WordPress Plugin Security Risks

By Henry Bagdasarian

The WordPress plugin security risks are many and affect millions of websites that use the WorPress program which is an open source website creation tool that makes it very easy for website owners to blog and manage website content. Let's be clear that WordPress is used by many prominent companies to manage their websites like BBC America, Sony Music, The New Yorker, and many more. Plugins are an integral part of WordPress that website owners install to add functionality, security, make design changes, and much more. Without plugins, WordPress websites will not function.

The heightened WordPress plugin security risks arise from the fact that WordPress plugins are often created and maintained by single individuals or small companies which may not have adequate and formal processes to stay on top of the WordPress plugin security risks in order to update the plugin code and prevent any potential security compromise resulting from plugin vulnerability. In fact, many plugins are abandoned by their owners because they don’t make money. Some plugins are paid and others are free which require paid add-ons if additional functionality is desired. The primary purpose of the WordPress plugins for their developers is selling downloads and making money, but when the cash flow slows down or worse disappears, the incentive to maintain the plugin also disappears. Therefore, plugin users must be selective and willing to replace their plugin applications quickly when the risk of using one plugin rises due to its less than motivated developers.  

Another risk is that WordPress website owners may not have technical support to stay on top of plugins and update the program on a timely basis. Best practices dictate that when a plugin security vulnerability is identified, plugin developers must update the code to improve security, however, after this is properly done and tested , website owners must immediately apply the patches to prevent a website hack. This is especially important if the websites include databases with sensitive data such as customer information facing the Internet.

Speaking of plugin testing, this is another risk that plugin developers and website owners may overlook. If a plugin is not properly and fully tested before it is deployed to website owners, many issues can arise. Sometimes, an updated plugin may change the configuration settings or change the design of the website. This can cause huge disruption in business operations as companies must detect the effect of the plugin update and then wait for the plugin developer to release a new update to fix the issues. For well established websites and companies, this can be translated to millions of dollars. Also, a plugins purpose must be considered when assessing the security risks. Some plugins affect user accounts, logging and other security mechanisms which must be selected and considered very carefully as any untested update can affect the security of the website or prevent log-in.

Therefore, website owners must select well established WordPress plugins and continuously monitor for new updates to be applied. Usually, it’s better if technical staff are engaged to update the plugins so that they can monitor any potential changes to the website’s look and feel or other changes which might negatively affect the websites traffic and ultimately business operations such as when the websites become unavailable or related online forms or other features become inoperable.

WordPress Plugin Security Risks Solutions

Once you carefully select the plugin that you need installed and used, make sure you download it from the Plugin Directory because these plugins are better researched and discussed by the community. Below is a summary of basic actions to mitigate WordPress plugin security risks:

  • Use as few plugins as possible
  • Research the trustworthiness of the author
  • Confirm that the plugin is actively supported/developed
  • Pay close attention to your site performance when plugins are added
  • Actively monitor and keep your plugins up-to-date
  • Monitor website performance after an update is installed
  • Keep frequent backups of your site in case of a disaster

Training and certification is a big part of the solution to mitigate WordPress Plugin security risks.  

Identity Management Certifications

Identity Theft Courses