Choosing WordPress Addons: The threat of Plugins and Themes
WordPress core code has in the past had quite severe security issues. These are usually fixed in a timely manner, and updates are pushed out so that users can patch their vulnerable websites.
The same goes for WordPress themes and plugins. The difference between these addons and WordPress itself is that plugins and themes are optional.
Plugins and themes have been, and still are, the primary source of security attacks on WordPress sites.
First rule of thumb: every plugin or theme you add increases the risk of website compromise. Ask yourself whether you really need a particular addon.
If your website cannot live without a particular addon, your next task is to ascertain whether or not that addon is secure. One way for non-coders to do this is to search through the history of, say, a plugin. Google will show you whether this plugin has been exploited by attackers in the past. You can also search exploit reporting websites like Packetstormsecurity to see if the plugin has been, or is currently being, reported as insecure.
Many addons have in the past had security issues that led to websites being compromised. However, many of these were patched promptly, so attackers could only exploit them in the instances where a site owner did not update the plugin once the fix became available.
I would say do not use a plugin that has been exploited in the past, but most will not follow that advice, so the next best thing is to check the reported exploit to see whether the plugin developer responded in a timely and professional manner when the vulnerability was disclosed to them. What you should see is a note from the discloser looking something like this:
2018-xx-01: Discovered vulnerability in version 1.1
2018-xx-01: Reported to plugin author
2018-xx-05: Vendor reported fixed in 1.2
This is a sign that at least the plugin or theme development team are vigilant.
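The two questions raised above, how quickly the vendor fixed the issue and whether the version installed on your site is still below the fixed one, can be checked mechanically. The script below is an added example and is not part of the original post or of any WordPress plugin. The disclosure timeline, the plugin header and the dates in it are constructed sample data in the "date: event" form shown above, not a real advisory; the 30-day responsiveness threshold is an assumed policy value you would set yourself.

```python
"""
Added example (not part of the original forum post): triage a WordPress plugin
against a published disclosure timeline.

  1. Days from "Reported to plugin author" to "fixed in X.Y" (vendor responsiveness).
  2. Whether the Version: header of the installed plugin is still below the fix.

All inputs below are constructed sample data, not a real plugin or advisory.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed timeline in the "YYYY-MM-DD: event" form disclosers commonly use.
SAMPLE_TIMELINE = """\
2018-03-01: Discovered vulnerability in version 1.1
2018-03-01: Reported to plugin author
2018-03-05: Vendor reported fixed in 1.2
"""

# Constructed WordPress plugin main-file header. WordPress itself reads the
# "Version:" line from this comment block; the other lines are filler.
SAMPLE_PLUGIN_HEADER = """\
<?php
/*
Plugin Name: Example Gallery
Version: 1.1.3
*/
"""

TIMELINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}):\s*(.+)$")
FIXED_RE = re.compile(r"fixed in\s+v?(\d+(?:\.\d+)*)", re.IGNORECASE)
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2' -> (1, 2); '1.1.3' -> (1, 1, 3). Tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_timeline(text: str) -> List[Tuple[date, str]]:
    """Return (date, event) pairs; lines that do not match the form are skipped."""
    events = []
    for line in text.splitlines():
        m = TIMELINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d").date(), m.group(2)))
    return events


def response_summary(text: str) -> Dict[str, object]:
    """Report date, fix date, days between them and the fixed version."""
    reported: Optional[date] = None
    fixed: Optional[date] = None
    fixed_version: Optional[Tuple[int, ...]] = None
    for when, event in parse_timeline(text):
        if "reported to" in event.lower() and reported is None:
            reported = when
        m = FIXED_RE.search(event)
        if m and fixed is None:
            fixed = when
            fixed_version = parse_version(m.group(1))
    # None when the timeline never records a fix: treat that as unpatched.
    days = (fixed - reported).days if reported and fixed else None
    return {"reported": reported, "fixed": fixed,
            "days_to_fix": days, "fixed_version": fixed_version}


def installed_version(plugin_header: str) -> Tuple[int, ...]:
    """Extract the Version: field from a plugin's header comment."""
    m = VERSION_HEADER_RE.search(plugin_header)
    if not m:
        raise ValueError("no Version: header found")
    return parse_version(m.group(1))


def assess(timeline: str, plugin_header: str, max_days: int = 30) -> Dict[str, object]:
    """Combine both checks. max_days is an assumed responsiveness threshold."""
    summary = response_summary(timeline)
    installed = installed_version(plugin_header)
    fixed_version = summary["fixed_version"]
    still_vulnerable = fixed_version is None or installed < fixed_version
    days = summary["days_to_fix"]
    return {**summary, "installed": installed,
            "still_vulnerable": still_vulnerable,
            "vendor_responsive": days is not None and days <= max_days}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TIMELINE, SAMPLE_PLUGIN_HEADER).items():
        print(f"{key}: {value}")
```

With the sample data the vendor fixed the issue in four days, but the installed 1.1.3 is still below the fixed 1.2, so the verdict is "responsive vendor, site still vulnerable": exactly the case the post describes where a fix existed and the site owner had not applied it.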