Five Tips To Help You Avoid Malicious WordPress Plugins And Themes
WordPress’s plugins and themes are one of the most powerful things about the platform - easy to use and easy to install, they can transform your website into just about anything you could possibly imagine. Unfortunately, there are plenty of people out there looking to use this functionality for nefarious purposes - here’s how to spot and avoid them.
All told, WordPress is a remarkably secure platform. Were it not, I doubt it would have achieved the level of market penetration it has. Of course, that probably has as much to do with its plugin ecosystem as anything else.
WordPress’s greatest strength, and its greatest weakness.
There exists a dizzyingly diverse selection of plugins and themes on the web. Tools that can transform your website into just about anything you could possibly imagine. As you might expect, there are also plenty of unsavory characters angling to abuse this fact - to trick unsuspecting webmasters into downloading malicious software and compromising their website.
Here’s how to spot (and avoid) them.
1. Be Careful Where You Download From
There are plenty of reputable, trustworthy plugin repositories and theme marketplaces on the web, but there are also a ton of shady back alley websites loaded with all sorts of nasty stuff. Sites like the WordPress Marketplace and ThemeForest - as well as the websites of reputable, well-known developers - are usually safe. But if you had to spend several hours on Google to find a particular repository?
There’s probably a very good reason it was so hard to find.
2. Look At The Reviews
What are people saying about the plugin or theme on the web? What about the developer of that plugin or theme? Generally speaking, if someone is a peddler of malware, it doesn’t take long for people to call them out for it. And when someone gets a reputation like that, it becomes very difficult for them to shed it.
A little bit of due diligence here can go a very long way. A quick Google search on a developer’s name, a quick look through the reviews on the repository, a quick glance at other plugins they’ve developed... you get the idea. Do note that some repositories make it impossible to post negative reviews - if possible, look at multiple sources in the course of your research.
3. Read The Documentation
How well-supported is the plugin or theme? Are there changelogs for each update? Extensive documentation on how to use its various features and functions? Is the developer active on their support forum?
A quality plugin or theme offers more than just functionality. It’s maintained by a developer who actually cares about offering their users something of value. A lack of documentation or support could indicate that the dev doesn’t care - or it could indicate that they’re peddling malware.
4. Do A Bit Of Historical Research
It’s also important to look at a plugin/theme’s history. How many total downloads does it have? How many active installations are there? Is it being distributed by someone you know isn’t the original developer?
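Tips 2 through 4 can be turned into a repeatable check rather than a gut feeling. The script below is an added example written for this article, not code from the author; it scores a plugin record using the field names of the WordPress.org plugin information API (active installs, ratings, support threads, last update, changelog, download link) and flags anything that misses a threshold. The two sample records are constructed for illustration and describe no real plugin, and the thresholds (1,000 installs, 20 ratings, a year since the last update, half of support threads resolved) are assumptions for the example, not values published by WordPress.org.

```python
import json
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed sample records shaped like the api.wordpress.org
# plugin_information response. The field names are the API's; every
# value below is invented for illustration and describes no real plugin.
GOOD_SAMPLE = json.dumps({
    "name": "Example Gallery",
    "slug": "example-gallery",
    "version": "2.4.1",
    "tested": "6.4.2",
    "rating": 88,
    "num_ratings": 240,
    "support_threads": 30,
    "support_threads_resolved": 24,
    "active_installs": 50000,
    "downloaded": 1200000,
    "last_updated": "2024-01-15 10:22am GMT",
    "download_link": "https://downloads.wordpress.org/plugin/example-gallery.2.4.1.zip",
    "sections": {"description": "A gallery plugin.", "changelog": "= 2.4.1 =\n* Fixed ..."},
})

SUSPICIOUS_SAMPLE = json.dumps({
    "name": "Example Gallery Pro (free download!)",
    "slug": "example-gallery-pro",
    "version": "9.9.9",
    "tested": "5.2",
    "rating": 100,
    "num_ratings": 3,
    "support_threads": 12,
    "support_threads_resolved": 1,
    "active_installs": 200,
    "downloaded": 900,
    "last_updated": "2021-06-02 3:05pm GMT",
    "download_link": "https://free-premium-mirror.invalid/example-gallery-pro.zip",
    "sections": {"description": "Premium plugin, free!"},
})

# Fixed reference date so the age calculation is reproducible offline.
REFERENCE_DATE = date(2024, 3, 1)


def days_since_update(last_updated: str, today: date) -> int:
    """Age in days of a 'YYYY-MM-DD h:mmam GMT' last_updated string."""
    updated = datetime.strptime(last_updated.split(" ")[0], "%Y-%m-%d").date()
    return (today - updated).days


def vet_plugin(info: dict, today: date, *,
               min_installs: int = 1000,        # assumed threshold
               min_ratings: int = 20,           # assumed threshold
               min_rating: int = 70,            # assumed threshold (0-100 scale)
               max_stale_days: int = 365,       # assumed threshold
               min_resolved_ratio: float = 0.5  # assumed threshold
               ) -> list[str]:
    """Return a list of red flags; an empty list means nothing stood out."""
    flags = []

    # Tip 4: how many sites actually run it?
    installs = info.get("active_installs", 0)
    if installs < min_installs:
        flags.append(f"only {installs} active installs")

    # Tip 2: is there a meaningful body of reviews, and are they positive?
    num_ratings = info.get("num_ratings", 0)
    if num_ratings < min_ratings:
        flags.append(f"only {num_ratings} ratings (too few to trust)")
    elif info.get("rating", 0) < min_rating:
        flags.append(f"low rating ({info['rating']}/100)")

    # Tip 3: is it maintained, and does the developer answer support threads?
    age = days_since_update(info["last_updated"], today)
    if age > max_stale_days:
        flags.append(f"stale: last updated {age} days ago")
    threads = info.get("support_threads", 0)
    if threads and info.get("support_threads_resolved", 0) / threads < min_resolved_ratio:
        flags.append("support threads mostly unresolved")
    if not info.get("sections", {}).get("changelog"):
        flags.append("no changelog")

    # Tips 1 and 4: is the package served by wordpress.org or by a third party?
    host = urlparse(info.get("download_link", "")).hostname or ""
    if not (host == "wordpress.org" or host.endswith(".wordpress.org")):
        flags.append(f"download served from {host or 'unknown host'}, not wordpress.org")

    return flags


def vet_json(raw: str, today: date = REFERENCE_DATE) -> list[str]:
    """Vet a raw JSON record of the shape the plugin information API returns."""
    return vet_plugin(json.loads(raw), today)


if __name__ == "__main__":
    for raw in (GOOD_SAMPLE, SUSPICIOUS_SAMPLE):
        flags = vet_json(raw)
        print(f"{json.loads(raw)['name']}: {'looks reasonable' if not flags else 'needs a closer look'}")
        for flag in flags:
            print(f"  - {flag}")
```

To run it against a real plugin, fetch `https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>` and pass the response body to `vet_json` with today's date. The flags are prompts for the manual research the article describes, not a verdict: a new plugin from a known developer will trip the install and rating thresholds, while a long-abandoned one with thousands of installs will trip only the staleness check. Themes can be vetted the same way from the theme information API, but the field names differ and are not covered here.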
5. Ultimately, Just Use Your Best Judgement
Are you stoked about finding a premium plugin or theme for free? Before you get too excited, you’d best ask yourself what the person peddling that software has to gain by doing so. Because you can bet they aren’t doing this entirely out of the kindness of their heart.
Generally speaking, if someone claims to be offering a paid-for, full-featured premium plugin or theme at no cost, walk away. There’s a good chance their version is laden with malware, or at the very least contains a backdoor that’ll allow them to freely exploit your website.