A clean WordPress site is tough to achieve, especially since WordPress is one of the most widely used CMS and website creation platforms. There are so many plugins and themes compatible with WordPress that it can be confusing to choose which ones to put on your own website. At the end of the day, website owners, especially those who choose not to get an expert web host, tend to forget the basics of WordPress security and download either the popular plugins or those that sound “safe”. This is a bad habit, and it makes maintaining a clean WordPress site more challenging.
When downloading plugins, never assume that the most commonly used ones are automatically safe. In fact, you can never be too sure since most hackers find it a challenge to find vulnerabilities in popular plugins. WordPress is a popular target for cybercriminals, and its plugins are what hackers use as passes to gain access to thousands of WordPress accounts. Even plugins that are meant for WordPress virus removal, or that are supposed to be WordPress malware removal plugins, can contain malware that will make it difficult to recover a WordPress site.
Downloading infected plugins can ultimately lead to a hacked WordPress site, making the website vulnerable to many malicious attacks on the web. Let us go through some of the most popular plugins today and check what their vulnerabilities are.
1. WooCommerce
Since it is a popular choice for e-commerce sites, WooCommerce tends to be installed on a clean WordPress site. Since its launch back in 2011, it has been readily accepted by website owners because of its cool features. If you check the changelog and search for “security”, however, you will find at least 18 results. This means that 18 security fixes were needed. If you inspect closely, there are more fixes, because not every item is labeled as a security issue. A good example is version 2.1.8, where a patch was released for a discovered flaw. SecuPress had the patch, but no “security” patch was identified.
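The changelog check described above can be scripted. The following is an added example, not code from the original post or from any plugin: it separates entries that mention “security” from fix entries that look security-relevant but are not labeled as such. The sample changelog is constructed, and the keyword list is an assumed heuristic.

```python
import re

# Constructed sample in WordPress readme.txt changelog style; not a real plugin's changelog.
SAMPLE_CHANGELOG = """\
== Changelog ==
= 1.4.2 =
* Security - Escape order notes before output.
* Fix - Correct tax rounding on refunds.
= 1.4.1 =
* Fix - Sanitize the redirect parameter on the login form.
* Tweak - Faster product search.
= 1.4.0 =
* Fix - Added nonce check to the settings export action.
* Fix - Prevent XSS in the coupon description field.
* Feature - New shipping zones screen.
= 1.3.9 =
* Fix - Security hardening for file uploads.
"""

# Version header such as "= 1.4.2 =" or "= 1.4.2 - 2020-01-01 =".
VERSION_RE = re.compile(r"^=\s*([0-9][^\s=]*)[^=]*=\s*$")
# Assumed heuristic: terms that usually indicate a security-relevant fix.
HINT_RE = re.compile(
    r"\b(xss|csrf|injection|sanitiz\w*|escap\w*|nonce|capabilit\w*|"
    r"privilege\w*|traversal|disclosure|vulnerab\w*)\b", re.IGNORECASE)

def audit_changelog(text):
    """Return (labelled, unlabelled) lists of (version, entry) tuples."""
    labelled, unlabelled = [], []
    version = None
    for line in text.splitlines():
        line = line.strip()
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        if not line.startswith("*") or version is None:
            continue
        entry = line.lstrip("* ").strip()
        if re.search(r"\bsecurity\b", entry, re.IGNORECASE):
            labelled.append((version, entry))   # what a plain keyword search finds
        elif HINT_RE.search(entry):
            unlabelled.append((version, entry))  # likely security fix, not labelled
    return labelled, unlabelled

if __name__ == "__main__":
    labelled, unlabelled = audit_changelog(SAMPLE_CHANGELOG)
    print(len(labelled), "labelled;", len(unlabelled), "possibly unlabelled:", unlabelled)
```

On the constructed sample, a search for “security” alone finds two entries, while three more fixes touch sanitization, nonces or XSS without the label.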
In 2018, seven vulnerabilities were uncovered in the core WooCommerce plugin. One of these flaws allowed any user with “shop manager” privileges to take full control of a WooCommerce-powered website.
2. iThemes Security
With almost 1 million downloads, you would think that iThemes Security is a safe download for a clean WordPress site. What is not so acceptable is that a complete changelog is not available to non-members. For the purpose of testing, there are four security fixes available, but it lacks some security fixes that were supposed to be there.
3. WPS Hide Login
After performing an edit on these two security plugins, the “Move Login” or “Moving the Login Page” module was missing. The same flaw is found in other plugins that are supposed to hide the login page.
4. All In One WP Security & Firewall
The All In One WP Security & Firewall plugin is pretty popular. But even though it is a security plugin, at least 13 vulnerabilities have been discovered in it that can seriously hurt a website. It even has an identified injection vulnerability.
5. Wordfence
Hailed as the most downloaded security plugin in America, Wordfence is also one of the oldest, as it was released in April 2012. Version 5.2.x, for example, has a lot of vulnerabilities. It is a good thing that those flaws have already been fixed, but they prove that you can never be entirely safe even with a security plugin. After all, it is coded by a human, so there is room for mistakes if the coder is not careful.
6. Yoast SEO
There were 10 warning vulnerabilities in Yoast SEO and five more that affected its Google Analytics plugin.
7. All in one SEO Pack
Holding quite a record as one of the most downloaded plugins, the All in one SEO Pack has also experienced bad security days.
8. Jetpack
Another very well-known plugin is Jetpack. It has grown bigger, and its flaws are part of its journey. A compromised Jetpack plugin could be very detrimental to a website because of the wide range of utilities that it provides. Since more developers use it and there are more uses for its features, the probability of bugs and faults also increases. Just in May 2018, it was used as a malicious plugin on a victim’s site.
9. NextGen Gallery
As a foremost gallery plugin for WordPress, NextGen Gallery has features that allow management of uploads, storage, and display of all images on a WordPress site. Of all its security vulnerabilities, the most serious one was identified in 2017 and involved a grave risk of data exposure.
10. Redux Framework
Although it is not a plugin or a theme, Redux is a framework that is essential in creating both. Upon inspection, it is highly vulnerable to unauthorized access. It can allow a person to change site options, modify the customizer, and change all other options on a website. Frameworks may not be as popular as plugins, but you need to be aware that they can be used against any website. It is therefore important that their security is also prioritized in order to have a clean WordPress site.
The last thing to note about keeping a clean WordPress site is that you never know when the hackers will attack next. The only thing you can do is to prepare against any vulnerabilities brought about by infected plugins.
Airflour is simply the all-in-one solution and the best malware removal to have a clean WordPress site. Their web hosting security solutions are exceptional and your website deserves nothing but the best in terms of security and data protection.