Plugins are simply bits of code that you add to your WordPress website to extend its functionality. We use plugins to display videos, combat spam, connect to social media, and a host of other things. No matter what you want your site to do, there’s probably a plugin for it. But are they safe to use?
Generally speaking, yes. Keep in mind, though, that they are written in PHP and run inside WordPress with the same privileges as WordPress itself: a plugin can read and write your database and your files, and it acts inside the logged-in administrator's session. A bug in a plugin is therefore a bug in your site, and vulnerable plugins are one of the most common ways WordPress sites get compromised.
Here's the bigger issue, though: there is no licensing or governing board for plugin development. Anyone can write and distribute a plugin for WordPress, and while WordPress.org reviews a plugin when it is first submitted, later updates are not audited. Not every developer is stringent about security, and not all plugins are properly maintained. If you're using a plugin from a less-than-diligent developer, it could leave your site open to attack.
Choosing Good Plugins
But just because plugins may create a risk doesn’t mean you shouldn’t use them. In fact, you’d find it pretty difficult to run a WordPress site without any plugins. It does mean, though, that you should practice due diligence when choosing which plugins to use.
- Only use plugins from known sources. Never download a free plugin that cannot be found on WordPress.org. Paid plugins are obviously not available for download there, but if it's free to use, you should find it in the repository. Buy paid plugins directly from their vendor, and never install a pirated ("nulled") copy of a premium plugin: those are a well-known carrier for backdoors and spam injectors.
- Only use plugins that are maintained. Check the last time it was updated and the "Tested up to" WordPress version on its listing. If the last update was more than a few months ago, or it hasn't been tested against a recent WordPress release, look elsewhere.
- Only use plugins whose developers are involved. Every plugin on WordPress.org has its own forum where users can ask questions. If the developer isn’t answering those questions, that’s a bad sign.
- Keep your plugins up to date. Follow WordPress security bloggers such as WPSecurityLock.com, SafeWP.com, and Sucuri.net to stay informed about vulnerable plugins, and upgrade promptly when a fix is released. For plugins where a bad update would not break the site, turning on WordPress's per-plugin automatic updates removes the delay altogether.
- Limit the number of plugins you use. They can and do conflict with each other, and every plugin is more code exposed to attackers, so keep them to a minimum. Delete plugins you no longer use rather than merely deactivating them: a deactivated plugin's files are still on the server and can still be requested directly.
So with all that said, does Evan have a valid point? Do security plugins increase your risk of being hacked?
I don’t think so.
The two plugins I recommended meet all my criteria above. They're well known, frequently updated, and both have security-conscious developers. I don't have any concerns about using either plugin on my own blog or my clients' blogs.
Now, you could recreate the security functions of these plugins without installing them. You could comb through your server logs to pick out the IP addresses of the bad guys, then add rules to your .htaccess file to keep them out. You could add a hook to your functions.php file to hide your WordPress version. You could even check that your core files haven't been changed by comparing them against the checksums published for your release. Or you could let WordFence do all that for you.
I’ll let WordFence handle it, thanks.
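For anyone who wants to see what the manual route actually involves, here is an added example that is not code from the original post or from WordFence. It does two of those chores offline in Python: it picks out abusive client addresses from a constructed Apache access-log sample and renders an Apache 2.4 .htaccess deny stanza for them, and it checks a throwaway copy of "core" files against an MD5 manifest, the same way the per-release checksums WordPress publishes can be used. The log lines, thresholds, file names and checksums are all constructed for the example; hiding the version string is a one-line PHP hook in functions.php, remove_action('wp_head', 'wp_generator'), and is not covered here.

```python
"""Added example (not from the original post or from WordFence): a small
offline helper for two of the manual chores listed above. All log lines,
thresholds, file names and checksums below are constructed for the example."""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Apache "combined" log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def _line(ip, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: 203.0.113.7 hammers the login form, 198.51.100.9 probes for
# files that do not exist, 192.0.2.5 is an ordinary visitor with one stray 404.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", "/wp-login.php", 200)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 5
    + [_line("198.51.100.9", "GET", f"/old-{i}.php", 404) for i in range(5)]
    + [_line("192.0.2.5", "GET", "/", 200), _line("192.0.2.5", "GET", "/favicon.ico", 404)]
)


def suspicious_ips(log_text, login_posts=5, not_found=5):
    """Return the IPs that POSTed to the login endpoints at least login_posts
    times or collected at least not_found 404s. A GET of wp-login.php is normal
    (that is how you reach the form), so only POSTs count as login attempts."""
    logins, misses = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0] in ("/wp-login.php", "/xmlrpc.php"):
            logins[ip] += 1
        if status == "404":
            misses[ip] += 1
    bad = {ip for ip, n in logins.items() if n >= login_posts}
    bad |= {ip for ip, n in misses.items() if n >= not_found}
    return bad


def htaccess_block(ips):
    """Render an Apache 2.4 access-control stanza that keeps the site open to
    everyone except the listed addresses ('Require not' is only valid inside
    a <RequireAll> or <RequireAny> container)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


def verify_checksums(root, manifest):
    """Compare the files under root with a {relative_path: md5hex} manifest and
    return the paths that are missing or whose content has changed. WordPress
    publishes MD5 checksums for each release; the manifest here is constructed."""
    bad = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            bad.append(rel)
            continue
        with open(full, "rb") as f:
            if hashlib.md5(f.read()).hexdigest() != expected:
                bad.append(rel)
    return sorted(bad)


def demo_integrity_check():
    """Write a throwaway two-file 'core' tree, append simulated injected code
    to one file, delete the other, and report what the check flags."""
    files = {
        "wp-settings.php": b"<?php // pristine core file\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.4';\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        with open(os.path.join(root, "wp-settings.php"), "ab") as f:
            f.write(b"eval(base64_decode('...'));\n")  # simulated backdoor
        os.remove(os.path.join(root, "wp-includes/version.php"))  # simulated deletion
        return verify_checksums(root, manifest)


if __name__ == "__main__":
    offenders = suspicious_ips(SAMPLE_LOG)
    print(htaccess_block(offenders))
    print("flagged core files:", demo_integrity_check())
```

Two design points worth noting. Only POSTs to wp-login.php and xmlrpc.php count as login attempts, because every legitimate visitor GETs the login page once, and xmlrpc.php is the other endpoint brute-forcers favour. The deny stanza uses the Apache 2.4 `Require` syntax; on an Apache 2.2 host the old `Order allow,deny` / `Deny from` form is needed instead.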
As with nearly anything in life, security plugins have their pros and cons. In this case, I believe the good far outweighs the potential for bad, and I think most WordPress users would agree. After all, who wants to go poking around in the .htaccess file to accomplish something that can be done with the click of a button? Not me.