How can plugins compromise WordPress security?
Posted September 19, 2021 by Lee
WordPress plugins are software add-ons that let you add features to your WordPress website without writing any code. There are thousands to choose from, whether you need a contact form or analytics. Plugins can enhance your website in many ways; however, they can also pose a security risk.
How can plugins compromise WordPress security?
Cybercriminals and hackers have plenty of tricks for exploiting WordPress plugins. They look for vulnerabilities in plugins and use them to attack your site. Compromised plugins are used to display bogus ads in an attempt to infect your website with malware (a technique known as malvertising), and in some cases to hijack websites completely.
WordPress plugin hacks are becoming far more common, so WordPress users must strengthen their security defences. Data shows that ‘90% of WordPress vulnerabilities are related to plugins or themes’ (Patchstack, 2021).
According to PortSwigger, multiple vulnerabilities were discovered in the popular plugin ‘ProfilePress’, which allows users to upload profile images to their WordPress sites. The flaws made it possible for hackers to upload malicious code and ultimately hijack the affected site.
In June 2021, Wordfence discovered that the ‘Fancy Product Designer’ plugin had a similar flaw. The Hacker News reported that the plugin was being exploited to upload malware, with an estimated 17,000 websites potentially affected (Hacker News, 2021). New plugin vulnerabilities are exposed every day, affecting WordPress users across the globe.
To protect the integrity of your website, you’ll need to ensure that all your WordPress plugins are secure. There are many ways that you can do this:
1. Check for WordPress plugin vulnerabilities
To keep your WordPress plugins secure, check them for known security vulnerabilities. You can do this with the ‘WPScan Vulnerability Database’: search for each of your plugins and review any vulnerabilities listed. If one of your plugins is vulnerable, update it. Sometimes no fixed version will be available yet; in that case it’s best to remove the plugin temporarily.
Another way to check for WordPress plugin threats is to scan your website. A full scan can inform you of security issues overall, as well as plugin vulnerabilities.
2. Only choose vetted plugins
There are over 58,000 WordPress plugins to choose from, yet not all of them are vetted for security issues. To ensure that your plugins are secure, install plugins from the official WordPress plugin directory only. These plugins have been vetted and are the safest WordPress plugins available. Using vetted plugins only is the easiest way to avoid plugin security issues.
Perhaps you’ve found a plugin you want to install, but it isn’t in the directory. Be more cautious with such plugins and do your research: look at the company website, the user ratings and the reviews, and find out about active installations, documentation and update history.
The WordPress plugin directory is considered the most reputable site to find safe plugins. When you’re researching a plugin from elsewhere, consider the following:
- Locate the developer: Search the Internet for the plugin’s developer. If you can’t find a legitimate website, it’s best to stay away from the plugin.
- Check CodeCanyon: This is one of the leading marketplaces for WordPress plugins. CodeCanyon also vets its plugins to ensure user safety.
- Check the popularity: When you’re searching for a third-party plugin, consider how popular it is. A plugin that has been around for a while but has few downloads could be a red flag.
- Compatibility: Ensure that the plugin is compatible with the latest WordPress release. If it is only compatible with older versions, you may want to steer clear.
3. Always update your plugins
To protect yourself from hackers, update your plugins regularly; cybercriminals can easily exploit plugins that are out of date. The easiest approach is to turn on auto-updates: in the admin area, go to ‘Plugins > Installed Plugins’, where you’ll find a complete list of your plugins, and click ‘Enable auto-updates’ for each one.
Ensure that you are also running the latest version of WordPress and that all your themes are up to date. Using outdated software poses a security threat to your data and your devices.
4. Remove plugins you are not using
If you have plugins that you do not use, it’s best to delete them. Inactive plugins pose a security risk and are easily taken over by cybercriminals. A large number of unused plugins can also slow down your WordPress site, and slow-loading sites mean higher bounce rates and fewer conversions. To check your site speed, you can use Google PageSpeed Insights.
Removing unused plugins is easy: navigate to the ‘Plugins’ section of your dashboard, find the plugin you wish to remove and click ‘Deactivate’. The ‘Delete’ link then appears; click it to uninstall the plugin.
5. Use a web application firewall
A web application firewall (WAF) is software that keeps your web apps secure by tracking and filtering traffic between the Internet and your web apps. A WAF protects your apps from all sorts of web attacks, such as file inclusion and cross-site request forgery. Using a WAF is a great way to avoid plugin security issues. You can implement one through a cloud-based provider or a hosted provider.
6. Avoid installing a large number of plugins
Some WordPress users end up with a large number of plugins that they don’t need. To keep your site secure, consider putting a limit on the number of plugins you use: the more plugins you have, the more likely you are to run into a security issue with at least one of them.
7. Remove abandoned plugins
Abandoned plugins can be a security risk, but what exactly are they? Abandoned plugins are those that haven’t been updated for two years or more. That means there have been no recent code changes, bug fixes or enhancements, and it could also mean that potential vulnerabilities have not been corrected.
Abandoned plugins are incredibly easy for hackers to take advantage of. To find any abandoned plugins, check each plugin’s page in the WordPress plugin directory, where you should be able to see whether it is categorised as abandoned. It’s worth noting that a plugin being abandoned doesn’t necessarily mean its code is flawed; however, even if there’s no issue now, there’s a chance that problems will appear later down the line.
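As an added example (not the article’s own code), the following Python script pulls the checks from the sections above into one plugin audit: it compares an inventory of installed plugins against plugin-directory metadata and a vulnerability list, flagging plugins that are vulnerable, out of date, untested against the current WordPress release, or abandoned under the article’s two-year rule. The plugin names, versions, dates and advisories are all constructed for the example; in practice the metadata would come from the WordPress plugin directory and a feed such as the WPScan Vulnerability Database, and the assumed current release of 5.8 matches the article’s date.

```python
from datetime import date

# Constructed sample data (hypothetical plugins, versions and advisories, not real ones).
INSTALLED = {"image-uploader": "1.2.3", "old-gallery": "0.9", "form-tool": "3.1.0"}
DIRECTORY = {  # what the plugin directory would report for each slug
    "image-uploader": {"latest": "1.2.4", "last_updated": date(2021, 9, 1), "tested": "5.8"},
    "old-gallery": {"latest": "0.9", "last_updated": date(2018, 3, 14), "tested": "4.9"},
    "form-tool": {"latest": "3.1.0", "last_updated": date(2021, 8, 20), "tested": "5.8"},
}
ADVISORIES = [  # versions below fixed_in are affected; fixed_in None means no patch exists
    {"slug": "image-uploader", "fixed_in": "1.2.4", "title": "arbitrary file upload"},
    {"slug": "old-gallery", "fixed_in": None, "title": "stored XSS"},
]
TODAY = date(2021, 9, 19)          # the article's publication date
CURRENT_WP = "5.8"                 # assumed current WordPress release on that date
ABANDONED_AFTER_DAYS = 2 * 365     # the article's two-year rule

def vtuple(version):
    """'1.10.2' -> (1, 10, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def audit(installed, directory, advisories, today=TODAY, current_wp=CURRENT_WP):
    """Return {slug: [findings]} for plugins that need action; clean plugins are omitted."""
    findings = {}
    for slug, version in installed.items():
        issues = []
        for adv in (a for a in advisories if a["slug"] == slug):
            if adv["fixed_in"] is None:
                issues.append(f"vulnerable ({adv['title']}), no fix released: remove the plugin")
            elif vtuple(version) < vtuple(adv["fixed_in"]):
                issues.append(f"vulnerable ({adv['title']}): update to {adv['fixed_in']}")
        meta = directory.get(slug)
        if meta is None:
            issues.append("not listed in the plugin directory: verify the developer")
        else:
            if vtuple(version) < vtuple(meta["latest"]):
                issues.append(f"outdated: {version} installed, {meta['latest']} available")
            if (today - meta["last_updated"]).days > ABANDONED_AFTER_DAYS:
                issues.append("abandoned: no update in over two years")
            if vtuple(meta["tested"]) < vtuple(current_wp):
                issues.append(f"not tested with WordPress {current_wp}")
        if issues:
            findings[slug] = issues
    return findings

if __name__ == "__main__":
    for slug, issues in audit(INSTALLED, DIRECTORY, ADVISORIES).items():
        print(slug, *issues, sep="\n  ")
```

With the sample data, ‘image-uploader’ is reported as vulnerable and outdated, ‘old-gallery’ as unfixable, abandoned and untested with the current release, and ‘form-tool’ is not reported at all.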
Plugins aren’t the only security issue to worry about on WordPress. Site owners should also pay attention to the following areas:
1. Login issues
WordPress sites are vulnerable to unauthorised logins carried out by brute force. In a brute-force attack, a criminal uses a bot to try billions of username and password combinations until one works, at which point the attacker can log in and access private information.
To protect your site you’ll need a complex password. To help you manage multiple passwords, try a password manager; the best thing about password management software is that you only need to remember one password.
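Alongside strong passwords, a site owner can spot brute-force attempts in the web server logs. The following is an added example, not code from the article: a small Python detector that reads access-log lines and flags source addresses making repeated failed login attempts against wp-login.php or xmlrpc.php within a short window. The log lines are constructed for the example; the status-code assumption (a failed wp-login.php POST re-renders the form with a 200, a successful one answers with a 302 redirect) reflects WordPress’s default behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in the common log format (not from a real server).
# A failed wp-login.php POST re-renders the form with status 200, while a
# successful one redirects (302), so the 200 responses are the failed attempts.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
203.0.113.7 - - [19/Sep/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
203.0.113.7 - - [19/Sep/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
203.0.113.7 - - [19/Sep/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [19/Sep/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
198.51.100.4 - - [19/Sep/2021:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3102
198.51.100.4 - - [19/Sep/2021:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
198.51.100.4 - - [19/Sep/2021:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [19/Sep/2021:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3102
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # xmlrpc.php also accepts credentials

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def brute_force_sources(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for IPs with >= threshold failed logins inside one window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running brute_force_sources(SAMPLE_LOG) flags 203.0.113.7 (six failures, five of them within seconds) and leaves 198.51.100.4, which failed once and then logged in, alone.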
2. SQL Injections
Structured Query Language (SQL) is the programming language used to access the data stored in a website’s database. WordPress uses SQL for its database management, but hackers can also use SQL to compromise your site. With a SQL injection, a cybercriminal can view and change your site’s database: they might erase data, edit content, or insert malicious links.
To protect yourself from SQL injection, set rules for your form submissions. Limit the number of special characters that site visitors can submit in forms; doing so will prevent rogue users from submitting malicious code.
3. DoS Attacks
Denial-of-service (DoS) attacks are used to block visitors and site administrators from accessing a site. Cybercriminals do this by sending a huge amount of traffic to a server until it crashes. To defend against a DoS attack, ensure that you invest in a reliable WordPress hosting service.
Plugins can add a range of handy features to your site, but you must keep them secure. Focus on vetted plugins from the WordPress directory and approach non-vetted plugins with caution. Maintain your site by removing plugins you do not use or that have been abandoned by their developers. Implement strong security measures not just for your plugins but for your website overall.
About The Author
Lee is a Website Developer at Unlimited Web Hosting UK Limited.