not provide one as part of the site’s hosting plan. A malware service can identify and repair any files affected by the hack and remove unauthorized or malicious code.

How else can I reduce the risk of my WordPress site being hacked?

In addition to keeping your plugins, themes and WordPress core files up to date, evaluating a plugin’s reliability and monitoring known vulnerabilities as they are announced, here are a few more tips to help you protect your WordPress site against hackers:

  • Limit the number of plugins and themes installed on your site. Uninstall any plugins no longer needed on your site. The more plugins installed on a site, the more opportunities a hacker has to find a weak spot.
  • If there is a plugin on your site that hasn’t had an available update recently, check to make sure the developer is still maintaining it. If they’re not, consider removing or replacing it with a more actively maintained plugin.
  • If possible, add a web application firewall (WAF) in front of your site.
  • Use strong, unique passwords for every account, update them regularly and change them immediately after any suspected compromise.
  • Never take candy from a strange WordPress developer.

Any site on the web, no matter which CMS or custom code it was developed with, is susceptible to security flaws and hacking. As with any software, it’s crucial to follow best practices for development, and to test and validate the code before releasing it into the wild.

When using a CMS like WordPress that offers prebuilt software made by the open-source community, it’s even more important to test the reliability and compatibility of third-party plugins with your specific site configuration, including other plugins and customizations therein. Evaluate any plugin you’re considering for your site with a critical eye, and don’t hesitate to reach out to us or any of the WordPress community with questions or help requests.
