Plugins Remain WordPress' Biggest Vulnerability

According to a security firm, plug-ins remain WordPress' biggest vulnerability.

WordPress runs a huge percentage of all websites on the Internet. That popularity makes it a big target for hackers looking for security vulnerabilities, and there are plenty to find.

The WPScan vulnerability database lists 4,284 known WordPress vulnerabilities. Fully 50% of those are found in WordPress plug-ins. By contrast, 10% are in WordPress themes and the remaining 40% are WordPress core vulnerabilities.

Part of the problem is the sheer number of plug-ins in use. There are 54,000 in the official directory and an unquantified number from unofficial sites, third-party suppliers and lone developers. Some of these are open-source or easily reverse-engineered. Many are written by part-timers and amateur developers with partial or no knowledge of WordPress security standards. Source code is available to fork and modify on a number of code repositories.

The wonder isn't that some plug-ins are insecure, but that more plug-ins aren't.

The problem is magnified by the attraction of free. All those free WordPress plug-ins and themes from random sites risk a payload of malicious code, viruses and encrypted links.

Safe Shopping

Sourcing safe themes and plug-ins demands the same approach as any other online shopping. Use reputable directories and marketplaces such as ThemeForest and CodeCanyon. Don't be tempted by premium or paid themes or plug-ins which some kind soul has made available for free. You have no idea what hides inside that act of charity.

Apply the same standards to sourcing your plug-ins as you would to buying a used car, life insurance or a heavily discounted parachute ('only one owner, deceased'). Stay safe. RC
