Monday, April 20, 2020

Stay Safe! WordPress Plugin Vulnerabilities, and How to Avoid Them

Are you worried about WordPress plugin vulnerabilities sinking your site? A 2016 survey of hacked website owners by Wordfence found that 55.9% of WordPress websites (whose owners determined the hacker's point of entry) were compromised due to plugin vulnerabilities. And that makes sense! While WordPress core may be secure, plugins add a wildcard that WordPress core can't always account for.

One of the reasons WordPress is so popular is the freedom it gives users to add any number of functions with the help of plugins. Users get to choose from close to 50,000 plugins available for free in the WordPress plugin repository. And that's not even counting the many third-party free and premium plugins.

Scan for WordPress plugin vulnerabilities

The WPScan Vulnerability Database is a good place to check whether a plugin is a security threat. The service lists plugins and their known vulnerabilities. You can look up a plugin by name or browse all plugin vulnerabilities alphabetically. If you find a plugin you use in the list, first check the plugin's listing page for an update. If there's no update that patches the vulnerability, delete the plugin for the time being if at all possible.

Another way to catch these threats in time is to subscribe to a paid service like the aptly named Plugin Vulnerabilities. You'll gain access to always up-to-date data, as these services continuously monitor security threats and hacking attempts. If you're using a plugin that is at risk, you'll receive an email alert about it. Because you get the notification, you're much more likely to be able to act quickly.

You can also detect these threats by running a scan on your website from time to time. A plugin like Plugin Vulnerabilities will not only scan all your installed plugins, it'll also notify you of the more common security issues. For threats that surface later, you can opt to receive alerts.
New threats crop up almost daily as hackers try to target WordPress websites. For that reason, it's important that you check for vulnerabilities frequently (or have a service do it for you).

Choose the right plugins

No plugin is 100% safe. But you can significantly reduce WordPress plugin vulnerabilities by learning to assess and select quality plugins before installing them. Pick plugins only from reputed marketplaces like CodeCanyon, the WordPress Plugin repository, or third-party stores that you trust. The WordPress repository vets each plugin before it's available to the public, and CodeCanyon also has its own review system in place.

So, what should you check to figure out whether a plugin is good to install? Start with:

- Average user ratings.
- User reviews.
- Updates and compatibility.
- Active installations.
- Support and documentation.

We've covered analyzing these points in our earlier post, so I'll skip discussing them in detail here. But keep these factors in mind before adding a plugin to your website:

- If you have the server resources to support them, you can install as many plugins as you want. What's important is that the plugins are coded well. That said, one badly coded plugin can bring the website down.
- An active changelog section indicates that the author is supporting the plugin and is responsive to the needs of users. On the other hand, only a few entries in this section may simply mean that the plugin needs no changes or updates.
- There are hundreds of excellent free WordPress plugins. But keep in mind that premium plugins often have more responsive support and are kept up to date with the latest WordPress versions.
- It's good practice to install plugins on a need-only basis.

Update plugins (and everything else) regularly

One of the most popular attack vectors for hackers is an out-of-date WordPress plugin.
A Sucuri analysis found that three popular out-of-date plugins were the cause of 18% of the hacked WordPress sites they looked at in Q3 2016. (Chart by Visualizer Lite.) In case you're wondering, those are RevSlider, Gravity Forms and TimThumb. It's important to note that the plugin developers patched the vulnerabilities quickly, but enough people didn't update their plugins that the issue still led to a number of hacked sites.

Here's the important takeaway: even if you choose the right plugins to start with, if you don't keep those plugins updated, you're still at risk.

So how can you ensure your plugins are always updated? One way is to look for the update icon in your WordPress dashboard (pictured above). Another way is to enable automatic updates. To enable automatic updates for all or some of your plugins, you can use a free plugin called Easy Updates Manager. Additionally, for plugins that you purchase from CodeCanyon, try the free Envato Market plugin to help you update those plugins automatically.

Delete unwanted plugins

Another good way to stay safe is to delete inactive plugins that you no longer plan to use. While inactive plugins do not consume RAM, bandwidth or PHP, they do take up server space, and if present in large numbers they can slow down your site. But the main reason you shouldn't keep inactive plugins around is that they can be used to run malicious code on your website.

Summing things up
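The three checks the post recommends (match installed plugins against a known-vulnerability list, spot out-of-date versions, and flag inactive plugins for deletion) can be run as one routine audit. The Python script below is an added example, not code from the original post or from any of the services it names. Every plugin slug (the example-* names), version, advisory and "latest release" entry in it is constructed for illustration. The comments assume that, in a real setup, the inventory would come from WP-CLI's `wp plugin list --format=json` and the advisories from a feed such as the WPScan database discussed above; that wiring is an assumption, not something the post describes.

```python
"""Audit installed WordPress plugins for known vulnerabilities, missing
updates and inactive status.

Added example (not from the original post). All plugin slugs, versions,
advisories and latest-release entries below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1', '8.1.0' or '4.6+' into a comparable tuple, padded to
    three components so that '8.1' compares equal to '8.1.0' instead of
    sorting before it."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class Plugin:
    slug: str
    version: str
    active: bool


@dataclass
class Advisory:
    slug: str
    title: str
    fixed_in: Optional[str]  # None: no patched release exists yet


# Constructed inventory; a real one could come from `wp plugin list --format=json`.
INVENTORY: List[Plugin] = [
    Plugin("example-forms", "2.4.1", active=True),
    Plugin("example-slider", "3.0.0", active=True),
    Plugin("example-gallery", "1.5.0", active=False),
    Plugin("example-cache", "1.2", active=True),
]

# Constructed advisories in the shape of a vulnerability-database entry.
ADVISORIES: List[Advisory] = [
    Advisory("example-forms", "input validation flaw in settings", fixed_in="2.4.2"),
    Advisory("example-slider", "unrestricted file upload", fixed_in=None),
    Advisory("example-cache", "path traversal", fixed_in="1.2"),
]

# Constructed latest-release table, as a plugin repository would publish it.
LATEST: Dict[str, str] = {
    "example-forms": "2.4.2",
    "example-slider": "3.0.0",
    "example-gallery": "1.5.0",
    "example-cache": "1.2",
}


def affected(plugin: Plugin, advisory: Advisory) -> bool:
    """True if the installed version is inside the advisory's affected range."""
    if plugin.slug != advisory.slug:
        return False
    if advisory.fixed_in is None:
        return True  # every version is affected until a fix ships
    return parse_version(plugin.version) < parse_version(advisory.fixed_in)


def audit(inventory: List[Plugin], advisories: List[Advisory],
          latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (slug, finding, detail) triples. Finding kinds:
    'vulnerable' - a known issue affects the installed version
    'outdated'   - a newer release exists
    'inactive'   - installed but not active; candidate for deletion"""
    findings: List[Tuple[str, str, str]] = []
    for plugin in inventory:
        for advisory in advisories:
            if affected(plugin, advisory):
                action = (f"update to {advisory.fixed_in}" if advisory.fixed_in
                          else "no fix available; remove the plugin for now")
                findings.append((plugin.slug, "vulnerable",
                                 f"{advisory.title}: {action}"))
        newest = latest.get(plugin.slug)
        if newest and parse_version(plugin.version) < parse_version(newest):
            findings.append((plugin.slug, "outdated", f"{plugin.version} -> {newest}"))
        if not plugin.active:
            findings.append((plugin.slug, "inactive", "delete it if no longer needed"))
    return findings


if __name__ == "__main__":
    for slug, kind, detail in audit(INVENTORY, ADVISORIES, LATEST):
        print(f"{slug:16} {kind:10} {detail}")
```

Run as a scheduled job, the script reduces the post's "check frequently" advice to a short report: a plugin whose advisory has no `fixed_in` gets the same "remove it for now" verdict the post gives, and the version padding matters because repositories and advisories do not always write versions with the same number of components.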