How to Audit & Cleanup WordPress Plugins & Themes

In an interview with Smashing Magazine, Sucuri co-founder Tony Perez was asked the following question.

What Makes WordPress Vulnerable?

“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez

The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions.

Auditing your WordPress plugins and themes on a regular basis improves your security posture by shrinking the set of components an attacker can exploit. A vulnerable plugin or theme gives an attacker an entry point into your website, and once in, they can plant a backdoor that survives the original fix.

Outdated or poorly maintained plugins and themes are exactly what attackers look for: an opportunity to force entry. They run automated scripts (bots) that probe sites for known vulnerabilities, regardless of who you are or how big your website is. If one of your WordPress themes or plugins has a known vulnerability, you can expect it to be exploited.

How to Perform a WordPress Plugin & Theme Audit

You can assess the security of your WordPress plugins and themes by measuring the following indicators:

Does the plugin or theme have a large install base?

A large, active install base is a rough proxy for the reputation of the developer: a widely used theme or plugin is more likely to be actively maintained, and bugs in it are found and reported sooner. It is not a guarantee, though. Popular plugins are also the most attractive targets, so a large install base raises the bar for maintenance rather than lowering it.

Are there a lot of user reviews, and is the average rating high?

The assessment here is a common-sense call. Read both good and bad reviews to get a grasp of the average user experience, and pay particular attention to reviews that mention security issues or unanswered bug reports.

Are the developers actively supporting their plugin and pushing updates or security patches?

Ensure that the developers are actively working on every plugin and theme installed on your WordPress website, and that updates and security patches are released regularly. When was the plugin last updated? If it was more than six months ago, consider an alternative that is actively supported. The "Tested up to" field in the official directory is another signal: a plugin that has not been tested against recent WordPress releases is likely not being maintained.

Does the vendor list terms of service or privacy policy?

If they do, it is a good sign that the plugin or theme is legitimate. Read the terms of service carefully, because they may disclose unwanted extras or "features" (data collection, bundled third-party code, remote calls) that were not advertised for the plugin or extension.

Does the vendor include a physical contact address in the ToS or a contact page?

It is important to be able to reach the author or developer in case you need additional assistance or information, or need to report a security issue. A physical address is a credibility indicator: it suggests an identifiable vendor rather than an anonymous source.

Does the plugin have a support page?

Plugins and themes from the official WordPress repository include a support page where users can ask the developer questions or report issues. It is a good idea to read up on what kind of issues people are reporting, and to check how often the developer responds to (and patches) bugs or complaints.

Now that we have identified how to choose the safest possible plugin and theme for your WordPress website, let’s move on to how to secure your WordPress installation.

Have a WordPress Backup Solution

Every website should be backed up on a regular basis. Look for the following requirements in your backup solution:

If you would like to learn more about backups and other website security practices, our 12 Best Practices for Maintaining and Securing Your Website blog post is an excellent start.

Remove Outdated or Unused Plugins & Extensions

When it comes to website security, less is more. Remove unused third-party components and keep things tidy to reduce vulnerabilities.

You can think about your WordPress installation as your house: the more things you have, the more difficult it is to notice when something is out of place, or when an item goes missing.
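A scripted version of the assessment points above (install base, reviews, release cadence, support responsiveness, plus the vendor checks that cannot be automated) combined with the unused-plugin check from this section. This is an added example, not code from the Sucuri or ManageWP posts. It assumes two inputs: the JSON printed by `wp plugin list --format=json` (its name/status/update/version fields are WP-CLI's real output) and per-plugin metadata shaped like the WordPress.org plugin information API response (fields active_installs, rating, num_ratings, last_updated, support_threads and support_threads_resolved, as I recall them; treat the exact names and the date format as an assumption). Both inputs are constructed samples with fictional slugs so the script runs offline, and every threshold other than the article's six-month rule is an assumed value.

```python
"""Audit installed WordPress plugins against the article's assessment points.

Added example, not Sucuri's or ManageWP's code. Inputs are constructed samples:
a `wp plugin list --format=json` listing and wordpress.org-style plugin metadata.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Thresholds. Six months is the article's rule; the others are assumed values.
STALE_AFTER = timedelta(days=183)
MIN_INSTALLS = 10_000
MIN_RATING = 80            # wordpress.org reports rating as a 0-100 percentage
MIN_NUM_RATINGS = 20
MIN_RESOLVED_SHARE = 0.5   # share of support threads the developer actually resolves

# Constructed sample of `wp plugin list --format=json`. Slugs are fictional.
WP_CLI_PLUGIN_LIST = json.loads("""
[
  {"name": "example-gallery", "status": "active",   "update": "none",      "version": "3.4.1"},
  {"name": "legacy-slider",   "status": "active",   "update": "none",      "version": "1.0.9"},
  {"name": "old-backup-tool", "status": "inactive", "update": "none",      "version": "0.8"},
  {"name": "vendor-seo-pro",  "status": "active",   "update": "available", "version": "7.2.0"}
]
""")

# Constructed sample shaped like the wordpress.org plugin information API
# (api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=...).
# vendor-seo-pro is deliberately absent: a plugin sold outside the directory has no entry.
WPORG_INFO = {
    "example-gallery": {"active_installs": 200_000, "rating": 92, "num_ratings": 350,
                        "last_updated": "2024-05-20 9:12am GMT",
                        "support_threads": 12, "support_threads_resolved": 10},
    "legacy-slider":   {"active_installs": 4_000, "rating": 60, "num_ratings": 8,
                        "last_updated": "2022-11-03 4:30pm GMT",
                        "support_threads": 25, "support_threads_resolved": 3},
}


def parse_last_updated(value: str) -> date:
    """last_updated is assumed to look like '2024-05-20 9:12am GMT'; only the date matters."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


@dataclass
class PluginFinding:
    name: str
    action: str                      # keep | update | review | replace | remove
    findings: list[str] = field(default_factory=list)


def audit_plugin(entry: dict, info: dict | None, today: date) -> PluginFinding:
    """Apply the assessment points to one installed plugin."""
    name = entry["name"]
    findings: list[str] = []
    update_available = entry.get("update") == "available"

    # Less is more: an unused plugin is attack surface, so delete it, don't just deactivate it.
    if entry["status"] != "active":
        findings.append("inactive: remove it rather than leaving it installed")
        return PluginFinding(name, "remove", findings)

    if update_available:
        findings.append("an update is available; apply it")

    if info is None:
        # Nothing to score automatically: fall back to the manual vendor checks.
        findings.append("not in the wordpress.org directory: check the vendor's ToS, "
                        "contact address and support page by hand")
        return PluginFinding(name, "update" if update_available else "review", findings)

    age = today - parse_last_updated(info["last_updated"])
    stale = age > STALE_AFTER
    if stale:
        findings.append(f"last release {age.days} days ago (over 6 months); consider a supported alternative")
    if info["active_installs"] < MIN_INSTALLS:
        findings.append(f"small install base ({info['active_installs']})")
    if info["rating"] < MIN_RATING or info["num_ratings"] < MIN_NUM_RATINGS:
        findings.append(f"weak review signal: rating {info['rating']}% from {info['num_ratings']} ratings")
    threads = info["support_threads"]
    if threads and info["support_threads_resolved"] / threads < MIN_RESOLVED_SHARE:
        findings.append(f"developer resolves only {info['support_threads_resolved']}/{threads} support threads")

    action = "replace" if stale else "update" if update_available else "review" if findings else "keep"
    return PluginFinding(name, action, findings)


def audit_site(plugin_list: list[dict], info_by_slug: dict, today: date) -> list[PluginFinding]:
    return [audit_plugin(e, info_by_slug.get(e["name"]), today) for e in plugin_list]


def audit_sample() -> dict[str, PluginFinding]:
    """Run the audit over the constructed sample at a fixed date so results are reproducible."""
    return {r.name: r for r in audit_site(WP_CLI_PLUGIN_LIST, WPORG_INFO, date(2024, 6, 1))}


if __name__ == "__main__":
    for r in audit_sample().values():
        print(f"{r.name:18} {r.action:8} " + "; ".join(r.findings))
```

On a real site, replace the two constants with the output of `wp plugin list --format=json` and a fetch of the plugin information API per slug. The script recommends an action per plugin; it deliberately stops short of deleting anything, since removal should follow a backup and a check that nothing else depends on the plugin.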

To audit your website, use this quick checklist from Sucuri’s How to Perform a Website Audit blog post, along with the assessment points we just went over.

Ongoing Security Audit Checklist:

Conclusion

“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once it’s built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.

WordPress’ ease of use is awesome, but I think it provides a false sense of assurances to end users and developers alike. I think, though, this perception is starting to change.” ~ Tony Perez

*This article includes content originally published on the Sucuri blog

Photo by Helloquence on Unsplash

Pilar Garcia

Pilar is a Paid Acquisition Specialist at Sucuri. She is driven by data, research, and content creation. When she is not doing gap analysis or market research, she is spending time with her son, traveling, or reading.

1 Comment

  1. ThaiWP

    Thanks for sharing great security tips and the checklists. One thing I would add is to remove outdated and unused themes, as they can have vulnerabilities the same as unused plugins. Getting a security plugin such as WordFence would help audit your site security.


Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!
