If you have a WordPress website, you will no doubt have already discovered the world of WordPress plugins. They’re great. However, one of the biggest issues with a WordPress site is figuring out how to know if a WordPress plugin is safe to install. After all, a bad plugin can totally screw up your site in a few clicks.
It’s common for new WordPress users to go nuts installing plugins to do all sorts of things on their website. There is, quite literally, a plugin for everything on WordPress. Unfortunately, every plugin you add is more third-party code running on your site, so the more plugins your website has, the larger its attack surface. This is why it’s essential you make sure a plugin is safe before you install it on your website.
Why are WordPress websites vulnerable?
WordPress websites can be vulnerable to hackers because the core, themes and plugins all need regular updates; an install that falls behind keeps running code with publicly known flaws.
WordPress.org is an open-source platform, which means the original files that every WordPress website is built from are available for anyone to see.
This is great, because it means developers all over the world can work on improving WordPress and it’s why we have so many amazing plugins to extend the functionality of our sites.
The downside of this is that hackers also have an understanding of what’s going on behind the scenes of every WordPress website.
With this knowledge, hackers can detect vulnerable plugins they can use to hack WordPress websites.
How can a WordPress plugin become vulnerable?
You have probably already noticed that when you log in to your WordPress site, you will usually have one or two plugins that need updating.
WordPress regularly updates the platform itself too. These releases typically patch vulnerabilities the developers have found, alongside other core changes that improve the platform.
At this stage, it’s important to note that WordPress plugins are often created by different developers from those who maintain WordPress itself.
So once a WordPress update has rolled out, it is up to the plugin developers to update their plugins so they remain compatible with the latest version of WordPress and to fix any vulnerabilities in the plugin files.
If they don’t, this can leave the WordPress website open to hackers who understand the file structure of a WordPress website and know where to look for gaps left by an out-of-date or poorly coded plugin.
How to keep your WordPress plugins secure from vulnerabilities
The most important thing to do to ensure your WordPress plugins are safe is to keep them up to date.
Provided you follow the next steps when initially installing plugins on your website, all you should need to do afterwards is keep them up to date to avoid known vulnerabilities.
How to know if a WordPress plugin is safe
There are many ways you can check if a WordPress plugin is safe. Ideally, you should use all of these methods to decide whether or not to install a plugin on your website, and if you can’t be sure that a plugin ticks all of these boxes, I wouldn’t install it if I were you!
The WordPress.org plugin directory lists thousands of free plugins, and each plugin’s directory page gives a tremendous amount of insight into how it performs and how well it is maintained.
That overview will usually tell you everything you need to know.
Let’s break down everything you can learn from it.
Plugin reviews
I don’t recommend installing any plugin on your website with under 300 reviews. Depending on the type of plugin you are installing, you may even want to raise this minimum to 1000 reviews. The best way to judge this is to look at the number of downloads, the star rating and the number of reviews together.
If your plugin is fairly niche, only has 30K installs, has a 5-star rating and only 300 reviews, I’d say these are pretty good odds.
However, if the plugin has 100K installs, a 4-star rating and only 300 reviews, I would be looking for a different plugin.
Star rating
If a plugin has under a 4-star rating, you will probably find it won’t do everything it says it does anyway. This is all anecdotal, of course, but I’ve rarely found a plugin with 3 stars that does what it promises. For that reason, you can assume it won’t be kept up to date by the plugin developer as they aren’t even maintaining it enough to work for its users.
Active Installs
Active installs are a great way to determine whether a plugin is a good fit for what you need and whether it’s kept up to date. Plugins with 100K+ active installs tend to be regularly updated by a team of developers, usually have a paid option, and therefore keep up with WordPress updates to protect their reputation and the sales of that paid option.
Final Check: Support Forum
Once a plugin has passed all three of my initial quality control checks, I will swing by the Support Forum linked on the plugin page.
The support forum will give you insight into the most recent issues with the plugin and how quickly the plugin team responds to them.
It’s not a problem if users have issues, provided the support team is responsive in helping them resolve them.
If you notice many threads left unanswered or saying the plugin is not working for them, this is a huge red flag that the developers are not maintaining or supporting the plugin.
With that in mind, it’s not worth risking your WordPress website by installing it.
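To make the checks above repeatable (and to re-run them over plugins you already have installed, as the next section suggests), here is an added example, not code from this post: a Python function that encodes the post’s thresholds over records in the shape of the WordPress.org plugin-information API response. The field names, the sample plugin records, the review date and the one-year staleness limit are all assumptions for this example.

```python
from datetime import date, datetime

# Constructed sample records in the shape of the WordPress.org plugin-information
# API response (assumed field names: rating is a 0-100 percentage, num_ratings,
# active_installs, last_updated, tested). Slugs and values are made up.
SAMPLE_PLUGINS = [
    {"slug": "niche-gallery", "rating": 100, "num_ratings": 300,
     "active_installs": 30000, "last_updated": "2024-05-01 9:10am GMT", "tested": "6.5"},
    {"slug": "popular-slider", "rating": 80, "num_ratings": 300,
     "active_installs": 100000, "last_updated": "2024-04-20 1:00pm GMT", "tested": "6.5"},
    {"slug": "abandoned-forms", "rating": 60, "num_ratings": 1200,
     "active_installs": 200000, "last_updated": "2021-02-11 3:30pm GMT", "tested": "5.6"},
]
REVIEW_DATE = date(2024, 6, 1)   # assumed "today" for the example
CURRENT_WP = "6.5"               # assumed current WordPress release


def _major_minor(version):
    """Compare WordPress versions on major.minor only ('6.5.2' -> (6, 5))."""
    return tuple(int(p) for p in version.split(".")[:2])


def vet_plugin(info, today, current_wp, max_age_days=365):
    """Return the reasons a plugin fails the checks; an empty list means it passes.

    Thresholds follow the post: at least 300 reviews (1000 once a plugin has
    100K+ installs), at least 4 stars, and evidence the developer keeps up with
    WordPress releases. The 365-day staleness limit is an assumed default.
    """
    reasons = []
    stars = info["rating"] / 20  # the API reports rating as a 0-100 percentage
    min_reviews = 1000 if info["active_installs"] >= 100_000 else 300
    if info["num_ratings"] < min_reviews:
        reasons.append("too-few-reviews")
    if stars < 4:
        reasons.append("low-rating")
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    if (today - updated).days > max_age_days:
        reasons.append("stale-update")
    if _major_minor(info["tested"]) < _major_minor(current_wp):
        reasons.append("untested-on-current-wp")
    return reasons


def vet_all(plugins, today, current_wp):
    """Map each plugin slug to its failure reasons (empty list = worth considering)."""
    return {p["slug"]: vet_plugin(p, today, current_wp) for p in plugins}


if __name__ == "__main__":
    for slug, reasons in vet_all(SAMPLE_PLUGINS, REVIEW_DATE, CURRENT_WP).items():
        print(f"{slug}: {'OK' if not reasons else ', '.join(reasons)}")
```

The support-forum check still has to be done by hand; this only automates the numeric signals so that a plugin failing them never reaches that step.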
What to do if you’re using a vulnerable plugin
You may be reviewing all your existing plugins and realising that some of them don’t meet the criteria listed above for a safe plugin.
If that is the case, removing the plugin is the simplest thing to do.
Some plugins are “nice to have” features that you don’t necessarily need, in which case I would advise ditching the feature in favour of a safe WordPress website.
If the plugin is essential to the functionality of your website, then you should look for a replacement that passes the checks outlined above and fulfils the same need.
As the WordPress plugin database is so large, there will likely be a safe and working version of what you need.
However, if there isn’t, you may need to look for a paid plugin option which is more likely to have on-hand support should you run into any issues or vulnerabilities.
After all, it’s better to be safe than sorry!