Plugins and extensions are powerful tools that let you extend your applications to do almost anything you can imagine. From automatically backing up your content to connecting with various social networks, using a plugin or extension can benefit your site.
While plugins and extensions provide useful features, it’s important to keep your website’s security in mind if you consider using these tools. A single security vulnerability in a plugin or extension can lead to the compromise of a fully patched application.
For example, we heard a few months ago that the popular All In One SEO Pack WordPress® plugin had two high-risk vulnerabilities that allowed for cross-site scripting (XSS) attacks and privilege escalation attacks. We recommended that you update to the latest version of this plugin if you have it installed.
Plugin security tips
So, how can you get the benefit of plugins while not making your site vulnerable to security threats? Here’s what we suggest:
1. If you no longer use a theme or plugin, delete it. Attackers cannot exploit code you do not have on your site.
2. Always get your plugins/themes from trusted sources. It’s tempting to look for free themes and plugins online, but these might contain malware that can compromise your site’s security.
3. Use strong passwords. This cannot be stressed enough. There are large, automated password guessing swarms of computers out there trying to break into WordPress sites, so keep your password hard to guess.
4. Keep your plugins and extensions are up to date. Here’s a cool WP plugin that gives you notifications about updates, or you can use ManageWP, InfiniteWP, or WPRemote to manage large networks of sites and update them all at once. There’s even an app (iThemes Sync) coming soon that will enable you to manage sites from your phone.
To learn more information about vulnerabilities in extensions and plugins, visit the National Vulnerability Database at http://nvd.nist.gov/.