Keep WordPress Websites Secure with Fewer Plugins
When it comes to the number of plugins you have installed on your WordPress website, less is definitely more.
Although installing dozens of cool WordPress plugins may sound tempting, try to resist. Every plugin is more code running on your server, and too many of them can lead to a breach of your website’s security, leaving you entirely exposed. The consequences range from slow loading times and outright crashes to PHP (Hypertext Preprocessor) malware infections, which we’ll delve into a little later.
This isn’t to say that popular plugins aren’t worth your while (Yoast and WooCommerce rightly deserve their popularity, for example), it just means being more discerning about which ones you actually decide to install.
That’s why we’re here, to give you a general overview that helps you figure out which ones are reliable and which ones you should skip.
Are WordPress plugins secure?
WordPress is open source and so is its plugin directory, which means that any user, located anywhere, can write their own code and submit a customized plugin to the ever-expanding WordPress library. Sounds awesome, right?
In theory, yes.
However, this “by-the-people” approach means that thousands of WordPress plugins (and yes, to some extent WordPress themes) get created in a very short amount of time. A plugin is reviewed when it is first submitted to the directory, but the updates its author publishes afterwards are not routinely re-reviewed, so the code a plugin ships today has often been looked at by nobody but its developer. These easy extensions often seem attractive, especially for those searching for a cool or useful feature that’s yet to be created.
And because the source code of every plugin in the WordPress library is public and written in PHP, a widely used and easy-to-read language, anyone can read it and modify it locally once they’ve downloaded it for their own website. That openness cuts both ways: security researchers can audit a plugin, but so can attackers.
Plugin developers don’t always keep their code up to date, and unmaintained code tends to accumulate unintentional security holes. An attacker can read through a plugin’s code, find such a hole (an upload form that doesn’t check file types, a database query built from user input, a settings page with no permission check) and use it to run their own code on every website that has that plugin installed. Separately, it’s also possible for someone to submit a plugin to the library that is malicious by design. The first scenario is not rare: exploited plugin vulnerabilities are one of the most common ways WordPress websites get compromised, which is exactly why the number of plugins you run matters.
Can WordPress plugins be dangerous?
Try imagining your WordPress website is the same as your trusted smartphone. You wouldn’t just install any application on there, would you?
The same goes for any WordPress plugin that seems too good to be true. Although you might not know straight away which ones are safe to use, feel free to cross-reference them with our handy list of dangerous plugins.
Although we can’t help you to avoid all the bad apples within WordPress plugins, we can help you to be more selective. Before downloading any plugin, ask yourself the following questions:
- How many installations does this plugin have?
- Are people giving it good reviews?
- Is it updated regularly?
- Was it tested with the latest version of WordPress?
- Are the support questions answered in a timely fashion?
- Can you avoid using a plugin by adding your own code snippet on the website that covers plugin functionality?
Just as it’s up to every plugin developer to manage and maintain their respective plugin, it’s up to you as the WordPress website owner to do your due diligence before installing.
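The questions above can be answered from the public plugin-information endpoint on api.wordpress.org, which reports active installs, rating, last update date, the WordPress version the plugin was tested with, and support-thread counts. The script below is an added example written for this article, not a Namecheap or WordPress.org tool: fetch_plugin_info() performs the live lookup (the endpoint and field names are real), while vet_plugin() scores the returned record, so it is demonstrated on two constructed sample records instead of live data. The thresholds (1,000 installs, 70/100 rating, one year since the last update, half of support threads resolved) are this example’s own assumptions, not an official standard.

```python
"""Score a WordPress.org plugin against the vetting questions above.

Added example; not Namecheap's or WordPress.org's own tooling.
fetch_plugin_info() calls the real plugin-information endpoint (needs
network); vet_plugin() works on the returned dictionary and is shown below
on constructed samples. The thresholds are this example's own assumptions.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

API_URL = ("https://api.wordpress.org/plugins/info/1.2/"
           "?action=plugin_information&request[slug]={slug}")

# Assumed thresholds: tune them to your own risk appetite.
MIN_ACTIVE_INSTALLS = 1000
MIN_RATING = 70                  # the API reports "rating" on a 0-100 scale
MAX_DAYS_SINCE_UPDATE = 365
MIN_SUPPORT_RESOLVED_RATIO = 0.5


def fetch_plugin_info(slug: str) -> dict:
    """Live lookup by plugin slug (the last part of its wordpress.org URL)."""
    with urlopen(API_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def major_minor(version: str) -> tuple:
    """'6.5.2' -> (6, 5); anything that is not a number is ignored."""
    return tuple(int(p) for p in version.split(".")[:2] if p.isdigit())


def vet_plugin(info: dict, current_wp: str, today: datetime) -> list:
    """Return the list of warnings; an empty list means every question passed."""
    warnings = []

    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"only {installs} active installs")

    rating, num_ratings = info.get("rating", 0), info.get("num_ratings", 0)
    if num_ratings == 0:
        warnings.append("no reviews yet")
    elif rating < MIN_RATING:
        warnings.append(f"rating {rating}/100 from {num_ratings} reviews")

    # The API formats last_updated like "2024-03-12 5:43pm GMT"; the date is enough.
    last_updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d")
    age = today - last_updated.replace(tzinfo=timezone.utc)
    if age > timedelta(days=MAX_DAYS_SINCE_UPDATE):
        warnings.append(f"last updated {age.days} days ago")

    tested = info.get("tested", "")
    if major_minor(tested) < major_minor(current_wp):
        warnings.append(f"tested up to WordPress {tested or 'unknown'}, you run {current_wp}")

    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads >= 10 and resolved / threads < MIN_SUPPORT_RESOLVED_RATIO:
        warnings.append(f"only {resolved} of {threads} recent support threads resolved")

    return warnings


# Constructed sample records shaped like the API response (not real plugins).
SAMPLE_HEALTHY = {
    "slug": "example-forms", "active_installs": 500000, "rating": 92,
    "num_ratings": 1200, "last_updated": "2024-04-02 9:10am GMT",
    "tested": "6.5.0", "support_threads": 40, "support_threads_resolved": 31,
}
SAMPLE_ABANDONED = {
    "slug": "example-slider", "active_installs": 300, "rating": 64,
    "num_ratings": 7, "last_updated": "2021-01-15 2:00pm GMT",
    "tested": "5.6", "support_threads": 12, "support_threads_resolved": 2,
}
TODAY = datetime(2024, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_ABANDONED):
        verdict = vet_plugin(sample, "6.5.2", TODAY)
        print(sample["slug"], "->", "OK" if not verdict else "; ".join(verdict))
    # For a real plugin: vet_plugin(fetch_plugin_info("akismet"), "6.5.2",
    #                               datetime.now(timezone.utc))
```

The checks are deliberately conservative: a plugin with no reviews or no “tested up to” value is flagged rather than given the benefit of the doubt, because silence from a developer is itself a signal.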
What is PHP malware?
PHP is the server-side programming language WordPress itself is written in, so PHP malware is simply malicious PHP code (a backdoor, often called a web shell) that has been dropped into your website’s files, where it runs on the server with the same permissions as your website. Attackers usually get it there through a vulnerable plugin or theme, and an outdated PHP interpreter makes things worse: PHP ships security fixes regularly, and each release branch stops receiving them a few years after it comes out, so running an old version leaves known bugs in the interpreter itself unpatched.
Need another reason to update? Updating also weeds out bad plugins that aren’t compatible with the current PHP version. If a plugin is not compatible with that version, it can simply crash your website and make it unavailable to your visitors, so try a PHP version change on a staging copy of the site before applying it to the live one. In other words, by staying on a supported PHP version, you’ll continue to keep your WordPress website secure.
What about WordPress themes?
WordPress themes, in essence, alter your website or blog’s visual appearance, whereas WordPress plugins alter what it can do.
Anyone can create and publish a theme, and many “free” themes redistributed outside the official directory (so-called nulled themes) carry base64-encoded blobs in their PHP files that get decoded and executed at runtime, a common way of hiding spam links or a backdoor. This is, unfortunately, just another way for hackers to gain access to your website files and upload malware.
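The hidden-code trick is easy to spot once you know the shape of it: an execution function such as eval() wrapped directly around a decoder such as base64_decode(), or a long base64 string that turns into PHP when decoded. The scanner below is an added example written for this article, not a product or part of WordPress; it checks both patterns over every .php file in a directory. The sample functions.php it scans is constructed here (the “payload” is a harmless echo statement encoded at import time), and it also contains a legitimate base64 literal, an inline PNG, to show that not every base64 string is a problem.

```python
"""Look for base64-hidden code in theme (or plugin) PHP files.

Added example, not part of the original article and not a product scanner.
It flags an execution function wrapped directly around a decoder
(eval(base64_decode(...))) and any long base64 literal that decodes to text
that looks like PHP. The sample file below is constructed for this example.
"""
import base64
import os
import re

SUSPICIOUS_CALL = re.compile(
    r"\b(eval|assert|create_function|system|shell_exec|passthru|exec)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode)\s*\(",
    re.IGNORECASE,
)
# A quoted run of at least 40 base64 characters, optionally padded.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# If the decoded text contains one of these, it is code, not an image or font.
CODE_MARKERS = ("<?php", "eval(", "$_POST", "$_GET", "$_REQUEST", "$_COOKIE",
                "system(", "curl_", "fopen(", "<a href", "echo ")


def decode_base64_text(literal: str):
    """Return the decoded text, or None if it is not valid base64 or not text."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_php_source(source: str, path: str = "<string>") -> list:
    """Scan one file's contents; each finding records file, line and reason."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SUSPICIOUS_CALL.search(line):
            findings.append({"file": path, "line": lineno,
                             "reason": "execution function wrapped around a decoder"})
        for match in B64_LITERAL.finditer(line):
            decoded = decode_base64_text(match.group(1))
            if decoded and any(marker in decoded for marker in CODE_MARKERS):
                findings.append({"file": path, "line": lineno,
                                 "reason": "base64 literal decodes to code",
                                 "decoded": decoded[:120]})
    return findings


def scan_directory(root: str) -> list:
    """Walk a theme or plugin directory and scan every .php file in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(fh.read(), path))
    return findings


# Constructed sample in the style of a nulled theme's functions.php. The hidden
# payload is built from a harmless string here so the sample is reproducible.
HIDDEN_PAYLOAD = "echo '<a href=\"https://example.com/\">seo link</a>';"
ENCODED_PAYLOAD = base64.b64encode(HIDDEN_PAYLOAD.encode()).decode()
SAMPLE_FUNCTIONS_PHP = f"""<?php
// 1x1 transparent PNG used as a spacer: a legitimate base64 literal.
$spacer_png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
add_action('wp_footer', 'theme_credit');
function theme_credit() {{
    eval(base64_decode('{ENCODED_PAYLOAD}'));
}}
"""

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_FUNCTIONS_PHP, "functions.php"):
        print(finding)
    # Against a real install: scan_directory("wp-content/themes")
```

Treat a hit as a reason to look, not as proof: some legitimate plugins decode base64 for licence checks or embedded assets, which is why the scanner reports what the literal decodes to instead of just its presence.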
However, WordPress themes differ from WordPress plugins in a few ways:
- Theme creation is often more complicated than plugin creation
- Users can install several themes but only one theme can be activated at once
- Themes are usually lighter in terms of storage needed than plugins
To ensure you are running only safe themes, you should only download or purchase themes from reputable theme shops or from the WordPress theme directory. Choosing free themes from random websites is a recipe for disaster.
Curious about how to choose a WordPress theme for your website? Jackie Dana breaks it down nicely.
Keep your WordPress website secure
Now is as good of a time as any to do a quick inventory of your WordPress plugins.
- Do you have too many?
- Do you have ones you’ve never used?
- Do you have ones you’ve only used once or twice?
Plugins you never use tend to never get updated either, and an outdated plugin is a welcome sign for hackers. Deactivating a plugin does not remove its files: they stay in your wp-content/plugins folder, still reachable by URL, and a known hole in one of them can still be exploited if the vulnerable file can be requested directly. If you haven’t disabled directory browsing for that folder, some simple sniffing around lets a would-be hacker list exactly which old, disabled plugins you have, pick a vulnerable one, and use it to plant malicious script that works its way into your core files. Delete what you don’t use rather than merely deactivating it.
Keep in mind that plugins can also majorly slow down your website. Every plugin you add is more PHP that runs on the server for each request, and many also add scripts and stylesheets that the visitor’s browser has to download and process. Sometimes the slowdown comes from badly-coded plugins, sometimes from plugins that aren’t compatible with your current setup. Whatever the reason, having too many plugins will make your website take more time to load.
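If you have command-line access, the inventory above takes a minute with WP-CLI: `wp plugin list --format=json` prints every installed plugin with its status and whether an update is available. The script below is an added example written for this article, not a Namecheap or WP-CLI tool; it reads that JSON, separates what to delete (inactive) from what to update (active with an update pending), prints the matching `wp plugin delete` and `wp plugin update` commands, and includes a small check that tells an “Index of /wp-content/plugins” directory listing apart from the empty page WordPress normally serves there. The inventory and the two page bodies are constructed for the example. On Apache, `Options -Indexes` in your .htaccess turns directory listings off; nginx leaves them off unless autoindex has been enabled.

```python
"""Triage the plugin inventory from `wp plugin list --format=json`.

Added example; not part of the article and not a Namecheap or WP-CLI tool.
The WP-CLI commands it reads from and emits are real; the inventory and the
two sample page bodies are constructed for this example.
"""
import json
import subprocess


def load_plugin_list(raw_json: str) -> list:
    """Parse WP-CLI's JSON (fields used: name, status, update)."""
    return json.loads(raw_json)


def live_plugin_list(site_path: str) -> list:
    """Run WP-CLI against a local WordPress install (needs `wp` on PATH)."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={site_path}"],
        check=True, capture_output=True, text=True,
    )
    return load_plugin_list(result.stdout)


def triage(plugins: list) -> dict:
    """Decide what to delete and what to update, and build the WP-CLI commands."""
    to_delete = [p["name"] for p in plugins if p["status"] == "inactive"]
    to_update = [p["name"] for p in plugins
                 if p["status"] != "inactive" and p["update"] == "available"]
    commands = []
    if to_delete:
        commands.append("wp plugin delete " + " ".join(to_delete))
    if to_update:
        commands.append("wp plugin update " + " ".join(to_update))
    return {"delete": to_delete, "update": to_update, "commands": commands}


def looks_like_directory_listing(body: str) -> bool:
    """True if a response body is an Apache/nginx autoindex page for the folder."""
    return "<title>index of " in body[:2000].lower()


# Constructed inventory in the shape WP-CLI prints (status: active/inactive,
# update: none/available). These are not real findings about any site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "woocommerce", "status": "active", "update": "available", "version": "8.5.1"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0.3"},
    {"name": "wordpress-seo", "status": "active", "update": "none", "version": "22.1"},
])

# Constructed responses for /wp-content/plugins/: a listing, and the blank
# page produced by the index.php WordPress ships in that folder.
LISTING_PAGE = ("<html><head><title>Index of /wp-content/plugins</title></head>"
                "<body><h1>Index of /wp-content/plugins</h1></body></html>")
SILENT_PAGE = ""

if __name__ == "__main__":
    report = triage(load_plugin_list(SAMPLE_INVENTORY))
    print("delete:", report["delete"])
    print("update:", report["update"])
    for command in report["commands"]:
        print(command)
    print("listing exposed:", looks_like_directory_listing(LISTING_PAGE))
    # Against a real install: triage(live_plugin_list("/var/www/html"))
```

Review the delete list before running the command: a plugin you disabled on purpose for a seasonal feature still counts as inactive, and deletion removes its files (though normally not the data it stored in the database).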
So remember, less is more! Now going forward, don’t forget to take mental note of the following:
- Only install plugins you actually need (for Namecheap Shared Hosting customers, we recommend 3-5)
- Only install reliable plugins
- Always update to the latest versions (this means PHP, too!)
- Always update WordPress core
Given that outdated plugins are one of the leading causes of cyberattacks, make sure to set up automatic updates so known holes get patched without waiting for you. Since WordPress 5.5 you can switch on auto-updates for each plugin right from the Plugins screen; if you want finer control over what updates and when, our plugin pick is Easy Updates Manager.
Need help creating your WordPress website? Try EasyWP, Namecheap’s Managed WordPress solution that’s blazingly fast, free of technical hassles, and starts at just $1.00/month for the first month.