Exclusive by Ivica | Free vs premium WordPress security plugins. What is the difference, pros and cons?
A WordPress plugin is an application that allows you to add new functionality to your WordPress site. Just like apps do for your smartphone.
If you are familiar with WordPress, you have probably encountered what’s called the “WordPress plugin repository”. Essentially, it is a large directory of free WordPress plugins that can be installed with a few clicks, through the WordPress admin interface, on any website that runs WordPress.
Currently, the repository contains almost 60,000 plugins with over one billion and 240 million downloads. Each of these plugins (at least most of them) brings certain features to a WordPress website, to put it in layman’s terms – they enhance its capabilities. But are these plugins safe to use, who creates them, maintains them, and who even reviews the plugins before they appear in the official WordPress plugin repository?
The creator and co-founder of the WordPress CMS is Matt Mullenweg, and his company Automattic owns WordPress.com. Every plugin published in the repository goes through a manual review before it becomes publicly available.
But is everything as secure and vetted as it seems? Recent incidents suggest that there are loopholes in the WordPress plugin ecosystem that can be abused to compromise and infect a large number of websites. Let us see how and why.
Authors of the WordPress Plugins
The authors of the plugins in the free WordPress repository are people with different profiles, from all over the world, with different programming skills, with different goals and intentions. It’s a motley crew that’s hard to describe in a few sentences.
The vast majority of plugin authors are well-meaning developers with excellent programming skills and knowledge of WordPress. But what about those who have bad intentions?
The life cycle of the average WordPress plugin
We have already mentioned that each plugin is manually reviewed before being made publicly available in the official WordPress plugin repository. But what happens after that?
Usually one of two things happens:
1. The plugin becomes very popular, it is adopted by a large number of people, and the developer finds a way to monetize an otherwise free plugin (through premium versions, paid customizations, etc.). The development cycle continues uninterrupted, with regular releases of new versions (bug fixes, new features) that can be installed through the standard WordPress admin interface.
2. The plugin never becomes popular, the developer loses interest or fails to monetize the project, stops releasing patches for previous versions regularly, neglects customer support, and the whole project slowly dies out.
When the WordPress plugin goes bad
As we noted above, the life cycle of the average WordPress plugin has two directions – it becomes popular and lives on, or it slowly fades into oblivion and dies out (technologically, of course).
In the (very rare) case we are looking at, the plugin is Custom Content Type Manager: a plugin developed over three years, downloaded by over 10,000 visitors to the WordPress repository, with an average rating of 4.8. It then passed into the hands of another developer; in short, into the hands of a developer with bad intentions. How exactly this happened nobody knows, not even the WordPress investigative team, but two explanations are considered possible:
a) The original author of the plugin sold his account with the plugin to a new author;
b) The original author abandoned the plugin, and someone hacked his account and took over the plugin with it.
What happened to the plugin then?
After 10 months of inactivity, the new “author” released a new version of the plugin. Naturally, all the users who had installed the plugin on their website started installing the new version, hoping it would be an improved version of the plugin they had used and loved for so long.
But the story did not go in that direction.
Our new “author” built into the plugin mechanisms for compromising the sites that downloaded the new version. Without going into too much technical detail: the new owner of the plugin (now we can call him a hacker) added code that collected website credentials (user account names) and recorded the web addresses (URLs) of all websites using his plugin. In this way he compiled a long list of websites and prepared everything for the attack, which followed very quickly.
The hacker then inserted infected files into the compromised WordPress installations, through which he took virtually complete control of each site’s operation, allowing him to insert any kind of content (ads, banners, additional infected scripts, etc.) into the site itself. After that, the sky is the limit. By controlling such a large number of websites, the possibilities for hackers are endless (selling advertising space, SEO links, spreading the infection to computers that visit infected websites, etc.).
So we have explained who, how, and why.
The question remains – are free WordPress plugins safe?
And the answer is – (largely) yes, but also no. A WordPress plugin is only as safe as its developer (i.e. the author) is trustworthy, and in many cases that is a very difficult and risky assessment. In the incident above, the problem arose when the plugin was updated to a new version that was not checked: new versions of an existing plugin do not go through the same review as new plugins first submitted to the repository. The new malicious owner of a previously well-intentioned plugin inserted malicious code into the new version, infecting a large number of websites whose owners did nothing more than click in their WordPress admin interface to install the update.
How can you protect yourself?
By democratizing and decentralizing the way WordPress works, we have all gained a lot. We have gained an open and reliable platform that we can easily extend indefinitely, but we have also gained the ability for anyone, even the biggest layman, to implement very sophisticated programming code on a site they do not understand at all with just a few clicks.
We have also been given the opportunity for anyone with sufficient knowledge to write program code and turn it into a WordPress plugin that can be used by an incredible number of people.
This code is usually not malicious, but infection is not the only potential danger. Remember that the average free WordPress plugin is developed mostly in its developers’ spare time, so it is normal for bugs to slip in – and those bugs can also cause problems with your website, even leading to instability and crashes.
3 differences between WordPress Free Vs. Premium security plugins
The main differences are listed below. If you are not sure whether premium WordPress security plugins are worth the money, here are some reasons why they are:
1. WordPress-Specific Solutions
2. Advanced Features
3. Dedicated Support from Plugin Developers
4. Extensive Documentation and Tutorials
5. Regular and Frequent Updates
6. New Features and Enhancements
7. Supporting The WordPress Ecosystem
Where can you find your plugin?
Once the plugin is installed, you’ll usually need to play around with the settings a bit.
You can access them in 3 ways in your WordPress Dashboard:
– in the menu on the left, find “Plugins” -> click on “Installed Plugins” -> click on “Settings” under the plugin’s name.
– in the menu on the left, click on “Settings” or “Tools”, find the name of your plugin, and change the appropriate settings there.
– find the plugin as a separate item in the left menu (usually under “Settings”) and open its settings from there.
How do I choose the right plugin?
There are a few signals that tell you how good (or bad) a plugin is (this is especially true for plugins that have their own plugin pages on the wordpress.org site):
1. Does the plugin have a high rating?
A high rating is a criterion that you need to approach with some caution. Not all well rated plugins are worth installing on your WordPress website. A high rating is no guarantee of quality if only a small number of people participated in the evaluation. The number of participants is shown in parentheses next to the stars.
2. How many websites are currently using this plugin?
The number of active installs is one of the strongest indicators of plugin quality, because users do not keep plugins that do not do their job properly.
3. How often is the plugin updated, i.e. when was the last update?
One of the most important points, even if it does not look like it at first glance.
WordPress is updated several times a year and therefore it is very important that the plugin is also updated regularly to be compatible with the latest version of WordPress.
Updates are also important because they fix security as well as other bugs related to the functionality of the plugin itself.
4. What do users of the plugin think of it in their reviews?
If a plugin’s rating is high and it has a large number of active installs, isn’t that sufficient evidence of quality? Why should you read the comments as well?
Some plugins work great at first, but their functionality may not be at the same level over time. The best way to find out is to take a look at the comments.
There you will also find out which issues the users of this plugin encounter most often.
5. How complicated is it to install and use the plugin?
Some plugins are easy to use, while for others you need to put in a lot of effort to make them work.
You can usually find this information on one of the tabs on the plugin page (usually the “Installation” or “Screenshots” tabs).
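As an added example (not from the article), here is the checklist above turned into a small Python triage script. The field names follow the wordpress.org plugin info API; the three plugin records and the thresholds are constructed for illustration and are not real plugins or values from the article.

```python
import json
from datetime import datetime, timezone
# Constructed sample, modelled on fields of the wordpress.org plugin info API
# (rating is a percentage; last_updated looks like "YYYY-MM-DD H:MMam GMT").
SAMPLE_PLUGINS = json.loads("""[
 {"slug": "well-maintained-guard", "rating": 96, "num_ratings": 1240,
  "active_installs": 300000, "last_updated": "2024-05-02 9:15am GMT",
  "tested": "6.5.2", "support_threads": 40, "support_threads_resolved": 36},
 {"slug": "shiny-but-unproven", "rating": 100, "num_ratings": 3,
  "active_installs": 200, "last_updated": "2024-04-20 2:00pm GMT",
  "tested": "6.5", "support_threads": 1, "support_threads_resolved": 0},
 {"slug": "abandoned-content-manager", "rating": 92, "num_ratings": 210,
  "active_installs": 10000, "last_updated": "2022-08-11 11:30am GMT",
  "tested": "6.0.1", "support_threads": 12, "support_threads_resolved": 2}
]""")

MIN_RATINGS, MIN_INSTALLS, MAX_AGE_DAYS = 50, 1000, 365  # assumed thresholds
CURRENT_WP = (6, 5)                                 # assumed current WordPress branch
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" for the sample

def days_since_update(last_updated, now):
    # Parse the API timestamp (always GMT) and count whole days since then.
    stamp = datetime.strptime(last_updated, "%Y-%m-%d %I:%M%p GMT")
    return (now - stamp.replace(tzinfo=timezone.utc)).days

def assess(plugin, now):
    """Warnings the article's checklist raises for one plugin (empty = no red flags)."""
    warnings = []
    if plugin["num_ratings"] < MIN_RATINGS:   # high rating, but from how many voters?
        warnings.append(f"{plugin['rating']}% rating rests on only {plugin['num_ratings']} votes")
    if plugin["active_installs"] < MIN_INSTALLS:
        warnings.append(f"only {plugin['active_installs']} active installs")
    age = days_since_update(plugin["last_updated"], now)
    if age > MAX_AGE_DAYS:
        warnings.append(f"last update was {age} days ago")
    if tuple(int(p) for p in plugin["tested"].split(".")[:2]) < CURRENT_WP:
        warnings.append(f"only tested up to WordPress {plugin['tested']}")
    threads, resolved = plugin["support_threads"], plugin["support_threads_resolved"]
    if threads and resolved / threads < 0.5:   # unanswered support = neglected plugin
        warnings.append(f"only {resolved} of {threads} support threads resolved")
    return warnings

def triage(plugins, now):
    """Map each slug to its warnings so a reviewer knows what to inspect by hand."""
    return {p["slug"]: assess(p, now) for p in plugins}

if __name__ == "__main__":
    for slug, issues in triage(SAMPLE_PLUGINS, AS_OF).items():
        print(f"{slug}: {'; '.join(issues) or 'no red flags'}")
```

The warnings are prompts for the manual review the article recommends (reading the comments, checking the changelog), not an automatic verdict.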
3 Golden WordPress Plugin Rules
#1 Plugins are not Pokémon and you do not have to collect them all.
Too many plugins slow down a site, and we all know Google does not like slow sites.
If you are aiming for a high position in the search engines, choose carefully which and how many plugins you will install.
#2 Read rule number 1 before installing any new plugin.
#3 Never, but really never, ignore rule number 2.
How and where to buy security Premium plugins?
It is important that you know from whom you are buying the plugin. Just as you choose a store to go to for a new laptop, for example, and pay close attention to the model, brand and performance, but also to the behavior of the dealer from whom you expect to get all the necessary information, follow the same logic when buying a WordPress plugin.
On websites like virusdie.com, you will not only find what you are looking for, but you will also get additional security advice and support – isn’t that exactly what you need?
Take care of every security segment in time. That way, you will not regret it later.
Yep, and now Virusdie has its own WordPress plugin! You can download the Virusdie WordPress plugin for free.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.
Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.