6/2/2016: How to Avoid Security Risks with WordPress Plugins

June 2, 2016

Every week, and sometimes several times a week, we get word that a vulnerability has been found in a WordPress plugin and exploited by hackers to send spam, create search-engine spam, or otherwise deface your WordPress website.

Sign Up for our WordPress Security Package - For a Limited Time Just $7.50 a Month!

Therefore, it seems like a good idea to offer some tips on how to choose plugins.  The first thing you should be aware of is that the plugins you find for WordPress are not written, tested or validated by WordPress.  Anyone and their brother can add plugins to the WordPress repository.  That in itself should be of grave concern, because even hackers can add plugins that appear to offer useful functionality but are really designed to break into your site.

It's impossible to know for certain whether or not a plugin will have security vulnerabilities.  In fact, all plugins, even the most trusted, will have security problems from time to time.  Even Yoast SEO and Jetpack, the second and third most popular plugins on WordPress, recently had security vulnerabilities.  But since they are so popular, the developers are constantly monitoring them and can fix problems quickly.

The three most important things you can do to ensure that you're getting reputable plugins are to:

  • Check the date they were last updated
  • Check how many users they have
  • Read the 5- and 1-star reviews

If a plugin hasn't been updated in the last 6 months, don't even think about installing it on your site.  The reason is that things change so quickly, and WordPress updates so often, that almost every plugin will need to be updated at least once every 6 months.  There are a few exceptions, but they are rare.

You definitely want to check how many active installs a plugin has.  The top plugins like Jetpack and Yoast have over a million active installs.  We recommend only using plugins that have at least 10,000 active installs.  There are exceptions, but if you see a plugin with only 500 active installs, proceed with great caution.

A lot of plugins will show all 5-star reviews, leaving the impression that they're awesome, but when you check how many times they've been rated you might see just 5 or 10 ratings.  Generally, the more a plugin has been downloaded, the better.  A lot of downloads usually keeps the developers working on the plugin.  Only a handful of downloads is a sign that the developer may have lost interest and won't be around to fix it when a security issue arises.

If you don't see any 1-star reviews, it means not enough people have used the plugin to produce any.  That in itself is an indication that maybe you shouldn't bother installing it.  ALL plugins that have had enough users will have at least a few 1-star reviews, so you actually want plugins that have a few.  1-star reviews also show that it's not just the developer and their friends posting fake reviews.  Read some of the 1-star reviews to get a sense of whether the problems are serious or whether they were just written by grumpy people who don't really know what they're doing.
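The three checks above can be automated against the WordPress.org Plugin Information API (https://api.wordpress.org/plugins/info/1.2/), which reports a plugin's `last_updated` date, `active_installs` count and a `ratings` breakdown by star. The script below is an added example written for this article, not LazyLizard's own tooling; the `SAMPLE_PLUGINS` records are constructed to exercise each check and are not real plugins, and the `MIN_RATINGS` threshold is an assumption (the article gives no number for "enough reviews").

```python
"""Vet a WordPress.org plugin against the article's three checks:
last-updated date, active install count, and the shape of its reviews.
Added example, not the article's own code; sample records are constructed."""
import json
import urllib.parse
import urllib.request
from datetime import date, datetime, timezone

API_URL = "https://api.wordpress.org/plugins/info/1.2/"
MAX_AGE_DAYS = 183            # the article's "updated in the last 6 months"
MIN_ACTIVE_INSTALLS = 10_000  # the article's recommended floor
MIN_RATINGS = 30              # assumption: below this a 5-star average means little

# Constructed sample records in the shape the Plugin Information API returns
# (fields last_updated, active_installs, ratings, num_ratings). Not real plugins.
SAMPLE_PLUGINS = {
    "well-maintained-example": {
        "last_updated": "2016-05-20 3:15pm GMT",
        "active_installs": 1_000_000,
        "ratings": {"1": 40, "2": 12, "3": 25, "4": 90, "5": 820},
        "num_ratings": 987,
    },
    "abandoned-example": {
        "last_updated": "2015-09-01 9:00am GMT",
        "active_installs": 500,
        "ratings": {"1": 0, "2": 0, "3": 0, "4": 0, "5": 6},
        "num_ratings": 6,
    },
    "suspiciously-perfect-example": {
        "last_updated": "2016-04-10 1:00pm GMT",
        "active_installs": 20_000,
        "ratings": {"1": 0, "2": 0, "3": 0, "4": 0, "5": 60},
        "num_ratings": 60,
    },
}


def fetch_plugin_info(slug):
    """Fetch one plugin's record from the live API (needs network access)."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API_URL}?{query}", timeout=15) as resp:
        return json.load(resp)


def vet_plugin(info, today=None):
    """Return a list of reasons for caution; an empty list means all checks pass.
    `today` is an ISO date string, defaulting to the current UTC date."""
    today_d = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    problems = []

    # 1. Last update: the API gives e.g. "2016-05-20 3:15pm GMT"; the date part suffices.
    last = date.fromisoformat(info["last_updated"][:10])
    age = (today_d - last).days
    if age > MAX_AGE_DAYS:
        problems.append(f"last updated {age} days ago (limit {MAX_AGE_DAYS})")

    # 2. Adoption: the API reports active installs, which is what the article asks for.
    installs = int(info.get("active_installs", 0))
    if installs < MIN_ACTIVE_INSTALLS:
        problems.append(f"only {installs} active installs (want >= {MIN_ACTIVE_INSTALLS})")

    # 3. Reviews: enough of them, and a realistic spread that includes some 1-star ones.
    ratings = {int(stars): int(n) for stars, n in info.get("ratings", {}).items()}
    total = sum(ratings.values())
    if total < MIN_RATINGS:
        problems.append(f"only {total} ratings, too few to trust the average")
    elif ratings.get(1, 0) == 0:
        problems.append(f"{total} ratings but no 1-star reviews: looks unused or curated")
    return problems


def vet_all(plugins, today=None):
    """Vet a mapping of slug -> API record; returns {slug: [problems]}."""
    return {slug: vet_plugin(info, today) for slug, info in plugins.items()}


if __name__ == "__main__":
    # Run against the constructed samples; swap in fetch_plugin_info(slug) for live data.
    for slug, problems in vet_all(SAMPLE_PLUGINS, today="2016-06-02").items():
        print(f"{slug}: {'OK' if not problems else 'CAUTION'}")
        for problem in problems:
            print(f"  - {problem}")
```

To vet a plugin you are considering, replace the sample dictionary with `{slug: fetch_plugin_info(slug)}`; the thresholds at the top are the article's numbers and can be tightened for sites where a compromised plugin would be costly.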
