WordPress is, beyond doubt, the most popular Content Management System (CMS) on the globe, followed by others like Joomla and Drupal, and part of that popularity comes from the thousands of plugins that extend what WordPress can do. Plugins give webmasters a way to fine-tune their sites, but there is some risk involved.
Every plugin you use adds resource consumption to your site
The good side of plugins is that they enhance the functionality of websites, but the bad side is that with more plugins comes more risk – not only from potential incompatibility with the current version of WordPress, but from threats like ransomware and malware.
Add to that, some plugins are resource hogs that will slow down your site’s performance, leading to shopping cart abandonment and increased bounce rates.
How to limit your exposure to risk?
All is not hopeless, as there are ways to limit your exposure to the risks associated with WordPress plugins. The first and most obvious would be to delete all those plugins that haven’t been activated, and most likely never will be.
You know what I’m talking about. A web developer will download a theme from ThemeForest or elsewhere, install and customize the site, but not use all of the plugins that came with that theme, and then they sit there for years, never getting activated or updated. I hear some of you asking, “What’s the difference? If they haven’t been activated, what’s the damage?” The difference is that those plugins are still vulnerable to exploitation and should be deleted. Hanging on to plugins you’re never going to use is tantamount to house hoarding. It’s time to clean house!
Think of it this way. Each one of those plugins has an author, who is ultimately responsible for keeping their respective plugin up-to-date. The more chefs in the stew, the more opportunity for disaster.
Speaking of authors
There are tons of plugins floating around of questionable design, but how would you recognize them? Our recommendation would be to limit your plugin downloads to those in the OFFICIAL WordPress.org directory. It doesn’t end there though, as from time to time some plugins are removed from that directory. Authors are real people; they sometimes lose interest, they move on to bigger and better things, and they even die. Where does that leave you? Fortunately, there are some key performance indicators (KPIs) available to help.
When contemplating downloading a WordPress plugin
- Check out the Version. Is it updated regularly? Is it compatible with the current version of WordPress?
- How many Active installations are there? Hundreds? Thousands? Millions?
- What is its rating? 5 stars? 4 stars? I recommend reading the reviews.
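The three checks above can be scripted against the metadata the WordPress.org plugin directory publishes. The following is an added example, not code from the original post: it pulls a plugin’s record from the public plugins API and scores it against the KPIs the post names (recent update, tested against the current WordPress version, active installations, rating backed by enough reviews). The thresholds are my own assumptions, and the two plugin records are constructed samples, so the checks run offline; only `fetch_plugin_info` needs network access.

```python
import json
import urllib.request
from datetime import date, datetime, timezone
from urllib.parse import urlencode

# Thresholds: the post's questions turned into numbers. These are assumptions; tune them.
MAX_DAYS_SINCE_UPDATE = 365   # "Is it updated regularly?"
MIN_ACTIVE_INSTALLS = 1000    # "Hundreds? Thousands? Millions?"
MIN_RATING = 80               # wordpress.org ratings are 0-100; 80 is four stars
MIN_NUM_RATINGS = 10          # five stars from two reviewers means little

# Snapshot date used by the constructed samples below, so results are reproducible.
AS_OF = date(2020, 10, 20)

# Constructed sample records in the shape of a plugin_information API response.
WELL_MAINTAINED_PLUGIN = {
    "slug": "example-well-maintained", "version": "3.2.0",
    "last_updated": "2020-10-12 3:21pm GMT", "tested": "5.5.1",
    "active_installs": 5000000, "rating": 96, "num_ratings": 4000,
}
ABANDONED_PLUGIN = {
    "slug": "example-abandoned", "version": "0.9",
    "last_updated": "2017-03-02 9:10am GMT", "tested": "4.7.2",
    "active_installs": 400, "rating": 100, "num_ratings": 3,
}


def fetch_plugin_info(slug):
    """Fetch a plugin's metadata from the public wordpress.org plugins API (needs network)."""
    url = "https://api.wordpress.org/plugins/info/1.2/?" + urlencode(
        {"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _version_tuple(v):
    """'5.5.1' -> (5, 5, 1); stops at the first non-numeric component."""
    parts = []
    for p in str(v).split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def vet_plugin(info, current_wp="5.5.1", today=None):
    """Return a list of warnings; an empty list means the plugin passes every KPI."""
    today = today or datetime.now(timezone.utc).date()
    warnings = []

    # last_updated looks like "2020-10-12 3:21pm GMT"; the date is the first ten characters.
    try:
        updated = datetime.strptime(info.get("last_updated", "")[:10], "%Y-%m-%d").date()
        age = (today - updated).days
        if age > MAX_DAYS_SINCE_UPDATE:
            warnings.append(f"not updated for {age} days")
    except ValueError:
        warnings.append("no usable last_updated date")

    # Compare major.minor only: a plugin tested on 5.5 is fine on 5.5.1.
    tested = _version_tuple(info.get("tested", ""))[:2]
    if not tested or tested < _version_tuple(current_wp)[:2]:
        warnings.append(f"tested up to {info.get('tested') or 'unknown'}, "
                        f"current WordPress is {current_wp}")

    installs = int(info.get("active_installs") or 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"only {installs} active installations")

    # A high rating is only meaningful once enough people have rated.
    rating = int(info.get("rating") or 0)
    num_ratings = int(info.get("num_ratings") or 0)
    if num_ratings < MIN_NUM_RATINGS:
        warnings.append(f"only {num_ratings} ratings")
    elif rating < MIN_RATING:
        warnings.append(f"rating {rating}/100 is below {MIN_RATING}")

    return warnings


if __name__ == "__main__":
    import sys
    # Usage: python vet_plugin.py <slug>   (falls back to the constructed samples)
    records = [fetch_plugin_info(sys.argv[1])] if len(sys.argv) > 1 else \
        [WELL_MAINTAINED_PLUGIN, ABANDONED_PLUGIN]
    for rec in records:
        print(rec["slug"], "->", vet_plugin(rec, today=AS_OF) or "passes all checks")
```

Reading the reviews, as the post recommends, is still a manual step; the script only tells you which plugins deserve that closer look.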
What should you do when you stop using a plugin?
That’s an easy question to answer: you should immediately delete any plugins you’re no longer using. This will demonstrably reduce your exposure to risk.
Reducing the hassle of constantly updating plugins
A good number of plugins allow you to automatically update them as revisions are released. For those that do not offer this feature, it’s best to update all of your plugins IMMEDIATELY. The longer you wait to update outdated plugins, the greater the risk. Why? Cybercriminals focus on exploiting easy targets and outdated plugins are prime territory. Security vulnerabilities are discovered every day, and those vulnerabilities are distributed very rapidly to the underground world (the dark side) of the Internet. Every second you wait to update a plugin adds to your exposure.
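Both pieces of housekeeping the post asks for, deleting plugins that sit inactive and updating the rest as soon as a new version ships, can be checked from one WP-CLI listing. The following is an added example and not code from the post: it reads the JSON that `wp plugin list --format=json --fields=name,status,update,version,update_version` produces, sorts plugins into delete / update / fine, and prints the WP-CLI commands an administrator would then review and run. The plugin list embedded in the block is a constructed sample so the audit runs offline; the field names and status values follow WP-CLI’s plugin listing as I know it.

```python
import json
import sys

# Constructed sample of `wp plugin list --format=json --fields=name,status,update,version,update_version`.
# Names and versions are made up; the field names and values ("active", "inactive", "dropin",
# "available", "none") are the ones WP-CLI emits.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wordfence", "status": "active", "update": "none",
     "version": "7.4.12", "update_version": ""},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.2.1", "update_version": "5.2.2"},
    {"name": "legacy-slider", "status": "inactive", "update": "available",
     "version": "1.0.3", "update_version": "2.1.0"},
    {"name": "theme-bundled-importer", "status": "inactive", "update": "none",
     "version": "0.9", "update_version": ""},
    {"name": "advanced-cache.php", "status": "dropin", "update": "none",
     "version": "", "update_version": ""},
])


def audit_plugins(plugin_list_json):
    """Sort installed plugins into what to delete, what to update, and what is fine."""
    plan = {"delete": [], "update": [], "ok": []}
    for plugin in json.loads(plugin_list_json):
        if plugin["status"] == "inactive":
            # Inactive code is still on disk and still reachable over HTTP; the post's
            # advice is to delete it, not to keep patching something you do not use.
            plan["delete"].append(plugin["name"])
        elif plugin["update"] == "available":
            plan["update"].append(plugin["name"])
        else:
            # Active and current, or a must-use plugin / drop-in that WP-CLI cannot delete.
            plan["ok"].append(plugin["name"])
    return plan


def wp_cli_commands(plan):
    """Turn the plan into the WP-CLI commands an admin would run after reviewing them."""
    commands = []
    if plan["delete"]:
        commands.append("wp plugin delete " + " ".join(plan["delete"]))
    if plan["update"]:
        commands.append("wp plugin update " + " ".join(plan["update"]))
    return commands


if __name__ == "__main__":
    # Live use: wp plugin list --format=json --fields=name,status,update,version,update_version | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    plan = audit_plugins(data)
    print(f"{len(plan['delete'])} to delete, {len(plan['update'])} to update, {len(plan['ok'])} fine")
    for command in wp_cli_commands(plan):
        print(command)
```

Run it from a cron job and mail yourself the output, and the “years of never getting activated or updated” the post describes stops happening quietly.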
Protecting your site and its data
Firewalls are an essential element in protecting your site and its data from malicious attacks. The two plugins that we recommend are Wordfence and Anti-Malware Security and Brute-Force Firewall.
Web application firewalls like these analyze inbound traffic to your site and filter out any requests deemed malicious.
Common types of attacks
The most common types of attacks we’ve seen so far are cross-site scripting, directory traversal, SQL injection and malicious file uploads. Trust me, once your site has been attacked, it’s a real pain cleaning it up. You’re far better off spending some time being proactive, implementing measures to protect your site from malware, rather than being reactive – attempting to clean up the mess afterwards.
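To make concrete what a web application firewall is looking at, here is an added example (not code from the post or from either plugin named above) that runs crude signatures for the four attack classes just listed over web server access log lines. The five log lines are constructed samples, one per class plus a normal page view; the signatures are deliberately small and are no substitute for the rule sets a real WAF plugin ships with, but they show why filtering has to decode the request first and why the same check works after the fact on logs as well as in front of the site.

```python
import re
from urllib.parse import unquote

# Constructed access log lines in combined format: one request per attack class the post
# names, followed by a benign page view. Addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Oct/2020:10:01:02 +0000] "GET /index.php?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2020:10:01:03 +0000] "GET /wp-content/plugins/old-slider/download.php?file=../../../../wp-config.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2020:10:01:04 +0000] "GET /?p=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2020:10:01:05 +0000] "POST /wp-content/plugins/old-slider/upload.php?name=x.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2020:10:01:06 +0000] "GET /2020/10/convert-more-visitors/ HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Minimal indicators for the four classes the post names. Order matters: the first match wins.
SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("sql injection", re.compile(r"\b(union\s+select|or\s+1=1|sleep\()", re.I)),
    ("cross-site scripting", re.compile(r"(<script|javascript:|onerror\s*=)", re.I)),
    ("malicious file upload", re.compile(r"upload.*\.(php|phtml|phar)\b", re.I)),
]


def classify_request(line):
    """Return the attack class a log line matches, or None for a clean request."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # Decode twice: a WAF that matches on the raw URL is trivially bypassed by double
    # percent-encoding, so normalise before any signature runs.
    target = unquote(unquote(match.group("target")))
    for label, pattern in SIGNATURES:
        if pattern.search(target):
            return label
    return None


def scan_log(text):
    """Return (line_number, label) for every request that trips a signature."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        label = classify_request(line)
        if label:
            hits.append((number, label))
    return hits


if __name__ == "__main__":
    for number, label in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {label}")
```

The second and fourth sample lines also illustrate the post’s earlier point: both hit a plugin directory that is still on disk, whether or not the plugin is active, which is why deleting unused plugins removes attack surface that a firewall would otherwise have to defend.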
Brought to you by ProlimeHost
We’ve been in the web hosting industry for over a decade, helping hundreds of clients succeed in what they do best: running their business. We specialize in Virtual Private Servers (VPS) and dedicated servers, with data centers in Los Angeles, Denver & Singapore.
VPS Services: Lightning Fast SSD Virtual Servers
Our Virtual Private Servers all feature high performance Xeon processors and SSD storage in a RAID10 configuration to optimize your server’s performance, which dramatically enhances visitor experiences on your site.
That speed is backed by unparalleled 24/7 support, featuring both outstanding response AND resolution times to maximize your uptime.
Now is the time to join the ProlimeHost virtual private server revolution.
Dedicated Servers: Backed by a 99.9% SLA network uptime guarantee
We only use enterprise-class hardware in our dedicated servers and offer a four (4) hour hardware replacement. Throw in IPMI for remote management, support for public and private networks, free operating system (OS) re-installs, and SATA, SAS & SSD (including NVMe) storage. Call +1 877 477 9454 or email us at Sales@ProlimeHost.com. We’re here to help.