WordPress Plugin Security: Prevention and Recovery
WordPress plugin security must be at the top of your list when maintaining your WordPress (WP) website. I share steps here for prevention of hacks and for recovery if you do get hacked.

While plugins are critical to the user experience, they also give cybercriminals entry points. I wrote a companion piece, linked at the end of this post, that describes known vulnerabilities in ten popular WordPress plugins:

  • Page Builder
  • Site Kit
  • Popup Builder
  • Duplicator
  • Profile Builder
  • ThemeGrill Demo Importer
  • ThemeREX Addons
  • GDPR Cookie Consent
  • WP Database Reset
  • InfiniteWP Client

How to Improve Security of your WordPress Site

Keeping a plugin secure is primarily the vendor’s responsibility. But there are several things you can do to make sure your plugins aren’t “low-hanging fruit.” The following tips will help you avoid the worst-case scenario.

  • Choose Plugins Wisely. Maintain a healthy dose of paranoia when selecting your WP plugins. Do your homework and scrutinize the developer’s reputation. Read user reviews and look at the rating scores beforehand. Pay attention to the number of active installs – it can speak volumes about the reliability of the plugin. It’s also a good idea to Google the name of the plugin and check whether it has had vulnerabilities in the past. If possible, stick with the official WordPress Plugins Directory to find the tools you need.
  • Keep Your Plugins Up to Date. This one is of paramount importance. Even if a vendor promptly identifies a security loophole in their product and rolls out a patch, you will not be safe until you update the plugin.
  • Use the Latest Version of WordPress. Out-of-date WordPress versions may have bugs that provide attackers with opportunities to get in. From there, crooks can affect all your site’s components, including specific plugins. Although site takeovers through vulnerable plugins take place in the reverse order, it is in your best interest to thwart either scenario.
  • Use a Security Plugin. Although protecting your plugins with a security plugin sounds like a tautology, this is an amazingly effective defensive strategy that will safeguard your entire WordPress set-up. These tools can scan your website for malware, known weaknesses, and misconfigurations that may be exploited by cybercriminals.
  • Follow Safe Password Practices. Proper authentication hygiene will help you avoid a single point of failure (SPOF). Passwords are keys that open the doors to different areas of your website. Be sure to make them impossible to guess and hard to brute-force.
  • Adhere to the Principle of Least Privilege. Authorized users should not have more permissions than they need. Avoid assigning admin or editor roles to everyone. If a single user account is compromised, you do not want this incident to entail a full website hack.
  • Tidy Up the Users List. If there are inactive users enrolled in your WordPress website, you cannot go wrong if you remove them. In case this is a no-go for one reason or another, changing their role to “Subscriber” could be a reasonable tradeoff.
  • Turn Off User Enumeration. Consider disabling the WordPress username enumeration via your site’s .htaccess file. This will make it harder for attackers to obtain the list of users and probe each account for loopholes.
  • Restrict Access to Plugins’ PHP Files. Competent attackers may try to exploit the PHP files of WP plugins by sending crafted HTTP GET/POST requests directly to them, bypassing the WordPress front controller. These tricks can allow malefactors to get around security mechanisms such as authentication and input validation checks. Therefore, it is recommended to define rules that return an error page in response to such requests.
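The last two tips above both come down to web-server rules. The .htaccess fragment below is an added example, not from the original post or from WordPress itself; it assumes Apache with mod_rewrite enabled and WordPress installed in the document root, and the whitelisted path example-plugin/ajax.php is a placeholder for any plugin endpoint you know must stay reachable.

```apacheconf
# Added example (not part of the original post). Assumes Apache + mod_rewrite,
# WordPress in the web root. Place above the "# BEGIN WordPress" block.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# --- 1. Block username enumeration ---------------------------------------
# Anonymous visitors can list authors by requesting /?author=1, /?author=2, ...
# and WordPress redirects to /author/<login>/. Refuse such requests outside
# wp-admin so logged-in editors can still use the dashboard's author filters.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]

# The REST API exposes the same list at /wp-json/wp/v2/users (and via
# ?rest_route=/wp/v2/users). The login-cookie check is only a coarse filter
# for anonymous requests; it is not authentication, WordPress still does that.
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=/wp/v2/users [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^ - [F,L]

# --- 2. Refuse direct requests to plugin/theme PHP files ------------------
# WordPress includes these files itself; a browser has no reason to call
# /wp-content/plugins/<name>/<file>.php by URL. Answer with 403 instead of
# executing the file. Whitelist the few endpoints that really are called
# directly (placeholder path below) after checking the plugin's documentation.
RewriteCond %{REQUEST_URI} ^/wp-content/(plugins|themes)/.*\.php$ [NC]
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/example-plugin/ajax\.php$ [NC]
RewriteRule ^ - [F,L]
</IfModule>

# Optional: serve a plain static page for the 403s generated above.
ErrorDocument 403 /403.html
```

Test the rules on a staging copy first: request /?author=1 and a known plugin PHP file and confirm you get 403, then click through the admin dashboard to make sure nothing legitimate is blocked.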

What to Do If a WordPress Plugin Is Hacked?

Even if your WP plugin security is covered from every angle imaginable, you still need to have a Plan B that will help you recover from a potential compromise. It is important to understand that a plugin hack is hardly ever the ultimate goal of malicious actors. Instead, they want to take over your whole WordPress website. Therefore, the remediation goes well beyond addressing plugin security issues alone.

  • Reset Your Passwords. You cannot know for a fact which credentials the adversary has used to access your site. It could have been the password for the WordPress dashboard, the database, or your account with the hosting provider. Therefore, you need to reset all of them to stop further exploitation.
  • Enable Maintenance Mode. You do not want your visitors to know that the site has been hacked, do you? So, head to your admin panel and turn on maintenance mode. This way, people will be seeing a message about regular maintenance until you sort things out.
  • Update All Plugins. Doing so will patch the vulnerabilities that the threat actor may have exploited to infiltrate the site behind your back.
  • Remove Plugins You Do Not Use. Because WP plugins are susceptible to numerous attack vectors due to security loopholes, you would be better off deleting unnecessary ones. This will minimize the risk of exploitation.
  • Scan Your Site for Malware. Use an effective security plugin to run a malware scan and eliminate the pests it detects. Harmful code and backdoors are often deposited onto sites in the aftermath of hacks, so this recommendation makes a lot of sense!
  • Clean Up Your Sitemap. This is primarily a way to prevent your website from being blacklisted by search engines. Once your sitemap contents are back to normal, resubmit it via your Google Search Console.

General Security

Instead of checking every line of code for unauthorized changes, correcting these tweaks, and sanitizing your entire database along with the sitemap, you can take a shortcut and restore your WordPress website from a backup. Of course, this option only applies if such a backup is available. If it is not, the best time to start using this fundamental security measure is now.

Keep in mind that a hack can badly harm your site’s reputation, entailing a burdensome and lengthy recovery. So, be proactive and keep your incident preparedness at a consistently decent level.

Read more about 10 popular WordPress plugins and their known vulnerabilities.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
