
Are WordPress plugins a security risk for your website?


Plugin Risks

Plugins are simply bits of code that you add to your WordPress website to extend its functionality. We use plugins to display videos, combat spam, connect to social media, and a host of other things. No matter what you want your site to do, there’s probably a plugin for it. But are they safe to use?

Generally speaking, yes. Keep in mind, though, that they are written in PHP, just like WordPress itself, and they run on your server with the same access that WordPress has. A coding mistake in a plugin can therefore open the same doors for hackers that a flaw in WordPress itself would.

Here’s the bigger issue, though: There is no licensing or governing board for plugin development. Anyone can write and distribute a plugin for WordPress, but not every developer is stringent about security, and not all plugins are properly maintained. If you’re using a plugin from a less-than-diligent developer, it could potentially leave your site vulnerable to attack.

Choosing Good Plugins

But just because plugins may create a risk doesn’t mean you shouldn’t use them. In fact, you’d find it pretty difficult to run a WordPress site without any plugins. It does mean, though, that you should practice due diligence when choosing which plugins to use.

  • Only use plugins from known sources. Never download a free plugin that cannot be found on Paid plugins are obviously not available for download there, but if it’s free to use, you should find it in the repository.
  • Only use plugins that are maintained. Check the last time it was updated. If it was more than a few months ago, look elsewhere.
  • Only use plugins whose developers are involved. Every plugin on has its own forum where users can ask questions. If the developer isn’t answering those questions, that’s a bad sign.
  • Keep your plugins up to date. Follow WordPress security bloggers such as, and to stay updated on vulnerable plugins and make sure you upgrade them as needed.
  • Limit the number of plugins you use. They can and do conflict with each other, so it’s a good idea to keep your plugins to a minimum.

Security Plugins

So with all that said, does Evan have a valid point? Do security plugins increase your risk of being hacked?

I don’t think so.

The two plugins I recommended meet all my criteria above. They’re well known, frequently updated, and both have security-conscious developers. I don’t have any concerns about using either plugin on my and my client’s blogs.

Now you could recreate the security functions of these plugins without actually installing them. You could browse your server logs and ferret out the IP addresses of bad guys, then add code to your .htaccess file to keep them out. You could add some more code to your functions.php file to hide your WordPress version. You could even check to see that your core files haven’t been changed recently. Or you could let WordFence do all that for you.

I’ll let WordFence handle it, thanks.
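The core-file check mentioned above is the one part of that list you can reasonably script yourself. The following is an added example (not code from this post or from Wordfence): it hashes every file outside wp-content, stores the result as a baseline, and later reports anything modified, missing or added. The `demo()` function builds a constructed miniature WordPress tree in a temporary directory so the script runs without a real site.

```python
import hashlib
import tempfile
from pathlib import Path

# wp-content (uploads, plugins, themes, cache) changes during normal operation,
# so it is excluded and the report covers only the core files.
SKIP_TOP_LEVEL = {"wp-content"}

def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every core file (path relative to root) to its SHA-256 digest.
    Keep the baseline copy outside the web root so a compromised site cannot rewrite it."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel.split("/", 1)[0] not in SKIP_TOP_LEVEL:
            manifest[rel] = file_sha256(path)
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    """List files that were modified, removed, or added since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict:
    """Constructed mini WordPress tree: take a baseline, change files, re-check."""
    root = Path(tempfile.mkdtemp())
    for rel, body in {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-includes/version.php": "<?php $wp_version = 'x.y.z';",  # placeholder version
        "wp-content/uploads/photo.jpg": "placeholder bytes",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    baseline = build_manifest(root)
    (root / "wp-includes/version.php").write_text("<?php // unexpected edit")
    (root / "wp-admin").mkdir()
    (root / "wp-admin/extra.php").write_text("<?php // not in the baseline")
    (root / "wp-content/uploads/photo.jpg").write_text("new upload, ignored")
    return compare_manifests(baseline, build_manifest(root))
```

Run `build_manifest()` once right after a clean install or upgrade, save the dictionary somewhere the web server cannot write, and re-run `compare_manifests()` from cron; every entry in "modified" or "added" is something to explain.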

As with nearly anything in life, security plugins have their pros and cons. In this case, I believe the good far outweighs the potential for bad, and I think most WordPress users would agree. After all, who wants to go poking around in the .htaccess file to accomplish something that can be done with the click of a button? Not me.


About Me:

Szabi Kisded

Hey there, I'm Szabi. At 30 years old, I quit my IT job and started my own business and became a full time WordPress plugin developer, blogger and stay-at-home dad. Here I'm documenting my journey earning an online (semi)passive income. Read more