Morrissey said, “I’ve seen it happen in other people’s lives and now it’s happening in mine.” I don’t think he could have imagined that line would get appropriated to talk about WordPress® security.
When you install a plugin on your WordPress® site, you get the good with the bad — along with the increased functionality, you also inherit any of its security risks. By installing a plugin, you add more code to your site. The more code your site has, the more ways a hacker has to enter your site and do with it as they please. And when someone leverages your site to attack someone else, you’re making the Internet that much worse.
It’s easy to shrug that off as alarmist, but when you’ve seen thousands upon thousands of sites compromised because of a plugin, you feel less like Chicken Little and more like someone trying to save a lot of people a lot of grief. This is all to say your WordPress site is susceptible to compromise unless you follow some best practices:
- Where’s the plugin from? Only install plugins from the official WordPress repository.
- Do you need this plugin? If not, don’t install it.
- Does this plugin seem shady? If you’re unsure, don’t install it. Or, at the very least, check out its reviews.
- When was the last time you used it? Delete plugins if you don’t use them.
- When was the last time you updated it? Update your plugins often.
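The last two checklist items can be turned into a routine audit. As an added example that is not part of the original post, the POSIX shell script below reads the CSV that WP-CLI prints for `wp plugin list --fields=name,status,update,version --format=csv` and flags plugins that are installed but inactive (candidates for deletion) and plugins with an update available; the plugin names and versions in the sample inventory are constructed for this example.

```shell
#!/bin/sh
# Audit a WordPress plugin inventory against two hygiene rules:
#   1. installed-but-inactive plugins should be deleted, not left around
#   2. plugins with an update available should be updated promptly
# The input is the CSV that `wp plugin list --fields=name,status,update,version --format=csv`
# prints. The inventory below is constructed sample data, not output from a real site.

SAMPLE_INVENTORY='name,status,update,version
example-seo,active,none,4.2.0
example-gallery,inactive,none,1.7.2
example-forms,active,available,2.0.1
example-cache,inactive,available,0.9'

# Names of plugins whose status column is "inactive".
inactive_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Names of plugins whose update column is "available".
outdated_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# One-line summary: how many plugins are installed, inactive and outdated.
audit_summary() {
  total=$(printf '%s\n' "$1" | awk -F, 'NR > 1 && NF { n++ } END { print n + 0 }')
  inactive=$(inactive_plugins "$1" | wc -l | tr -d ' ')
  outdated=$(outdated_plugins "$1" | wc -l | tr -d ' ')
  printf 'installed=%s inactive=%s outdated=%s\n' "$total" "$inactive" "$outdated"
}

# On a live site, replace the sample with real WP-CLI output:
#   INVENTORY=$(wp plugin list --fields=name,status,update,version --format=csv)
audit_summary "$SAMPLE_INVENTORY"
inactive_plugins "$SAMPLE_INVENTORY" | sed 's/^/inactive, consider deleting: /'
outdated_plugins "$SAMPLE_INVENTORY" | sed 's/^/update available: /'
```

A plugin that shows up in both lists (inactive and outdated) is the clearest case: unused code that is also known to be behind on fixes.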
The fewer plugins you use (or none at all) and the more consistently you update the ones you keep, the less likely your site is to be compromised. If you’re careless, though, you run a great risk of getting hacked. It doesn’t only happen to “the other guy.” It can happen to you, and it won’t be pretty.