Why judge plugins?
So you’ve found the perfect plugin – the title and description perfectly match your needs. How do you know if you can trust the security of the plugin?
A bad plugin can introduce a range of security vulnerabilites to your website, including:
- Cross Site Scripting (XSS)
- SQL injection
- Remote Code Execution (RCE)
A bad plugin can also break key elements of your website, cause loading issues and console errors. Bad plugins reduce trust in your website.
How do I judge plugins?
There’s no ‘one size fits all’ approach here, and gut instinct can come into play. However, we follow this approach:
1. Check the reviews. If the score isn’t 5/5 or close, we look at the common complaints and if they get replies.
2. Google the plugin and it’s author – do they show up in negative news articles or blog posts?
3. Check when the plugin was last updated – was it a week ago, or 2 years ago? Regular updates suggest it’s actively looked after.
4. Check if the current version is compatible with your version of WordPress. Ideally, you’ll be using the latest version of WordPress.
5. Check if the plugin has a Git repository – e.g. on Gitlab, Github etc. Look at the issues to see if the author responds and addresses them.
6. Search for the plugin and author on cvedetails.com – do they have a bad history of vulnerabilities?
Be cautious when selecting plugins which…
- Edit php files
- Edit theme files
- Allow users to input comments, names, addresses etc
- Interact with WooCommerce order data
Why? These are some of the riskiest uses of WordPress plugins. For example, a plugin which poorly sanitises user input could introduce cross site scripting (XSS) vulnerabilities.