There are loads of WordPress plugins out there that are running on deprecated code because developers don’t consistently update them along with official WordPress releases. Others may consist of sloppily written code or shortcuts that open your WordPress site up to unnecessary security risks.
Attackers often use these vulnerabilities to inject their own code and gain access to the backend of your website and your databases. They could also take your site down altogether. And even the most popular plugins aren’t invincible.
Yoast SEO and Google Analytics by Yoast are two of the most widely used plugins in the world, and just last year an XSS vulnerability was discovered in them. XSS attacks target dynamic web pages: when user-supplied content is output without proper escaping, the browser interprets the string as markup or script rather than as plain text. A hacker can submit malicious code and trigger a variety of crippling problems, including stealing user login details, gaining access to a site’s content, and inserting subtle phishing code that transmits sensitive data to outsiders.
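To make the escaping point concrete, here is an added example (not code from the article, from Yoast, or from any real plugin) of a small WordPress output routine in its vulnerable form beside its hardened form. The routine, the `name` and `note` request parameters, and the sample payload are all assumptions; `esc_html()` and `esc_attr()` are WordPress's own escaping functions, and the small shim at the top only exists so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not from the original article): the same output routine written
// twice, once reflecting request input unescaped and once escaping it for its
// output context. Parameter names "name" and "note" are assumptions.

// Shim so this file runs outside WordPress (plain `php file.php`). Inside
// WordPress the real esc_html()/esc_attr() already exist and the shim is skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string)$text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string)$text, ENT_QUOTES, 'UTF-8'); }
}

// VULNERABLE: request input is concatenated straight into the HTML, so any tag
// or attribute characters in it are rendered as markup instead of text.
function render_profile_vulnerable(array $request): string {
    $name = $request['name'] ?? 'visitor';
    $note = $request['note'] ?? '';
    return '<p>Hello, ' . $name . '</p>' . "\n"
         . '<input type="text" name="note" value="' . $note . '">';
}

// HARDENED: escape at output time with the function that matches the context.
// esc_html() for text between tags, esc_attr() for a value inside an attribute.
function render_profile_hardened(array $request): string {
    $name = $request['name'] ?? 'visitor';
    $note = $request['note'] ?? '';
    return '<p>Hello, ' . esc_html($name) . '</p>' . "\n"
         . '<input type="text" name="note" value="' . esc_attr($note) . '">';
}

if (function_exists('add_shortcode')) {
    // Inside WordPress: expose only the hardened version as a shortcode.
    add_shortcode('profile_card', function () { return render_profile_hardened($_GET); });
} else {
    // Under plain PHP: a constructed request showing the difference in output.
    // The payload is the textbook XSS probe; in the hardened output it is inert text.
    $sample = ['name' => '<script>alert(1)</script>', 'note' => '" onfocus="alert(1)'];
    echo "Vulnerable output:\n" . render_profile_vulnerable($sample) . "\n\n";
    echo "Hardened output:\n"   . render_profile_hardened($sample)   . "\n";
}
```

The rule the hardened version follows is the one WordPress's own coding standards state: escape late, at the point of output, and pick the escaping function for the context the value lands in. Escaping with `esc_html()` inside an attribute, or not at all because the value "came from the database", is how plugins end up with the kind of XSS described above.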
So how can you protect your WordPress site?
- First of all, choose your plugins carefully and keep them updated. Regularly install WordPress core updates and keep your plugins up to date to make sure you’re running all the latest security patches.
- Use a modern and updated WordPress theme. Older themes often have embedded plugins that haven’t been patched and can present vulnerabilities.
- When researching the use of any plugin, check the date it was last updated and its WordPress version compatibility. Avoid older plugins, as those haven’t been tested with the current WordPress version.
- When deciding between plugins with similar functionality, choose the one with more active installs and better ratings. Generally speaking, such popular plugins are regularly updated and carry a lower risk.
- Even inactive plugins on your WordPress site pose a security risk. Delete plugins that are unnecessary or that you don’t actively use. The fewer plugins you run, the fewer options a hacker will have.
- No plugin is 100% safe, but the WordPress Plugin repository reviews each plugin before listing it for users. Only download plugins from the repository site or from third-party theme and plugin developers known to be reputable.
- Use WPScan’s Vulnerability Database to monitor plugins known to have vulnerabilities, as well as to learn when they are patched.
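The checklist above can be turned into a routine audit. The script below is an added example, not from the article, WPScan, or WP-CLI: it takes the plugin inventory in the shape that `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) and per-plugin metadata in the shape of the wordpress.org plugin info API (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`, fields `last_updated` and `tested`), then flags inactive plugins, pending updates, stale plugins, plugins not tested with the running WordPress version, and anything on a watchlist you maintain from WPScan's database. Both inputs, the watchlist, the running version and the staleness threshold are constructed or assumed values so the script runs offline.

```php
<?php
// Added example (not from the original article): apply the plugin checklist to an
// inventory. All data below is CONSTRUCTED; plugin names, versions and dates are made up.

const CURRENT_WP       = '6.5';  // assumed: the WordPress version this site runs
const STALE_AFTER_DAYS = 365;    // assumed: flag plugins not updated in a year

// Constructed stand-in for the output of `wp plugin list --format=json`.
$inventory = json_decode('[
  {"name":"alpha-forms",  "status":"active",   "update":"available", "version":"1.2.0"},
  {"name":"beta-gallery", "status":"inactive", "update":"none",      "version":"3.0.1"},
  {"name":"gamma-seo",    "status":"active",   "update":"none",      "version":"5.4.2"},
  {"name":"delta-custom", "status":"active",   "update":"none",      "version":"0.9"}
]', true);

// Constructed stand-in for plugin-info API responses, keyed by slug. The real API
// returns last_updated as a date-time string; only the leading date is used here.
$metadata = [
  'alpha-forms'  => ['last_updated' => '2024-03-10 9:00am GMT', 'tested' => '6.5'],
  'beta-gallery' => ['last_updated' => '2021-06-01 3:15pm GMT', 'tested' => '5.8'],
  'gamma-seo'    => ['last_updated' => '2024-04-02 11:30am GMT', 'tested' => '6.4'],
  // delta-custom is deliberately absent: a plugin installed from outside the directory.
];

// Placeholder for slugs you track in WPScan's vulnerability database (constructed).
$watchlist = ['beta-gallery'];

function audit_plugins(array $inventory, array $metadata, array $watchlist, string $today): array {
    $findings = [];
    $now = new DateTimeImmutable($today);
    foreach ($inventory as $plugin) {
        $slug   = $plugin['name'];
        $issues = [];
        if ($plugin['status'] === 'inactive') {
            $issues[] = 'inactive: delete it unless it is genuinely needed';
        }
        if ($plugin['update'] === 'available') {
            $issues[] = 'update available: apply it';
        }
        if (in_array($slug, $watchlist, true)) {
            $issues[] = 'on the vulnerability watchlist: check whether a fixed release exists';
        }
        if (isset($metadata[$slug])) {
            $meta    = $metadata[$slug];
            $updated = new DateTimeImmutable(substr($meta['last_updated'], 0, 10));
            $ageDays = $now->diff($updated)->days;
            if ($ageDays > STALE_AFTER_DAYS) {
                $issues[] = "last updated $ageDays days ago: likely unmaintained";
            }
            if (version_compare($meta['tested'], CURRENT_WP, '<')) {
                $issues[] = "tested only up to WordPress {$meta['tested']}, not " . CURRENT_WP;
            }
        } else {
            $issues[] = 'not in the wordpress.org directory: verify the source is reputable';
        }
        if ($issues) {
            $findings[$slug] = $issues;
        }
    }
    return $findings;
}

// Assumed audit date so the output is stable; use date('Y-m-d') in practice.
foreach (audit_plugins($inventory, $metadata, $watchlist, '2024-05-01') as $slug => $issues) {
    echo $slug, ":\n";
    foreach ($issues as $issue) {
        echo "  - ", $issue, "\n";
    }
}
```

With the constructed data, `alpha-forms` is flagged for the pending update, `beta-gallery` for being inactive, on the watchlist, stale and untested with the current version, `gamma-seo` for being tested only up to 6.4, and `delta-custom` for not coming from the directory at all. Run against a real inventory, the same output becomes the to-do list for the checklist above, and it is cheap enough to schedule alongside your update cycle.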