When it comes to making a website for your business in WordPress, few tools can be more helpful than plugins. There seems to be a WordPress plugin for just about everything you would want to do with your website, from managing SEO to making it easier to process payments online.

While plugins can be very helpful, they aren’t without their drawbacks — particularly in regards to your website security. If you aren’t careful, your plugins could make your website and its data vulnerable to attackers.

Recent Examples Highlight Plugin Risks

The last few months have seen multiple instances where a WordPress plugin presented a security risk for site owners. In March, WordPress implemented a force patch for the WooCommerce Payments plugin after it was discovered that it had “a critical vulnerability that [could] let unauthenticated attackers gain admin access to vulnerable stores.”

In April, it was discovered that an outdated but legitimate plugin called Eval PHP was being used by attackers to install backdoors on websites that compromised their security and even reinfected websites after they had been “cleaned.”

With so many plugins available, it shouldn’t come as much of a surprise that security breaches are relatively common, as attackers will look for any way to get into a website and its data — especially so they can steal customer information.

How Can Plugins Become a Hazard?

These recent examples illustrate some of the most common ways that a plugin can become a security issue for your WordPress site. With Eval PHP, attackers used an abandoned plugin that is no longer being updated, even though it is still available for installation. When a plugin is abandoned by its developer, it immediately becomes a top target for hackers, as it will not get any future security updates.

Despite this, many site owners continue to use or install an abandoned plugin because they like the features or functionality it provides. In reality, abandoned plugins should be dropped by site owners and replaced with an active alternative.

Of course, even actively maintained plugins like WooCommerce Payments can become a security liability. Hackers are always looking for ways to discover and exploit new vulnerabilities. The good news with active plugins, however, is that when a threat is discovered, developers usually act quickly to patch it.

Promptly installing a security patch or the latest update for your plugins will protect your site — but continuing to use an older version of a plugin could leave you at risk.

Keeping Your Website and Plugins Healthy

Keeping track of the security status of each of the plugins you use for your website can be time-consuming, but it is essential. Routinely auditing your plugins to take care of needed updates, removing plugins you no longer use, or assessing if you should switch to a different plugin, can greatly improve security.

Site Rockstar can help. As part of our website care plans, we make sure your theme and plugins are regularly updated. With regular plugin updates and daily security monitoring, you can stay ahead of any vulnerabilities and keep your site safe — all without lifting a finger!