How to choose WordPress plugins for better website security | Storm Internet

WordPress powers 43% of all websites. The popular open-source CMS can be extended with plugins, which are files containing code executed when visitors browse your website. But plugins also increase the attack surface of a website. To reduce the risk of a breach, a plugin selection strategy can be useful.

How secure is WordPress?

Given the popularity of WordPress – with 500+ new WordPress websites built every day – it is one of the most targeted content management systems on the internet. In 2020 Wordfence blocked more than 90 billion malicious login attempts, with that number dropping a few points to 86 billion in 2021. Those are just the WordPress websites that have the Wordfence plugin installed and activated.

According to the iThemes WordPress Vulnerability Report, reported WordPress core vulnerabilities totalled only 0.05% of all WordPress-related vulnerabilities in 2021. That’s a total of eight, all of which were swiftly patched. So we can assume that the WordPress core is secure.

But when we consider themes and plugins, things are less rosy. WordPress themes accounted for 2.4% of WordPress-related vulnerabilities, while plugins worryingly made up the remainder at 97.1%.

This emphasises the importance of a plugin selection strategy that can minimise the risk of a breach. And just in case you think your site is too small to attract the attention of hackers, think again.

“Smaller companies are easier to hack,” said Clay Calvert, then director of security at MetroStar Systems, in this New York Times article. “They don’t have the resources to set up protective barriers.”

Choosing WordPress plugins

Unfortunately, there’s no universally-accepted method of choosing plugins that’ll protect against breaches. The only thing you can do is to minimise the risk. While there are different takes on the matter, the points below are those I’ve found to prove reliable over the years.

Keep your plugin footprint small

The more active plugins on your WordPress website, the greater the risk. Each plugin presents a potential entry point into your WordPress website, which is why keeping your plugin footprint small can minimise your site’s attack surface.

Minimising your plugin footprint starts with a needs assessment to determine which plugins actively contribute to your website’s functionality or the visitor experience, and which of those are simply nice-to-haves that don’t deliver any actual value.

The idea here is to eliminate the non-essentials, as well as plugins that provide functionality that can easily be achieved with a little HTML or CSS tinkering, or that are already built into the theme or page builder plugin.

Download from reputable sources

There is no shortage of websites on the internet where WordPress plugins can be downloaded. The WordPress plugin repository is among the most well-known and provides almost sixty thousand free plugins. These plugins have to comply with the WordPress plugin guidelines or face removal.

Similarly, plugins purchased through sites like CodeCanyon have to adhere to a lengthy set of requirements to be eligible for publication. Since these are paid-for plugins, most plugin authors work hard to deliver products that are safe to use.

But there are times when you need a plugin that can’t be found in the WordPress plugin repository, or that’s above your current budget on sites like CodeCanyon, which is when you turn to Google. We’ve all gone rogue at some point, and it’s not inherently a bad move. But it deserves some extra attention:

• Buy directly from the plugin vendor or an accredited affiliate.
• Be wary of sites offering popular plugins at prices well below or above the vendor’s asking price
• Always check independent vendor and plugin reviews before making a purchase
• Avoid nulled plugins (and themes). These are generally not supported anymore and may contain malicious code

If you stay within the confines of popular repositories and vendor websites (which you have researched), chances are that you’ll find a plugin that does what you want it to do, with minimal risk.

Choose plugins that are actively updated and supported

A changelog is a record of all changes made to a plugin, a theme, or any other project. It lists the plugin version, the date on which the version was released, and changes associated with that version.

A changelog with regular updates (at least once every 3 to 6 months) is important for several reasons:

• It shows that the plugin vendor / developer is committed to the project, which in turn means that you can expect updates for the foreseeable future
• The plugin is likely to remain compatible with current and future WordPress releases
• It’s an indication that the vendor / developer actively addresses bugs and / or security concerns

At the opposite end of the spectrum, where there are seldom updates to the changelog, you’ll find that:

• The plugin vendor / developer has all but abandoned the project
• The plugin becomes increasingly incompatible with newer WordPress versions, which can break your site, cause functionality problems, or cause conflicts with other plugins
• Unpatched vulnerabilities will leave your site exposed to attacks

Actively supported plugins typically have more active installations than unsupported plugins.

Avoid bloated plugins

From our computers and phones to the plugins we choose, the more features the better. They make us feel as if we’ve struck a bargain that should probably cost a penny or at least more than we paid. But, generally speaking, there are two types of feature-heavy plugins:

1. Features added over some time to enhance the overall purpose of the plugin
2. Features added to boost sales

Which one do you think is the better choice?

The risk with any feature-heavy plugin is the amount of code: more features require more code, and more code increases the potential for security oversights. This doesn’t mean you should only opt for single-feature plugins since that can increase your plugin footprint.

The other problem with plugin bloat is that it becomes difficult to manage the code base as the plugin grows.

“When the plugin has so many users that it becomes impossible to improve (refactor) the code. Because even if you had the experience, time, budget, and personnel to do it…you still CAN’T! Because it’ll break all the thousands of existing sites running on it.” – WPJohnny

To solve this problem, we can again turn to the changelog to get an inkling of the development cycle. Where developers add a few new features and then spend weeks or months responding to customer feedback, fixing bugs and security issues before releasing the next feature set, it could be inferred that the vendor cares about the quality of their product.

When the focus is almost exclusively on adding new features in rapid succession while doing little to address user concerns, caution is advised.

Minimise your vendor footprint

Vendor management is a hot topic in enterprise cybersecurity, one that can be translated to the WordPress environment. According to PwC’s 2022 Global Digital Trust Survey, “75% of executives reported their organizations are overly complex, leading to “concerning” cyber and privacy risks.” The survey also found that “many organizations have a blind spot arising from third parties and the supply chain.”

When working on client sites I look for vendors / developers whose plugins provide most, if not all, of the functionality I’ll need for the foreseeable future. This isn’t a single plugin that does everything, but rather a suite of plugins that cover all the bases. Nor would I install and activate all of them at once, but rather only those that are necessary.

This helps keep the vendor footprint to a minimum, which ensures minimal variation in coding practices as well as consistent quality and product support (which I’ll research before purchasing). This approach also makes it easier to keep tabs on individual vendors.

But plugins will get safer…

In June a proposal for a plugin checker was announced, which could go a long way to enhance the overall quality and security of WordPress plugins. Here’s a little snippet of the announcement:

“The goal of the plugin checker would be largely equivalent to that of the existing theme checker, fulfilling similar purposes for plugins. Specifically, the primary goals would be to:

• Provide plugin developers with feedback on requirements and best practices during development.

• Provide the wordpress.org plugin review team with an additional automated tool to identify certain problems or weaknesses in a plugin ahead of a manual review.

• Provide technical site owners with a tool to assess plugins based on those requirements and best practices.”

Until then, however, be judicious with your plugin selection. As Victor Santoyo, Sr. Account Executive for Sucuri Security, said during his session ”Security lessons learned from 2021” at WordCamp Europe 2022, “Security impacts everyone equally. There’s no one specific topic, target, or audience when it comes to website security,”

StormCloud Solo is a super fast and reliable cloud-based virtual server fully-managed by Storm. Get 24/7 maintenance, security, and disaster recovery for everything you host without all the technical fuss.