At least, not before you’ve done your due diligence.

We’ve all been there. You need a quick solution for a feature you, or a client, want to add to a website. So you hit up the WordPress plugin repository, or a site like Envato Market, find one that seems like a good fit, and click install. But did you ever stop to consider that you might actually be introducing a vulnerability into your own site, or, worse, a client’s?

WordPress, the very widely used content management system, is open source, and so has a lot of eyeballs on it fixing security issues and potential vulnerabilities. While no system is perfect, the WordPress core is actually pretty solid from a security standpoint, and assuming you know what you’re doing when you install it you can make it even better. (You can find a good guide to increasing the security of a WordPress site here: https://codex.wordpress.org/Hardening_WordPress. Be sure that whoever you choose to design and administer your WordPress website is familiar with this document and takes it seriously.) But all of those security efforts can be undermined by simply installing the wrong plugin.

Imagine, for example, you’ve gone to the trouble of really locking down your database. You install a plugin that helps you build an email marketing list. It’s a simple widget that allows the site visitor to enter their email and stores it in your database along with some preferences about the types of communications they’d like to receive. What you don’t know is that this plugin doesn’t properly sanitize the inputs of this form, and is vulnerable to SQL injection attacks. That means an attacker, instead of entering the email you’re intending to collect into the form field, enters something like `'; DROP TABLE wp_posts;--`. This might look like gibberish, but the attacker just deleted your entire posts table. Imagine if they said DROP ALL TABLES instead… Is your database backed up regularly? This is why it’s important to vet your plugins and make sure you’re getting something of quality that won’t put the rest of your site at risk.
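To make the failure concrete, here is an added example (not code from the original post or from any real plugin) of a simplified email-signup handler written two ways: the way the vulnerable plugin above does it, and the way a careful plugin author would. The table name `{$wpdb->prefix}newsletter`, the column names and the nonce action name are assumptions for the example.

```php
<?php
// Added example (not code from the original post or from any real plugin):
// a simplified email-signup handler written two ways. The table name
// {$wpdb->prefix}newsletter, the column names and the nonce action are assumed.

// VULNERABLE: the visitor's input is pasted straight into the SQL string, so
// text such as  '; DROP TABLE wp_posts;--  is interpreted as SQL syntax rather
// than stored as an email address.
function newsletter_subscribe_unsafe() {
    global $wpdb;
    $email = $_POST['email'];
    $prefs = $_POST['prefs'];
    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}newsletter (subscriber_email, prefs)
         VALUES ('$email', '$prefs')"
    );
}

// HARDENED: verify the request, validate the input, and let $wpdb supply the
// quoting so whatever the visitor typed is stored as data, never run as SQL.
function newsletter_subscribe_safe() {
    global $wpdb;

    // The form must carry a nonce from wp_nonce_field( 'newsletter_subscribe', 'newsletter_nonce' ).
    $nonce = isset( $_POST['newsletter_nonce'] ) ? wp_unslash( $_POST['newsletter_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'newsletter_subscribe' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // Validate: anything that is not a well-formed email address is rejected outright.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid email address.', '', array( 'response' => 400 ) );
    }

    // Preferences come from a fixed allow-list; free text is never stored.
    $allowed = array( 'news', 'promos', 'events' );
    $prefs   = isset( $_POST['prefs'] ) ? (array) wp_unslash( $_POST['prefs'] ) : array();
    $prefs   = array_values( array_intersect( $allowed, array_map( 'sanitize_key', $prefs ) ) );

    // Parameterized insert: each value is escaped according to its %s format.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'newsletter',
        array(
            'subscriber_email' => $email,
            'prefs'            => implode( ',', $prefs ),
            'created_at'       => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
    if ( false === $ok ) {
        wp_die( 'Could not save your subscription.', '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( add_query_arg( 'subscribed', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}

// When a hand-written query is unavoidable, $wpdb->prepare() does the same job.
function newsletter_find_subscriber( $email ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT subscriber_email, prefs FROM {$wpdb->prefix}newsletter WHERE subscriber_email = %s",
            $email
        )
    );
}

// Route POSTs to admin-post.php?action=newsletter_subscribe (logged-in and anonymous visitors).
add_action( 'admin_post_newsletter_subscribe',        'newsletter_subscribe_safe' );
add_action( 'admin_post_nopriv_newsletter_subscribe', 'newsletter_subscribe_safe' );
```

The point of the hardened version is that the database never sees the visitor's text as part of the query: `$wpdb->insert()` and `$wpdb->prepare()` quote each value, the email is rejected unless it is actually an email, and the preferences are reduced to an allow-list. The nonce check is not about SQL at all, but a form that writes to your database should also refuse requests that did not come from your own page.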

Here are some simple steps to take when evaluating a plugin:

1) First, check the plugin author’s website. Good plugins will have good, professional websites dedicated to them.

2) Also check when this plugin last saw an update. If it is updated frequently, there’s a good chance the plugin author is serious about supporting a quality product.

3) Check the WPScan Vulnerability Database (https://wpvulndb.com/). This site keeps track of known vulnerabilities in WordPress and in the thousands of themes and plugins out there. The database is by no means exhaustive, but it’s a great place to search before installing a plugin, to help make sure no major security vulnerability has been discovered in it.
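Steps 1 and 2 can be automated for any plugin hosted on WordPress.org. The following command-line script is an added example, not part of the original post: it pulls the plugin’s record from the WordPress.org plugin information API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), reports the homepage and last-update date, and flags the plugin as stale past a threshold. The 365-day threshold, the field names read from the API response (`homepage`, `last_updated`, `tested`) and the `hello-dolly` default slug are assumptions; step 3 stays a manual search of the WPScan database, so the script only reminds you to do it.

```php
<?php
// Added example (not from the original post): automate steps 1 and 2 of the
// plugin-vetting checklist using the WordPress.org plugin information API.
// The 365-day staleness threshold and the response field names are assumptions.

function fetch_plugin_info( string $slug ): ?array {
    $url  = 'https://api.wordpress.org/plugins/info/1.0/' . rawurlencode( $slug ) . '.json';
    $body = @file_get_contents( $url );
    if ( false === $body ) {
        return null;
    }
    $info = json_decode( $body, true );
    return is_array( $info ) ? $info : null;
}

// Pure evaluation step, separated from the network call so it can be run
// against a saved response as well.
function evaluate_plugin_info( array $info, DateTimeImmutable $now, int $stale_days = 365 ): array {
    $findings = array();

    // Step 1: does the plugin have a dedicated website, or only its repository listing?
    $homepage = trim( (string) ( $info['homepage'] ?? '' ) );
    if ( '' === $homepage ) {
        $findings[] = 'No homepage listed; find out who actually maintains this plugin.';
    } elseif ( false !== strpos( $homepage, 'wordpress.org/plugins/' ) ) {
        $findings[] = 'Homepage is just the wordpress.org listing, not a dedicated site.';
    }

    // Step 2: how long since the last update? (last_updated looks like "2016-05-10 3:45pm GMT")
    $last = isset( $info['last_updated'] ) ? strtotime( $info['last_updated'] ) : false;
    if ( false === $last ) {
        $findings[] = 'Could not read the last_updated field.';
    } else {
        $age_days = (int) floor( ( $now->getTimestamp() - $last ) / 86400 );
        if ( $age_days > $stale_days ) {
            $findings[] = sprintf( 'Last update was %d days ago; the plugin may be abandoned.', $age_days );
        }
    }

    // A plugin that does not declare a "tested up to" version is another warning sign.
    if ( empty( $info['tested'] ) ) {
        $findings[] = 'No "tested up to" WordPress version declared.';
    }

    return $findings;
}

// --- usage: php vet-plugin.php <slug> ---
$slug = $argv[1] ?? 'hello-dolly';
$info = fetch_plugin_info( $slug );
if ( null === $info || isset( $info['error'] ) ) {
    fwrite( STDERR, "Could not retrieve plugin information for '$slug'.\n" );
    exit( 1 );
}

$now      = new DateTimeImmutable( 'now', new DateTimeZone( 'UTC' ) );
$findings = evaluate_plugin_info( $info, $now );

printf( "%s %s by %s\n", $info['name'] ?? $slug, $info['version'] ?? '?', strip_tags( $info['author'] ?? 'unknown' ) );
printf( "Homepage:     %s\n", $info['homepage'] ?? 'none' );
printf( "Last updated: %s\n", $info['last_updated'] ?? 'unknown' );
printf( "Tested up to: %s\n", $info['tested'] ?? 'unknown' );
printf( "Step 3 (manual): search https://wpvulndb.com/ for '%s' before installing.\n", $slug );

if ( $findings ) {
    echo "Findings:\n - " . implode( "\n - ", $findings ) . "\n";
    exit( 2 );
}
echo "No red flags from the automated checks; still read the plugin's reviews and support forum.\n";
```

A non-zero exit code on findings lets the script sit in a deployment checklist or CI job, so a stale or homepage-less plugin is caught before anyone clicks install. Plugins sold on marketplaces such as Envato Market are not in the WordPress.org API, so for those the three steps remain a manual review.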

Bottom line: Don’t install plugins on your site without taking a good hard look at them first.
