This year, WordPress security came into mainstream view, largely because of a couple of high-profile security incidents earlier in the year.
One of WordPress's main benefits is the ability to use plugins to accomplish things without the need for programming. There are literally tens of thousands of plugins out there, written by everyone from large corporations to individuals with no credentials at all, and every one of them runs with the same privileges as WordPress itself. As such, plugins are one of the biggest attack surfaces in the WordPress ecosystem.
Aside from evaluating their general features, it does make sense to select plugins with security in mind. Here are some tips to help you choose WordPress plugins that are more secure:
1. Consider active installations
More important than the number of downloads, the number of active installations is shown on the main page of any plugin in the WordPress directory and tells you how many websites are actually running this plugin right now. Popularity in and of itself is not a sign of security, but there is a clear correlation between how popular a plugin is and how well maintained it is: a widely used plugin has more people finding and reporting bugs, and its author has more reason to fix them promptly. If you had your pick of two plugins that both serve your needs but one has five times as many active installations as the other, you would be wise to choose the more popular one.
2. Keep all plugins up-to-date
If, like most WordPress users, you have a number of plugins, you'll probably see that you have some updates to do almost every time you log in. As much of a hassle as this is, it's very important to install updates as soon as they're available, because developers may be pushing an update for a specific reason, such as patching a known security bug. The changelog on the plugin's page usually says so.
One common misconception is that you only need to worry about updating the plugins you actually use. This might make intuitive sense, but the code for every installed plugin, active or not, still sits in wp-content/plugins on your server, and its files can still be requested directly by a visitor. A vulnerability in an inactive plugin is therefore still exploitable; deactivating a plugin is not the same as removing it. So your best bet is to update all your plugins in a timely fashion. If you have plugins installed that you don't use and they are a pain to keep updated, delete them entirely. You can always download them again later if you end up needing them.
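The maintenance routine above, as an added example that is not part of the original post or of any CanSpace tooling: it takes the plugin inventory that WP-CLI prints with `wp plugin list --format=json --fields=name,status,update,version` and turns it into a plan that updates every plugin with a pending update (inactive ones included) and deletes inactive plugins you have not explicitly chosen to keep. The inventory below is constructed for the example; the `keep` list and the decision to delete rather than merely deactivate are policy choices assumed here.

```python
"""Plan plugin updates and deletions from a WP-CLI plugin inventory.

The inventory shape follows `wp plugin list --format=json --fields=name,status,update,version`:
"status" is active / inactive / active-network / must-use / dropin and
"update" is "available" or "none". The sample below is constructed, not
taken from a real site.
"""
import json
import shutil
import subprocess

# Statuses that `wp plugin update` / `wp plugin delete` can act on.
MANAGEABLE = {"active", "inactive", "active-network"}

# Constructed sample inventory (not a real site).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "akismet",        "status": "active",         "update": "none",      "version": "5.3"},
  {"name": "hello",          "status": "inactive",       "update": "available", "version": "1.7.2"},
  {"name": "classic-editor", "status": "active",         "update": "available", "version": "1.6.3"},
  {"name": "old-gallery",    "status": "inactive",       "update": "none",      "version": "0.9"},
  {"name": "sso-bridge",     "status": "active-network", "update": "available", "version": "2.1"}
]""")


def load_inventory():
    """Read the live inventory from WP-CLI if it is installed, else use the sample."""
    if shutil.which("wp") is None:
        return SAMPLE_INVENTORY
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json",
         "--fields=name,status,update,version"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def plan_maintenance(inventory, keep=()):
    """Decide what to delete and what to update.

    - Inactive plugins not listed in `keep` are deleted: their files would
      otherwise stay on disk and remain reachable.
    - Everything else with a pending update is updated, whether active or not.
    Order follows the inventory so the result is deterministic.
    """
    keep = set(keep)
    delete = [p["name"] for p in inventory
              if p["status"] == "inactive" and p["name"] not in keep]
    update = [p["name"] for p in inventory
              if p["status"] in MANAGEABLE
              and p["update"] == "available"
              and p["name"] not in delete]
    return {"delete": delete, "update": update}


def wp_commands(plan):
    """Render the plan as WP-CLI commands; delete first so nothing is updated needlessly."""
    commands = []
    if plan["delete"]:
        commands.append("wp plugin delete " + " ".join(plan["delete"]))
    if plan["update"]:
        commands.append("wp plugin update " + " ".join(plan["update"]))
    return commands


if __name__ == "__main__":
    # "hello" is kept here to show that an inactive plugin still gets updated.
    for cmd in wp_commands(plan_maintenance(load_inventory(), keep=("hello",))):
        print(cmd)
```

Run it on a real site from the WordPress root (or with `--path=` added to the `wp` calls), review the printed commands, then execute them; `wp plugin delete` removes the plugin directory from disk, which is what actually takes the code out of reach.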
3. Note the required WordPress version and most recent plugin updates
Sometimes it can be hard to tell how well a particular plugin has been maintained, but its page in the WordPress directory shows both the WordPress version it requires (and the version it was tested up to) and the date of its last update. A plugin that requires a much older version of WordPress, or that has not been updated in a long time, is a warning sign: the author is not keeping pace with WordPress itself, and the plugin is not taking advantage of the security features available in WordPress 5+.
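Tips 1 and 3 can be applied mechanically, since the WordPress.org plugin information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>`) returns the active installation count, the last-updated date and the "tested up to" version as JSON. The following is an added example, not code from the original post or from WordPress; the sample records are constructed to mirror the API's field names, and the thresholds (1,000 installations, one year since the last update, two minor WordPress releases behind) are assumptions chosen for illustration.

```python
"""Score WordPress.org plugin metadata against the selection tips above.

Record shape follows the plugin_information API ("active_installs",
"last_updated", "requires", "tested"). The SAMPLE_PLUGINS records are
constructed for this example, not real plugins or real numbers.
"""
import json
import urllib.request
from datetime import date

# Thresholds are assumptions for this example, not values the post prescribes.
MIN_ACTIVE_INSTALLS = 1_000
MAX_DAYS_SINCE_UPDATE = 365
MAX_MINOR_GAP = 2   # how far "tested up to" may trail the current WordPress release


def parse_version(text):
    """'6.4.3' -> (6, 4); only major.minor matter here. None if unparseable."""
    parts = str(text).strip().split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except (ValueError, IndexError):
        return None


def parse_last_updated(text):
    """API strings look like '2024-03-12 9:14pm GMT' (assumed); only the date is used."""
    year, month, day = text[:10].split("-")
    return date(int(year), int(month), int(day))


def assess_plugin(info, current_wp, today):
    """Return a list of warning strings for one record; empty means no concerns."""
    warnings = []
    installs = int(info.get("active_installs", 0))
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"only {installs} active installations")

    try:
        age = (today - parse_last_updated(info["last_updated"])).days
    except (KeyError, ValueError):
        age = None
    if age is None:
        warnings.append("last update date unknown")
    elif age > MAX_DAYS_SINCE_UPDATE:
        warnings.append(f"last updated {age} days ago")

    tested = parse_version(info.get("tested", ""))
    current = parse_version(current_wp)
    if tested is None:
        warnings.append("no 'tested up to' version declared")
    elif tested < current and (tested[0] < current[0]
                               or current[1] - tested[1] > MAX_MINOR_GAP):
        warnings.append(f"tested only up to WordPress {info['tested']}")
    return warnings


def rank_candidates(infos, current_wp, today):
    """Order candidates: fewest warnings first, then most active installations."""
    scored = [(assess_plugin(i, current_wp, today), i) for i in infos]
    scored.sort(key=lambda pair: (len(pair[0]), -int(pair[1].get("active_installs", 0))))
    return [(i["slug"], w) for w, i in scored]


def fetch_plugin_info(slug, timeout=10):
    """Fetch a live record from WordPress.org (needs network; not used by the sample run)."""
    url = ("https://api.wordpress.org/plugins/info/1.2/"
           f"?action=plugin_information&request[slug]={slug}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample records in the API's shape (fictional slugs and figures).
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "active_installs": 400000,
     "last_updated": "2024-02-20 3:05pm GMT", "requires": "5.8", "tested": "6.4.2"},
    {"slug": "example-forms-lite", "active_installs": 80000,
     "last_updated": "2023-11-01 8:40am GMT", "requires": "5.0", "tested": "6.3.1"},
    {"slug": "old-form-builder", "active_installs": 300,
     "last_updated": "2019-06-15 2:00pm GMT", "requires": "4.7", "tested": "5.2"},
]


def sample_ranking():
    """Rank the constructed sample as if evaluated on 2024-03-01 against WordPress 6.4.3."""
    return rank_candidates(SAMPLE_PLUGINS, "6.4.3", date(2024, 3, 1))


if __name__ == "__main__":
    for slug, warnings in sample_ranking():
        print(slug, "->", "; ".join(warnings) or "no concerns")
```

To evaluate real candidates, replace `SAMPLE_PLUGINS` with `[fetch_plugin_info(s) for s in slugs]` and pass `date.today()` and your installed WordPress version. The ranking is a screening aid, not a verdict: a plugin with no warnings still deserves a look at its changelog and support forum.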
4. Supported/unsupported; paid/free
A free plugin is not necessarily less secure than a paid one. A free plugin that is very popular has a large base of users and reviewers, which in practice means problems get noticed and reported quickly, so the plugin tends to meet a minimum standard of security.
One tangible difference is that with paid plugins, users can typically expect a more traditional form of customer support, such as being able to reach a representative, which matters when you need a fix or an answer quickly. With free plugins, users typically have to turn to the plugin's online community and ask their question there. Depending on the popularity of the plugin, this may be a very active community, or one from which it is hard to get an answer.
5. Use a plugin security scanning tool
If you’re still not sure if you can trust your plugins, you can use any of a number of available tools to scan your plugins. These include:
6. Choose a secure hosting provider
This is by far the most important one. All hosting accounts with CanSpace come with our free Web Application Firewall (WAF), which specifically protects WordPress from attacks. Our rules are updated nightly to keep up with newly observed attack vectors. Combining a good firewall with the practices above is the most effective way to protect your WordPress-based website.