How to analyze security aspects of WordPress plugins

Plugins are software that complements the core WordPress for various features. The platform complements extensive ecosystem and it is necessary to know how to analyze the safety aspects of WordPress plugins. So be good at making safe choices.

wordpress-plugins-directory

WordPress.org Plugin Directory

At the moment, more than 40,000 plugins are available which together have been downloaded over a billion times. With this volume, challenge is been increasing for the security team who is responsible for the analysis and especially for users who do not know how to make the best choice within so many options.

With this article, we intend to lead you with useful information and tips on security for WordPress that will help you in analyzing the safety aspects in plugins. We do not mean the choice of plugins that implement security rules on the platform, but the suggestions that can be applied to any kind of plugins and help you in the selection process with security as a focal point in the choice.

The tips below will lead this article and are oriented to assist you in the safety analysis of WordPress plugins.

  1. Be selective and careful with your choices;
  2. Keep plugins up to date;
  3. Delete, or update, inactive plugins;
  4. Delete plugins that occurrences in WPScan Vulnerability Database, and without correction;
  5. Make regular analysis with WP Scan;
  6. Premium plugins may also have security problems;
  7. Check input, output and credential properly.

How to be selective and careful when choosing a WordPress plugin?

With more than 40 000 option, and many of which serves similar functionality you need to be selective and adopt criteria for selection of WordPress plugins. There are simple and easy analysis criteria that are highlighted below.

Download statistics versus number of active installations

wordpress-active-installsPopular plugins download stats fill the eyes, but can be deceiving. A total active facility is a more important number for you to consider as the end user. They actually say how many WordPress installations are with said active plugin in use. The WP-PageNavi plugin, for example, is a success in both scenarios. Further by delivering a functionality, content pagination, native WordPress , meaning its use is totally in vain and unnecessary.

More than a million sites with active plugin. An average of more than one thousand downloads per day and an overall total of more than six million.

wordpress-download-stats

Download Statistics

Compatibility, support, translation and reviews of WordPress plugins

The free plugins available on the official directory have information that are insights for analysis of various selection criteria to be adopted.

Reviews of tests are interesting to analyze the expectation of use and user experience with the plugin. In WordPress plugins, security issues should be focused for software compatibility, support and developer experience.

If the plugin requires a too old WP version, it is better to not to use the plugin. The danger at this point is the lack of development and use of new functions and classes and perhaps the length of use of resources that are or will be very soon obsolete. Another important factor is the information to which version of CMS that the plugin is compatible. This version must always support the current version of WordPress, this shows that the plugin is updated frequently and is developed according to the new guidelines.

The developer experience can be analyzed by the amount of downloads for plugins and its quality available. When I say quality I mean the total activations in use, reviews, and translations, called answered support, compatibility with the current version of WordPress, for example.

The so-called free plugin support is quite relative and analysis needs to be done to add other factors. The developer has other chores to support themselves financially so their commitment is not total, and sometimes not partial. Plugins that make use of the freemium model, usually have professionals dedicated to answering questions from users who use the free version to always ensure a great experience with the product.

Free or paid (premium) plugins ?

Paid plugins, usually called premiums, can also present problems as far as the free. One advantage is its support which is made by another channel where there are professionals dedicated to provide service and solutions to fix problems.

An advantage of the free plugins is, when they are popular, it is easy to find someone who uses and who can share user experience with you. Also your page in the official directory is no information as mentioned above to help us in analyzing your selection.

Most important of all is, you need to consider and keep in mind when analyzing WordPress plugins is that, they need to work today and in the future.

Why should we keep plugins up to date?

To be a criterion of extreme importance. Analyzing security criteria for WordPress plugins begins with its own installation. It is necessary, required and necessary to keep WordPress components up to date.

WordPress offers new versions of its software after every three or four months. They include security fixes, new features and other updates that are obsolete and plugins need to follow this evolution. If there are no updates available for the plugins in use, it is a great sign of concern that they have not evolved, becoming obsolete and very likely vulnerable.

