Copyright 2010 - 2023 @ DevriX - All rights reserved.

How to Evaluate WordPress Plugins for Vulnerabilities

One of the best things about WordPress is the sheer amount of plugins available. Whether you want to create a business or a portfolio website, sell membership plans or physical products, or even manage projects, there is a plugin for the job at hand.

But as great as plugins are, they can also be one of the main reasons why a site gets hacked. According to a survey from Wordfence, 55.9% of sites get hacked due to a plugin vulnerability.

Another bit of interesting research shows that some of the most popular plugins can negatively impact your site in terms of performance and stability.

Looking at the statistics mentioned above, you might be tempted to do away with plugins for the sake of protecting your site. While having your site hacked is by no means a fun situation to deal with, the good news is that you don’t have to resort to drastic steps and lose out on the functionality.

In this article, we’ll cover how to make sure the plugins you’re currently using aren’t among the vulnerable ones and how to evaluate whether a plugin could pose a security risk. We’ll also address the stability and speed issues along with tips on avoiding plugins that could slow down your site.

How to Evaluate Plugins for Vulnerabilities

At the time of writing this article, there are more than 50,000 plugins available in the official repository. On top of that, there are also numerous free and paid plugins on third-party websites like CodeCanyon and independent developers' sites.

With so many plugins out there, it's no wonder that some of them pose a security risk. Some are poorly coded, and some aren't updated anymore but are still available for download. If you want to make sure your site doesn't get compromised through a vulnerability in a plugin, here are some tips that will help you evaluate whether a plugin is safe to install or not.

Check Whether a Plugin Is a Security Threat

Use a site like the WPScan Vulnerability Database to search for the plugin name and see whether any results indicate that the plugin is vulnerable. This service lists plugins together with their known vulnerabilities. You can search the database by plugin name or browse through all the vulnerabilities.

Screenshot: WPScan Vulnerability Database website. Use the search bar to enter the plugin name and see if any results come up.

If a plugin you’re using or planning on using comes up, check the plugin’s homepage to see if it has been updated. If it was updated, update the plugin on your site or proceed with the installation. Otherwise, deactivate and uninstall the plugin immediately.

A plugin like Wordfence Security can also notify you immediately if a vulnerability has been found and you can also run a daily scan on your site with it. The daily scan will scan plugin files for known vulnerabilities and changes in your site’s files and folders and send you an email alert on potential security issues.

Avoid Nulled Plugins

Whatever you do, avoid downloading "nulled" plugins or supposedly "free" versions of premium plugins. Often, those plugins' files have been modified to remove author information, and they can include malicious code that infects your site with malware, redirects it to an entirely different website, or even loads ads that have nothing to do with your site.

You can also use a tool like RIPS to evaluate a plugin's files if you wound up downloading a nulled version of the plugin. The RIPS scanner checks PHP files for vulnerabilities and reports any that it finds.

Choose the Right Plugins

You can minimize the risk of installing a potentially vulnerable plugin if you learn to look for warning signs. Here are a few things to keep in mind when looking for plugins to install.

Use reputable sites

Screenshot: The WordPress Plugin Directory, the largest directory of free and open source WordPress plugins.

When you're looking for plugins, the first place you should check is the official repository. The repository team vets each plugin before releasing it to the public, so there is less chance of a plugin with a vulnerability being available for download. Third-party marketplaces like CodeCanyon have similar vetting procedures in place to ensure code quality.

If you come across a free or a premium plugin from another site, do a Google search for the plugin name paired with words such as "security issues" or "vulnerability." Check the plugin in the WPScan Vulnerability Database mentioned above as well.

If you cannot find any results that would indicate a plugin is vulnerable, assess the plugin’s homepage:

  • Does it appear professional?
  • Is the plugin developer reputable and does their name appear in WordPress circles?
  • Do they offer a TOS and Privacy Policy?
  • Can you find company information in the footer of the site?

If nothing seems suspicious, check how often the plugin is updated and whether the author provides active support for it.

Average user ratings

Screenshot: An example of a plugin's Average Rating in the plugin directory.

Check the star rating in the official repository. Usually, plugins rated 4 stars and above are safe to install, in terms of both performance and security. A lower rating could indicate that the plugin doesn't do what it's supposed to do well, or at all, but it could also mean that the plugin is not very safe.

User reviews

While you’re checking the stars, don’t forget to check what other users had to say about the plugin. In some cases, you’ll discover they had no problems whatsoever, while in others you may discover issues that could jeopardize your site.

Updates and compatibility

A quality plugin should be updated on a regular basis. If you notice that a plugin hasn't been updated in over a year, you should continue your search. The plugin should also be compatible with the latest WordPress version.

Plugin Support

Lastly, check the support forums or the plugin's website and see how responsive the author is. If a plugin author is very active in the support section, chances are they are making sure all issues are resolved as quickly as possible and that security fixes are applied when needed.
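The three checks above (update age, compatibility with the current WordPress version, and the star rating) can be scripted against the metadata the official repository publishes for every plugin. The following is an added example, not code from this article or from WordPress.org: it assumes the field names returned by the WordPress.org plugin info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), namely "last_updated", "tested", "rating" (a 0-100 scale where 100 is five stars) and "num_ratings". The two plugin records embedded in it are constructed for illustration; fetch_plugin_info() is included for running the same check against a real slug.

```python
"""Score a plugin's WordPress.org metadata against the checklist above.

Added example (not code from the DevriX article). Field names follow the
WordPress.org plugin info API; sample values below are constructed.
"""
import json
import re
import urllib.request
from datetime import date, datetime

STALE_AFTER_DAYS = 365   # the article's "not updated in over a year" threshold
MIN_STARS = 4.0          # the article's "4-star ratings and above" threshold


def fetch_plugin_info(slug):
    """Fetch live metadata for a plugin slug (network access required).

    Not used by the offline demo below; call it with a real slug from the
    official repository to run assess_plugin() on live data.
    """
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    """'2021-03-15 9:12pm GMT' -> date(2021, 3, 15); only the date part matters here."""
    return datetime.strptime(value.split()[0], "%Y-%m-%d").date()


def version_tuple(version):
    """'6.4.2' -> (6, 4, 2). Pre-release suffixes such as '6.5-RC1' -> (6, 5)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def stars(rating):
    """WordPress.org reports ratings on a 0-100 scale; convert to stars out of 5."""
    return rating / 20.0


def assess_plugin(info, today, current_wp):
    """Return a list of (code, message) warnings; an empty list means no red flags."""
    warnings = []

    last = parse_last_updated(info["last_updated"])
    age_days = (today - last).days
    if age_days > STALE_AFTER_DAYS:
        warnings.append(("stale", f"last updated {age_days} days ago ({last.isoformat()})"))

    # Compare only major.minor so "tested: 6.4" is not flagged against WordPress 6.4.2.
    tested = version_tuple(info.get("tested", "0"))[:2]
    current = version_tuple(current_wp)[:2]
    if tested < current:
        warnings.append(("untested", f"tested up to {info.get('tested')}, current WordPress is {current_wp}"))

    rating_stars = stars(info.get("rating", 0))
    if rating_stars < MIN_STARS:
        warnings.append(("low_rating", f"average rating {rating_stars:.1f} stars from {info.get('num_ratings', 0)} ratings"))

    return warnings


# Constructed sample records (plugin names, dates and numbers are invented).
STALE_PLUGIN = {
    "name": "Example Gallery", "slug": "example-gallery", "version": "2.3.1",
    "last_updated": "2021-03-15 9:12pm GMT", "tested": "5.7",
    "rating": 72, "num_ratings": 140, "active_installs": 30000,
}
HEALTHY_PLUGIN = {
    "name": "Example Forms", "slug": "example-forms", "version": "4.0.2",
    "last_updated": "2023-05-20 2:30pm GMT", "tested": "6.2",
    "rating": 92, "num_ratings": 2100, "active_installs": 500000,
}


def demo(today=date(2023, 6, 1), current_wp="6.2"):
    """Assess both constructed samples; returns {slug: warnings}."""
    return {p["slug"]: assess_plugin(p, today, current_wp) for p in (STALE_PLUGIN, HEALTHY_PLUGIN)}


if __name__ == "__main__":
    for slug, found in demo().items():
        print(slug, "->", "OK" if not found else "; ".join(msg for _, msg in found))
```

The checks are deliberately the article's own thresholds (one year without an update, four stars). A plugin that passes all three is not thereby proven safe; it has simply cleared the warning signs this section describes, and the vulnerability-database lookup above still applies.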

Manually Check the Plugin

If you're familiar with the code, you can perform a check manually. You'll need to use SSH to access your site and then change to the wp-content directory with the command:

cd ~/public_html/wp-content

Once in that directory, run the following command:

grep -R eval * | more

If any results show eval followed by base64_decode or gzinflate, you're looking at a backdoor, and chances are your site has already been compromised.

You can also run the following command to see if any of the files on your site have been recently modified:

find . -mtime -10 -print

In most cases, compromised files will have a different timestamp from the rest of the files on your site. The number 10 returns any files that have changed in the last 10 days; replace it with however many days you want.

Compare the results against the dates and times when the official updates for your plugins were released, and also check whether any other files were modified that you don't remember modifying or updating yourself.
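The same two checks can be run as a script, which is useful when you want to repeat them on a schedule or compare results across several sites. The block below is an added example, not code from this article: it looks for eval() whose argument comes from base64_decode() or gzinflate(), matching the call chain rather than the bare word eval (which `grep -R eval` also matches inside words such as "retrieval"), and it lists files modified in the last N days, the equivalent of `find . -mtime -10`. The wp-content tree it builds, including the file names, contents and timestamps, is constructed for illustration in a temporary directory; point the two functions at a real wp-content path to use them on a site.

```python
"""Offline version of the manual check above.

Added example, not code from the DevriX article. build_demo_tree() creates a
constructed wp-content tree in a temp dir so the functions can be exercised
without a live site; pass a real wp-content path to use them for real.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# The article's indicator: eval() whose argument is decoded or inflated at run time.
# Anchoring on the call chain avoids false positives on words like "retrieval".
BACKDOOR_RE = re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.IGNORECASE)


def scan_for_backdoor_patterns(root, suffixes=(".php",)):
    """Return [(relative_path, line_number)] for every line matching BACKDOOR_RE."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        with path.open("rb") as fh:
            for lineno, line in enumerate(fh, 1):
                if BACKDOOR_RE.search(line):
                    hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


def recently_modified(root, days=10):
    """Equivalent of `find . -mtime -<days>`: files whose mtime is within <days> days."""
    root = Path(root)
    cutoff = time.time() - days * 86400
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff
    )


def build_demo_tree():
    """Create a constructed wp-content tree in a temp dir and return its path.

    One legitimate-looking plugin file is backdated 30 days. A second file
    carries the eval(base64_decode(...)) pattern with a harmless payload
    ('Zm9v' decodes to 'foo') and is written just now, so it also appears as
    recently modified. Both files and their names are constructed fixtures.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-content-demo-"))
    plugin = root / "plugins" / "example-plugin"
    plugin.mkdir(parents=True)

    benign = plugin / "example-plugin.php"
    benign.write_bytes(
        b"<?php\n"
        b"// Settings retrieval; the word 'retrieval' would match a bare grep for eval.\n"
        b"function example_retrieval() { return get_option('example'); }\n"
    )
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(benign, (thirty_days_ago, thirty_days_ago))

    planted = plugin / "cache-helper.php"
    planted.write_bytes(
        b"<?php\n"
        b"/* constructed fixture for the detection check */\n"
        b"eval(base64_decode('Zm9v'));\n"
    )
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("backdoor patterns:", scan_for_backdoor_patterns(demo_root))
    print("modified in the last 10 days:", recently_modified(demo_root, 10))
```

Treat a hit from the pattern scan as a reason to investigate, not as proof on its own: compare the flagged file against a fresh copy of the same plugin version from the official repository, and compare recently modified files against the dates of the updates you actually installed, exactly as the article describes.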

What to Do if You’re Using a Vulnerable Plugin

If your research led you to believe you’re using a plugin that has a vulnerability, the first thing you should do is to check if there is an updated version of the plugin. If there is, immediately update the plugin.

If the plugin hasn't been updated, deactivate it and then delete it from your site. Consider contacting the plugin author and asking them to clarify whether there is indeed a vulnerability in the plugin.

How to Evaluate Plugins for Performance Issues

Aside from posing a security risk, plugins can slow down your website. If you’ve been browsing blogs that regularly write about WordPress, you’ve probably come across the advice of “avoid installing too many plugins.”

While the advice above is not entirely wrong, it is somewhat misleading. If you run a handful of simple plugins that do their task effectively, chances are you won’t see a noticeable difference in performance.

But if you run a handful of complex plugins that load multiple stylesheets and script files, add several database queries to each page, and use an external API, then your site's performance will suffer.

So how do you evaluate whether a plugin slows down your website? Running a speed test with a tool like GTmetrix or Pingdom Tools can reveal a lot. You can see the number of HTTP requests your site makes and all the stylesheets, script files, images, and other assets that affect its loading time. While this won't list the plugins that are causing your site to load slowly, the test is a good indicator of where the offending files are located, which can help you identify problematic plugins.

Of course, as with anything WordPress related, there are also plugins that will attempt to narrow down anything that could be causing slowness on your site. Some of the plugins like Performance Profiler will give you an in-depth overview of each request that reaches your WordPress installation, whether it’s a theme, admin, cron, or AJAX request with detailed logs of exact requested URLs, the amount of memory consumed, and more.

Others, like UsageDD, will give you a snapshot of MySQL queries, the amount of memory used, the time needed to generate the page, CPU time needed to output the page and display it as a simple line at the bottom of the page.

The problem with using plugins to troubleshoot plugins was mentioned previously: if a plugin performs a complex task, uses an external API, loads several stylesheets and script files, or does all of the above, your site will load slowly.

Without relying on plugins, a better course of action is to download the plugin manually and unzip the file to examine its contents. You don't have to be a coding expert, but if you notice several stylesheets, several JavaScript files, and an overall folder size running into double-digit MBs, that is a good indication that the plugin in question will have an impact on your site's loading times.

The reason for this is not as complicated as it sounds. Each stylesheet and each script file (as well as each image) requires an HTTP request, that is, a request for data from the server in order to display the webpage. Each HTTP request adds to your page loading time, so your site loads more slowly than it would without those plugins.

What to Do if a Plugin Is Slowing Down Your Site

Now that you know how a plugin can slow down your site, here are a few ways to prevent those issues.

Load Files Asynchronously

An efficient way to speed up page load time is to load asset files such as stylesheets and scripts after everything else on the page has loaded. Doing so allows the pages on your site to load without being interrupted by a request for a stylesheet followed by a request for a script file or a tracking code.

Replace the Plugin with a More Lightweight One

Another way to solve the issue of page loading times is to find a lightweight alternative. While this may require some research and testing on your part, it's well worth the effort to eliminate the bloat that can slow your site down. A slow website can not only wind up with a lower SERP ranking but can also see a decrease in conversions, so asking your developer to evaluate the plugins you're currently using can save you a lot of headaches down the road.

Avoid Page Builder Plugins

Finally, avoid page builder plugins. They might seem useful and attractive, mainly because they allow you to create a decent-looking layout without hiring a developer or learning to code yourself.

However, a good majority of those plugins rely on shortcodes, which are nothing more than shortcuts for longer, more complicated strings of code. This extra code results in a sluggish site.

WordPress Plugins and Stability

Finally, we have to address the issue of plugins and stability. WordPress plugins are great for extending the functionality of your site, but they can also bring your entire site down. In most cases, this happens because a plugin is no longer developed or actively maintained and as such, it can result in your site being less stable.

However, your site can also become less stable if you avoid updating plugins because of a previous bad experience where a plugin wasn’t entirely compatible with a WordPress version.

Lastly, there is also a risk of a plugin update that contains a bug fix that actually introduces a new bug, making the plugin not function properly.

How to Keep Your Site Stable

While the above practices related to security and speed will contribute to the stability of your site, here are a few more tips that will help you keep your site stable.

Keep Plugins Up to Date

While keeping your plugins up to date is necessary for security, it's just as important to pay attention to the plugin description that states which WordPress version the plugin is compatible with. A regularly maintained plugin is a lot less likely to cause issues.

Run Only the Necessary Plugins

As you add more plugins to your site, they begin interacting with WordPress itself and one another, which increases the chances of something going wrong. Sometimes, plugins will conflict with each other and cause your entire site to misbehave. Using only the necessary plugins reduces the chances of plugin conflicts and contributes to your site’s stability.

Test Everything Locally

You can also create a local copy of your live site, or a staging site if your hosting provider offers this feature. When it's time to update, perform the updates on the local or staging copy first to ensure everything continues working as intended. Once you've made sure nothing will break, you can update your live site.

Wrapping Up

Plugins can add a lot of great functionality to your website. However, they can also pose a security risk and affect the performance of your site if they are poorly coded or out of date. Use the tips above to assess every plugin before installing it on your site and remember to update them on a regular basis. Doing so will help you keep your site safe, fast, and stable.