Having an up-to-date WordPress core doesn’t do anything for security if you are running plugins that are not secure. Plugins run with the same authority as WordPress itself, and it only takes one bad plugin to put your whole site’s security at risk, so you want to be sure that the plugins you have are not risky. There is no good assurance of plugin security other than a security code review, which could be very costly, but there are some basic due diligence items you can research to determine a plugin’s stance on security and vulnerabilities.
- Review the author’s homepage and background. Do they have a history of secure code? Do they have independent 3rd parties review the code for security vulnerabilities? Do they state that the code is secure?
- Identify who is behind the plugin. Is it a professional plugin author that has time and expertise to create a secure plugin and maintain it? Is it someone that is learning how to code by providing a neat plugin?
- Are there any open vulnerabilities for the plugin? Use your favorite search engine and search for [plugin name] + vulnerability or [plugin name] + exploit. Not every plugin will have a vulnerability so don’t be fearful if you don’t find anything.
- Review the plugin’s changelog. Does it involve patching of security vulnerabilities? Once again, not every plugin will have a vulnerability so don’t be fearful if nothing is listed.
- Determine if the plugin is maintained. If the author(s) don’t update it to maintain compatibility or add features, then it might be abandoned. If a security issue were to come up, you would be out of luck for a provided fix and left to address it yourself.
- Review the user ratings and comments. Is the author responsive, and is the level of support high? While this is not specifically a security question, it does provide insight into the responsiveness and professionalism of a company. It could translate into security responsiveness if an issue were to come up.
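The changelog, maintenance and support checks in the list above can be scripted so they are repeatable across every plugin you run. The following is an added example, not part of the original post: the sample record is constructed, its field names are modelled on the WordPress.org plugin info API response (an assumption), and the thresholds are illustrative.

```python
import re
from datetime import date

# Constructed sample record; field names modelled on the WordPress.org
# plugin info API response (an assumption, not data from a real plugin).
SAMPLE = {
    "slug": "example-gallery",
    "last_updated": "2021-03-14 9:12am GMT",
    "rating": 62, "num_ratings": 41,          # rating is 0-100
    "support_threads": 20, "support_threads_resolved": 3,
    "changelog": "= 1.4.2 =\n* Fixed XSS in shortcode attribute output\n"
                 "* Updated translations\n= 1.4.1 =\n"
                 "* Security: added nonce check to settings form\n"
                 "= 1.4.0 =\n* New lightbox theme\n",
}

SECURITY_RE = re.compile(r"secur|vulnerab|xss|csrf|sql injection|cve-\d{4}|nonce", re.I)

def security_entries(changelog):
    """Return (version, entry) pairs for changelog lines that mention a security fix."""
    version, hits = "unknown", []
    for line in changelog.splitlines():
        line = line.strip()
        heading = re.fullmatch(r"=+\s*(.+?)\s*=+", line)   # readme.txt style "= 1.2.3 ="
        if heading:
            version = heading.group(1)
        elif SECURITY_RE.search(line):
            hits.append((version, line.lstrip("*- ")))
    return hits

def review(info, today, stale_days=365, min_resolved=0.5, min_rating=70):
    """Apply the checklist; thresholds are illustrative defaults, tune to taste."""
    age = (today - date.fromisoformat(info["last_updated"].split()[0])).days
    threads, resolved = info.get("support_threads", 0), info.get("support_threads_resolved", 0)
    findings = []
    if age > stale_days:
        findings.append(f"no release in {age} days, possibly abandoned")
    if threads and resolved / threads < min_resolved:
        findings.append(f"only {resolved}/{threads} support threads resolved")
    if info.get("num_ratings", 0) >= 10 and info.get("rating", 0) < min_rating:
        findings.append(f"low rating {info['rating']}/100")
    # Past security fixes are context for the reviewer, not a finding by themselves.
    return {"age_days": age, "findings": findings,
            "security_fixes": security_entries(info.get("changelog", ""))}

if __name__ == "__main__":
    report = review(SAMPLE, today=date(2024, 1, 1))
    print(report["security_fixes"])
    print(report["findings"])
```

A changelog with security fixes shows the author patches issues when they arise; the flags to act on are the stale release date and the unresolved support threads.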
What other due diligence review items do you go through?