Plugins can do so much for your small business website.
You can use them to make your WordPress site load faster, make your content shareable, collect visitor email addresses for your marketing list, and do better in search results. Even better, many of the best WordPress plugins that can upgrade your website and your business blog are free.
It’s important to make sure the plugins you choose are reputable and secure. Unfortunately, people can and do exploit plugins. Usually, this involves malicious scripts injected into plugins with security gaps.
What do these malicious scripts do? The possibilities include site takeover, spyware installation and cryptocurrency mining—as well as theft of customer information and credit card data from eCommerce sites.
This isn’t to say WordPress is insecure. Between January and July 2021, researchers found only three vulnerabilities in the core software, and those have been patched. But with tens of thousands of plugins from almost as many publishers, the odds of a security issue are higher with plugins than with the platform itself.
Is Your WordPress Plugin Open to Threats?
Choosing plugins is kind of like buying a car. You want performance, of course, but you also want something that’s safe, reliable and easy to maintain. You choose a reputable car dealer and read reviews, so you don’t buy a lemon. And you should get top-rated plugins from a reliable source, so you don’t end up with a malicious plugin or one that has known security vulnerabilities.
Security experts consider WordPress.org’s plugin directory to be the safest source for plugins. With more than 59,000 plugins, you won’t run out of options, and the site solicits feedback and reviews from users.
Check those reviews before you download—not just the star ratings but also the user feedback. See what people like about the plugin. Read about any issues they’re having with the original plugin or updates. Get a sense of how well the publisher supports the plugin.
Also check out the number of active installations to get a sense of how many users trust the plugin. A good plugin can have just a few hundred users, but a plugin with thousands of users has earned a lot of trust.
Wait, Doesn’t My Web Host Do Security for Me?
Your web host does handle a lot of security, including physical and digital protection for the server that hosts your site. Your specific hosting plan may include security features for your website, too. For example, HostGator’s Managed WordPress Hosting plans include CodeGuard automated daily website backups, SiteLock to detect and remove malware from your site, and spam prevention on your domain’s email accounts with SpamAssassin.
Those layers of protection save you time so you can focus on specific security needs for your website: keeping your version of WordPress, your themes, and your plugins up to date and making sure the updates don’t break your website (another reason why daily backups are so important).
Remember: The security features can vary by web host and hosting plan. When in doubt, check with your plan’s support team to know for sure what security features are offered.
Check for Compatibility with the Latest Version of WordPress
So, you’ve found a plugin with good reviews and lots of users. Before you download it, make sure it’s compatible with your version of WordPress. (For security and performance, you should always keep your own website up to date on WordPress, too.)
To ensure your plugins and WordPress are compatible, you need to know your current WordPress version. You can find it by going to your WordPress dashboard and clicking Updates. You’ll see a notice that lets you know if you’re running the latest version and gives you the version number.
If you have the latest version of WordPress, you’ll see a message that looks like this:
If you’re running an old version of WordPress, you’ll see a message that looks like this, with a button inviting you to update:
You also need to verify that the plugin you want is up to date. Most plugin authors are good about updating their products, but sometimes plugins are abandoned, or updates are slow to come. If you see a yellow-box notice at the top of the plugin’s page at WordPress.org, pay attention to it.
Also check out the spec box on the page to see which version of WordPress it works with and how recently it was updated.
This example plugin may not work properly with the current version of WordPress. It could also have security weaknesses that hackers can exploit. In fact, attacking sites with old, out-of-date plugins—including abandoned websites—is a favorite tactic of attackers looking to hijack sites for their own nefarious projects.
If your chosen plugin is compatible, go ahead and try it out. If you decide it’s not right for your site, delete it. Otherwise, you’re going to have to keep maintaining it, even though you’re not using it.
That brings us to the most common way that good plugins go bad. When users don’t update them, hackers may exploit them.
Keep WordPress and Your Plugins Up to Date
Like everything made with code, WordPress and plugins get updates for new features, improvements and repairs. Sometimes the repairs address small problems that affect the way a plugin looks or operates. Sometimes they close security holes that need to be patched to keep hackers out of your site.
When publishers announce security updates, hackers see them too. And they start checking for sites that haven’t made the updates yet—often using bots that can scan and identify vulnerable sites quickly and at scale.
Even if you’re happy with the current version of WordPress and your plugins, you still need to update. WordPress and some plugins let you set them to update automatically, which you should do. For the rest, you have a few options for keeping things current.
1. Make your own manual updating schedule.
This approach can work if you’re able to commit to checking your site for update notices at least once a week. If you tend to kick small tasks down the road when you’re busy, skip this approach. You could end up with site vulnerabilities.
Even if you decide not to do manual updates, it’s a good idea to know how. Sometimes you may worry that an update will break your site, especially if your plugins haven’t been updated to support the newest version of WordPress. You’ll want to back up your site before you manually update and be ready to uninstall the update if there are problems.
Just as when you check to see which version of WordPress you’re running, you’ll go to your dashboard. Click Updates in the left column, just beneath Home. You’ll see the update status for WordPress, your plugins and your themes. If any are out of date, you can update them here.
2. Add a security plugin. Wait, why do you need a security plugin?
A security plugin adds another layer of protection for your site by scanning your site for security issues, including out-of-date plugins and pending WordPress updates, and sending you email notices whenever your site needs an update.
It’s still on you to go make the updates. But this way you don’t miss issues that crop up between your regularly scheduled updates.
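The same checks a security plugin runs, and the ones you make by hand on a plugin's WordPress.org page (pending update, "Tested up to" version, "Last updated" date), can be scripted. The example below is added here and is not code from HostGator, SiteLock or WordPress; the plugin records and installed versions are constructed sample data, the field names (version, tested, last_updated, active_installs) follow the WordPress.org plugin-information API as assumed here, and the one-year "possibly abandoned" threshold is an assumption, not a WordPress.org rule.

```python
"""Added example: flag risky WordPress plugins from directory metadata.

Mirrors the manual checks in the article (pending update, "Tested up to",
"Last updated") as a script a site owner could run against data from the
WordPress.org plugin-information API. All plugin records below are
CONSTRUCTED for this example, not real plugins.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: installed plugin slug -> installed version.
INSTALLED = {
    "example-forms": "2.3.0",
    "example-cache": "1.0.4",
    "example-gallery": "4.1.2",
}

# Constructed sample directory records. Field names follow the WordPress.org
# plugin-information API as assumed here (version, tested, last_updated,
# active_installs); values are invented.
DIRECTORY = {
    "example-forms": {"version": "2.4.1", "tested": "6.4",
                      "last_updated": "2024-01-10 9:00am GMT", "active_installs": 500000},
    "example-cache": {"version": "1.0.4", "tested": "5.2",
                      "last_updated": "2019-06-01 1:00pm GMT", "active_installs": 3000},
    "example-gallery": {"version": "4.1.2", "tested": "6.4",
                        "last_updated": "2024-02-02 4:00pm GMT", "active_installs": 200},
}


def parse_version(version):
    """'6.4.2' -> (6, 4, 2). Non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def major_minor(version):
    """WordPress releases are x.y; a plugin tested on 6.4 is fine for 6.4.3."""
    parsed = parse_version(version)
    return parsed[:2] if len(parsed) >= 2 else parsed + (0,)


def parse_last_updated(value):
    """API strings look like '2024-01-10 9:00am GMT'; only the date matters here."""
    return datetime.strptime(value.split()[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def assess_plugin(installed_version, record, current_wp, now, stale_days=365):
    """Return a list of human-readable findings for one plugin (empty = no concern)."""
    findings = []
    # 1. A newer release exists: the most common way a good plugin goes bad.
    if parse_version(installed_version) < parse_version(record["version"]):
        findings.append(f"update available: {installed_version} -> {record['version']}")
    # 2. The author has not declared it tested with the WordPress you run.
    if major_minor(record["tested"]) < major_minor(current_wp):
        findings.append(f"not tested with WordPress {current_wp} (tested up to {record['tested']})")
    # 3. No release in a long time suggests an abandoned plugin (threshold is an assumption).
    age = now - parse_last_updated(record["last_updated"])
    if age > timedelta(days=stale_days):
        findings.append(f"possibly abandoned: last updated {age.days} days ago")
    return findings


def audit(installed, directory, current_wp, now):
    """Assess every installed plugin that has a directory record."""
    return {
        slug: assess_plugin(version, directory[slug], current_wp, now)
        for slug, version in installed.items()
        if slug in directory
    }


if __name__ == "__main__":
    report = audit(INSTALLED, DIRECTORY, "6.4.3", datetime(2024, 3, 1, tzinfo=timezone.utc))
    for slug, findings in report.items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{slug}: {status}")
```

On a live site you would replace the constructed dictionaries with the plugin list from the dashboard and the JSON the WordPress.org API returns for each slug; the three checks stay the same, and a non-empty findings list is the cue to update, replace or delete the plugin rather than leave it installed unused.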
If your hosting plan doesn’t include a security service like SiteLock, you can add it to your site. The basic plan includes a daily malware scan, automatic removal of any malware the scan detects, bot-attack protection and a basic content delivery network that secures your site with the latest TLS/SSL certificates automatically.
Other SiteLock security plans include firewalls for your web applications, protection from DDoS attacks, database scanning and continuous (rather than daily) malware scans.
3. Set up automatic plugin updates.
If you have plugins that don’t have an auto-update option, consider the Easy Updates Manager plugin. Yes, a plugin to update your plugins—pluginception! The free version lets you set some or all of your plugins to update automatically. This is the most efficient approach, especially if you run more than one website or run a high-traffic site with multiple plugins.
Ready to set up your site and start customizing it with plugins?
Check out HostGator’s WordPress Cloud Hosting plans. They include SiteLock for free, to protect your site from malware, bot attacks, and other vulnerabilities.