
Why WordPress Plugins Can Be a Security Threat


You put a plugin on your WordPress blog, and soon your site is hacked and defaced – coincidence?

I’ve talked in the past of the dangers of using ‘just any’ theme out there, and of course you should always update your blog as soon as a new security problem is fixed.

But are plugins an issue?

Now I’m not reporting on a specific plugin here, one that is doing bad things. However, the potential IS there, and here are some reasons why:

  • A plugin, when activated, has access to all of WordPress, and to your site: MySQL info, admin passwords (encrypted, although it’s not hard for a plugin to replace one with a password of its author’s choosing – or even to add a new user), user lists, and even the files on your site.
  • Even a deactivated plugin can still be called on your site. At the very least, you can call a plugin file directly via a URL and get an error message that reveals a bit about your site; at worst, the plugin will actually do something independent of WordPress.
  • Open source does not mean ethical, legal or honest. I can conceive of a plugin with some nasty code buried in it. And to add insult to injury, simply by calling itself Open Source, such a bombshell can appear on the WordPress plugins site, ready to be downloaded and installed automatically.
  • Even a ‘good’ plugin may have security problems (after all, look how often bugs crop up in WordPress itself). For example, if the plugin author doesn’t follow strict security rules when writing the plugin, there can be leaks. Combined with it being Open Source, someone may read the source code and use those leaks to crack open a site.

So with so many potential issues, what should you do?

  • Go for trusted. If a plugin has been in use for months, and the programmer is respected, that’s a plus. If the plugin is brand new and unknown, that’s a minus. Not that new plugins can’t be good – but unless you know about plugins in general, you might have a problem, which leads to our next point.
  • Ask your tech person. Someone who knows PHP and WordPress tech can tell you whether the plugin looks odd or not. It’s time-consuming to go through a plugin line by line (I know, I do my fair share when vetting them for my ActiveBlogging members), but essential.
  • Use few plugins. The fewer you use, the fewer security issues you have to check over.
  • If you program your own plugins, program securely. Learn about PHP security. Read all you can on the topic. And make your plugins bullet-proof. Even a line like this at the top helps:

    if (!defined('WPLANG')) exit();

    This line checks whether the WPLANG constant is defined, which it is when WordPress loads the plugin; but if someone requests the plugin file directly, it isn’t, and the plugin exits silently.

  • Delete unused plugins. Log into your site and remove any you aren’t using if at all possible.
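As an added example (not code from the original post, and not any real plugin), here is a minimal plugin file that applies the direct-access guard described above and shows what the guard is protecting against. The plugin name “Guard Demo” and the function `guard_demo_notice` are hypothetical. It checks `ABSPATH`, the constant WordPress itself defines in wp-load.php before including any plugin, rather than the post’s `WPLANG`; the idea is the same.

```php
<?php
/*
Plugin Name: Guard Demo (hypothetical example plugin)
Description: Shows a direct-access guard at the top of a plugin file.
*/

// Direct-access guard.
// When WordPress loads this file, wp-load.php has already defined ABSPATH.
// A request sent straight to this file's URL (for example
// /wp-content/plugins/guard-demo/guard-demo.php) never passes through
// wp-load.php, so ABSPATH is missing and we stop before doing anything,
// and before PHP can print anything.
//
// Without this guard, the add_action() call below would run outside
// WordPress, where the function does not exist. PHP then raises
// "Call to undefined function add_action()" and, if display_errors is on,
// prints the absolute server path of this file: exactly the information
// leak from a directly-called plugin that the post warns about.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Everything below only ever runs inside WordPress.
add_action( 'admin_notices', 'guard_demo_notice' );

/**
 * Print a small admin notice. Output goes through esc_html__() so the
 * plugin does not add an unescaped output sink of its own.
 */
function guard_demo_notice() {
    echo '<div class="notice notice-info"><p>'
        . esc_html__( 'Guard Demo is active.', 'guard-demo' )
        . '</p></div>';
}
```

Put the guard before any other statement, including `include` lines and top-level function calls, since anything above it still executes on a direct request. The guard stops your own code from leaking; it does not stop the web server from serving the file, so keeping `display_errors` off in production is the second half of the defence.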

The issue of security is a huge one – and like anything on your website you need to be on guard against broken ones. It’s a real shame, but that unfortunately is the price you pay to be on the ‘wild west’ of the Internet.
