Ask Wordfence: How to Limit Security Risks From Plugins

This is the fourth installment in a new series we started last month. You can access previous posts here.

Today’s question comes from Michela in Pordenone, Italy:

Plugins are necessary for enhanced functionality of each WP site, but the more plugins we add, the higher the risk of potential threats. How can we limit this risk, and what can we do in general to prevent these kinds of attacks (through the installed plugins)?

This is a great question. According to survey results we published last year, vulnerable plugins are the top way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.

Use as Few Plugins as Possible

Every plugin you install on your website increases your “attack surface”. You are running more code, so your odds of having a security vulnerability exploited go up. Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind.

Only Download Plugins From Reputable Sites

If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.

If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:

  • The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
  • Look for a valid company name in the footer.
  • Terms of service and a privacy policy should be readily available.
  • You should be able to find a physical contact address on the contact page or in the terms of service.
  • If you Google the domain name in quotes (e.g., “example.com”) you shouldn’t find any reports of malicious activity. Adding the words “malware,” “exploit” and “vulnerability” to your search may reveal additional information.

Use summary data to assess plugin security risks

Choose Reputable Plugins

The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:

  • The more recent the last update, the better.
  • Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
  • It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Tested up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
  • The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.

You should also periodically review your installed plugins to make sure they have maintained their good standing.

Delete Plugins Immediately When You Stop Using Them

We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.

Keep Your Plugins Up to Date

Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability. In fact, the large majority of attacks we see on WordPress sites are attempts to exploit well-known security holes, some many years old. Instead of looking for new vulnerabilities, attackers look for site owners who don’t keep things up to date. Unfortunately, they continue to have success. You can stay ahead of the curve by simply keeping things up to date.

Many plugins like Wordfence include an auto-update feature. You should enable this in as many plugins as you can. For those for which you can’t, you should update to the latest version as soon as possible, especially if it includes a security fix.

Replace Abandoned and Removed Plugins

Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Back in May we wrote a post about abandoned plugins and found that, at the time, over 46% of plugins had not been updated in over 2 years.

Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.

Another risk to keep an eye on is plugins that have been removed from the WordPress.org plugin directory. There are many reasons why the WordPress plugin team might remove a plugin, including having a security vulnerability that hasn’t been fixed. Since their policy is to not disclose why they removed a plugin, we recommend that you immediately remove plugins from your site that are removed from the WordPress.org directory.

This spring, we added a feature that alerts you when plugins have been abandoned or removed from WordPress.org.
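The selection criteria listed under “Choose Reputable Plugins” and the two-year abandonment rule above can be applied mechanically to a list of installed plugins. The following Python script is an added example, not Wordfence code or the alerting feature described here: it runs those checks (last update within two years, at least 1,000 active installs, tested against the current WordPress release, a high rating, and continued presence in the directory) over a constructed set of plugin summaries. The field names `last_updated`, `active_installs`, `tested` and `rating` follow the public WordPress.org plugin information API, which is an assumption about naming; the plugin slugs, all values, and the 80% rating floor are invented for this example.

```python
from datetime import datetime

# Thresholds. The 1,000-install and 2-year figures come from the article;
# the 80% rating floor is an assumption chosen for this example
# (WordPress.org expresses ratings as a percentage).
LOW_INSTALL_THRESHOLD = 1000
ABANDONED_AFTER_DAYS = 2 * 365
MIN_RATING = 80

# Constructed stand-in for the WordPress.org plugin directory. Field names
# follow the public plugin information API; slugs and values are invented.
DIRECTORY = {
    "contact-widget": {"last_updated": "2017-10-02", "active_installs": 300000, "tested": "4.8.2", "rating": 92},
    "old-gallery":    {"last_updated": "2014-06-11", "active_installs": 20000,  "tested": "3.9",   "rating": 88},
    "tiny-helper":    {"last_updated": "2017-09-20", "active_installs": 400,    "tested": "4.8.2", "rating": 64},
    "seo-things":     {"last_updated": "2017-08-01", "active_installs": 50000,  "tested": "4.7.5", "rating": 90},
}

# Plugins installed on the site being audited (constructed). "removed-tool" is
# deliberately absent from DIRECTORY to model a plugin pulled from WordPress.org.
INSTALLED = ["contact-widget", "old-gallery", "tiny-helper", "seo-things", "removed-tool"]


def version_tuple(version):
    """Turn '4.8.2' into (4, 8) so major.minor comparisons ignore patch releases."""
    return tuple(int(part) for part in version.split(".")[:2])


def assess_plugin(meta, today, current_wp):
    """Return a list of findings for one plugin's directory summary.

    today is an ISO date string (YYYY-MM-DD); current_wp is the WordPress release
    the site runs, e.g. '4.8.2'.
    """
    findings = []
    last_updated = datetime.strptime(meta["last_updated"], "%Y-%m-%d")
    audit_date = datetime.strptime(today, "%Y-%m-%d")
    if (audit_date - last_updated).days > ABANDONED_AFTER_DAYS:
        findings.append("abandoned: not updated in over 2 years, replace it")
    if meta["active_installs"] < LOW_INSTALL_THRESHOLD:
        findings.append("low install base: examine maintenance status carefully")
    if version_tuple(meta["tested"]) < version_tuple(current_wp):
        findings.append("tested up to %s, behind current WordPress %s" % (meta["tested"], current_wp))
    if meta["rating"] < MIN_RATING:
        findings.append("rating %d%% is below the %d%% floor" % (meta["rating"], MIN_RATING))
    return findings


def audit_site(installed, directory, today, current_wp):
    """Map every installed slug to its findings; a plugin missing from the
    directory gets the single, strongest finding (remove it immediately)."""
    report = {}
    for slug in installed:
        meta = directory.get(slug)
        if meta is None:
            report[slug] = ["removed from WordPress.org directory: remove it immediately"]
            continue
        report[slug] = assess_plugin(meta, today, current_wp)
    return report


if __name__ == "__main__":
    for slug, findings in audit_site(INSTALLED, DIRECTORY, "2017-10-15", "4.8.2").items():
        print("%-16s %s" % (slug, "; ".join(findings) or "ok"))
```

Run against a real site, `DIRECTORY` would be replaced by lookups of each slug against the directory API, and a lookup failure is what signals a removed plugin; the checks themselves do not change.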

Install a WordPress Firewall

Every now and then an attacker will discover a zero-day vulnerability in a WordPress plugin and start attacking sites. In these cases, if you are unlucky enough to be running the vulnerable plugin, having the latest version installed will not help protect your site. That’s where a web application firewall, or WAF, comes in. Web Application Firewalls examine the traffic hitting your site, filtering out malicious requests.

The Wordfence firewall includes a robust set of protections against the most common attacks on WordPress websites. These include SQL Injection, Cross Site Scripting, Malicious File Uploads, Directory Traversal and many more. In addition, when a new security vulnerability emerges, our security analysts quickly develop code to protect against that specific threat in the form of a “firewall rule.” These firewall rules are deployed in real time to Wordfence Premium customers via the Threat Defense Feed. Free sites receive them 30 days later.

We wrote in depth about how the Wordfence firewall works earlier in the year.

Conclusion

As a WordPress site owner, managing your plugins is a critical component of keeping your site safe. Understanding the risks and actively managing them is an ongoing activity. By using careful criteria in selecting which plugins to install, keeping your existing plugins updated to the latest versions, and using a robust web-application firewall on your website, you can ensure that you’re doing everything you can to protect your site data from malicious attackers.

How do you choose what plugins to install on your site? How do you evaluate which plugins are safe? We’d love to hear your thoughts in the comments below.


11 Comments
  • Absolutely. Nothing can be more true about keeping an eye on the use of plugins to avoid security holes.
    Thanks for sharing!

  • As neat as it was the first couple of times to see the video versions, this written post was better for me. I'm at work right now and video is more intrusive and difficult to pause when I need to step away for a bit.

  • It's a good idea (common sense really) to remove plugins no longer being used. But for some, I don't know if they are still being used. For example, I used a plugin to update URLs after making some changes to my site (search, replace) - but how do I know if I need to keep that plugin active from now on? Did it actually make the change in the files or database? Or does it always need to be active because those updates happen on the fly? In the past I have tried removing plugins I didn't think were necessary, only to have to reactivate them because something didn't work correctly. So - how can I tell which plugins I can remove?

    • Ditto on this response. For years my site was fine, then 2 years ago it got hacked and I had to rebuild and create a new one, but now as WordPress...to this day I've had nothing but increasing problems since WordPress sites get attacked left and right. So it would be helpful to know which plugins to avoid or aren't really needed...or how about a top 10 (or 20)?

  • Same goes for templates. On a fresh WP install, I always install my fave template, Divi, then delete all the de facto templates.

  • This came at an ironic time, I just submitted a support ticket as I think an update I just did to one of my plugins may be hacked. It's a WordPress plugin, not something I downloaded off a random website and I've had it installed for years...but this update is a bit suspicious. Hope to hear from you soon! Thanks for all the great information you pass on, this is definitely another good one.

  • Good tips -- but I just want to point out that enabling auto-update on some plugins can cause problems in themselves. Sometimes new vulnerabilities or bugs are introduced with an update -- most often unintentionally, but occasionally maliciously -- such as the situation described in https://www.wordfence.com/blog/2017/09/display-widgets-malware/

    I do have Wordfence set to auto-update, but I think the better practice is to manually update for most plugins, but to do it regularly. I do have utilities that allow me to update multiple sites at once, but I also have found it important to read the changelog before the update, and test on one site before updating the rest. The changelog will tell whether the update addresses a security problem or is introducing new features. Sometimes, when the update is not a security fix, it's better to wait a few days and monitor the support forum for bug reports before updating. I've learned over time, from experience, which plugins tend to have more "buggy" updates than others. In addition to real security concerns (hacking, etc.), plugin updates can also introduce new conflicts or they can bring down a site if the upgrade fails to complete for any reason. So human oversight to the update process is valuable.

  • THANK YOU for the text post. Much better than video.

    • LOL. You're welcome.

  • Abandoned WordPress plugins are a massive nuisance and will always be an increasing issue whilst ever people are not making any money from them. It seems that the majority of plugins are created by wonderful people trying to solve a problem or increase capabilities for us all. Unfortunately they probably don't realise the commitment necessary to keep one up to date and support it with the constant WordPress updates.

    Time after time they end up abandoned. I even saw a free plugin the other day requesting donations to help keep it alive yet it had 200,000 installations! If even half those people paid £1 they would have £100,000. I don't understand why we have this system of FREE plugins and expect good people to slave over them indefinitely for no money.

    As WordPress seems to make plenty of money, why aren't they investing some money into plugins? I'd like to see a lot more plugins that are vital where the creators make money and can keep them running and safe. I'd like to see WordPress buy the excellent ones up and make them part of WordPress.

    Why should we have to rely on plugins for basic functions like a contact form and SMTP emails? I appreciate in the past it was a great idea to have everything open but times they are a changing and too many plugins are now potentially dangerous.

  • You should add here that people should do the same with themes that they are no longer using.

    There are a LOT of vulnerable themes out there, not just plugins.