That WordPress plugin may be your biggest security risk
Every plugin you install is a door into your site. Some doors are well-built, watched over by people who care, and locked when they need to be. Others are propped open with a brick and a hopeful sign.
WordPress powers about 40% of the public web. That's millions of community organisation websites, and the reason it's the single largest target for automated attacks online. When we audit a small charity's site and find it's been quietly compromised, nine times out of ten it's a plugin that let the attacker in.
Why plugins, specifically?
The WordPress core is well-maintained. A small team of paid professionals reviews every change before it ships, and security patches go out fast. The plugin ecosystem is the opposite: tens of thousands of plugins written by everyone from full-time developers to a hobbyist who hasn't touched the code in seven years.
When you install a plugin, its code runs with the same access to your site as you have yourself. That's fine, until the plugin stops being maintained, or until the maintainer's account is compromised, or until the next update introduces a vulnerability that won't be patched.
If a plugin hasn't been updated in two years, treat it like a stranger who's been quietly living in your office.
The questions to ask before installing one
- When was it last updated? Anything older than 12 months is a warning. Older than 24 months is a no.
- How many active installations does it have? Fewer than 10,000 means very few people are looking for problems with it. That's not always a deal-breaker, but it changes the maths.
- Who maintains it? Is it a single hobbyist, a small studio, or a commercial company with a paid product? All three can be fine, but you want to know what you're depending on.
- Does it really need the permissions it asks for? A "show my Instagram feed" plugin asking for full admin access is a red flag.
- Could you do without it? The safest plugin is the one you never installed. We've found sites running 40+ plugins where five could've done the job.
What to do about the ones you already have
Open your WordPress admin and head to Plugins → Installed Plugins. For each one:
- If it shows "Last updated: more than 2 years ago", uninstall it, even if you "might use it later". You can always reinstall.
- If you don't remember what it does, uninstall it.
- If it's marked "deactivated", uninstall it. Deactivated plugins still have their code on the server and can still be exploited.
- If it's a contact form, gallery, SEO or backup plugin with an established commercial company behind it, keep it, but make sure auto-updates are turned on.
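If you'd rather script the walk-through above than click through the admin screen, here is an added example (not part of this post): it applies the same rules to a plugin inventory in the shape that the real WP-CLI command `wp plugin list --format=json` produces, plus a "last updated" date per plugin as the plugin directory shows it. Both inputs are constructed samples.

```python
"""Triage installed WordPress plugins by the rules in this post."""
from datetime import date

# Constructed sample, shaped like `wp plugin list --format=json`.
SAMPLE_PLUGINS = [
    {"name": "wordfence", "status": "active", "auto_update": "on"},
    {"name": "updraftplus", "status": "active", "auto_update": "off"},
    {"name": "old-gallery", "status": "active", "auto_update": "off"},
    {"name": "fancy-slider", "status": "inactive", "auto_update": "off"},
    {"name": "insta-feed", "status": "active", "auto_update": "on"},
]

# Constructed sample: the "Last updated" date per plugin slug.
SAMPLE_LAST_UPDATED = {
    "wordfence": date(2024, 5, 1),
    "updraftplus": date(2024, 4, 20),
    "old-gallery": date(2021, 9, 3),
    "fancy-slider": date(2023, 11, 12),
    "insta-feed": date(2022, 12, 30),
}


def months_since(then, today):
    """Whole months between two dates; enough for 12/24 month cut-offs."""
    months = (today.year - then.year) * 12 + (today.month - then.month)
    return months - int(today.day < then.day)


def triage(plugins, last_updated, today):
    """Map each plugin name to a verdict, checking the rules in priority order."""
    verdicts = {}
    for plugin in plugins:
        name = plugin["name"]
        age = months_since(last_updated[name], today)
        if plugin["status"] == "inactive":
            # Deactivated code is still on the server and still reachable.
            verdicts[name] = "UNINSTALL: deactivated"
        elif age >= 24:
            verdicts[name] = f"UNINSTALL: last updated {age} months ago"
        elif age >= 12:
            verdicts[name] = f"WARNING: last updated {age} months ago"
        elif plugin["auto_update"] != "on":
            verdicts[name] = "KEEP: turn auto-updates on"
        else:
            verdicts[name] = "KEEP"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_PLUGINS, SAMPLE_LAST_UPDATED, date(2024, 6, 1)).items():
        print(f"{name:14} {verdict}")
```

The script only flags plugins by age and state; "do I remember what it does" is still a question only you can answer.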
The two we'd never run without
The exception to "fewer plugins is better": a properly-configured security plugin and a backup plugin. We like Wordfence for the first and UpdraftPlus for the second, but the specific names matter less than the principle: have something watching the front door and something that lets you go back to yesterday's site if today's is on fire.
Want a fresh pair of eyes on yours?
Our security audit goes through every plugin you have installed, what it's doing, and whether it's still earning its keep. It's free for non-profits and small community groups. Tell us about your site and we'll come back within a couple of working days.