Let’s get one thing clear right away: WordPress as a freshly-installed CMS isn’t particularly vulnerable and remains a strong option if you want to create a secure site. However, due to WordPress’ popularity it is often a target for hackers who are seeking access to popular websites. The fact that hacks are fairly rare is a testament to the work put in by the developers and the WordPress community.

The issue that often introduces vulnerability to a WordPress installation is the improper use of plugins: in particular, the use of plugins that have long since stopped being updated. Why do these plugins imperil your site and how can you guard against it? In this blog we will attempt to clear this up and run through some tips.

Why outdated plugins are dangerous

Every plugin you add to your WordPress site (even if it’s a plugin designed to improve security) technically adds a point of vulnerability. It’s a simple concept: additional code from a third-party source (even a trusted one) runs with the same privileges as WordPress itself and can leave your entire system further exposed. Modern security standards are quite high, with websites required to keep user data closely guarded while locking down transactions through standards like PCI. Just one weak link can break the chain and cause untold damage to your site, business and reputation.

Most of the time an added plugin isn’t a problem because it receives its own security updates, just as WordPress does, and the developer will release a patch soon after an issue is discovered. However, this isn’t always the case. When a WordPress plugin is abandoned, its last released version becomes increasingly dated yet remains installed on many systems. The plugin could even remain available for download on WP.org until the developer remembers to take it offline.

Thankfully, it’s reasonably simple to address this issue: just find the plugin and disable or uninstall it. We would typically recommend uninstalling the plugin rather than disabling it, unless you have good reason to think that it may be updated at some point in the near future. You will also need to be careful about how the outdated plugin interacts with other plugins and your website, though, as issues could arise after deleting it. For example, if you delete a plugin that limits the number of login attempts a user can make, removing it creates a security gap of its own, and you will need to find an adequate replacement.

How to replace needed functionality

What if you have removed an outdated plugin but find it played an important part in the everyday operation of your site, and can’t find anything similar on the market? WordPress gives you the freedom to source plugins from multiple places (not just the WP.org listings), but relying on plugins from outside the official directory can place you in a potentially precarious position.

For most people, particularly those running their businesses online, the restrictions of the modern SaaS model feel comforting. For instance, using a hosted CMS has grown hugely popular for eCommerce sites as it offers a good mix of customization options and guaranteed security. Even though, in principle, you can do more with WordPress, having so many different choices can be confusing.

Should you find yourself in the unlikely position where you feel it is necessary to delete a plugin and can find no viable replacement to fill that gap, you have two realistic options for addressing it: either hire a WordPress developer to program a replacement, or attempt to reproduce the functionality using existing systems (tools like Zapier and IFTTT can be used to achieve some remarkable automation if you can get to grips with them).

Choosing your plugins carefully

Not all plugins are created equal. Developer expertise, reputation and general reliability are just some of the factors that separate a plugin created by a well-known developer with a solid monetization policy from one made by a hobbyist with little intention of maintaining it. While you might not like spending money on plugins, payments keep developers going and enable them to continually update their software.

The most sensible way to proceed is to carefully consider the developer of a plugin before you install and start relying on it. Be sure to check their reviews. Research their track record when it comes to the quality and regularity of their updates. Do they have a blog you can follow? If you stick with developers who are profiting from their work, you can be fairly confident that they’ll continue to update and maintain the plugin, which will help to lower the possibility of your site being hacked via an outdated plugin.

One of the best ways to ensure that your plugins remain up to date is to use UpdraftCentral. This powerful remote control for WordPress not only allows you to centrally manage and update your themes, plugins and core on all your sites with just one click, but also to back up and control all your sites on which UpdraftPlus is installed from one central location in the Cloud. If you are too busy or have too many sites to reliably update, you could also use Easy Updates Manager. This service automatically keeps sites up to date and bug-free.

How to secure your site

Even if you choose your plugins carefully, keep an eye out for outdated plugins that haven’t been updated in a while and act to remove them when you spot them, if possible. However, there will always be some potential unseen danger: a developer might stop putting their full effort into updating their plugins, which could lead to vulnerabilities going unpatched even though updates are still being released.
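The advice above, and in the earlier section on finding and removing outdated plugins, boils down to a check you can automate: compare what is installed against the public metadata for each plugin and flag anything that looks abandoned, untested against your WordPress version, behind its latest release, unlisted on WP.org, or with little community feedback. The script below is an added example and not code from the original post or from UpdraftPlus. It runs offline on constructed sample data; the plugin list mirrors the shape of `wp plugin list --format=json`, and the per-plugin metadata mirrors the `plugin_information` response from the WP.org plugin API (the field names `version`, `last_updated`, `tested`, `active_installs` and `num_ratings` and the `last_updated` date format are assumed from that API). The one-year staleness threshold and the "few ratings" threshold are this example's own policy.

```python
"""Audit installed WordPress plugins against WP.org metadata (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Policy thresholds: this example's assumptions, not WordPress rules.
STALE_AFTER = timedelta(days=365)   # no release in a year -> treat as likely abandoned
FEW_RATINGS = 50                    # below this, there is little community feedback
CURRENT_WP = "6.5"                  # the core version the site runs (assumed sample value)

# Constructed sample of `wp plugin list --format=json` output.
INSTALLED_JSON = """[
 {"name": "example-forms",     "status": "active",   "version": "2.3.1"},
 {"name": "old-login-limiter", "status": "active",   "version": "1.0.4"},
 {"name": "unlisted-gallery",  "status": "inactive", "version": "0.9"}
]"""

# Constructed sample of WP.org plugin_information responses, keyed by slug.
# "unlisted-gallery" is deliberately absent: it was sourced outside WP.org.
WPORG_JSON = """{
 "example-forms":     {"version": "2.3.1", "last_updated": "2024-04-02 9:15am GMT",
                       "tested": "6.5", "active_installs": 200000, "num_ratings": 850},
 "old-login-limiter": {"version": "1.0.4", "last_updated": "2019-11-08 5:40pm GMT",
                       "tested": "5.3", "active_installs": 30000, "num_ratings": 40}
}"""


@dataclass
class Finding:
    slug: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_wporg_date(s: str) -> datetime:
    """Parse the WP.org last_updated string (format assumed, e.g. '2024-04-02 9:15am GMT')."""
    return datetime.strptime(s, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn '6.5.1' into (6, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def audit(installed: list[dict], wporg: dict[str, dict], now: datetime) -> list[Finding]:
    """Return one Finding per risk indicator across all installed plugins."""
    findings: list[Finding] = []
    for plugin in installed:
        slug = plugin["name"]
        meta = wporg.get(slug)
        if meta is None:
            # No public listing means no update channel and no review history to check.
            findings.append(Finding(slug, "medium", "not listed on WP.org; no update channel"))
            continue
        age = now - parse_wporg_date(meta["last_updated"])
        if age > STALE_AFTER:
            findings.append(Finding(slug, "high", f"no release for {age.days} days"))
        if version_tuple(plugin["version"]) < version_tuple(meta["version"]):
            findings.append(Finding(slug, "high",
                            f"installed {plugin['version']} is behind {meta['version']}"))
        if version_tuple(meta["tested"]) < version_tuple(CURRENT_WP):
            findings.append(Finding(slug, "medium",
                            f"only tested up to WordPress {meta['tested']}"))
        if meta.get("num_ratings", 0) < FEW_RATINGS:
            findings.append(Finding(slug, "info", "few ratings; limited community feedback"))
    return findings


def run_audit(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> list[Finding]:
    """Audit the constructed samples at a fixed 'now' so results are reproducible."""
    return audit(json.loads(INSTALLED_JSON), json.loads(WPORG_JSON), now)


if __name__ == "__main__":
    for f in sorted(run_audit(), key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity.upper():6}] {f.slug}: {f.reason}")
```

Run it as-is to see the report for the sample data; to audit a real site, replace the two JSON constants with the output of `wp plugin list --format=json` and the fetched WP.org responses, and pass `datetime.now(timezone.utc)` as `now`. A "high" finding on an active plugin is the case the post describes: remove it, or replace it before removing it if it provides security functionality such as login throttling.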

Due to these potential security issues, you need to do more to keep your site secure. One of the best ways to do this is by backing up your site on a regular basis by using UpdraftPlus. Be sure to always create a backup before you install or update a plugin and schedule new backups on a regular basis to defend yourself against any unforeseen problems. If anything does go wrong because of a vulnerable plugin, you can use UpdraftPlus to revert to an existing backup, at which time you can remove the offending plugin and carry on as normal.

In summary, defunct WordPress plugins are a threat because they can allow vulnerabilities to creep into your otherwise secure WordPress site. To stay safe, be selective, stay on guard, take action when needed and keep your site backed up with UpdraftPlus.

Rodney Laws