WordPress plugin security: How to secure WordPress plugins
WordPress is the undisputed king of the content management system (CMS) realm, powering 43.3% of the web as of 2024. With over 835 million websites using WordPress, any serious security threat has the potential to adversely affect a vast number of people and businesses.
Whilst WordPress has a dedicated security team committed to reviewing code, identifying threats and developing fixes to keep websites safe, there are still vulnerabilities you need to be aware of. And even if you’ve chosen a reputable WordPress Hosting provider with excellent security features like malware scanning, DDoS protection and two-factor authentication, you still need to pay attention to website security and implement measures to keep your data (and customers’ data) safe.
If, like many WordPress users, you rely on plugins to customise your site and enhance its functionality, you could be unwittingly opening up your website to potential avenues of attack. Forgoing plugins isn’t really an option, so you need to devise a strategy for ensuring WordPress plugin security. Keep reading to find out how to secure your WordPress plugins.
What are WordPress plugins?
A WordPress plugin is a piece of software you can install to either add new functionality or enhance existing functionality on your site. Plugins are an essential part of making websites what they are by adding features and functionality, such as contact forms, photo galleries, sliders and much more. These incredibly useful tools can transform a WordPress website from bog standard to a flexible and customisable powerhouse. From small changes like adding contact forms to huge transformations like turning your site into an online store with WooCommerce, plugins are truly indispensable to any WordPress site.
The downside is that plugins can introduce security vulnerabilities into websites. Because third-party WordPress plugins can be created by anyone, many are riddled with flaws and backdoors that can give hackers access to the websites they’re installed on.
Case study: File Manager security flaws
An example of a third-party WordPress plugin with a security issue is a plugin called File Manager. A piece of open-source software designed to help administrators manage files via a management interface, the plugin contains an extra library called elFinder, which suffered an easily exploitable vulnerability.
During a routine update, its developers renamed a certain file and accidentally added it to the project instead of keeping it as a local change. This alteration allowed unauthenticated access to the file and therefore the ability to issue commands to the library. By permitting files to be uploaded and modified, this chink in the plugin’s armour could permit the complete takeover of the associated website. A successful probe ends with the hacker uploading a web shell, disguised inside an image file, to the unfortunate website’s server.
As File Manager is a very popular plugin for WordPress, approximately 700,000 separate WordPress sites were left open for attack. Once this weakness became known among hackers, it immediately became highly popular because of its high impact and easy exploitation. The first attacks began on 31st August 2020 at 1,500 an hour, rising to over 10,000 by 2nd September 2020.
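The attack flow described above ends with a web shell hidden inside an image file in the site’s uploads directory, which is something a site owner can check for. The following command-line scanner is an added example, not code from the article or from the File Manager plugin: it walks a WordPress uploads directory (the path is an assumed default) and reports files that carry an image extension but either contain a PHP open tag or do not start with the format’s signature bytes.

```php
<?php
// Added example (not from the article or the File Manager project): read-only
// scan of a WordPress uploads directory for "images" that contain PHP code or
// whose first bytes do not match the format their extension claims.
// Nothing is deleted; review every hit by hand before acting on it.
// Usage: php scan-uploads.php /var/www/html/wp-content/uploads

// Signature bytes each image format must start with.
const MAGIC_BYTES = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
    'gif'  => "GIF8",
    'webp' => "RIFF",
];

/** Returns a list of finding labels for one file (empty when it looks clean). */
function scanFile(string $path): array
{
    $findings = [];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset(MAGIC_BYTES[$ext])) {
        return $findings; // only image extensions are in scope here
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return ['unreadable'];
    }
    // An "image" that does not begin with its format's signature is suspect.
    if (substr($data, 0, strlen(MAGIC_BYTES[$ext])) !== MAGIC_BYTES[$ext]) {
        $findings[] = 'magic-bytes-mismatch';
    }
    // A PHP open tag is never legitimate inside an image; scanning the whole
    // file catches code appended after valid image data (a polyglot file).
    if (preg_match('/<\?(php|=)/i', $data)) {
        $findings[] = 'php-open-tag';
    }
    return $findings;
}

$root = $argv[1] ?? 'wp-content/uploads'; // assumed default location
$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$hits = 0;
foreach ($files as $file) {
    $findings = $file->isFile() ? scanFile($file->getPathname()) : [];
    if ($findings) {
        $hits++;
        printf("SUSPECT %s: %s\n", $file->getPathname(), implode(', ', $findings));
    }
}
printf("Scanned %s: %d suspect file(s)\n", $root, $hits);
```

A polyglot that is both a valid image and valid PHP will pass the signature check but still trip the open-tag check, which is why both tests run on every file.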
How the File Manager plugin developer responded
This type of security issue is known as a ‘zero-day vulnerability’, which means that the developer found out about the flaw without having had any time to fix the problem. The ‘zero-day’ refers to the developer having ‘zero days’ to sort out the issue, by which point it may already have been exploited by malicious hackers.
In the case of the third-party developed File Manager, the developers quickly deleted the file to repair the plugin’s defences and make it safe again via an update within the day. While any website that upgraded to the new version of File Manager was safe, those that didn’t immediately do this were still unfortunately wide open to attack until they downloaded the latest patch.
How can I protect against cybersecurity threats to my plugins?
This story is pretty concerning for WordPress website owners, but luckily there are ways you can protect yourself from these kinds of security vulnerabilities. All you need to do is take plugin security seriously and incorporate the following six practices into your WordPress security strategy.
Want to learn more about WordPress security? Check out our ‘How to secure your WordPress site’ mega guide after finishing this article for more WordPress security tips.
1. Always install the latest updates
This is perhaps the most crucial point – always ensure that you have the latest patch or update for your WordPress plugins! There are too many other threats to your cybersecurity out there to neglect your plugins as well.
With the horde of different third-party WordPress plugins available, even the very best of web hosting providers can’t assume responsibility for making sure your plugins are up to date. Developers tend to be on the ball when fixing potential security risks, but it’s up to you to make sure that your plugins are protected with the latest patch or update. Keeping one eye on the latest news regarding security breaches is also prudent.
Updating and patching your WordPress plugins very regularly is the key to keeping your website as secure as possible. You have two options to ensure that this is done:
The human option
WordPress has a simple update system that automatically searches for plugin, theme and core software updates, and gives you notifications when it finds one. Updating your WordPress plugins is thankfully very straightforward as a task, as it can be carried out simply by going onto the dashboard and making a few clicks.
Easy huh? Unfortunately, this is an important task that relies on a human to remember to do it every week. As well as the obvious danger of forgetting to do it, a person who runs a website on their own wouldn’t be able to delegate the task if they went on holiday for example. For larger businesses, tracking who pressed what, where and when can cause a surprising amount of problems.
The automated option
The alternative to doing this manually is automating your plugin updates.
There are a number of different automatic update and patching options that you can explore, such as the Easy Updates Manager. This plugin automates updates for WordPress core as well as for the vast majority of your third-party plugins. It’s worth noting, however, that this type of tool may not be able to update every third-party plugin, as some are incompatible because they use their own custom update mechanisms.
In the near future, we may have the option of letting WordPress automatically update third-party plugins as well as its own core software. Until then, just make sure your plugins are secure, whichever path you choose to walk down.
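One way to automate plugin updates without a third-party tool is through the filter WordPress’s own updater exposes. The following must-use plugin is an added example, not code from the article or from any plugin it names: it turns on automatic plugin updates while excluding plugins that ship their own update mechanism, the incompatibility noted above. The exclusion list holds an assumed placeholder entry; replace it with the plugin basenames from your own site.

```php
<?php
/**
 * Plugin Name: Plugin Auto-Update Policy
 *
 * Added example, not code from the article. Save as
 * wp-content/mu-plugins/plugin-auto-update-policy.php (must-use plugins load
 * on every request and cannot be deactivated from the dashboard).
 */

// Plugins the core updater must leave alone because they update themselves.
// Entries are plugin basenames ("directory/main-file.php") as WordPress names
// them; the one below is an assumed placeholder, not a real plugin.
const MANUALLY_UPDATED_PLUGINS = [
    'example-self-updating-plugin/example-self-updating-plugin.php',
];

// WordPress asks this filter, per plugin, whether it may auto-update it.
// $item->plugin carries the basename, e.g. "akismet/akismet.php".
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->plugin) && in_array($item->plugin, MANUALLY_UPDATED_PLUGINS, true)) {
        return false; // leave these to their own update mechanism
    }
    return true;     // everything else: install updates as they appear
}, 10, 2);

// Keep WordPress core on the latest minor (security) release as well.
add_filter('allow_minor_auto_core_updates', '__return_true');

// Have the updater e-mail the site administrator with each plugin update result,
// so a failed or unexpected update does not go unnoticed.
add_filter('auto_plugin_update_send_email', '__return_true');
```

Automatic updates run from WP-Cron, so a low-traffic site should trigger wp-cron.php from a real system cron job; otherwise updates wait until the next visitor.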
2. Download plugins from reputable sources
When downloading your plugins in the first place, ensure that you’re always using a reputable source. WordPress includes thousands of popular plugins in its plugin directory, or you can find reputable third-party sites to shop from. For example, some of the most popular plugins like Yoast (one of the top WordPress SEO plugins) can be found on third-party sites (e.g. yoast.com).
If you’re unsure, it’s best to stick to big-name plugins like Yoast or Jetpack or stick to browsing on the official WordPress plugin directory. It’s harder for you to verify the trustworthiness of lesser-known third-party plugin directories, so it’s best to stay away.
3. Check plugin reviews
No matter where you’re getting your plugins, you should check the reviews every single time. This will reveal whether previous customers were satisfied with the performance and security of these plugins – if customers are complaining about security vulnerabilities, this is a giant red flag.
However, bear in mind that reviews may not always be trustworthy. Some complaints may be due to user error rather than a fault on the part of the plugin developers, or in some cases (and particularly with less reputable third-party sites), reviews and ratings could be faked. Don’t install a plugin if reviews seem to be fake and AI-generated. If in doubt, look elsewhere.
4. Check how often plugins are updated
Whilst you’re checking the reviews, it’s also a good idea to check the update history of your chosen WordPress plugin. It’s best to opt for plugins that are regularly reviewed and updated by their developers, as this means that potential security vulnerabilities are addressed before they can cause a major issue for customers. If a plugin hasn’t been updated for a long time and you can’t see any recent activity from the developers, we would recommend looking for an alternative plugin.
5. Install a WordPress security plugin
There are reputable WordPress plugins that scan for updates and implement site security measures for you. For example, plugins like Wordfence, Cerber Security and iThemes Security act as all-in-one firewalls, scanning for malware across all files and mitigating common security threats like brute force attacks. Plugins like Wordfence also enhance your security with two-factor authentication, which isn’t implemented on WordPress websites by default.
In addition to these all-encompassing security plugins, you can also install WordPress security plugins for specific tasks. For instance, Advanced Google reCAPTCHA and reCaptcha by BestWebSoft add CAPTCHA tests to your site, helping you resist bot-based cybersecurity threats like DDoS attacks.
6. Only install the plugins you really need
Although all of these security plugins are fantastic choices for your site, make sure you don’t start installing loads of plugins and losing track of what you have. Not only will this make it harder for you to manually check for updates, but consider that each plugin you install can be a potential security vulnerability for your website. Installing fewer plugins will mean there are fewer ways for hackers to potentially gain access to your data.
Of course, this doesn’t mean that installing plugins is a bad idea – they’re essential for truly customising your website and enhancing its functionality. However, it’s best to opt for plugins that combine multiple functions wherever possible. So, if you’re choosing between two WordPress security plugins and one offers more features, it may be better to choose this one if you would need to install extra plugins to fill in these gaps otherwise.
Fasthosts offers a range of cybersecurity tools such as auto-updates and malware scanning to prevent vulnerabilities being exploited on our WordPress Hosting plans. So, if you’re looking for a secure Web Hosting and WordPress Hosting provider you can trust, get in touch with us today to find out more.