Is That WordPress Plugin Safe? 15 Warning Signs to Skip Downloading

Even the smallest and simplest of WordPress websites needs plugins. Akismet is a must if the site has a blog. A security plugin like Defender is non-negotiable. And a solid contact form is needed if you intend on collecting leads.

For the most part, though, we know that these commonly used and referenced WordPress plugins are safe. They come with millions of downloads, high ratings, and plugin developers who’ve worked hard to build a positive reputation in the community by creating error-free plugins and providing top-notch support.

But what about everything else? How do you know if that seemingly popular WordPress plugin (that would really do wonders for your site) is safe to use? With plugins, unfortunately, being responsible for a high percentage of security breaches (Wordfence last put that number at 55.9%), it’s kind of scary to think that any decision you make to use one is a dangerous gamble.

What I’d like to do now is talk about how you can tell if a WordPress plugin is safe. Specifically, I’m going to share the 15 warning signs you should pay attention to that will let you know when it’s best to skip downloading one.

15 Warning Signs That a WordPress Plugin Is Unsafe

I always feel bad having to put this advisory out there about WordPress plugins because, really, they’re great. When they’re coded well and properly managed, they can do wonderful things inside of WordPress. But that’s sadly not always the case.

Sometimes you get a plugin that was made by a newbie developer just hoping to make some money, but who didn’t put the right amount of time into coding it. There are also times when you run into a plugin that is coded well, but an errant line of code conflicts with another plugin and tears your whole site down in an instant. And, of course, there’s always the risk of a hacker or fake WordPress developer getting their hands on it.

So, this means you need to be extra vigilant about which ones you let inside–even if the original developer’s intentions were good.

In order to be diligent, you should know how to spot the warning signs of a bad WordPress plugin. First, start by using a system of checks to make sure the plugin is the right one for your site. Then, you can start digging deeper to see if you can spot any of the warning signs.

1. The Plugin Repository Looks Odd

Let’s start with where you’re hunting down these WordPress plugins. For instance, say you were interested in finding a plugin that adds a feature that’s not too commonplace. You do a Google search for the feature (like “gender reveal plugin”) and the top results point you to a number of independent WordPress developer websites that claim to sell a plugin that does just that.

Some warning bells should be going off in your head in that case. That alone doesn’t mean the source of the plugin can’t be trusted, but if you get to the site and it looks like it was built in the early ‘00s and there’s no way to contact the developer except through an email address at AOL… well, that’s a huge red flag.

In general, always look for WordPress plugins that come from reputable sources. Start with:

If you start there, you’ll greatly reduce the chances of running into a bad apple on your travels.

2. A Tarnished Developer Reputation

Next, look at the plugin developer’s reputation. You don’t necessarily need to know who the person is, where they live, what their educational background is, or anything like that (unless you’re curious). What you’re looking for here are red flags that tip you off to something not being right.

Here are some of the warning signs:

  • They are a brand new owner of the plugin and have no prior history as a developer, which might mean they purchased a somewhat popular plugin to use it as a vehicle to inject malicious code into websites.
  • A Google search of their name doesn’t pull up any results. Not even their own WordPress website.
  • Or, a Google search of their name does yield results, but you see things like, “Don’t trust [developer name]” or “[Developer name] is a fraud.”
  • Clicking on their name in the WordPress repository or CodeCanyon marketplace pulls up a website that is seriously outdated and throwing up red flags of its own.

The nice thing about the CodeCanyon marketplace is that it provides statuses and awards for plugin authors based on sales, achievements, and ratings. So, if you’re really worried about who the person or team is behind the plugin, you can look there for validation.

3. The Plugin Is Deemed Unsafe

Of course, you also should look into the reputation of the WordPress plugin itself. Like I said earlier, sometimes the developer didn’t even mean to introduce bad code into the plugin or they were just too new to know any better. So, even if they have a squeaky-clean image, the plugin might not.

There are a number of elements you can check that will help you verify the safety of a WordPress plugin, but for this one, I want to focus on explicit mentions that a plugin is not safe for use. This means going to Google and searching for words like “unsafe,” “hacked,” and “compromised” in conjunction with the name of the plugin. If you see any results that provide proof of safety concerns, walk away.

4. The Code Looks Suspicious

This one might not be the easiest to verify since not everyone knows how to write code for a plugin. However, if you’re familiar enough with what the file structure and directives look like, you can at least check to make sure all the essentials are in place.

You can use the WordPress Codex guide to Writing a Plugin to do this. Remove the required code from the file and focus just on what remains. If anything looks suspicious, get out of there and find a new plugin.
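Added example, not from the article: a small Python check that reads the main plugin file, pulls out the standard header block (the fields the Plugin Handbook describes), and then flags constructs in the remaining code that a legitimate plugin rarely needs. The plugin source below is a constructed sample; a match is a reason to read that code closely, not proof of malice.

```python
import re

# Header fields from the WordPress plugin handbook. Only "Plugin Name" is
# mandatory; a well-formed plugin normally carries the others as well.
REQUIRED_HEADERS = ["Plugin Name"]
EXPECTED_HEADERS = ["Description", "Version", "Author", "License"]

# Constructs that are common in obfuscated or remotely loaded plugin code.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bbase64_decode\s*\(", "base64_decode()"),
    (r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", "decoding/obfuscation call"),
    (r"\bcreate_function\s*\(", "create_function()"),
    (r'\b(include|require)(_once)?\s*\(?\s*["\']https?://', "remote include"),
    (r"\b(system|exec|shell_exec|passthru)\s*\(", "shell execution"),
]

def _header_block(source: str):
    """Return the regex match for the first /* ... */ comment, or None."""
    return re.search(r"/\*(.*?)\*/", source, re.S)

def parse_header(source: str) -> dict:
    """Return the 'Field: value' pairs declared in the plugin header."""
    m = _header_block(source)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        line = line.strip(" \t*")
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def scan_plugin_file(source: str) -> dict:
    """Check the header, then examine only the code that remains after it."""
    header = parse_header(source)
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in header:
            findings.append(f"missing required header: {name}")
    for name in EXPECTED_HEADERS:
        if name not in header:
            findings.append(f"missing expected header: {name}")
    body = source
    m = _header_block(source)
    if m:
        # Blank out the header but keep its newlines so line numbers stay right.
        body = source[:m.start()] + "\n" * m.group(0).count("\n") + source[m.end():]
    for lineno, line in enumerate(body.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append(f"line {lineno}: {label}: {line.strip()}")
    return {"header": header, "findings": findings}

# Constructed sample plugin file: a complete header followed by one
# deliberately suspicious line so the scanner has something to report.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Widget (constructed sample)
Description: Demonstrates the header check.
Version: 1.0
Author: Example Author
License: GPLv2
*/
add_action('init', 'example_widget_init');
function example_widget_init() {
    // The next line is the constructed "suspicious" part of the sample.
    eval(base64_decode($blob));
}
'''

if __name__ == "__main__":
    for finding in scan_plugin_file(SAMPLE_PLUGIN)["findings"]:
        print(finding)
```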

5. Not Enough Downloads

In WordPress, you will be able to see the number of active installations:

Active Installations

This is great since you’re not just seeing how many people may have downloaded and later removed the plugin. It’s the number of websites that currently have it installed, which is a good indicator of trustworthiness.

Plugin marketplaces include numbers like total sales, which are good too, though you’ll have to rely on other data to confirm that they really mean anything:

In general, I would suggest avoiding WordPress plugins with less than 1,000 downloads. Really, you should want a higher number than that (probably more like 5,000), but sometimes that’s not possible if it’s a brand new feature that hasn’t caught on yet or a plugin that handles something not commonly used.

6. Incompatible with the Latest WordPress Version

When scoping out WordPress plugins in the repository, there are two statistics you will want to look at as it pertains to the WordPress version:

The “Requires WordPress Version” will let you know how far back your WordPress version can go in order to work properly with the plugin. That said, you really should never be letting your site run on an old version of WordPress.

“Tested up to” is the other field to look at here. This one will tell you if it’s compatible with the latest and greatest core update. If it’s not, but the last WordPress update recently went out in the last couple of days, give it a couple more. If the plugin hasn’t updated to the latest version by then, skip it.

And, if you see this message, run:

7. Not Updated Recently or Frequently Enough

It’s not just important that a WordPress plugin has been updated recently. It also needs to be updated frequently.

In both WordPress and plugin marketplaces, you can find out how long it’s been since the last update. Anything older than three months really shouldn’t be used. That said, there are some plugins that are highly simplistic in nature and may not need much change with each new core release. So, three months is ideal, but one year should be the breaking point.

8. The Ratings Aren’t Great

Ratings and reviews are really important in this day and age. Think of websites like Yelp or TripAdvisor that can instantly turn you off to a restaurant simply by showing you anything less than a four-star rating. The same happens with WordPress plugins and rightfully so:

You can’t tell me that this abysmal plugin rating doesn’t make you instantly want to hit the back button. Even if poor ratings came from a time when the plugin was new and still in progress, that’s still not a very good reflection on the developer or the tool.

However, let’s say you see the poor ratings, but you just can’t believe that they’re a valid warning sign since you’ve heard so many people talk positively about the plugin. That’s when you need to turn to the reviews people left alongside the ratings.

What you’re looking for here, specifically, are the dates that the bad ratings were left (as well as what was said). If you should find that all bad ratings occurred prior to 2015 and it looks as though everyone is really impressed with the latest iteration, the plugin may be worth installing. It may also be that the developer found a bunch of people to plant positive reviews, too. So watch out for a lot of entries that just say “Good” or “Great plugin”. The WordPress community is usually more descriptive in their feedback.

One other thing to consider here is how the plugin owner responds to negative reviews. WordPress is slow to remove negative comments because they believe “the way you react to those poor experiences [comments] is going to impact your reputation, and that of your plugin, a heck of a lot more than that review.” That’s why it’s important to not only check what a reviewer says, but also the author’s response. Did they offer to investigate and fix a fringe issue? Were they willing/able to provide a patch? Was the bad review actually the result of misuse, user error or a conflict out of the author’s control?

Of course, if you see any reviews or comments that mention security concerns, walk away. That is non-negotiable.

9. Support Is Non-Existent

Even though you are a WordPress developer and have a good handle on troubleshooting within the CMS, you shouldn’t have to figure out why your plugin won’t install, doesn’t work as promised, or has caused the white screen of death. When security is a primary concern, support needs to be there.

So, it’s really nice that we have this information easily at our disposal to peruse in WordPress. There are three things I would look for with this:

  1. Look at the percentage rate at which they actually respond to support requests.
  2. Read through some of the developer’s responses to make sure they’re actually helpful.
  3. Scan through the response dates. If the developer hasn’t provided any support responses (or even comment responses) in the last three months, that’s not a good sign.

If support matters to you, don’t let this one go unnoticed.
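Added example, not from the article or from WPMU DEV: a Python script that applies the thresholds from warning signs 5 through 9 (active installs, “Tested up to”, time since the last update, rating, support responsiveness) to the record the wordpress.org plugin information API returns for a slug. The field names used (active_installs, tested, last_updated, rating, num_ratings, support_threads, support_threads_resolved) are the API’s own; the sample record and the fixed “now” are constructed so the run is reproducible offline.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import urlopen

# Thresholds from warning signs 5 to 9.
MIN_ACTIVE_INSTALLS = 1000        # fewer than this: avoid
PREFERRED_ACTIVE_INSTALLS = 5000  # what you should really want
STALE_DAYS = 90                   # ideal: updated within three months
ABANDONED_DAYS = 365              # one year is the breaking point
MIN_RATING = 80                   # API rating is 0..100; 80 equals four stars

def fetch_plugin_info(slug: str) -> dict:
    """Query the wordpress.org plugin information API (needs network access)."""
    qs = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen(f"https://api.wordpress.org/plugins/info/1.2/?{qs}", timeout=10) as r:
        return json.load(r)

def parse_last_updated(value: str) -> datetime:
    """The API reports last_updated as e.g. '2024-03-05 3:14pm GMT'."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def major_minor(version: str) -> tuple:
    """WordPress compatibility is tracked per x.y release, so compare only that."""
    parts = [int(p) for p in version.split(".")[:2] if p.isdigit()]
    return tuple(parts) if parts else (0, 0)

def evaluate(info: dict, current_wp: str, now: datetime) -> list:
    """Return the numbered warning signs that apply to one plugin's metadata."""
    warnings = []
    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"5: only {installs} active installs (< {MIN_ACTIVE_INSTALLS})")
    elif installs < PREFERRED_ACTIVE_INSTALLS:
        warnings.append(f"5: {installs} active installs, below the preferred {PREFERRED_ACTIVE_INSTALLS}")
    tested = info.get("tested", "")
    if major_minor(tested) < major_minor(current_wp):
        warnings.append(f"6: tested up to {tested or 'unknown'}, current WordPress is {current_wp}")
    age = (now - parse_last_updated(info["last_updated"])).days
    if age > ABANDONED_DAYS:
        warnings.append(f"7: last update {age} days ago (> {ABANDONED_DAYS}: skip it)")
    elif age > STALE_DAYS:
        warnings.append(f"7: last update {age} days ago (> {STALE_DAYS}: only OK for a very simple plugin)")
    if info.get("num_ratings", 0) and info.get("rating", 0) < MIN_RATING:
        warnings.append(f"8: rating {info['rating']}/100 across {info['num_ratings']} ratings")
    threads = info.get("support_threads", 0)
    if threads:
        resolved = info.get("support_threads_resolved", 0) / threads
        if resolved < 0.5:
            warnings.append(f"9: only {resolved:.0%} of recent support threads resolved")
    return warnings

# Constructed sample shaped like the API's plugin_information response.
SAMPLE_INFO = {
    "name": "Example Gender Reveal", "slug": "example-gender-reveal",
    "version": "0.3", "requires": "4.7", "tested": "5.9",
    "last_updated": "2022-01-20 9:05am GMT", "active_installs": 400,
    "rating": 60, "num_ratings": 12,
    "support_threads": 10, "support_threads_resolved": 2,
}
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

if __name__ == "__main__":
    for warning in evaluate(SAMPLE_INFO, "6.4.3", NOW):
        print(warning)
```

To check a real plugin, replace SAMPLE_INFO with fetch_plugin_info("its-slug") and NOW with datetime.now(timezone.utc).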

10. There’s No Documentation

For some WordPress plugins, it might not make sense to write up a bunch of documentation on how to install or configure it. Screenshots might not be needed either if it’s a set-it-and-forget-it kind of plugin (like Akismet).

However, for plugins that require some work to get them moving or that tackle a highly technical function or feature, there need to be screenshots at the very least as well as documentation in case you have questions about it. If none are available, verify that it’s not tucked away somewhere on the website. And if you’re still at a loss, don’t download it. It’s the same as getting no support from the developer.

10. It’s Too Big

Performance is incredibly important in WordPress, so you should make conscious decisions about what you put inside of it that could adversely affect its speed and, consequently, security. Slow WordPress plugins are a problem, but sometimes it’s just because of how bloated they are in size.

When dealing in free WordPress plugins, I’d advise you to download them to your desktop (rather than directly into your WordPress). Take a look at the file size. Can your server reasonably hold this with everything else that’s already on there? If not, find something else.

11. It Doesn’t Play Well with Others

WordPress plugin conflicts can occur for a variety of reasons. Sometimes they conflict with other plugins and sometimes it’s a theme or the WordPress core itself they just don’t play well with.

Again, do your research before you install the plugin to your site. See if the user comments say anything about known conflicts in WordPress. Google should be able to tell you the same.

If you’re feeling confident enough that the plugin won’t cause your site harm, I’d still recommend installing it on a testing sub-site. Just to be on the safe side. Having to deal with bringing your site back up online or fixing a broken feature on the site just isn’t worth your time if you can verify the safety of the plugin that way.

12. The WPScan Website Says It’s a Problem

The WPScan Vulnerability Database keeps a log of all known vulnerabilities (with corresponding dates) of WordPress plugins.

You can use the search function to locate the specific plugin you’re interested in using on your site. This will instantly clear its name of any wrongdoing. I would also recommend signing up for email alerts. That way, if it (or any of your other plugins) should show up on the vulnerability list, you won’t have to actively dig around for that information.

13. Your Web Host Says It’s Disallowed

Did you know that web hosting companies will sometimes keep a list of disallowed or banned plugins? Usually, these have to do with plugins that overlap with the functionality they provide to users (like caching plugins), but that’s not always the case. Sometimes they will outright ban a plugin with known security issues.

Here are some examples of disallowed plugin lists:

14. Your Favorite Blog Says They’re No Good

Actually, with this one, it doesn’t even need to be that your favorite WordPress security blog says that the WordPress plugin is unsafe or no good. If the blog flat-out never mentions them as a trusted or secure plugin, then why bother using it? You trust these guys enough to read their articles on a regular basis, so you should have faith they’ll steer you in the right direction.

15. Your Checkup Tool Indicates There Are Problems

Finally, look at what your checkup tool says (if you’re not using WP Checkup yet… what’s going on?) Yes, this will require you to actually install the plugin on your site. However, it will let you know if there’s anything suspicious going on with it.

Just remember to run the checker before installation so you have a baseline to compare it against. If the tool throws any new security warnings after installation, you know what caused the problem. Delete the plugin and all its files immediately. And never look back.

Wrapping Up

A WordPress plugin can go sour in so many different ways, so you need to do your due diligence before you entrust any of them to your site. Then, you must keep on reviewing them to make sure they don’t go off the rails while you’re not looking. If you spot any of these 15 warning signs, skip downloading that new plugin.


Brenda Barron
Over to you: Are there any WordPress plugins you would never ever worry about causing a problem with security?

11 Responses

  • The Incredible Code Injector

    BRENDA

    Regarding “Not Updated Recently or Frequently Enough”: I recently sent this notice to the WordPress Repository about a simple but ancient plugin …

    “I have been using the Simple Breaks plugin for four years, and it still works fine. But it’s been five years since its last update, and three years since its creators supported it. So I have some questions:

    1. Should I delete it because of its age?
    2. If I delete it, is there an alternative plugin that will recognize the Simple Breaks shortcode and keep them functioning?
    3. Is there simple way to remove the thousands of bits of Simple Breaks shortcode from my sites, or do I have to do that manually?”

    The response was this:

    “If it works, then it works. Code doesn’t have to be new to be good. WordPress strives to maintain backwards compatibility at nearly all costs, and so old plugins work just fine too, very often.”

    This seems the opposite advice of your “one year should be the breaking point.”

    Should I listen to you or to the WordPress advisor on this? If you, what then should I do about the Simple Breaks plugin and its shortcode?

    Thanks in advance!

    NEAL

    • Support Gorilla

      Hi Neal,

      I hope you’re having a great day!

      I think the core point in that case would be this statement from Brenda’s article: “That said, there are some plugins that are highly simplistic in nature and may not need much change with each new core release.”

      The guy who wrote you back from wordpress.org is right and Brenda is right too. There are no “unbreakable rules” here or “dos and don’ts” that must be followed at any cost. The “warning signs” given by Brenda are a great “checkpoint” that I’d recommend following, but there are and always will be exceptions. Simply put, some plugins are really either that simple that nothing has to be changed in them over the years and they don’t pose any security threats, or are simply using only well established WP core routines and simple – “universal” so to say – PHP code… in such cases those “warning signs” can often be (either all of them or just some of them) ignored.

      If I was about to recommend some “good practice”, I’d say: “in general” follow Brenda’s advice and “in particular” (if you got doubts about some specific plugin) try to find out if the plugin can be made an exception (e.g. consult with its developer if possible or just ask us on our Support Forum – if it’s not a premium plugin to which we might not have access to).

      Best regards,
      Adam

        • Support Star

          I really can’t tell how something like that could work. In cases of great issues though, there are announcements for plugin authors and if a plugin is found that violates some regulations, then WP team is removing it from the repository.
          Still, it’s a matter of what each plugin actually does, as it could be something very simple, like the plugin you’re talking about, or something far more complicated.

          Take care,
          Dimitris

    • Support Star

      Hello Neal :)

      This really depends on the plugin itself. In case it’s outdated and the author can’t be reached, but you still need/want to use the plugin, then somehow the codebase of the plugin should be reviewed, so you can ensure that it still follows proper standards/functions/actions etc.
      If an alternative can be found where the author is actively maintaining it, that will make things much easier of course.

      Warm regards,
      Dimitris

  • HummingBird

    I have to say I don’t agree with the not-allowed plugins on some of the hosting sites. I run a web hosting server and have 20 sites myself. Wordfence and caching plugins are a must. I even have a firewall installed on the server (CSF) & (ModSec) and that catches most of the bad and ugly stuff. But Wordfence is a must-have for the bots and fake search engines.
    As far as authors not updating their plugins and abandoning them, that is my biggest frustration with the WordPress repository. There should be a rule that says update or verify your plugin is still able to run on the current version of WordPress, or the plugin gets a warning attached, then in another set of months it gets a drop warning. Also, on the support site, if you have a large number of open tickets (posts) you will get a shut-down warning.
    Going back to Wordfence, they have another great feature that tells you when an installed plugin gets dropped from the WordPress repository.
    Great article, gave a lot of great pointers to look out for.
    Thanks
    Mitch

  • Mr. LetsFixTheWorld

    One thing that frustrates me about this whole process of plugin evaluation is that there are individual “Gatekeepers of the Holy Data”, where ratings and statistics are only available to them, and our ability to evaluate plugins is limited to their imagination and resources.
    For example, this article provides tips about how to evaluate data at WP.org. Ideally, we should be able to aggregate data from WP.org and other repositories via webservices, and run them through our own algorithms of suitability.
    Individuals would then be able to create sites that provide an overall rating. Over time we would gravitate toward sites that provided the best evaluations of plugins for us – those sites could even offer premium evaluations based on tougher to find data. That might lead to sites like WP.org, in return, displaying the aggregated ranking from some preferred sites. In other words, WP.org would still show their 1-5 user ratings but might show the “FooRating of 1.2” as a credible indicator of overall quality.
    Ratings like that could come with explanations – *why* was this plugin rated like this? Such reasoning and explanations would follow the tips provided in the current article.

    Unfortunately individuals like myself do not have the clout to suggest or pursue a request with WP.org to open their data. While an “open” organization, I’ve found it very difficult to discuss anything with them related to how they themselves operate. It’s very corporate in that regard. Perhaps WPMU DEV would have more of a voice with them in proposing such an initiative.

    Instead of, or in addition to, asking them to open their data, a motivated entrepreneur could write code to scrape the plugins (and themes) pages, parsing for relevant data. That’s an awful way to gather data. But as indicated above, WP.org has the (lack of) dexterity of big government when it comes to site management, and for better or worse the WP.org site itself doesn’t change much at all. So code based on scraping like this is not likely to break anytime soon. I’d do this, because I think about it every day when I look for plugins. But it’s a significant effort and I don’t yet have that motivation to trade other projects out to bring this one in.

    All of this dove-tails with exchanges that @james and I have had about popular plugins going stale. WPMU DEV could become an industry hero by providing information of value to every WP site, and by helping to preserve the value of plugins that, while otherwise of good quality, would fall into disuse as we follow the good advice provided in this article.

Comments are closed.