How One Plugin Can Sabotage Site Security

If you’ve ever created a website through a modular Content Management System (CMS) such as WordPress, you’ll know the combination of intimidation and excitement provided by a seemingly unlimited pool of plugins. The options really are amazing. Whatever feature you want to implement, there’s every chance that someone has already done it and made it available for everyone.
But we teach kids to be careful around strangers for a reason — most are harmless, but it just takes one with malicious intent to spell disaster, and it’s far better to be safe than sorry. There are too many people out there ready to exploit people who are overly trusting, and the same can be said when it comes to digital security.
When you’re thinking about interesting options you could provide for your website’s users, understand that you need to vet any prospective additions before you proceed. Just one plugin can be enough to sabotage your site’s security. How? Allow me to explain.
One weak link destroys a chain
Or, to put it another way, even the smallest crack in a defense can be used to gain entry if someone knows where to apply leverage. You can think of someone feverishly trying to open some shrink-wrapped childproof packaging, flipping it around and studying it closely to find something they can snag with a fingernail — one tiny tear is the key to the whole thing.
When you set up a website in a reputable CMS, you start with a solid level of security. Provided you install updates as prompted and don’t give out admin access to anyone who asks, everything comes down to having strong passwords. That’s because the CMS developer will have security experts hired specifically to make sure that the main system doesn’t have any significant vulnerabilities that could be exploited.
The moment you start installing plugins, you start taking risks. All it takes is one plugin with a major design flaw to compromise your site. If the plugin has permissions on your website and someone gains access to it, then they can access your system — all without having to contend with the actual security of the CMS. The entirety of the chain needs to be strong, or no part of it will be.
(Almost) anyone can make a plugin
You might think design flaws aren’t a big concern because plugin developers know what they’re doing, and that’s true — in general. Usually, they’re experienced developers working on side projects or trying to port across their work from other projects to reach wider audiences. But not always. In truth, there are enough guides out there for someone with no meaningful development experience to throw together a basic plugin and make it available online.
The problem with that is that we tend to automatically trust plugin marketplaces, assuming that anything listed will be safe because it’s been checked, even though we know that digital ecosystems are full of mediocre or outright harmful apps despite being curated. Anyone can easily upload a plugin, make it look like a product from a reputable developer and wait for someone to take the bait.
That’s why you need to read reviews and keep a close eye on the details of anything you install. Confirm that the developer is listed and visit their website to get a better idea of their reliability. Can you trust that developer? What do other people say? Do they appear to update regularly and be aware of potential security issues?
Increased exposure = increased risk
So far I’ve mentioned concerns about the potential weakness of particular plugins, but that doesn’t mean that sticking to good plugins from quality developers will be enough to keep your site safe. Look at it this way: if you install one plugin from a questionable developer, there’ll be a good chance that it will prove a security liability, but if you install twenty plugins from good developers, there’ll be a good chance that one of them will have a minor issue.
Even the best developers overlook things, and with plugins often needing to work together, there’s a lot of testing to be done to make sure that no issues arise. Additionally, the more plugins you install, the more likely you’ll be to miss an important update for one in particular, rapidly creating a security problem.
If you have just a handful of plugins, you can stay up-to-date with each one of them, following development, updates and community feedback. Just don’t let plugin bloat set in, you’ll run out of time to be so careful.
When in doubt, take it out
Installing a plugin doesn’t trap you in a long-term commitment to using it, even if you paid for a license — forget about any notion of sunk cost and make decisions based on current information. The security of your site is incredibly important and may even directly support your livelihood (depending on the nature of your business), so don’t take unnecessary risks. Recovering from a hack can be very frustrating.
While the rise of standardized full-service CMS hosting has led to a marked rise in direct selling for entrepreneurs, don’t make the mistake of assuming that it’s 100 percent safe to buy an existing site. Just as anyone can make a plugin, anyone can make and sell a site. If you end up working on a website you didn’t build, have a developer assess it first (and run some checks).
In general, review your plugin library on a regular basis, confirm that you don’t see anything suspicious and follow some security blogs to ensure that you stay apprised of major vulnerabilities. If you notice something concerning about any plugin you have installed, no matter how trivial — disable or delete it. Security is paramount.
Author Bio
Patrick Foster is a writer and ecommerce expert from Ecommerce Tips — an industry-leading ecommerce blog dedicated to helping you succeed online. Check out the latest posts on Twitter @myecommercetips.