Why inactive plugins also bring problems?

Their codes are on the server and available to be explored. It just means that the features offered by the inactive plugins are not in use but are considered by the core platform.

The existence of the codes on the server can be exploited by attackers. If its use is disposed on the horizon, consider the exclusion. The rule is clear: keep the plugins, all up to date. When we say all plugins, we mean the active and inactive plugins.

Have WPScan and WPScan Vulnerability Database as an ally

wpscan-vulnerability-database-example

WPScan Vulnerability Database as an ally for security analysis of WordPress plugins

To analyze the security of WordPress plugins effectively, you need to be great allies. The WPScan is a powerful tool and helps us a lot while doing this task.

If you are a developer or have expertise, consider analyzing your WordPress installation through WPScan. It will check for vulnerabilities and deliver you a detailed report of the actions that needs to be taken to correct the existing breaches.

Even non developers can benefit through WPScan Vulnerability Database. This site is a large database of safety occurrence data in plugins, themes and the very core of WordPress. Their search engine is simple and helps anyone to analyze the security of WordPress plugins.

The use of WPScan and hence the WPScan Vulnerability Database ensures the choice of a WordPress plugin without occurrences of security problems. Even if the plugin has any occurrence, it is necessary to analyze the versions and look for a new one that has corrected the problem. If the problem has not been corrected, disregard use.

If you need and want to stay connected in every instance added to the database, register your email and be notified of new additions to WPScan Vulnerability Database.

Consider:  Input, Output and Credential

It is very important that the WordPress plugins treat this triad well because of its great importance for safety.

Before entering and saving the data, it needs to be treated to prevent attacks of all kinds and ensure that only treated and secure information will be considered. WordPress and PHP have specific functions for this.

The output data is related to display data to users through an interface. This information is retrieved by functions that also need to receive treatment before they aggregate HTML tags as tag values to tags attribute values. The WordPress functions available for data output dealings are simple to use and avoid, for example, XSS attacks (Cross-site scripting).

The last tip of said triad comes to the question of the credentials, or if the user logged into the WordPress dashboard is allowed to handle the information in question. The user actually be authenticated does not mean that it can handle all the information and resources available, it must also take into account their capacity and function.

A popular WordPress platform accounts for over 24% of the worldwide web so it is natural that attackers would want to explore its user base anyway. The plugins that are being widely used is a way for them.

The most basic and necessary advice to be followed is to make use of plugins that are downloaded only from reliable sources. I can name three types of sources, one of them is the official directory of WordPress.org; website companies that sell premium plugins; the site of companies offering plugins to integrate their solutions to the ecosystem of WordPress.

The latter I find questionable. If the plugin is free, why not make it available in the official directory of WordPress.org? I like the MailChimp approach accordingly where it lists all the WordPress plugins that can be integrated with the platform and redirect the user to the page of the plugin in the directory.

Plugins can affect your website in a number of ways, namely:

  • Access the information on your site;
  • Having access to the database;
  • Add banners and advertisements;
  • Send mass emails from your server;
  • Redirect your site to spammers links;
  • Add references links to other sites without their consent;
  • Take down your site with the massive use of resources;
  • And the list goes on.

How to get rid of bad WordPress plugins?

Analyzing the security of WordPress plugins is a way to get rid of bad WordPress plugins that can disrupt the day to day operation of your business. Some tools can assist you in this process and help you to be more careful and ensure that the securities of WordPress plugins of your choice are well treated.

Some tools for security analysis of WordPress plugins

  1. WPScan ;
  2. VirusTotal ;
  3. Sucuri SiteCheck ;
  4. WordPress Exploit Scanner.

WordPress is a secure platform. His universe of plugins add exciting features and possibilities of use is fantastic. But it is necessary to adopt criteria that help you in the selection process and decision-making and ensure safe plugins to be used.

What are the criteria’s you use to analyze security WordPress plugins?