WordPress Security Week: The Newbie Mistake Everyone Still Makes With Plugins

Please see this post for our recommended plugins:

Cool Plugins You’ve Never Heard Of

Have you seen the fun things that WordPress can do? Have a look at these little known, but totally cool plugin functions:

  • get random quotes from star trek
  • you can have a special popup just for Aunt Mary
  • you can give readers points for reading your site
  • rotate the page 360°
  • asteroid widget so users can seek and destroy parts of your site
  • plus boring things like anti-spam and security

WordPress Plugin description, dangers and usage guidelines.

The Newbie Mistake Everyone Makes

When I started and discovered the WordPress plugin repository it was like walking into a free candy store. Calorie Free Candy store. It was soooo fun!

…install and test.

…install and play.

…install and forget.
This sounds good in theory, except for one huge problem: plugins are not candy.

Story of the Balloon And the Pin

Last year I did an object lesson with my youngest. We gathered ourselves a few balloons, pins and water. We filled the balloon with water (over the sink) and put a pin in it. A tiny sharp quilting pin. Water did not leak out. Nothing broke.

When we pulled the pin out, nothing happened. Not even a drop. So… being brave, we squeezed… one drop.

So we tried another pin… (this is a great object lesson but totally not the point today!)… it took several pins before we started to get droplets of water. And the pins that were left in the balloon didn’t leak.

Of course, half the fun was stabbing the poor balloon until swoosh all over the sink.

In this story, your site is the balloon. It is secure. You keep it on a secure host with a secure password. But did you know that plugins are little pins in your balloon?


Your site is made to accept plugins, but notice one important thing: plugins are code. Code added to your site from an unknown source is dangerous.

But WordPress.org has a simple vetting process. Most plugins, but not all, in the repository are safe to use. We even have our own plugin in the repository.

But when you remove the plugin, does it remove itself gracefully? The thing is, as a regular user you will never know if there are leftover unused tables in the database. You won’t know if there are orphan bits of code floating through your site. Those bits are dangerous.

Another striking parallel between the pins in the story and plugins: the more you use, the more likely conflicts become. I recommend my clients narrow their plugin use to 15 maximum. (See below for tips.)

Your Risks When Using Plugins

1. Exploitation

For every plugin you install, you are opening a door into the bank that is your website.

Once inside your website, plugins have the power to add the needed function or destroy the entire thing. What that plugin will do depends on the source.

Below we’ll talk about how to pick plugins that are safe. For now, choose wisely for security’s sake.

2. Long Load Times (& fewer impressions/readers)

One of the biggest complaints that we get is slow sites. The fix almost every time is removing plugins. You can prevent those maintenance fees and headaches if you are judicious in your use of plugins.

When getting a new theme, it’s especially important to inquire about your designer’s use of plugins. Be wary if they use plugins at all (with the exception of shops, directories or extra functions outside of the norm). The only time a plugin should be used in designing a site is when your site requires a function that is theme-independent.


[info_box type=”note_box”]When installing a new plugin, take a speed test before and after installation. It will tell you how the load time was impacted.[/info_box]

Now, I know you are going to use a plugin. We all do; the functions are limitless and wonderful, blah blah blah. So here’s what you need to know.

When to Use a Plugin

These are the cases, and the only cases, in which I recommend the use of a plugin.

  1. You need a function that isn’t a part of a theme and can’t be reasonably coded into one
    e.g. caching, anti-spam
  2. The function isn’t part of the core WordPress functions
    e.g. backups and HTML forms
    already in WP: commenting, gallery, user permissions
  3. You need it to further your goals, your brand or reach your audience
    e.g. social media sharing, SEO rich snippets
  4. AND it can’t be added to a core theme file or widget
    These can be added to existing widgets: analytics, ad code, images, Facebook pixels, social media widgets, etc.

FYI – in our All in One package, we will only install 7 – 10 plugins and they cover all the needs of every single website that we’ve ever installed. A ton of plugins are simply not necessary.

So you’ve decided to install a plugin. You know you need it, and you’re aware of the risks. Let’s review your plugin for safety and then you’re good to go.

Secure Plugin Test:

  1. Is it available on the WordPress repository? That means it was scanned and declared safe at one point. Personally, I never use plugins that aren’t available at least in a ‘lite’ version in the WordPress repository.
  2. Is it up to date – updated within the last 4-5 months?
  3. Read reviews – use the repository star system or Google. Keep in mind a lot of poor reviews happen because people can’t figure out how to use the plugin. That doesn’t mean it is a bad plugin! What you’re looking for is responsiveness of the plugin support team.
  4. Downloads – how many times has it been downloaded? I look for thousands at minimum; it’s better if you have 40,000+. The most popular ones like W3 Total Cache, SEO for WP by Yoast, and Jetpack have millions of downloads.
  5. Click on the author’s name – it will take you to the author’s profile on the WordPress site. Click on the user’s website. Is it still available? Is it being redirected to a ‘sponsor’? If so, stay clear.
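As an added example (not code from the original post), the script below applies checks 2 to 5 of the test above to plugin metadata records, so the audit can be repeated for every plugin on a list. It assumes the field names returned by the WordPress.org plugin-info API (`last_updated`, `downloaded`, `rating`, `num_ratings`, `homepage`); the two plugin records and the rating cut-offs are constructed for illustration.

```python
from datetime import datetime

# Thresholds taken from the post's checklist (day/count equivalents are assumed).
STALE_AFTER_DAYS = 150      # "up to date - within the last 4-5 months"
MIN_DOWNLOADS = 1_000       # "1,000's at minimum"
GOOD_DOWNLOADS = 40_000     # "better if you have 40,000+"

def audit_plugin(info, today):
    """Run checks 2-5 of the post's test over one plugin-info record.
    `info` uses the WordPress.org plugin-info API field names (an assumption);
    check 1, "is it in the repository?", is met by the record existing at all.
    Returns {check_name: (passed, note)}.
    """
    results = {}
    # The API's last_updated looks like "2017-01-20 9:12am GMT"; the date prefix suffices.
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d")
    age = (today - updated).days
    results["up_to_date"] = (age <= STALE_AFTER_DAYS, f"last updated {age} days ago")

    # Reviews: the post warns that a few bad reviews mean little, so only a low
    # average backed by many ratings counts against the plugin (cut-offs assumed).
    rating, votes = info.get("rating", 0), info.get("num_ratings", 0)
    low_rating = votes >= 20 and rating < 60
    results["reviews"] = (not low_rating, f"rating {rating}/100 from {votes} ratings")
    downloads = info.get("downloaded", 0)
    tier = ("well established" if downloads >= GOOD_DOWNLOADS
            else "meets minimum" if downloads >= MIN_DOWNLOADS else "below minimum")
    results["downloads"] = (downloads >= MIN_DOWNLOADS, f"{downloads:,} downloads ({tier})")
    # Whether the author's site still resolves or redirects can only be confirmed
    # by visiting it, so this check only requires that a site is listed to visit.
    homepage = info.get("homepage") or ""
    results["author_site"] = (homepage.startswith("http"), homepage or "no author site listed")
    return results

def passes_secure_plugin_test(info, today):
    return all(ok for ok, _ in audit_plugin(info, today).values())

# Constructed sample records (not real plugins or real API output).
TODAY = datetime(2017, 3, 1)
HEALTHY = {"name": "Example Cache", "last_updated": "2017-01-20 9:12am GMT", "downloaded": 5_200_000,
           "rating": 92, "num_ratings": 3100, "homepage": "https://example.com/cache"}
ABANDONED = {"name": "Star Trek Quotes", "last_updated": "2015-06-02 4:40pm GMT", "downloaded": 640,
             "rating": 100, "num_ratings": 2, "homepage": ""}

if __name__ == "__main__":
    for plugin in (HEALTHY, ABANDONED):
        verdict = "OK" if passes_secure_plugin_test(plugin, TODAY) else "FAIL"
        for check, (ok, note) in audit_plugin(plugin, TODAY).items():
            print(f"{verdict:<4} {plugin['name']:<18} {check:<12} {note}")
```

A plugin that fails any check is worth a closer manual look rather than automatic removal; the abandoned record fails on age, download count and missing author site, exactly the pattern the checklist is meant to surface.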

WordPress Security Week, Day 3 Assignment

To review:

  1. Backups
  2. Updates (Enter to Win a Year of Sucuri Firewall)
  3. today: Plugins
  4. Thursday: Users & Access
  5. Friday: Tech Stuff (simplified)

Homework: Your Individual Plugin Audit

  • remove all that you can
  • ask your developer about hard-coding any that are not necessary
  • remove analytics from a plugin and place in your code
  • remove the ad or image plugins and place in regular widget areas
  • remove email integration plugins and paste the sign-up form code directly into a text widget
  • make a list of what plugins remain and research them using the above questions in the plugin audit

Come back the rest of the week, and especially Friday to get your downloadable worksheet with all five assignments summarized for you!

All of this and more is covered in the free Essential Website Audit checklist below.