Is That WordPress Plugin Safe? 15 Warning Signs to Skip Downloading
Even the smallest and simplest of WordPress websites needs plugins. Akismet is a must if the site has a blog. A security plugin like Defender is non-negotiable. And a solid contact form is needed if you intend on collecting leads.
For the most part, though, we know that these commonly used and referenced WordPress plugins are safe. They come with millions of downloads, high ratings, and plugin developers who’ve worked hard to build a positive reputation in the community by creating error-free plugins and providing top-notch support.
But what about everything else? How do you know if that seemingly popular WordPress plugin (that would really do wonders for your site) is safe to use? With plugins, unfortunately, being responsible for a high percentage of security breaches (Wordfence last put that number at 55.9%), it’s kind of scary to think that any decision you make to use one is a dangerous gamble.
What I’d like to do now is talk about how you can tell if a WordPress plugin is safe. Specifically, I’m going to share the 15 warning signs you should pay attention to that will let you know when it’s best to skip downloading one.
15 Warning Signs That a WordPress Plugin Is Unsafe
I always feel bad having to put this advisory out there about WordPress plugins because, really, they’re great. When they’re coded well and properly managed, they can do wonderful things inside of WordPress. But that’s sadly not always the case.
Sometimes you get a plugin that was made by a newbie developer just hoping to make some money, but who didn’t put the right amount of time into coding it. There are also times when you run into a plugin that is coded well, but an errant line of code conflicts with another plugin and tears your whole site down in an instant. And, of course, there’s always the risk of a hacker or fake WordPress developer getting their hands on it.
So, this means you need to be extra vigilant about which ones you let inside–even if the original developer’s intentions were good.
In order to be diligent, you should know how to spot the warning signs of a bad WordPress plugin. First, start by using a system of checks to make sure the plugin is the right one for your site. Then, you can start digging deeper to see if you can spot any of the warning signs.
1. The Plugin Repository Looks Odd
Let’s start with where you’re hunting down these WordPress plugins. For instance, say you were interested in finding a plugin that adds a feature that’s not too commonplace. You do a Google search for the feature (like “gender reveal plugin”) and the top results point you to a number of independent WordPress developer websites that claim to sell a plugin that does just that.
Some warning bells should be going off in your head in that case. It doesn’t automatically mean the source of the plugin can’t be trusted, but if you get to the site and it looks like it was built in the early ‘00s and there’s no way to contact the developer except through an email address at AOL… well, that’s a huge red flag.
In general, always look for WordPress plugins that come from reputable sources. Start with:
- The WordPress plugins repository
- Plugin marketplaces like CodeCanyon
- WordPress plugin developer sites like WPMU DEV
If you start there, you’ll greatly reduce the chances of running into a bad apple on your travels.
2. A Tarnished Developer Reputation
Next, look at the plugin developer’s reputation. You don’t necessarily need to know who the person is, where they live, what their educational background is, or anything like that (unless you’re curious). What you’re looking for here are red flags that tip you off to something not being right.
Here are some of the warning signs:
- They are a brand new owner of the plugin and have no prior history as a developer, which might mean they purchased a somewhat popular plugin to use it as a vehicle to inject malicious code into websites.
- A Google search of their name doesn’t pull up any results. Not even their own WordPress website.
- Or, a Google search of their name does yield results, but you see things like, “Don’t trust [developer name]” or “[Developer name] is a fraud.”
- Clicking on their name in the WordPress repository or CodeCanyon marketplace pulls up a website that is seriously outdated and throwing up red flags of its own.
The nice thing about the CodeCanyon marketplace is that it provides statuses and awards for plugin authors based on sales, achievements, and ratings. So, if you’re really worried about who the person or team is behind the plugin, you can look there for validation.
3. The Plugin Is Deemed Unsafe
Of course, you also should look into the reputation of the WordPress plugin itself. Like I said earlier, sometimes the developer didn’t even mean to introduce bad code into the plugin or they were just too new to know any better. So, even if they have a squeaky-clean image, the plugin might not.
There are a number of elements you can check that will help you verify the safety of a WordPress plugin, but for this one, I want to focus on explicit mentions that a plugin is not safe for use. This means going to Google and searching for words like “unsafe,” “hacked,” and “compromised” in conjunction with the name of the plugin. If you see any results that provide proof of safety concerns, walk away.
4. The Code Looks Suspicious
This one might not be the easiest to verify since not everyone knows how to write code for a plugin. However, if you’re familiar enough with what the file structure and directives look like, you can at least check to make sure all the essentials are in place.
You can use the WordPress Codex guide to Writing a Plugin to do this. Remove the required code from the file and focus just on what remains. If anything looks suspicious, get out of there and find a new plugin.
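A small static review in that spirit, written for this article as an added example and not part of the original post or of any WordPress tooling: it parses the plugin header the Codex requires, then scans what remains for constructs a well-behaved plugin almost never needs. The two PHP samples and the option name eg_blob are constructed for the example.

```python
import re

# Header fields the repository expects in a plugin's main file; a missing one
# is itself a warning sign.
REQUIRED_HEADER = ("Plugin Name", "Version")

# Constructs a well-behaved plugin almost never needs; each hit deserves a look.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval(): runtime code execution"),
    (re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
     "decoding call: possible obfuscated payload"),
    (re.compile(r"\b(system|shell_exec|passthru|exec)\s*\("), "shell command execution"),
]

def parse_plugin_header(src):
    """Return the 'Key: Value' fields from the leading /* ... */ comment block."""
    block = re.search(r"/\*(.*?)\*/", src, re.S)
    fields = {}
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip().lstrip("*").strip()
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def scan_source(src):
    """Return (line_number, reason) for every suspicious construct in the code."""
    hits = []
    for number, line in enumerate(src.splitlines(), 1):
        if line.lstrip().startswith(("//", "*", "#", "/*")):
            continue  # comments may mention eval without calling it
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                hits.append((number, reason))
    return hits

def review_plugin(src):
    """Combine both checks; nothing missing and no hits is the bar to clear."""
    header = parse_plugin_header(src)
    missing = [f for f in REQUIRED_HEADER if f not in header]
    hits = scan_source(src)
    return {"header": header, "missing": missing, "hits": hits,
            "passes": not missing and not hits}

# Constructed samples: a minimal clean plugin and one hiding an obfuscated eval.
CLEAN = ("<?php\n/*\nPlugin Name: Example Greeting\nVersion: 1.0.0\n*/\n"
         "add_shortcode('greet', function () { return esc_html('Hello'); });\n")
SUSPECT = ("<?php\n/*\nPlugin Name: Example Greeting\n*/\n"
           "$blob = get_option('eg_blob');\neval(base64_decode($blob));\n")
```

A hit is a prompt to read that line, not a verdict; legitimate code occasionally decodes data, but it should be obvious why.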
5. Not Enough Downloads
In WordPress, you will be able to see the number of active installations:
This is great since you’re not just seeing how many people may have downloaded and later removed the plugin. It’s the number of websites that currently have it installed, which is a good indicator of trustworthiness.
Plugin marketplaces include numbers like total sales, which are good too, though you’ll have to rely on other data to confirm that they really mean anything:
In general, I would suggest avoiding WordPress plugins with fewer than 1,000 downloads. Really, you should want a higher number than that (probably more like 5,000), but sometimes that’s not possible if it’s a brand new feature that hasn’t caught on yet or a plugin that handles something not commonly used.
6. Incompatible with the Latest WordPress Version
When scoping out WordPress plugins in the repository, there are two statistics you will want to look at as it pertains to the WordPress version:
The “Requires WordPress Version” will let you know how far back your WordPress version can go in order to work properly with the plugin. That said, you really should never be letting your site run on an old version of WordPress.
“Tested up to” is the other field to look at here. This one will tell you if it’s compatible with the latest and greatest core update. If it’s not, but the last WordPress core update only went out in the last couple of days, give it a couple more days. If the plugin hasn’t been updated for the latest version by then, skip it.
And, if you see this message, run:
7. Not Updated Recently or Frequently Enough
It’s not just important that a WordPress plugin has been updated recently. It also needs to be updated frequently.
In both WordPress and plugin marketplaces, you can find out how long it’s been since the last update. Anything older than three months really shouldn’t be used. That said, there are some plugins that are highly simplistic in nature and may not need much change with each new core release. So, three months is ideal, but one year should be the breaking point.
8. The Ratings Aren’t Great
Ratings and reviews are really important in this day and age. Think of websites like Yelp or TripAdvisor that can instantly turn you off to a restaurant simply by showing you anything less than a four-star rating. The same happens with WordPress plugins and rightfully so:
You can’t tell me that this abysmal plugin rating doesn’t make you instantly want to hit the back button. Even if poor ratings came from a time when the plugin was new and still in progress, that’s still not a very good reflection on the developer or the tool.
However, let’s say you see the poor ratings, but you just can’t believe that they’re a valid warning sign since you’ve heard so many people talk positively about the plugin. That’s when you need to turn to the reviews people left alongside the ratings.
What you’re looking for here, specifically, are the dates that the bad ratings were left (as well as what was said). If you should find that all bad ratings occurred prior to 2015 and it looks as though everyone is really impressed with the latest iteration, the plugin may be worth installing. It may also be that the developer found a bunch of people to plant positive reviews, too. So watch out for a lot of entries that just say “Good” or “Great plugin”. The WordPress community is usually more descriptive in their feedback.
One other thing to consider here is how the plugin owner responds to negative reviews. WordPress is slow to remove negative comments because they believe “the way you react to those poor experiences [comments] is going to impact your reputation, and that of your plugin, a heck of a lot more than that review.” That’s why it’s important to not only check what a reviewer says, but also the author’s response. Did they offer to investigate and fix a fringe issue? Were they willing/able to provide a patch? Was the bad review actually the result of misuse, user error or a conflict out of the author’s control?
Of course, if you see any reviews or comments that mention security concerns, walk away. That is non-negotiable.
9. Support Is Non-Existent
Even though you are a WordPress developer and have a good handle on troubleshooting within the CMS, you shouldn’t have to figure out why your plugin won’t install, doesn’t work as promised, or has caused the white screen of death. When security is a primary concern, support needs to be there.
So, it’s really nice that we have this information easily at our disposal to peruse in WordPress. There are three things I would look for with this:
- Look at the percentage rate at which they actually respond to support requests.
- Read through some of the developer’s responses to make sure they’re actually helpful.
- Scan through the response dates. If the developer hasn’t provided any support responses (or even comment responses) in the last three months, that’s not a good sign.
If support matters to you, don’t let this one go unnoticed.
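Warning signs 5 through 9 are all numbers the WordPress.org plugin info API already exposes, so they can be checked in one pass. This is an added example, not code from the original post or from WordPress.org: the field names match the real https://api.wordpress.org/plugins/info/1.0/<slug>.json response, the sample values are invented, and the 50% resolved-threads cutoff is an assumption (the article only says to look at the response rate).

```python
from datetime import date

# Constructed sample shaped like the plugin info API response; the field names
# are the real ones, the values are invented for this example.
SAMPLE = {
    "name": "Example Gallery",
    "slug": "example-gallery",
    "requires": "4.9",
    "tested": "5.2",
    "last_updated": "2019-02-14 3:21pm GMT",
    "active_installs": 800,
    "rating": 72,  # percentage; 80 corresponds to four stars
    "support_threads": 20,
    "support_threads_resolved": 6,
}

def major_minor(version):
    """'5.2.2' -> (5, 2): a plugin tested on 5.2 is fine for 5.2.x point releases."""
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def vet_plugin(info, current_wp, today_iso):
    """Apply the article's thresholds and return the list of warning signs hit."""
    warnings = []
    installs = info.get("active_installs", 0)
    if installs < 1000:
        warnings.append(f"only {installs} active installs (want 1,000+, ideally 5,000+)")
    if major_minor(info["tested"]) < major_minor(current_wp):
        warnings.append(f"tested up to {info['tested']} but current WordPress is {current_wp}")
    updated = date.fromisoformat(info["last_updated"].split(" ")[0])
    age = (date.fromisoformat(today_iso) - updated).days
    if age > 365:
        warnings.append(f"last updated {age} days ago (over a year: the breaking point)")
    elif age > 90:
        warnings.append(f"last updated {age} days ago (over three months)")
    if info.get("rating", 0) < 80:
        warnings.append(f"rating {info['rating']}/100 is below four stars")
    threads = info.get("support_threads", 0)
    if threads:
        # Assumed cutoff: fewer than half of support threads resolved is a bad sign.
        resolved_pct = 100 * info.get("support_threads_resolved", 0) // threads
        if resolved_pct < 50:
            warnings.append(f"only {resolved_pct}% of support threads resolved")
    return warnings
```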
10. There’s No Documentation
For some WordPress plugins, it might not make sense to write up a bunch of documentation on how to install or configure it. Screenshots might not be needed either if it’s a set-it-and-forget-it kind of plugin (like Akismet).
However, for plugins that require some work to get them moving or that tackle a highly technical function or feature, there need to be screenshots at the very least as well as documentation in case you have questions about it. If none are available, verify that it’s not tucked away somewhere on the website. And if you’re still at a loss, don’t download it. It’s the same as getting no support from the developer.
10. It’s Too Big
Performance is incredibly important in WordPress, so you should make conscious decisions about what you put inside of it that could adversely affect its speed and, consequently, security. Slow WordPress plugins are a problem, but sometimes it’s just because of how bloated they are in size.
When dealing in free WordPress plugins, I’d advise you to download them to your desktop (rather than directly into your WordPress). Take a look at the file size. Can your server reasonably hold this with everything else that’s already on there? If not, find something else.
11. It Doesn’t Play Well with Others
WordPress plugin conflicts can occur for a variety of reasons. Sometimes they conflict with other plugins and sometimes it’s a theme or the WordPress core itself they just don’t play well with.
Again, do your research before you install the plugin to your site. See if the user comments say anything about known conflicts in WordPress. Google should be able to tell you the same.
If you’re feeling confident enough that the plugin won’t cause your site harm, I’d still recommend installing it on a testing sub-site. Just to be on the safe side. Having to deal with bringing your site back up online or fixing a broken feature on the site just isn’t worth your time if you can verify the safety of the plugin that way.
12. The WPScan Website Says It’s a Problem
The WPScan Vulnerability Database keeps a log of all known vulnerabilities (with corresponding dates) of WordPress plugins.
You can use the search function to locate the specific plugin you’re interested in using on your site. If no entries come back, the plugin has no known vulnerabilities on record. I would also recommend signing up for email alerts. That way, if it (or any of your other plugins) should show up on the vulnerability list, you won’t have to actively dig around for that information.
13. Your Web Host Says It’s Disallowed
Did you know that web hosting companies will sometimes keep a list of disallowed or banned plugins? Usually, these have to do with plugins that overlap with the functionality they provide to users (like caching plugins), but that’s not always the case. Sometimes they will outright ban a plugin with known security issues.
Here are some examples of disallowed plugin lists:
14. Your Favorite Blog Says They’re No Good
Actually, with this one, it doesn’t even need to be that your favorite WordPress security blog says that the WordPress plugin is unsafe or no good. If the blog flat-out never mentions it as a trusted or secure plugin, then why bother using it? You trust these guys enough to read their articles on a regular basis, so you should have faith they’ll steer you in the right direction.
15. Your Checkup Tool Indicates There Are Problems
Finally, look at what your checkup tool says (if you’re not using WP Checkup yet… what’s going on?). Yes, this will require you to actually install the plugin on your site. However, it will let you know if there’s anything suspicious going on with it.
Just remember to run the checker before installation so you have a baseline to compare it against. If the tool throws any new security warnings after installation, you know what caused the problem. Delete the plugin and all its files immediately. And never look back.
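The same before-and-after idea applied to the files on disk, as an added example that is not part of the original post and not what WP Checkup itself does: snapshot the site on the test sub-site, install the plugin, snapshot again, and list every file the install added or changed outside the plugin's own folder, which is also the list you need when deleting "the plugin and all its files". The site layout and file contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def compare(before, after):
    """Split the post-install tree into files added, removed and changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def outside_plugin_dir(report, plugin_dir):
    """Anything the install wrote or altered outside its own folder needs explaining."""
    prefix = plugin_dir.rstrip("/") + "/"
    touched = report["added"] + report["changed"]
    return sorted(p for p in touched if not p.startswith(prefix))

def demo():
    """Constructed scenario: snapshot a tiny fake site, 'install' a plugin, compare."""
    with tempfile.TemporaryDirectory() as site:
        def write(rel, text):
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-content/plugins/index.php", "<?php // Silence is golden.")
        before = snapshot(site)
        # The plugin's own file is expected; the other two writes are not.
        write("wp-content/plugins/example/example.php", "<?php /* Plugin Name: Example */")
        write("wp-content/uploads/cache.php", "<?php // not where a cache belongs")
        write("wp-config.php", "<?php define('DB_NAME', 'wp'); // edited")
        report = compare(before, snapshot(site))
        return report, outside_plugin_dir(report, "wp-content/plugins/example")
```

Run snapshot() against the real document root before and after the install on your test sub-site; the demo() function only shows the flow on a throwaway directory.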
A WordPress plugin can go sour in so many different ways, so you need to do your due diligence before you entrust any of them to your site. Then, you must keep on reviewing them to make sure they don’t go off the rails while you’re not looking. If you spot any of these 15 warning signs, skip downloading that new plugin.