Pedrera Blog

The Simple Guide to WordPress Security: Plugins - Part 2

March 23, 2016 by Matt Vona

(Part 1 - Securing the WordPress Core)

Plugins are a key part of WordPress and its community; however, they can also cause headaches and open security holes. Plugins were developed to extend the functionality of WordPress, but the issue is that anyone can write one, and anyone can push it to the WordPress plugin directory. While this gives WordPress a vast range of extra functions and features, it also introduces vulnerabilities that people can exploit if the plugin developers are not careful. Here are some tips on finding good plugins and keeping your WordPress site secure.

Choosing the Right Plugin

There are tens of thousands of plugins for WordPress, and among those thousands there are many duplicates. For instance, if you type "social share" into the WordPress Plugin Directory, you get over 1000 plugins spread across 34 pages, and the first one hasn't been updated in 5 years. The idea is to pick the best one. Here are a few ways to decide which one is best for you.

Check the Compatibility

This is the easiest check. Make sure the plugin is compatible with your version of WordPress (which should be the latest version, see part 1). Every plugin in the plugin directory has a 'Compatible up to' version number. Usually, if it is compatible within a version number or two, it is okay, as long as you have tested it on the development version of your site (development or 'dev' builds are important for feature testing and for trying out updates of themes and plugins, as well as adding new functionality). If it is not compatible with your version, you should look elsewhere. The problem with a plugin that is behind is that nobody knows when it will be updated.

When Was it Last Updated?

This is important. The plugin page also says when it was last updated. Generally, you want this date to be within the last few months, the sooner the better. Some developers update only when there is a major update to WordPress, and other developers even less often. You want to find a plugin author who is actively developing and working on the plugin, at least within the past few months. Staying up to date is important for your website. If there is an issue with the plugin and it isn't updated or hasn't been fixed, that issue could make your site more vulnerable to attacks.

Support Threads

Each plugin in the directory has a support forum that allows users to submit questions and report issues/bugs with the plugin. Another good way to tell whether the plugin author is keeping it current, and how well the plugin is performing, is to go to the support section in the plugin details. View the support forum, see how many issues there are, and check how many of them have been resolved within the last year or so. Well developed and maintained plugins will have a very active author.

Ratings & Comments

The rating system is slightly odd, because you can't just look at the star rating; you have to look at the rating data as a whole. You want a plugin with a high star rating and many ratings. One 5-star rating is worth a lot less than two thousand 4-star ratings. Combined with the number of active installs, this shows you how many people are using the plugin and how many of them like or dislike it. Another thing is to read the comments. Read the positive feedback, but especially the negative feedback. Sometimes users will report bugs and other issues there.
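The four checks above (compatibility, last update, support threads, ratings) can be applied mechanically to the metadata the plugin directory publishes. The script below is an added example, not code from the original post or from WordPress; it scores constructed plugin records whose field names follow the shape of the public api.wordpress.org plugin-information response (`tested`, `last_updated`, `rating` as a 0-100 percentage, `num_ratings`, `active_installs`, `support_threads`, `support_threads_resolved`). The thresholds, the site version and the sample plugins are assumptions chosen to match the checklist, not directory rules.

```python
"""Score WordPress plugin directory metadata against the plugin-selection checklist.

Added example. Record shape follows the api.wordpress.org plugin-information
response as assumed here; the sample records are constructed, not real plugins.
"""
from datetime import date

# Assumed site state: the WordPress version being run and 'today' (the post's date).
SITE_WP_VERSION = "4.4.2"
POST_DATE = date(2016, 3, 23)

# Thresholds are assumptions that encode the checklist, not WordPress.org policy.
MAX_MINOR_GAP = 2          # 'compatible within a version number or two'
MAX_STALE_DAYS = 180       # 'updated within the last few months'
MIN_RESOLVED_RATIO = 0.5   # at least half of the support threads resolved
MIN_RATING = 80            # directory ratings are 0-100, so 80 == 4 stars
MIN_NUM_RATINGS = 50       # a single 5-star rating says very little

# Constructed sample records (hypothetical slugs) covering the three outcomes.
SAMPLE_PLUGINS = {
    "example-share-buttons": {   # healthy: current, active author, many ratings
        "tested": "4.4.2", "last_updated": "2016-03-10 9:12am GMT",
        "rating": 92, "num_ratings": 2000, "active_installs": 100000,
        "support_threads": 40, "support_threads_resolved": 35,
    },
    "example-near-current": {    # one minor release behind: test on a dev site first
        "tested": "4.3", "last_updated": "2015-12-20 1:00pm GMT",
        "rating": 86, "num_ratings": 120, "active_installs": 8000,
        "support_threads": 20, "support_threads_resolved": 12,
    },
    "example-old-share": {       # abandoned: years stale, one 5-star rating
        "tested": "3.0.5", "last_updated": "2011-06-02 3:30pm GMT",
        "rating": 100, "num_ratings": 1, "active_installs": 300,
        "support_threads": 10, "support_threads_resolved": 1,
    },
}


def major_minor(version):
    """Reduce '4.4.2' to (4, 4); the 'tested' field is usually just major.minor."""
    parts = version.split(".")
    return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)


def compatibility(site_version, tested_version):
    """'ok' if tested at or above the site version, 'test-on-dev' if within
    MAX_MINOR_GAP minor releases on the same major, otherwise 'incompatible'."""
    site, tested = major_minor(site_version), major_minor(tested_version)
    if tested >= site:
        return "ok"
    if tested[0] == site[0] and site[1] - tested[1] <= MAX_MINOR_GAP:
        return "test-on-dev"
    return "incompatible"


def days_since_update(last_updated, today):
    """Only the leading YYYY-MM-DD of the directory string is used; the time and zone are ignored."""
    y, m, d = (int(x) for x in last_updated[:10].split("-"))
    return (today - date(y, m, d)).days


def evaluate_plugin(info, site_version=SITE_WP_VERSION, today=POST_DATE):
    """Return each checklist finding plus an overall verdict for one plugin record."""
    findings = {
        "compatibility": compatibility(site_version, info["tested"]),
        "stale": days_since_update(info["last_updated"], today) > MAX_STALE_DAYS,
    }
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    # With no threads at all there is nothing to judge, so do not penalise the plugin.
    findings["support_ok"] = threads == 0 or resolved / threads >= MIN_RESOLVED_RATIO
    findings["rating_ok"] = (info["rating"] >= MIN_RATING
                             and info["num_ratings"] >= MIN_NUM_RATINGS)
    findings["verdict"] = (
        findings["compatibility"] != "incompatible"
        and not findings["stale"]
        and findings["support_ok"]
        and findings["rating_ok"]
    )
    return findings


def evaluate_all(plugins=SAMPLE_PLUGINS):
    """Map each slug to its overall verdict."""
    return {slug: evaluate_plugin(info)["verdict"] for slug, info in plugins.items()}


if __name__ == "__main__":
    for slug, info in SAMPLE_PLUGINS.items():
        print(slug, evaluate_plugin(info))
```

A "test-on-dev" compatibility result is deliberately not a failure: it is exactly the "within a number or two" case the post describes, and the decision belongs to the test on your development site, not to the script.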

It's Not Enough

Sometimes it's just not enough. The best possible advice is to just try the plugin out. Always do this on a staging or development version of your site. See how it performs and works. Hacks and exploits happen all the time, and we never know when one will happen. The best thing you can do is to keep your plugins and your WordPress version on the latest release at all times, which will certainly help in the long run.

Part 3: Using the htaccess File for Added Security

Continue to part 3 where I go into using htaccess to protect your WordPress site.
