A clean WordPress installation is not much fun, but plugins and themes can have security issues that should not be ignored. In this blog post, we explain what to take into consideration when installing a plugin or theme, and give tips on some useful WordPress security plugins that can make your WordPress experience safer.
Plugin Security Checklist
Themes and plugins open up a whole new world of possibilities and allow you to do more with WordPress. But what about security? Before you start installing themes and plugins, stop to consider the following:
- Take some time to research the developers.
- Check the ratings – this can be a good indicator, but don’t trust it blindly.
- Check the reviews – if people take the time to write a review, the plugin is usually either awesome or terrible.
- Has the plugin or theme had known vulnerabilities previously? If so, how did the developers or security team handle them?
Use your favorite search engine to search for ‘wordpress + plugin name + exploit’ or ‘wordpress + plugin name + vulnerabilities’ and take a look at the results; also search databases like https://web.nvd.nist.gov/view/vuln/search and https://www.exploit-db.com. Doing so will give you a pretty good idea about the plugin or theme: how many vulnerabilities have been discovered, whether there is any known vulnerability in the latest version, and so on.
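As an added example (not code from the original post or from any plugin named here), the script below turns the checklist into a repeatable check: it reads the standard header block every WordPress plugin carries (Plugin Name / Version), builds an inventory of installed plugins, and flags any whose installed version is at or below a known-vulnerable version. The advisory list and the sample plugin headers are constructed placeholders; in practice you would fill the list from the NVD and exploit-db searches described above.

```python
"""Inventory WordPress plugins from their header blocks and flag known-vulnerable versions."""
import re
from pathlib import Path

# Matches the "Key: value" lines of a WordPress plugin header, with or without
# the leading " * " used in docblock-style headers.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed placeholder advisories: slug -> last version known to be vulnerable.
# Not real data; populate from your NVD / exploit-db research.
ADVISORIES = {"example-gallery": "1.4.2", "example-seo": "2.9.9"}

# Constructed sample plugin main files, as they would appear under wp-content/plugins/<slug>/.
SAMPLE_PLUGINS = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.1\n*/\n",
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 3.0.0\n */\n",
}

def parse_version(v):
    """'1.10.2' -> (1, 10, 2); non-numeric parts become 0 so comparison is numeric, not lexical."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def parse_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from the top of a plugin's main PHP file."""
    return dict(HEADER_RE.findall(text[:8192]))

def inventory_from_texts(files):
    """Map slug -> (name, version) for every file text that carries a plugin header."""
    found = {}
    for slug, text in files.items():
        hdr = parse_header(text)
        if "Plugin Name" in hdr:
            found[slug] = (hdr["Plugin Name"], hdr.get("Version", "0"))
    return found

def inventory_from_dir(plugins_dir):
    """Same as above, but reads wp-content/plugins/*/*.php from disk."""
    texts = {p.parent.name: p.read_text(errors="replace")
             for p in Path(plugins_dir).glob("*/*.php")}
    return inventory_from_texts(texts)

def flag_vulnerable(inv, advisories=ADVISORIES):
    """Slugs whose installed version is <= the last known vulnerable version."""
    return sorted(slug for slug, (_, ver) in inv.items()
                  if slug in advisories and parse_version(ver) <= parse_version(advisories[slug]))

if __name__ == "__main__":
    print(flag_vulnerable(inventory_from_texts(SAMPLE_PLUGINS)))  # ['example-gallery']
```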
Security plugins
There are a lot of plugins made to enhance your WordPress site’s security; some of them are good and some should never have been made in the first place.
Below are three of the most popular security plugins.
1. Wordfence
This security plugin protects you against malware and several other threats. It scans all your files (core, plugins and themes) for malware infections, blocks brute-force attacks, checks for known backdoors such as c99, R75, WSO, etc., and lets you add two-factor authentication.
In 2014, ‘vexatioustendencies.com’ discovered two stored XSS vulnerabilities in Wordfence. The vulnerabilities should never have existed; however, the Wordfence team acted quickly and patched them within 12 hours.
The vulnerabilities are pretty interesting; you can read more about them here.
2. Bulletproof security
Another very popular security plugin. It also protects against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection, among other things.
Update: In March 2016, XSS vulnerabilities were discovered in Bulletproof Security. The issues that affected version 53.3 were fixed, but the incident illustrates the importance of both responsible disclosure and continuous security testing and research.
3. All In One WP Security & Firewall
This popular plugin has a web application firewall. It protects against XSS, SQL injection and other attacks, and it has backup functions and more.
In 2013, Checkmarx did a static code analysis of the 50 most popular plugins and came to the conclusion that 18 were vulnerable. These plugins together had 18.5 million downloads. You can read their full analysis here.
Several of the plugins and themes out there have had problems with security and they are going to have more problems in the future. That’s ok. What’s more important is how the situation gets handled when the vulnerability is discovered.
See Mark Jaquith talk about Theme & Plugin Security:
Read more: Do you know how to set up WordPress for maximum security? Check out our WP security tips!
Stay safe!
Author: Anders Raldin