Ask Wordfence: How to Limit Security Risks From Plugins
This is the fourth installment in a new series we started last month. You can access previous posts here.
Today’s question comes from Michela in Pordenone, Italy:
Plugins are necessary for enhanced functionality of each WP site but the more plugins we add the higher the risk to potential threats. How can we limit this risk and what can we do to prevent in general these kinds of attacks (through the installed plugins)?
This is a great question. According to survey results we published last year, vulnerable plugins are the top way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.
Use as Few Plugins as Possible
Every plugin you install on your website increases your “attack surface”. You are running more code, so your odds of having a security vulnerability exploited go up. Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind.
Only Download Plugins From Reputable Sites
If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.
If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:
- The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
- Look for a valid company name in the footer.
- You should be able to find a physical contact address on the contact page or in the terms of service.
- If you Google the domain name in quotes (e.g., “example.com”) you shouldn’t find any reports of malicious activity. Adding the words “malware,” “exploit” and “vulnerability” to your search may reveal additional information.
Choose Reputable Plugins
The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:
- The more recent the last update, the better.
- Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
- It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Test up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
- The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.
You should also periodically review your installed plugins to make sure they have maintained their good standing.
Delete Plugins Immediately When You Stop Using Them
We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.
Keep Your Plugins Up to Date
Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability. In fact, the large majority of attacks we see on WordPress sites are attempts to exploit well-known security holes, some many years old. Instead of looking for new vulnerabilities, attackers look for site owners who don’t keep things up to date. Unfortunately, they continue to have success. You can stay ahead of the curve by simply keeping things up to date.
Many plugins like Wordfence include an auto-update feature. You should enable this in as many plugins as you can. For those for which you can’t, you should update to the latest version as soon as possible, especially if it includes a security fix.
Replace Abandoned and Removed Plugins
Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Back in May we wrote a post about abandoned plugins and found that, at the time, over 46% of plugins had not been updated in over 2 years.
Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.
Another risk to keep an eye on is plugins that have been removed from the WordPress.org plugin directory. There are many reasons why the WordPress plugin team might remove a plugin, including having a security vulnerability that hasn’t been fixed. Since their policy is to not disclose why they removed a plugin, we recommend that you immediately remove plugins from your site that are removed from the WordPress.org directory.
This spring, we added a feature that alerts you when plugins have been abandoned or removed from WordPress.org.
Install a WordPress Firewall
Every now and then an attacker will discover a zero-day vulnerability in a WordPress plugin and start attacking sites. In these cases, if you are unlucky enough to be running the vulnerable plugin, having the latest version installed will not help protect your site. That’s where a web application firewall, or WAF, comes in. Web Application Firewalls examine the traffic hitting your site, filtering out malicious requests.
The Wordfence firewall includes a robust set of protections against the most common attacks on WordPress websites. These include SQL Injection, Cross Site Scripting, Malicious File Uploads, Directory Traversal and many more. In addition, when a new security vulnerability emerges, our security analysts quickly develop code to protect for that specific threat in the form of a “firewall rule.” These firewall rules are deployed in real time to Wordfence Premium customers via the Threat Defense Feed. Free sites receive them 30 days later.
We wrote in depth about about how the Wordfence firewall works earlier in the year.
As a WordPress site owner, managing your plugins is a critical component of keeping your site safe. Understanding the risks and actively managing them is an ongoing activity. By using careful criteria in selecting which plugins to install, keeping your existing plugins updated to the latest versions, and using a robust web-application firewall on your website, you can ensure that you’re doing everything you can to protect your site data from malicious attackers.
How do you choose what plugins to install on your site? How do you evaluate which plugins are safe? We’d love to hear your thoughts in the comments below.