How many of you believe WordPress Plugins and Themes are safe?
Although the answer is yes, the plugins used to maximize your blog’s potential might lead to cyber-attacks if enough care isn’t exercised.
WordPress Plugins and Themes
As by far the most popular content management system, WordPress powers millions of different websites. It’s open source software, which means its source code is publicly accessible and can be modified by pretty much anyone with sufficient know-how.
Though WordPress plugins and themes can be purchased, tens of thousands of them are available for free. As one might expect, this does not come without its downsides. So how vulnerable are WordPress sites? What about its themes and plugins? And how can you protect your sites?
How Vulnerable Is WordPress?
In February 2022, Jetpack discovered that popular themes and plugins from a known vendor were compromised. The researchers spotted the vulnerability by accident, after discovering suspicious code on a compromised website. Upon further investigation, they realized most plugins and themes contained the same code.
Although the vendor updated and cleaned up their products, presumably thousands of users were vulnerable to attacks for a long period of time.
Do WordPress Plugins and Themes Have Vulnerabilities?
Jetpack’s findings underscore just how vulnerable WordPress can be. But this was not an isolated case.
In March 2021, for example, Wordfence disclosed major vulnerabilities in two WordPress plugins that, if successfully exploited, would have allowed an attacker to take over a website. The vulnerabilities were discovered in the Elementor and WP Super Cache plugins. Elementor is a website builder used on more than seven million websites, while WP Super Cache is a popular caching plugin.
Of those WordPress Plugins and Themes, nine were used on more than 1.3 million websites: Header Footer Code Manager, Ad Inserter—Ad Manager & AdSense Ads, Popup Builder, Anti-Malware Security and Brute-Force Firewall, WP Content Copy Protection & No Right Click, Database Backup for WordPress, Download Manager, and Advanced Database Cleaner.
How to Secure Your WordPress Site
One would assume these vulnerabilities are always patched up or removed once discovered, but that is actually not the case.
Researchers found that 2021 saw an increase of 150 percent in reported WordPress vulnerabilities compared to 2020—and 29 percent of those vulnerabilities received no patch. Researchers also found that just 0.58 percent of the reported flaws were in the WordPress core, which means that vulnerabilities are almost always found in plugins.
It is critical to ensure all plugins and themes you use are up to date, as well as the WordPress core itself.
Before downloading and installing a WordPress plugin or theme, make sure you do a bit of research first. Check how many installs the plugin has, read reviews online, see when it was last updated, and check whether it was tested with the latest WordPress core. This will only take a few minutes, but it could save you from a lot of trouble down the road.
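The pre-install checks above can be scripted. This added example (not from the original article) evaluates plugin metadata of the kind the WordPress.org plugin directory publishes; the field names `active_installs`, `last_updated` and `tested` follow that directory's plugin information API, while the thresholds, slugs and sample records are constructed assumptions.

```python
from datetime import date, datetime

# Assumed thresholds; tune them to your own risk appetite.
MIN_INSTALLS = 1000
MAX_AGE_DAYS = 365

def major_minor(version):
    """'5.9.1' -> (5, 9), so patch releases do not trigger a warning."""
    parts = (version.split(".") + ["0"])[:2]
    return tuple(int(p) for p in parts)

def vet_plugin(info, core_version, today):
    """Return a list of findings for one plugin metadata record."""
    findings = []
    if info.get("active_installs", 0) < MIN_INSTALLS:
        findings.append("low install count")
    # last_updated looks like '2022-02-10 3:12pm GMT'; the date part is enough.
    raw = info.get("last_updated", "")
    try:
        updated = datetime.strptime(raw.split(" ")[0], "%Y-%m-%d").date()
        if (today - updated).days > MAX_AGE_DAYS:
            findings.append("not updated in over a year")
    except ValueError:
        findings.append("no usable last-updated date")
    tested = info.get("tested")
    if not tested:
        findings.append("no tested-up-to version declared")
    elif major_minor(tested) < major_minor(core_version):
        findings.append(f"tested only up to {tested}, core is {core_version}")
    return findings

# Constructed sample records (hypothetical slugs, not real plugins).
SAMPLES = [
    {"slug": "example-cache", "active_installs": 2000000,
     "last_updated": "2022-02-10 3:12pm GMT", "tested": "5.9.1"},
    {"slug": "example-gallery", "active_installs": 300,
     "last_updated": "2019-06-01 8:00am GMT", "tested": "5.2"},
]

if __name__ == "__main__":
    for record in SAMPLES:
        issues = vet_plugin(record, core_version="5.9", today=date(2022, 3, 1))
        print(record["slug"], "->", issues or "no findings")
```

A clean result only means the plugin is popular and maintained; it says nothing about known vulnerabilities, which still need a separate lookup.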
Alternatively, you can use WPScan, which is a fairly simple and efficient WordPress vulnerability scanner. This tool can also be utilized to look up a plugin by name. The free version allows up to 25 API requests per day.
Fortunately, some plugins are actually designed to protect your WordPress site from intruders. Login LockDown, Wordfence, and BulletProof Security are some of the best WordPress security plugins today.
Login LockDown is completely free, while the other two have basic, free models.
WordPress Safety Tips
As vulnerable as WordPress Plugins and Themes can be, taking basic security precautions goes a long way when it comes to preventing and fending off cyberattacks.
Using unique login details and two-factor authentication, keeping all WordPress plugins and themes up to date, and hiding theme names and login details should be the foundation of your WordPress security hygiene.