Plugins are the biggest risk to your WordPress site’s cyber security. Plugins are custom-coded applications that you allow to run on your site. As a regular site owner with no coding skills, you probably can’t read the plugin’s backend code to look for vulnerabilities, so how do you know whether it poses a threat to your site’s security? While you can never be sure of a plugin’s security, you can take steps to check that it is well developed and maintained to a high standard. Here are a few items to review before you decide to install a plugin.

Check the Developer’s Website and Information

Each plugin has a description and a profile for the developer. Most professional WordPress plugin developers have a website that you can check out. It doesn’t ensure that the developer’s plugins are secure, but it shows that they are serious about having a professional appearance and that they put time and effort into their plugin business.

Any developer can upload to the WordPress plugin repository, but you want to use plugins created by professionals that take the time to ensure their code is safe and maintained regularly. You can get a sense of professionalism from the developer’s portfolio, profile, and website.

Does the Website Have a ToS and Privacy Policy?

Professional developers always have terms of service and a privacy policy posted to their site. Some countries require a ToS and privacy policy, so if a developer has pages dedicated to the legal requirements in their country, you know they are interested in staying up-to-date with the latest requirements.

For instance, the UK has a cookie policy that requires all developers to display a popup warning users that they use cookies on the website. The user must then agree to cookie storage before proceeding. Serious developers ensure that they follow this policy when they build their site and their plugins. If they are interested in following local laws, then they are likely responsible with cyber security too.

Does the Developer Have Contact Information on the Company Site?

If you have a serious problem, you need to contact the developer. You might find a bug or a critical cyber security issue with the plugin. The only way you can communicate with the developer is the contact information provided on the company website. Before you download a plugin and make it a part of your WordPress site, check the developer’s website for contact information.

Some developers cut down on phone calls by only providing an email address to contact them. Developers can streamline the bug report process by using a form submission, which is still acceptable. Just make sure there is some way to contact the developer in case you have a serious problem with the plugin.

Do a Google Search on the Plugin Name

To identify a good, long-term plugin that gets periodic maintenance and testing, do a Google search. Yoast, for example, is a favourite SEO plugin. Searching for the Yoast name will give you many results. Yoast is always updated and tested regularly. You will even find discussions of Yoast’s past vulnerabilities. When someone found a significant weakness a few years ago, several security blogs and Yoast’s developer discussed it publicly.

When a developer has thousands of installs, they make money off of the plugin in some way. This income gives them the incentive to maintain the code, test it after every WordPress upgrade, and regularly watch security blogs for any cyber security vulnerabilities.

Search the Plugin Name with the Term “Hacked”

When a plugin is found to have vulnerabilities, several security blogs will publish an alert. You can find these discussions by searching for the plugin name with terms such as “hacked” or “vulnerabilities”.

If a plugin is found to have a vulnerability, it doesn’t mean that you shouldn’t use it. As a plugin becomes popular, attackers focus on finding vulnerabilities in it. If they can find a vulnerability in a popular plugin, then they can gain access to many websites with just one script.

It’s not unusual for a plugin to have a vulnerability, but you should evaluate the speed at which the developer acknowledges it and works to fix the problem. A good developer should have a fix within a few days. You can still install a plugin that has previously had security issues as long as the developer treats the issue as a priority and has it resolved within a few days.
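The checks above (a developer website and profile, recent updates, testing against the current WordPress release, and a quick fix once a vulnerability is disclosed) can be applied to plugin metadata automatically. The example below is added here and is not from the original post; the field names follow the WordPress.org plugin information API, but the plugin record and the disclosure timeline are constructed, and the thresholds (180 days without an update, 7 days to fix) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample record (values are made up); the field names follow the
# WordPress.org plugin information API, but nothing here is fetched from the network.
SAMPLE_PLUGIN = {
    "slug": "example-seo-helper",
    "version": "3.4.1",
    "homepage": "https://example.com/seo-helper",
    "author_profile": "https://profiles.wordpress.org/example-dev/",
    "tested": "6.5",
    "last_updated": "2024-03-05 10:15am GMT",
}

# Constructed disclosure timeline for the same plugin (dates are made up).
SAMPLE_ADVISORY = {"disclosed": "2024-02-28", "fixed_in": "3.4.1",
                   "fix_released": "2024-03-05"}

def version_tuple(text):
    """Turn '6.5' or '3.4.1' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def _date(text):
    """Parse a 'YYYY-MM-DD' string as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_last_updated(value):
    """Parse the API's 'last_updated' format, e.g. '2024-03-05 10:15am GMT'."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p %Z").replace(tzinfo=timezone.utc)

def days_to_fix(advisory):
    """Days between public disclosure and the release that fixed it."""
    return (_date(advisory["fix_released"]) - _date(advisory["disclosed"])).days

def vet_plugin(info, advisory, today, current_wp="6.5", max_stale_days=180, max_fix_days=7):
    """Apply the checks from the text; returns a list of findings (empty = passed)."""
    findings = []
    for field in ("homepage", "author_profile"):  # developer website and profile
        if not info.get(field):
            findings.append(f"no {field} listed")
    stale = _date(today) - parse_last_updated(info["last_updated"])
    if stale > timedelta(days=max_stale_days):
        findings.append(f"not updated for {stale.days} days")
    if version_tuple(info["tested"]) < version_tuple(current_wp):
        findings.append(f"only tested up to WordPress {info['tested']}")
    if advisory:  # how quickly did the developer respond to a disclosure?
        fix_days = days_to_fix(advisory)
        if fix_days > max_fix_days:
            findings.append(f"vulnerability took {fix_days} days to fix")
        if version_tuple(info["version"]) < version_tuple(advisory["fixed_in"]):
            findings.append("installed version predates the fix")
    return findings
```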

What Can You Do to Protect Your Site?

If you carefully evaluate a plugin before you install it, you increase your chance of good protection from cyber security attacks.

By following the advice given above, you should be able to determine whether the plugin you are considering installing is secure. If you have any doubt, then you should not install it. There are so many plugins available that you will always be able to find one that performs the actions you need and meets the criteria laid out above.

If you’re not a WP Gurus client already, then check out our WordPress Maintenance & Support Plans: we make sure that your website is safe and secure, and provide recommendations, help, and support on which plugins you should use to meet your needs. That, combined with our 24/7 Security Monitoring, ensures that your website will never become vulnerable to hackers, malware, or plugins with security vulnerabilities.