Every WordPress web designer and content creator out there knows that their jobs would be much more difficult had it not been for the helpful plugins. The WordPress directory is packed with these handy add-ons that can simplify many different aspects of your website – from SEO to e-commerce.
Not every WordPress plugin is safe to use, though. Some collect far more of your data than they need, and some slow your WordPress site down. A few are outright malware. A plugin runs as PHP on your server with the same privileges as WordPress itself, so a malicious one can take over the site, read its database, and use it to serve malware or spam to your visitors.
Thankfully, malicious plugins smuggled into the official WordPress.org directory are rare, and the ones that are discovered are usually removed quickly. Copies obtained elsewhere, such as pirated versions of paid plugins offered on third-party sites, are a far more common source of backdoors.
However, even plugins that were never meant to be malicious can pose a security threat simply because they are outdated, poorly coded, or otherwise improperly built. They can increase your site's loading time, expose it to attackers who know about unpatched vulnerabilities, and ruin the experience for visitors, who will be reluctant to return.
Danger lurks everywhere. For instance, before you install that cool lightbox popup WordPress plugin, check its history for warning signs. If you don't know how to spot a suspicious plugin, check out this article! We've compiled a list of the major red flags for WordPress plugins, so you know what to avoid in the future.
Outdated Repository
When you google a plugin you want to install and the page you land on looks like it was built in the early 2000s, with a tacky logo and poor spelling, be cautious. If the author's own website looks the same, it is probably best to ignore the plugin entirely. A plugin whose last update is several years old is, for practical purposes, unmaintained. The WordPress.org directory makes this easy to check: every listing shows the last-updated date and the WordPress version the plugin was tested with, and it displays a warning when a plugin hasn't been tested with the latest three major releases.
If the listing says the plugin was last updated years ago, or the author hasn't been active on GitHub for years, be careful. That alone doesn't mean the plugin is dead, but you should check for yourself how up to date the code is rather than trusting the author blindly.
To summarize, always double-check whether the plugin you plan to install is still maintained by its developers. If it isn't, that is a major red flag: an unmaintained plugin will never receive a fix for vulnerabilities found after its last release, and publicly disclosed WordPress plugin vulnerabilities are scanned for and exploited at scale.
Developer with a Bad Reputation
A quick online search can tell you most of what you need to know about a plugin's developer. If people on WordPress forums advise you to stay away from them, heed the warning. Installing a plugin from a questionable source can open a backdoor into your website, and you usually won't know how exposed you are until it's too late.
Not Many People Have Downloaded It
Of course, if a plugin was released minutes ago, a lack of users is to be expected. However, if it has been around for years, promises to be everything you've ever needed, yet the directory's active installation count suggests otherwise, you should be cautious.
A plugin that has been listed for years with only a handful of active installations has few users to report bugs and few eyes on its code, so both functional problems and security flaws can go unnoticed for a long time. Popularity is no guarantee of security, but obscurity means you are largely on your own.
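The maintenance and popularity signals from the two sections above can be checked mechanically from a plugin's directory listing. The following is an example added to this article, not part of the original text and not a WordPress.org tool. The field names (last_updated, tested, added, active_installs) are those returned by the WordPress.org plugin information API (api.wordpress.org/plugins/info/1.2/ with action=plugin_information); the network call is left out so the example runs offline, the two listings are constructed samples rather than real plugins, and the thresholds are assumptions.

```python
"""Red-flag check for a WordPress.org plugin listing.

Example code added to this article; not part of the original text and not a
tool from WordPress.org.  Field names follow the WordPress.org plugin
information API; the listings below are constructed samples, not real plugins.
"""
from datetime import datetime, timezone

# Thresholds are assumptions, not figures from the article.
MAX_AGE_DAYS = 2 * 365       # untouched for more than two years
MAX_TESTED_LAG = 3           # "tested up to" lags current WordPress by 3+ releases
MIN_INSTALLS_WHEN_OLD = 100  # listed for 2+ years but almost nobody runs it
CURRENT_WP = (6, 5)          # assumed current WordPress major.minor


def parse_day(s: str) -> datetime:
    """The API gives dates with a 'YYYY-MM-DD' prefix, e.g. '2019-06-01 9:30am GMT'."""
    return datetime.strptime(s.split(" ")[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def version_tuple(v: str) -> tuple:
    """'5.2.4' -> (5, 2): only major.minor matter for release counting."""
    parts = v.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def release_lag(tested: tuple, current: tuple) -> int:
    """Number of WordPress releases between 'tested' and 'current'.
    WordPress minor versions run .0 to .9 before the major bumps
    (4.9 -> 5.0, 5.9 -> 6.0), so one major step is ten releases."""
    return (current[0] - tested[0]) * 10 + (current[1] - tested[1])


def red_flags(info: dict, now: datetime, current_wp: tuple = CURRENT_WP) -> list:
    """Human-readable red flags for one listing; empty list means none found."""
    flags = []
    age = (now - parse_day(info["last_updated"])).days
    if age > MAX_AGE_DAYS:
        flags.append(f"last updated {age} days ago")
    lag = release_lag(version_tuple(info["tested"]), current_wp)
    if lag >= MAX_TESTED_LAG:
        flags.append(f"tested only up to WordPress {info['tested']} ({lag} releases behind)")
    listed_days = (now - parse_day(info["added"])).days
    if listed_days > MAX_AGE_DAYS and info["active_installs"] < MIN_INSTALLS_WHEN_OLD:
        flags.append(f"listed for {listed_days // 365} years but only "
                     f"{info['active_installs']} active installs")
    return flags


# Constructed sample listings (not real plugins).
STALE_LISTING = {"slug": "example-lightbox", "last_updated": "2019-06-01 9:30am GMT",
                 "tested": "5.2", "added": "2015-04-21", "active_installs": 40}
HEALTHY_LISTING = {"slug": "example-forms", "last_updated": "2024-04-10 11:02am GMT",
                   "tested": "6.5", "added": "2018-02-03", "active_installs": 200000}
CHECK_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)  # assumed date of the check

if __name__ == "__main__":
    for listing in (STALE_LISTING, HEALTHY_LISTING):
        print(listing["slug"], red_flags(listing, CHECK_DATE) or ["no red flags"])
```

To run this against a real listing, fetch the JSON for the plugin's slug from the API above and pass the decoded object to red_flags(); a plugin that trips two or three of these checks deserves the closer look the sections above recommend.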
Fishy Code
A good practice before installing a WordPress plugin is to read its code yourself; nothing else tells you as reliably what it actually does. Plenty of compromised plugins are in circulation, whether the developer added something unwanted deliberately or an attacker exploited poorly written code to inject their own.
Even plugins with a good reputation can be compromised. Suppose the author protects releases with a secret key, such as a signing key or the credentials of the account used to publish updates. If that key leaks, whoever holds it can publish a version of the plugin with malicious code added, and it will look like a legitimate update.
Unfortunately, even competent programmers sometimes encrypt sensitive data weakly or not at all, or skip the input validation and permission checks WordPress expects. If you take the time to inspect a plugin's code, you can catch such problems before they reach your site. This does require being able to read some PHP and understand what it does; at a minimum, look for obfuscated code, calls that execute arbitrary commands or fetch code from remote servers, and request handlers that accept input without checking who sent it.
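The kind of inspection described above can be partly automated as a first pass. The following is an example added to this article, not code from the original and not a WordPress.org tool. The two PHP snippets embedded in it are constructed samples written for this example, not code from any real plugin; the first shows a trojanized AJAX handler with obfuscated code and unchecked input, the second the same handler written with the nonce, capability and sanitization calls WordPress provides.

```python
"""Static red-flag scan of WordPress plugin PHP source.

Example code added to this article (not from the original, and not a
WordPress.org tool).  The PHP snippets are constructed samples, not code
from any real plugin.  A hit is a reason to read the surrounding code
closely, not proof of malice.
"""
import re

# Constructs a legitimate plugin very rarely needs.
SUSPICIOUS = {
    "code execution": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "shell command": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hex-escaped string": re.compile(r"(\\x[0-9a-f]{2}){4,}", re.I),
    "remote code fetch": re.compile(r"\b(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I),
}
# Request input used on a line with none of WordPress's sanitizing helpers.
RAW_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[")
SANITIZED = re.compile(r"\b(sanitize_\w+|esc_\w+|absint|intval|wp_kses\w*)\s*\(")
# AJAX handler registration, and the checks a handler body should contain.
AJAX_HOOK = re.compile(r"add_action\s*\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
AUTH_CHECK = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce|current_user_can)\s*\(")


def scan_patterns(src: str) -> list:
    """Return (label, line number, line) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for label, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((label, lineno, line.strip()))
        if RAW_INPUT.search(line) and not SANITIZED.search(line):
            hits.append(("raw request input", lineno, line.strip()))
    return hits


def function_body(src: str, name: str):
    """Body of a top-level PHP function found by brace matching.  Braces
    inside strings or comments are not special-cased; good enough for a
    first look, not a parser."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def unprotected_ajax_handlers(src: str) -> list:
    """AJAX callbacks that never verify a nonce or the caller's capability."""
    findings = []
    for nopriv, action, callback in AJAX_HOOK.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue  # closure or method callback: read it by hand
        if not AUTH_CHECK.search(body):
            who = "unauthenticated visitors" if nopriv else "logged-in users"
            findings.append(f"{callback}() serves wp_ajax_{nopriv}{action} to {who} "
                            "without a nonce or capability check")
    return findings


# Constructed sample: what a trojanized handler can look like.
BAD_PHP = r'''<?php
/* Plugin Name: Example Lightbox (constructed sample, not a real plugin) */
add_action('wp_ajax_nopriv_lb_save', 'lb_save');
function lb_save() {
    $opt = $_POST['settings'];
    update_option('lb_settings', $opt);
    @eval(base64_decode("ZWNobyAnaGknOw=="));
    echo "\x70\x77\x6e\x65\x64";
    wp_die();
}
'''
# Constructed sample: the same handler written the way WordPress expects.
GOOD_PHP = r'''<?php
add_action('wp_ajax_lb_save', 'lb_save');
function lb_save() {
    check_ajax_referer('lb_save', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_die('', '', 403);
    }
    $opt = sanitize_text_field(wp_unslash($_POST['settings']));
    update_option('lb_settings', $opt);
    wp_die();
}
'''

if __name__ == "__main__":
    for name, src in (("bad", BAD_PHP), ("good", GOOD_PHP)):
        print(name, scan_patterns(src), unprotected_ajax_handlers(src))
```

Run it over every .php file in a plugin's directory before activating it. The patterns are deliberately broad: a legitimate plugin may call wp_remote_get() for its own update server, for example, so treat each hit as a place to start reading rather than a verdict, and treat an unauthenticated AJAX handler with no nonce or capability check as a problem even when nothing else looks wrong.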
The Bottom Line
Developing your own WordPress site can be a pleasant and largely effortless experience, provided you use the right plugins along the way. Once you learn to recognize suspicious and untrustworthy add-ons, you can make sure your WordPress website does not get exploited by malicious actors.
More often than not, it is faulty plugins that open the backdoors these attacks come through. Remember that a great many plugins in circulation are poorly maintained or worse, and knowing how to protect yourself from them is one of the most important things to keep in mind when working with WordPress.