Plugins Remain WordPress' Biggest Vulnerability
WordPress runs a huge percentage of all websites on the Internet. That popularity makes it a big target for hackers looking for security vulnerabilities, and there are plenty to find.
The WPScan vulnerability database lists 4,284 known WordPress vulnerabilities. Fully 50% of those are found in WordPress plug-ins. By contrast, 10% are in WordPress themes and the remaining 40% are WordPress core vulnerabilities.
Part of the problem is the sheer number of plug-ins in use. There are 54,000 in the official directory and an unquantified number from unofficial sites, third-party suppliers and lone developers. Some of these are open-source or easily reverse-engineered. Many are written by part-timers and amateur developers with partial or no knowledge of WordPress security standards. Source code is available to fork and modify on a number of code repositories.
The wonder isn't that some plug-ins are insecure, but that more plug-ins aren't.
The problem is magnified by the attraction of free. All those free WordPress plug-ins and themes from random sites risk carrying a payload of malicious code, viruses and encrypted links.
Sourcing safe themes and plug-ins demands the same approach as any other online shopping. Use reputable directories and marketplaces such as WordPress.org, Themeforest and CodeCanyon. Don't be tempted by premium or paid themes or plug-ins which some kind soul made available for free. You have no idea what hides inside that act of charity.
Apply the same standards to sourcing your plug-ins as you would to buying a used car, life insurance or a heavily discounted parachute ('only one owner, deceased'). Stay safe. RC
Image credit: https://wordfence.com