Plugins are a security risk
So you have a WordPress website and you’re looking for a plugin to do xyz. Be careful.
Plugins are like having your own personal assistant. You need a job done. Give it to your personal assistant. But can you trust him or her? What exactly are they doing when they are out of your sight?
WordPress is great out of the box but may not be able to do that special job. For that, there may just be a plugin. So you install it and it does the job, or does it? It may cause your site to crash or, worse still, open all the doors to every hacker out there. Just like your personal assistant, you have no idea what it’s doing behind the scenes: a plugin runs as part of WordPress with the same access to your database, your files and your visitors as WordPress itself.
Anyone with a bit of coding knowledge can write a plugin. The result may be a work of art with all the bells and whistles. And then the marketing team gets hold of it, puts it on a pedestal, douses it with perfume and puts it on special offer. It’s now a must-have plugin. So you buy it.
You install it, no problem, as it works out of the box. You’re over the moon as your very own personal assistant is slogging away tirelessly in the background doing that special job. So what’s the problem? About 60% of hacked WordPress websites are hacked via their plugins, not via WordPress itself. That could be a problem, don’t you think?
Malicious or not?
Some plugins may just contain badly written code. The developer may genuinely be trying to develop a great plugin. Unfortunately their coding skills may not be up to scratch. So every now and then there’s a hiccough, but generally everything works just great. Unfortunately the bad code may lead to security vulnerabilities which can be exploited by hackers: input that is used without validation, database queries built from user-supplied values, output echoed back to the browser unescaped, or actions that can be triggered without checking who is asking. Not good for your website.
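To make the paragraph above concrete, here is an added example (written for this article; it is not code from any real plugin) of what badly written plugin code typically looks like, next to a hardened version of the same handler. The plugin name, table name and the sld_ prefix are invented for illustration. The vulnerable handler deletes a subscriber by id and shows the three classic mistakes at once: it is reachable by anyone (including visitors who are not logged in), it drops the id straight into SQL, and it echoes the id back unescaped.

```php
<?php
/**
 * Plugin Name: Subscriber List Demo (illustrative only, not a real plugin)
 */

// ---- Vulnerable version: what "badly written code" usually looks like ----
// Registered on both the logged-in and the nopriv hook, so any visitor can hit
//   /wp-admin/admin-ajax.php?action=sld_delete&id=...
// There is no nonce, no capability check, no validation and no escaping.
add_action( 'wp_ajax_nopriv_sld_delete', 'sld_delete_vulnerable' );
add_action( 'wp_ajax_sld_delete', 'sld_delete_vulnerable' );
function sld_delete_vulnerable() {
    global $wpdb;
    $id = $_GET['id'];                                                      // untrusted input used as-is
    $wpdb->query( "DELETE FROM {$wpdb->prefix}sld_subscribers WHERE id = $id" ); // SQL injection
    echo 'Deleted ' . $id;                                                  // reflected XSS
    wp_die();
}

// ---- Hardened version of the same handler ----
// Only logged-in users reach it (no wp_ajax_nopriv_ hook), the request must carry
// a valid nonce, the user must hold the right capability, the id is coerced to an
// integer and the query is prepared. Nothing from the request is echoed raw.
add_action( 'wp_ajax_sld_delete_safe', 'sld_delete_hardened' );
function sld_delete_hardened() {
    global $wpdb;

    check_ajax_referer( 'sld_delete', 'nonce' );          // CSRF check; ends the request on failure

    if ( ! current_user_can( 'manage_options' ) ) {       // authorisation, not just authentication
        wp_send_json_error( 'forbidden', 403 );
    }

    $id = absint( $_GET['id'] ?? 0 );                     // validation: a positive integer or nothing
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }

    $table   = $wpdb->prefix . 'sld_subscribers';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id )   // parameterised query
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );     // structured JSON, no raw echo
}

// The admin page that issues the request must include the nonce, e.g. by rendering
//   wp_nonce_field( 'sld_delete', 'nonce' )
// in its form, or passing wp_create_nonce( 'sld_delete' ) to its JavaScript.
```

When you evaluate a plugin you cannot read every line, but you can grep its source for the warning signs in the first handler: wp_ajax_nopriv_ hooks on anything that changes data, $_GET or $_POST values used without sanitising, and $wpdb->query or $wpdb->get_results calls whose SQL string is built with interpolated variables instead of $wpdb->prepare.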
On the other hand, some plugins may intentionally contain malicious code; for example, the developer may deliberately want to steal your clients’ email addresses, or ship a hidden backdoor that lets them log in to your site later.
Either way, you should be very careful when selecting a plugin.
Are they updated regularly?
Another issue concerning plugins is how often they are updated. This applies not only to patching discovered vulnerabilities but also to keeping abreast of developments in general, for example accommodating new rules and regulations, new WordPress and PHP releases, new coding best practices, etc.
Failure by the plugin developer to stay ahead of the game could lead to all sorts of problems for you, from incompatibility issues causing your website to not function as it should, or not at all, to security breaches through a vulnerability that is public knowledge but will never be fixed.
Have your needs outgrown the plugin?
Another issue is what I would call depreciation. This is where your needs have changed to the extent that the plugin can no longer do the job. No problem, simply get another plugin. Really? What if you’re so tied into the original plugin that it is just too expensive to get out?
Let’s say your plugin handles your mailing list. When you started you only had 1,000 subscribers. That has now grown to 1 million subscribers. The plugin still works, but you need it to do a little extra something and it can’t. You contact the developer, but they are no longer maintaining the plugin. Okay, no problem. Get another plugin and migrate the subscription list over. Really? Suddenly you find out that your subscription list is stored in xyz format and the new plugin only accepts abc formatted lists! So you’re now up the creek without a paddle, and that important newsletter is just not going out any time soon.
Have a plan B in place. Consider what you will do if the plugin no longer suits your needs or is no longer updated. Would you be able to replace it without any downtime? Will your website still function if you no longer used the plugin? Can you export the data the plugin holds in a format you could load somewhere else?
Do research before committing to a plugin
Only use plugins if you absolutely need to use them. You increase the odds of experiencing problems with your website with each plugin that you install: every plugin is more code that can be attacked and more code that needs to be kept up to date.
There are definitely some great plugins out there. Just be careful when selecting the one that you want to use, and try to only install plugins from the official WordPress.org plugin repository. This does not mean that these plugins are safe; it just reduces the risk of installing a problem plugin, because the repository reviews new plugins on submission and closes plugins that are reported for security issues.
Once you’ve decided on a plugin that meets your needs, Google it to see what others have to say about it. Also check the plugin’s page in the WordPress.org plugin repository for reviews as well as the following:
• How many active installations the plugin has
• What the star rating for the plugin is, and how many ratings it is based on (a 5-star average from three reviews tells you little)
• When the plugin was last updated
• What users have to say about the plugin, both negative and positive, and whether the developer answers support threads
• What support is offered for the plugin
• Compatibility: will the plugin work on your version of WordPress (the “Tested up to” value on the plugin page)
• PHP version: what PHP version is needed for the plugin to work (the “Requires PHP” value)
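The checklist above can be scripted, because every item on it is also published by the WordPress.org plugin information API. The following is an added example written for this article, not code from the repository or from any plugin: it takes a decoded plugin record, applies the checks above with thresholds that are my own assumptions (a year without updates, fewer than 1,000 active installs, fewer than 20 ratings, a rating below 80 out of 100, fewer than half of support threads resolved) and returns a list of warnings. The field names follow the API at https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&slug=<slug>; the sample record is constructed, it does not describe a real plugin, and the error handling for a delisted slug assumes the API answers with an “error” field instead of a record.

```php
<?php
// Added example: vet a plugin record from the WordPress.org plugin information API
// against the checklist in the article. Not part of WordPress or of any plugin.

function sld_vet_plugin( array $info, string $site_wp, string $site_php, DateTimeImmutable $today ): array {
    $warnings = array();

    // Assumption: a closed or never-existing slug comes back as {"error": "..."} rather than a record.
    if ( isset( $info['error'] ) ) {
        return array( 'not listed in the repository (' . $info['error'] . '): remove it' );
    }

    // Last update. The API formats the date like "2022-03-10 7:42am GMT".
    $updated = DateTimeImmutable::createFromFormat( 'Y-m-d g:ia T', (string) ( $info['last_updated'] ?? '' ) );
    if ( ! $updated ) {
        $warnings[] = 'last_updated missing or unparseable';
    } elseif ( $updated->diff( $today )->days > 365 ) {
        $warnings[] = 'not updated for more than a year (last update ' . $updated->format( 'Y-m-d' ) . ')';
    }

    // Compatibility: "tested" is the highest WordPress version the author declares as tested.
    if ( empty( $info['tested'] ) ) {
        $warnings[] = 'no "Tested up to" version declared';
    } elseif ( version_compare( $info['tested'], $site_wp, '<' ) ) {
        $warnings[] = "tested only up to WordPress {$info['tested']}, this site runs {$site_wp}";
    }

    // PHP requirement.
    if ( ! empty( $info['requires_php'] ) && version_compare( $site_php, $info['requires_php'], '<' ) ) {
        $warnings[] = "requires PHP {$info['requires_php']}, this site runs {$site_php}";
    }

    // Install base: a small base means few eyes on the code and few people reporting bugs.
    if ( (int) ( $info['active_installs'] ?? 0 ) < 1000 ) {
        $warnings[] = 'fewer than 1,000 active installs';
    }

    // Rating: the API gives a 0-100 score; it only means something with enough ratings behind it.
    if ( (int) ( $info['num_ratings'] ?? 0 ) < 20 ) {
        $warnings[] = 'too few ratings to trust the score';
    } elseif ( (int) ( $info['rating'] ?? 0 ) < 80 ) {
        $warnings[] = 'rating below 80/100 (roughly 4 stars)';
    }

    // Support: how many of the recent support threads the developer actually resolved.
    $threads = (int) ( $info['support_threads'] ?? 0 );
    if ( $threads > 0 ) {
        $ratio = (int) ( $info['support_threads_resolved'] ?? 0 ) / $threads;
        if ( $ratio < 0.5 ) {
            $warnings[] = sprintf( 'only %d%% of support threads resolved', (int) round( 100 * $ratio ) );
        }
    }

    return $warnings;
}

// Constructed sample record, deliberately mediocre; not a real plugin.
$sample = json_decode( '{
    "name": "Example Subscriber Manager",
    "slug": "example-subscriber-manager",
    "version": "1.4.2",
    "tested": "5.9",
    "requires_php": "7.4",
    "rating": 72,
    "num_ratings": 14,
    "active_installs": 800,
    "last_updated": "2022-03-10 7:42am GMT",
    "support_threads": 30,
    "support_threads_resolved": 6
}', true );

$warnings = sld_vet_plugin( $sample, '6.5', '8.1', new DateTimeImmutable( '2024-06-01' ) );
echo $warnings ? "Warnings for {$sample['name']}:\n" : "No warnings for {$sample['name']}\n";
foreach ( $warnings as $w ) {
    echo "- {$w}\n";
}
```

Inside WordPress the same record can be fetched with the core plugins_api( 'plugin_information', array( 'slug' => $slug ) ) call, so this check can run from a small WP-CLI command before installing, and again on a schedule against everything already installed, which covers the “keep checking” advice that follows. The thresholds are judgement calls; the point is that each item on the checklist is a number you can look at rather than a feeling.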
Once you have installed the plugin, keep checking its repository page to see that the plugin is still updated regularly and that it still receives good reviews.
If your plugin is no longer listed in the WordPress repository, it has been closed. Plugins are closed for reasons that include unfixed security issues, and a closed plugin receives no further updates through WordPress, so treat it as a problem and remove it.
Always check for updates to your plugins. A good plugin developer will make sure that they update their plugins to fix broken code and, most importantly, to fix known vulnerabilities. Enable automatic updates for your plugins if available, and watch the update notices so you know when a release is a security fix.
Remove all plugins that you no longer use. Deactivating is not enough: an inactive plugin’s files are still on the server and can still be requested directly by an attacker, so simply by being installed it opens your website up to all sorts of issues if it contains faulty or malicious code.
You may also consider alternatives to plugins. For example, there are services that you can leverage from within your WordPress website to perform those needed tasks. In many cases there is nothing to install on your website to be able to use these services, so the risk of running someone else’s code on your own server is avoided; what you take on instead is trusting the service with the data you send it.
File download manager is one such service. File download manager manages your digital products. It secures your downloadable files and download links emailed to your customers. You can also set an expiry time for the download link.
Check out file download manager here https://www.filedownloadmanager.com/
Happy WordPressing with or without plugins!