There has been a lot of noise made recently about the state of security in WordPress plugins and how they will destroy your site in an instant. I want to set the record straight about this right now.
It’s all true! And the sky is falling!
Ok. Perhaps not Chicken Little.
First of all, let’s get some facts out there.
Myth: 7/10 plugins have security holes
Fact: It’s entirely possible. I can’t survey all 25,000 plugins in the WordPress repository but I’ve looked at several of them over the years and I can say that many do not follow basic sanitization/validation of input and output (some of my work is included in this). This leads to scary vulnerabilities like XSS attacks, SQL injection and other frightening terms. You should be wary.
Myth: Too many plugins will slow my site down
Fact: True-ish. The more code your server has to slog through, the longer it takes to display a single page, and that’s bad. But this “too many” could be a single plugin that does something crazy and takes a long time, or it could be the 50 plugins you’re tinkering with. It depends on the plugin(s) and your server. Host A might be able to handle your 50 plugins, but your buddy running on Host Q can’t run the same setup. The core issue here is two-fold, in my opinion: what work is the plugin doing when it runs, and how well is the plugin written? Both issues will seriously impact your site in terms of time to load, stability and security.
Myth: I need plugin X to get feature Y
Fact: Maybe, maybe not. One of my pet peeves with this is things like Google Analytics or other plugins that do basically 1 thing. I love me some Google Analytics, let’s start with that. But do you need a plugin to include it? Probably not. Your GA code (or similar trackers) would be installed on every single page of your site, so it could be included directly in your theme files, or you could use the feature built into your (good) theme or SEO plugin to accomplish it rather than adding another plugin. Putting it into the theme makes the most sense to me, but there may be extenuating circumstances.
Myth: WordPress is insecure!
Fact: Yep, it’s possible. Since it’s designed and coded by people (great people who really know their work, btw) it probably has some security issues. Worse, it lets ANYONE with an iota of coding skill add to it – looking at you, plugin and theme “developers”. Does this make WordPress insecure? Is it the fault of WordPress.org that your site got hacked? Not entirely, no. WordPress includes many tools and methods that developers (from novice to pro) can take advantage of to help mitigate the risk. Usually when security holes are found, the coder hadn’t followed good programming practices – either those of WordPress or of the coding community at large.
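To make the sanitization/validation point from the plugin myth concrete, and to show the “tools and methods” WordPress ships for it, here is an added example that is not code from this post or from any real plugin. It is a hypothetical shortcode that greets a visitor by a name query parameter and reads a visit count from a hypothetical custom table (the myplugin_ names and the table are assumptions). The first handler makes the two mistakes described above (unescaped output leading to XSS, string-built SQL leading to injection); the second fixes both with WordPress’s own helpers.

```php
<?php
/*
 * Added example, not code from the post or from a real plugin. A hypothetical
 * [greet] shortcode that greets the visitor by the "name" query parameter and
 * shows a visit count from a hypothetical custom table. The first handler makes
 * the two classic mistakes (unescaped output -> XSS, string-built SQL -> injection);
 * the second uses the helpers WordPress provides for exactly this.
 */

// Vulnerable: trusts the request and builds HTML and SQL by concatenation.
function myplugin_greet_unsafe( $atts ) {
    global $wpdb;
    $name  = $_GET['name'];                                      // raw, untrusted
    $table = $wpdb->prefix . 'myplugin_visits';                  // hypothetical table
    $count = $wpdb->get_var(
        "SELECT visits FROM $table WHERE name = '$name'"         // SQL injection
    );
    return '<p>Hello, ' . $name . '! Visits: ' . $count . '</p>'; // reflected XSS
}

// Hardened: validate and sanitize on input, prepare the query, escape on output.
function myplugin_greet_safe( $atts ) {
    global $wpdb;

    // WordPress adds slashes to superglobals, so unslash first; sanitize_text_field()
    // then strips tags, line breaks and invalid UTF-8 sequences.
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';

    // Validate against what a name can actually be, and reject rather than repair.
    if ( '' === $name || strlen( $name ) > 64 || ! preg_match( '/^[\p{L}\p{N} .\'-]+$/u', $name ) ) {
        return '<p>Hello, stranger!</p>';
    }

    // $wpdb->prepare() substitutes the %s placeholder with a quoted, escaped value;
    // the user-supplied string is never concatenated into the SQL. The table prefix
    // is configuration, not user input, so interpolating it is fine.
    $table = $wpdb->prefix . 'myplugin_visits';
    $count = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT visits FROM {$table} WHERE name = %s", $name )
    );

    // Escape for the HTML text context at the point the value is emitted.
    return '<p>Hello, ' . esc_html( $name ) . '! Visits: ' . $count . '</p>';
}

add_shortcode( 'greet', 'myplugin_greet_safe' );
```

The split matters: sanitizing on input limits what gets stored or queried, but escaping still happens at output, with the escaping function chosen for the context (esc_html for text, esc_attr for attributes, esc_url for links), because a value that is safe in one context is not automatically safe in another.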
So – now what?
I’m going to tell you the same thing everyone else does. There’s no magic bullet or secret voodoo involved here. It’s simple common sense.
- Back it up! Keep a current copy of your site and database. How often you do this depends on your site. If it changes often, back it up more often to minimize loss. How do you back it up? I don’t know what’s right for you. Your host probably has a backup service. There are plugins that do it, and there are 3rd party paid services that do it. Or you could learn how to do it yourself. After you learn, it’ll probably take about 10 minutes per backup.
- Update WordPress! There’s tons of debate on this but I fall on the “do the update” side. WordPress updates for 2 reasons. Major releases (3.4, 3.5, 3.6) are usually about features – with security rolled in. Minor releases (3.5.1, 3.5.2) are usually bug fixes and/or security related. Just about every release includes some security fixes or tweaks. Thus – update WordPress.
- Update plugins! Good plugin developers work like the WordPress core devs. They fix security issues and bugs as they become aware of them, by reviewing code, listening to customers and watching the internet for reports. Good plugin developers issue releases when they fix those bugs and include them along with other features. Now, plugin developers don’t always have the same testing and quality control, and sometimes their updates introduce MORE issues. So I advocate a short delay on plugin updates, but it depends on the plugin (could you live without it for a couple of days?) and what the details of the update are.
- Clean it up! All those inactive plugins and themes you played with and then deactivated? They don’t affect your site much. WordPress looks at them when you display the list of installed plugins, but even that is cached. They might provide a vector for a security attack. If you’re not using them, delete them. You can always re-install.
- Lock it up (down?)! Do some research on permissions. Leaving all files set to 777 means that any user who gets access to your machine could modify, run or otherwise compromise any file. Find out the difference between 777 and 644 and when to use each – and the others. Learn how to secure your wp-admin with .htaccess, or at least get someone to do it for you. If it’s necessary. Not sure… Good, go look it up!
- Scan it! There are a number of security plugins (some not so great) and services that will scan or monitor your site for changes and intrusions. Have a look at a couple and decide if it’s necessary. Sucuri is a great company leading the charge to protect the internet. Even their free scan is worth having a look at and running once in a while. This is an added plugin I do recommend you install: Sucuri Security.
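Since the “Lock it up” item asks you to go and learn the difference between 777 and 644, here is an added example (not from this post, and not a WordPress or Sucuri tool) that does the homework in code: a stand-alone PHP script that walks an install, decodes each entry’s permission bits the way ls -l shows them, and reports anything world-writable or more permissive than a target mode. The target modes (0644 for files, 0755 for directories) and the example path are assumptions; some hosts legitimately need group write on uploads directories, so treat the report as a list to review, not to apply blindly.

```php
<?php
/*
 * Added example, not from the post. A stand-alone permission audit for a
 * WordPress install (no WordPress code is loaded). Reports every file or
 * directory that is world-writable (the "777" problem) or that has more
 * permission bits than the target mode. Targets 0644/0755 and the path are
 * assumptions; adapt them to your host.
 */

function mode_to_rwx( int $mode ): string {
    // Render the low 9 permission bits like `ls -l` does, e.g. 0644 -> rw-r--r--.
    $bits  = [ 0400, 0200, 0100, 0040, 0020, 0010, 0004, 0002, 0001 ];
    $chars = [ 'r', 'w', 'x', 'r', 'w', 'x', 'r', 'w', 'x' ];
    $out   = '';
    foreach ( $bits as $i => $bit ) {
        $out .= ( $mode & $bit ) ? $chars[ $i ] : '-';
    }
    return $out;
}

function audit_permissions( string $root, int $file_ok = 0644, int $dir_ok = 0755 ): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        $mode   = fileperms( $path ) & 0777;        // keep permission bits, drop type bits
        $is_dir = $info->isDir();
        $want   = $is_dir ? $dir_ok : $file_ok;
        $world  = (bool) ( $mode & 0002 );          // "other" class may write
        $extra  = $mode & ~$want;                   // bits set beyond the target

        // Flag world-writable entries first (the dangerous case), then anything
        // looser than the target; each finding states the mode to change it to.
        if ( $world || $extra ) {
            $findings[] = [
                'path'           => $path,
                'current'        => mode_to_rwx( $mode ),
                'target'         => mode_to_rwx( $want ),
                'world_writable' => $world,
            ];
        }
    }
    return $findings;
}

// Usage from the command line (the path is an assumption):
//   php audit.php /var/www/html
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( audit_permissions( $argv[1] ) as $f ) {
        printf(
            "%-15s %s  %s -> %s\n",
            $f['world_writable'] ? 'WORLD-WRITABLE' : 'too permissive',
            $f['path'],
            $f['current'],
            $f['target']
        );
    }
}
```

The script only reads; fixing modes is left to you on purpose, because the right answer depends on which user your web server runs as and whether that user owns the files. The WORLD-WRITABLE lines are the ones the post is warning about: any account on the server, not just yours, can change those files.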
You don’t have to be an expert – I’m not, and you don’t have to go all bunker-in-the-desert-crazy on securing your website, but since you put all this time and effort into it, don’t you think you should do the basics?