How can a plugin become insecure?
- When it hasn’t been updated by the developer for more than 2 years.
- If the developer doesn’t have proper training and simply copies code from the internet to create a plugin.
- If input fields and search fields are not properly protected against injections.
The problems caused by insecure plugins
As mentioned in point 3, insecure plugins can be used to perform database (SQL) injections. The database contains all your pages and news posts, and yes: the users and administrators of your website too.
Once an attacker has access to the database, anything is possible, and the website is completely in the hacker's hands.
Not only that: the injections and modifications are carried out automatically by computers, rapidly and against thousands of websites per day.
An insecure plugin is a ticking time bomb for your website.
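To make point 3 concrete, here is an added example (not code from the original article) of the kind of search handler that opens a plugin to injection, placed beside its hardened form. It assumes the WordPress globals and helpers a plugin normally has ($wpdb, sanitize_text_field(), wp_unslash(), esc_like(), wp_send_json()); the function names insecure_plugin_search and secure_plugin_search are hypothetical.

```php
<?php
// Added example, not from the original article. Shows a search field that is
// NOT protected against injection next to one that is. Assumes it runs inside
// WordPress, where $wpdb and the sanitizing helpers used below exist.

// VULNERABLE: the raw request value is spliced straight into the SQL string,
// so whatever the visitor types becomes part of the query. This is the pattern
// a copied-from-the-internet snippet often has.
function insecure_plugin_search( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish'
              AND post_title LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: sanitize the input, escape LIKE wildcards, cap the length, and let
// $wpdb->prepare() bind the value as a parameter instead of concatenating it.
function secure_plugin_search( $term ) {
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $term ) );
    if ( '' === $term || strlen( $term ) > 100 ) {
        return array(); // nothing to search for, or an implausibly long term
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

// Wiring it to a request: only the hardened function should ever see $_GET.
add_action( 'wp_ajax_nopriv_plugin_search', function () {
    $results = secure_plugin_search( isset( $_GET['q'] ) ? $_GET['q'] : '' );
    wp_send_json( $results );
} );
```

When reviewing a plugin you already have installed, the quickest check is to search its source for $wpdb->query(, get_results(, get_var() or get_row() calls whose SQL string is built with . concatenation from $_GET, $_POST or $_REQUEST values; every such call should go through $wpdb->prepare() with %s or %d placeholders as in the hardened function.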
How can you check if a plugin is secure?
- The website WPvulndb.com collects information about plugins with known vulnerabilities. Check whether your plugin is listed there.
- Check if your website has been injected using the Sucuri Malware Scanner.
- Use WPscan on Linux. This is quite complex, but if you have a highly important website, it is a step you should take to ensure security.
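The first check in this article, a plugin that has not been updated for more than two years, can also be automated. The following is an added example (not from the original article) that flags stale plugins from their wordpress.org information; it assumes the last_updated field returned by the wordpress.org plugin information API (api.wordpress.org/plugins/info/1.2/) and the caller fetching those responses, and the sample data embedded below is constructed, not real API output. The helper name find_stale_plugins is hypothetical.

```php
<?php
// Added example, not from the original article. Flags plugins whose last
// wordpress.org update is older than the two-year threshold from the first
// section. Assumes the `last_updated` string the wordpress.org plugin
// information API returns (e.g. "2021-03-04 5:21pm GMT"); the sample
// responses at the bottom are constructed for an offline run.

const MAX_PLUGIN_AGE_DAYS = 730; // roughly two years

// $info_by_slug: plugin slug => decoded API response (array) fetched by the caller.
// Returns slug => reason for every plugin that needs attention.
function find_stale_plugins( array $info_by_slug, DateTimeImmutable $today ) {
    $stale = array();
    foreach ( $info_by_slug as $slug => $info ) {
        if ( empty( $info['last_updated'] ) ) {
            // No date at all: the plugin may have been removed from the
            // directory, which is itself a warning sign.
            $stale[ $slug ] = 'no last_updated value; review manually';
            continue;
        }
        // Only the leading YYYY-MM-DD part of the API string is needed.
        $updated = DateTimeImmutable::createFromFormat( 'Y-m-d', substr( $info['last_updated'], 0, 10 ) );
        if ( false === $updated ) {
            $stale[ $slug ] = 'unparseable last_updated value; review manually';
            continue;
        }
        $age_days = $today->diff( $updated )->days;
        if ( $age_days > MAX_PLUGIN_AGE_DAYS ) {
            $stale[ $slug ] = "last updated {$age_days} days ago";
        }
    }
    return $stale;
}

// Constructed sample data standing in for three API responses.
$sample = array(
    'fresh-forms' => array( 'last_updated' => '2024-05-14 9:12pm GMT' ),
    'old-gallery' => array( 'last_updated' => '2019-11-02 3:40am GMT' ),
    'mystery-seo' => array(), // directory entry without a date
);

// Expected: old-gallery and mystery-seo are reported, fresh-forms is not.
print_r( find_stale_plugins( $sample, new DateTimeImmutable( '2024-06-01' ) ) );
```

Run against the real slugs from your own plugin list, this gives you the "more than 2 years" check from the first section as a list you can act on; combine it with the WPvulndb lookup, since a recently updated plugin can still carry a known vulnerability.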
Try to use as few plugins as possible. Every plugin is a potential door for hackers and for the automated scripts that are eager to place links to their own website on yours.