WordPress plugins – the good, the bad and the ugly!
WordPress is a very powerful and mature platform. Although it started life as a blogging system, today thousands of customers use it to power their entire website, many of them on our managed Cloud VPS service, which is an ideal WordPress hosting option (even if we do say so ourselves!).
Plugins play an essential part in extending the system to do exactly what you need. WordPress is one of the success stories of open source software, and one of the great things about it is that anybody can write a plugin. Thousands have already been written, so there is a good chance somebody has already built the one you are looking for.
But, as I said, literally anybody can write a plugin. You don't need to be a great software developer, and you don't even need to have heard of the OWASP Top Ten web application security risks; anybody with any level of coding skill can publish one.
So there are thousands of pre-written plugins to choose from to give your WordPress-powered site the extra functionality or feature that you crave. What could possibly go wrong?
Your new plugin could contain:
- malicious code
- SQL injection vulnerabilities (potentially giving attackers full read and write access to your database)
- XSS (cross-site scripting) vulnerabilities
- CSRF (cross-site request forgery) vulnerabilities, which let another site trigger actions using your logged-in admin session
- inefficient code that seriously damages website performance or server stability
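As an added illustration (not code from the original post, and not any real plugin), here is what the SQL injection, XSS and CSRF items above typically look like together in a plugin's admin request handler, followed by the same handler hardened with WordPress's own helpers. The table name, the hook and action names and the `id` parameter are invented for the example; the code is a plugin fragment meant to run inside a WordPress install.

```php
<?php
/*
 * Plugin Name: Vetting Example (added illustration only, not a real plugin)
 * Two versions of the same "delete a note" admin action. The first packs
 * the three vulnerability classes from the list above into one function;
 * the second is the hardened form. Table name vetex_notes, hook names and
 * the "id" query parameter are assumptions made for this example.
 */

// --- Vulnerable: the shape a careless plugin handler often takes ----------
function vetex_delete_note_vulnerable() {
    global $wpdb;

    // SQL injection: the raw query-string value is concatenated into SQL, so
    // id=1 OR 1=1 deletes every row, and a UNION or sub-select reads anything.
    $id = $_GET['id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}vetex_notes WHERE id = $id" );

    // CSRF: no nonce and no capability check, so any page that makes a
    // logged-in admin's browser request
    // admin-post.php?action=vetex_delete&id=7 deletes note 7.

    // XSS: attacker-controlled input is echoed back unescaped.
    echo "Deleted note " . $_GET['id'];
}
add_action( 'admin_post_vetex_delete', 'vetex_delete_note_vulnerable' );

// --- Hardened: same feature, each hole closed -----------------------------
function vetex_delete_note_hardened() {
    global $wpdb;

    // Authorisation: only users allowed to manage options may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // CSRF: the request must carry a nonce issued for this exact action
    // (check_admin_referer() reads the _wpnonce parameter and dies on mismatch).
    check_admin_referer( 'vetex_delete_note' );

    // Input validation: coerce to a non-negative integer before any use.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid note id', '', array( 'response' => 400 ) );
    }

    // SQL injection: bind the value with $wpdb->prepare() instead of
    // building the statement by string concatenation.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}vetex_notes WHERE id = %d",
            $id
        )
    );

    // XSS: escape anything that came from the request before echoing it.
    echo 'Deleted note ' . esc_html( $id );
}
add_action( 'admin_post_vetex_delete_hardened', 'vetex_delete_note_hardened' );

// The link that triggers the hardened handler carries the matching nonce.
function vetex_delete_link( $note_id ) {
    $url = admin_url( 'admin-post.php?action=vetex_delete_hardened&id=' . absint( $note_id ) );
    return esc_url( wp_nonce_url( $url, 'vetex_delete_note' ) );
}
```

When reviewing a plugin, grep for `$_GET`, `$_POST` and `$_REQUEST` and follow each value: it should pass through a nonce check, a capability check, validation and `$wpdb->prepare()` or an `esc_*()` function before it reaches a query or the page. Unescaped concatenation into either is exactly the pattern in the first handler.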
All have potential to cause serious problems for your website – so how do you know which plugins to trust?
The short answer: unless you review and understand every line of code, you really can't. Ideally that is exactly what you should do, but here are some basic tips to get you started when selecting plugins from the official WordPress.org plugin directory:
Check the ‘Most Popular’ List
I always find it worthwhile to check the 'Most Popular' list on the Plugin Directory before searching for a specific plugin. If the plugin I require is fairly mainstream (e.g. Google Analytics integration or a contact form builder), this list is usually the best bet for finding a well tested and stable one.
Compare Downloads vs Ratings
The quickest way to gauge how stable a plugin is likely to be is to compare its number of downloads with its current rating. Each plugin can be rated from 1 to 5 stars, and a counter shows how many times it has been downloaded; both figures are displayed in the search results and on each plugin's page. Look at the number of people who rated it as well as the average, since a handful of votes tells you very little.
For example, a plugin with a 5 star rating from 3 voters and 3 downloads is likely less reliable than one with a 4 star rating and 2,000,000+ downloads!
Plugin Documentation
Each plugin has its own page on the directory showing a description, installation instructions, an FAQ, download stats, a support forum and credits to the developers. Professional, up to date and detailed documentation often points to a well developed and properly maintained plugin. Here are some points to check when browsing it:
When was the last update?
Each time a new version is uploaded to the Plugin Directory the date is recorded and shown on the plugin page (just under the download button). This is extremely useful when choosing a plugin: if the last update was over 12 months ago it is probably no longer maintained, and any security holes found since then are unlikely to have been patched.
Is it compatible with the WordPress version you’re running?
Another useful pair of values is 'Requires' and 'Compatible up to' (also displayed just under the download button), which show at a glance whether the plugin is declared compatible with the version of WordPress you are running. Bear in mind that these values are set by the plugin author in the plugin's readme rather than verified by WordPress.org, and that you should always be running the latest WordPress release: if the plugin isn't declared compatible with it, don't install it.
Is the description detailed and neatly presented?
If the description lacks detail, the plugin may be a single developer's hobby project and they have not found the time to write one yet. If so, they might not find the time to patch security flaws promptly either.
Are there lots of posts on the support pages?
Lots of recent posts on the support forum could point to an unstable plugin or a new release that is causing problems. Bear in mind, though, that some plugins have millions of users and will naturally have a busy forum; look at whether threads are being answered and resolved rather than at the raw count.
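The checks in this section (downloads versus rating, last update, declared compatibility, state of the support forum) are mechanical enough to script. As an added example that is not part of the original post, the PHP below scores a plugin record against them. The two records are constructed for the illustration and are not real plugins; the field names follow the shape of the WordPress.org plugin information API (`last_updated`, `tested`, `downloaded`, `rating` as a 0 to 100 percentage, `num_ratings`, `support_threads`, `support_threads_resolved`) as an assumption, and the thresholds are judgement calls taken from this post, not values WordPress.org publishes.

```php
<?php
// Added example: score a plugin-directory record against the checks above.
// Field names assume the shape of the wordpress.org plugin information API;
// thresholds are judgement calls. Requires PHP 7.0 or later.

function vetex_assess(array $p, string $current_wp, int $now): array
{
    $warnings = [];

    // When was the last update? Over 12 months with no release is a red flag.
    $updated = strtotime($p['last_updated']);
    if ($updated === false) {
        $warnings[] = 'last_updated is unreadable';
    } elseif ($now - $updated > 365 * 86400) {
        $warnings[] = sprintf('no update for %d days', intdiv($now - $updated, 86400));
    }

    // Is it compatible with the WordPress you run? "tested" is the author's
    // declared "Compatible up to" value, so treat it as a claim, not a test.
    if (version_compare($p['tested'], $current_wp, '<')) {
        $warnings[] = sprintf('declared compatible only up to %s, you run %s',
                              $p['tested'], $current_wp);
    }

    // Downloads vs rating: the API reports rating as a 0-100 percentage,
    // so divide by 20 to get the star value shown in the directory.
    $stars = $p['rating'] / 20.0;
    if ($p['num_ratings'] < 20) {
        $warnings[] = sprintf('%.1f stars from only %d ratings', $stars, $p['num_ratings']);
    } elseif ($stars < 3.5) {
        $warnings[] = sprintf('rated %.1f stars by %d users', $stars, $p['num_ratings']);
    }
    if ($p['downloaded'] < 10000) {
        $warnings[] = sprintf('only %d downloads', $p['downloaded']);
    }

    // Support forum: a busy forum is normal for a big plugin; a forum where
    // most threads stay unresolved is not.
    $open = $p['support_threads'] - $p['support_threads_resolved'];
    if ($open > 10 && $open > $p['support_threads'] / 2) {
        $warnings[] = sprintf('%d of %d support threads unresolved', $open, $p['support_threads']);
    }

    return $warnings;
}

// Constructed sample records for the illustration, not real plugins.
$plugins = [
    [
        'slug' => 'well-maintained-forms', 'last_updated' => '2012-09-12 9:10am GMT',
        'tested' => '3.4.2', 'downloaded' => 2400000, 'rating' => 86, 'num_ratings' => 1530,
        'support_threads' => 140, 'support_threads_resolved' => 121,
    ],
    [
        'slug' => 'abandoned-gallery', 'last_updated' => '2011-03-20 4:25pm GMT',
        'tested' => '3.0', 'downloaded' => 3, 'rating' => 100, 'num_ratings' => 2,
        'support_threads' => 12, 'support_threads_resolved' => 1,
    ],
];

$current_wp = '3.4.2';                            // the release you are running
$now        = strtotime('2012-10-01 00:00 GMT');  // fixed so the output is reproducible

foreach ($plugins as $p) {
    $warnings = vetex_assess($p, $current_wp, $now);
    printf("%s: %s\n", $p['slug'], $warnings ? implode('; ', $warnings) : 'no warnings');
}
```

Run with `php vetex_assess.php`: the first record produces no warnings, the second trips every check (stale, declared compatible only with an old release, a perfect score from two voters, three downloads, eleven of twelve threads unresolved). A script like this only automates the heuristics above; it is a filter to apply before reading the code, not a substitute for doing so.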
Search For More Information
This simple trick works best for the more popular plugins. Search for '[Plugin Name] vulnerability' or '[Plugin Name] exploit' in your favourite search engine; if the plugin has had publicly reported flaws they will usually appear on the first page. Fixed flaws are useful information too, because a prompt fix shows the plugin is actively maintained. Just don't read an empty result page as a clean bill of health: for an obscure plugin it more often means nobody has looked.
Compatibility Checker
Finally, WordPress.org provides a compatibility checker for each plugin. It lets you see whether other users have reported a given version of the plugin working, or broken, with a given version of WordPress.
As it relies on community feedback, it tends to be useful for the more popular plugins against the latest WordPress release, but lacks data for the less popular ones.
Practice Minimalism
As any statistician will tell you, the more plugins you install, the greater the chance that one of them is badly coded. So be minimalistic: install as few plugins as you can, and uninstall the ones you no longer use rather than leaving them installed but deactivated. It isn't only about numbers, though. In theory you could run as many well written plugins as you like without problems, but it only takes one badly coded plugin to cause significant performance, resource or security problems.
Update Regularly
It's very easy to find websites running WordPress, or even ones running a particular plugin. If an attacker finds a security hole in a plugin they can locate the sites using it and run an automated script to exploit the hole across thousands of them. You don't have to be "targeted": just run the vulnerable software on your website and you automatically make yourself a target!
Regular updates are a necessity for any system, and WordPress is no exception. As well as keeping the WordPress core itself up to date, it is important to regularly update any plugins and themes you have installed, because the new releases often contain important bug and security fixes.
WordPress includes an automatic version check that compares your core, plugins and themes against the versions published on WordPress.org. Note the "on WordPress.org": plugins and themes obtained from other sources are not checked, so you must track their updates yourself. The check notifies you when you log in to the WordPress admin panel (you already do that regularly, right?).
There are also notification plugins that can email you when a new version of something you run is released. Evaluate their worth first, though: they are one more plugin, and everything above applies to them too. 🙂
What now?
Lots of other people have covered this issue at length, so there is much more information out there to explore. If you run a WordPress-powered website it is worth taking five minutes to learn more about it!
Everything here applies equally to themes, so take just as much care when selecting and installing third party themes as you do with third party plugins.
Have you blogged about this issue yourself with your own tips to stay safe? Let us know and we’ll be happy to link to your work!
In the meantime, here are a few excellent links we’ve collected together as further reading (and watching) – definitely worth checking to learn more about the potential pitfalls, and some good security basics reminders if you also write your own plugins:
- http://2011.sf.wordcamp.org/session/plugin-security-showdown/
- http://sixrevisions.com/wordpress/before-install-wordpress-plugin/
- https://www.owasp.org/images/d/db/Wordpress-security-ext.pdf
- http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
Also an important footnote about being over-reliant on the included plugin update system: