November 08, 2018

The fact that WordPress is open source and has such a huge, vibrant developer community is great. For the most part, the huge number of plugins available come with the security afforded by millions of downloads, high ratings, and reliable developers who have worked hard to become known figures in the community.
However, not all plugins are safe, and the automated protections you may rely on aren’t effective at pointing out which ones aren’t. This is because a plugin is a package of PHP code that may also contain files such as images or JavaScript. The PHP code in a WordPress plugin has privileged access to the site and its database, and any JavaScript it ships is trusted by visitors’ browsers. Because of this, it’s important to make sure a plugin doesn’t contain security vulnerabilities or malware.
Almost all of the most popular plugins in the official repository are perfectly safe. Plugins with many thousands of users are intensely scrutinized and problems come to light quickly. But there are tens of thousands of WordPress plugins and it’s wise to be vigilant.
The best way to find out if a plugin is safe is to check the code, but it isn’t reasonable to expect that of most WordPress hosting clients. This article looks at how you can identify unsafe WordPress plugins without looking at the code, by identifying the top red flags for knowing what to avoid.


1. Is The Plugin From A Reputable Source?

To be safe, you should install plugins from the official repository or from the website of a developer with a good reputation in the community. Google the name of the developer to find out what has been written about their plugins. If you find mostly negative commentary or no information at all, you may want to find an alternative.
Check the version of the WordPress Plugin you're installing

2. Has It Been Updated Recently?

Abandoned plugins don’t get security updates and may be incompatible with your version of WordPress. Even if a plugin has not been abandoned, infrequent updates are a bad sign.
The plugin’s page on the official repository will tell you when it was last updated and which versions of WordPress it is compatible with. Avoid plugins that haven’t been updated in the last few months. Even if an old plugin seems to work properly, there may be hidden issues.

3. Does It Have Ongoing Support?

Does your WordPress plugin have ongoing support?
Check the support section of the plugin page on WordPress.org to see if the plugin has continuous and active support. You’ll be able to see how many issues have been identified and how many have been solved by the developer community within the last few months. Moreover, by clicking “view support forum”, you’ll be able to see how active the plugin community has been and how much support it has from other users.

4. Is It A “Free” Premium Plugin?

Many developers of premium plugins also release a free version with limited functionality. It is perfectly fine to use these plugins. But if you find a fully functional premium plugin offered for free, do not install it. Plugin pirates install malware in these so-called “nulled” plugins.

5. Did The Plugin Recently Change Owners?

This isn’t always an indication of a problem: developers sell or transfer plugins for many reasons. But in recent months there have been incidents of popular plugins ending up in the hands of unscrupulous developers.


6. Does the Developer Have a Bad Reputation?

Before installing a plugin, it is a good idea to check up on the reputation of the developer. A quick Google search of their name can turn up a lot of results; it can also turn up nothing at all. That, in itself, can be a red flag: it suggests the developer is either new to the WordPress scene or isn’t trusted.

7. Is It Popular With WordPress Users?

Rating of the WordPress plugin
Plugins with few users are more likely to cause problems. There are millions of WordPress sites, so if only a handful of WordPress users have installed a plugin, you should be cautious. There are a couple of possibilities: the plugin targets a narrow niche, or it is being avoided by other WordPress users. It may also be a brand new plugin, but that should be a red flag too.
As a rule, stick to plugins that are installed on lots of WordPress sites: problems are more likely to have been noticed and ironed out.

8. Is It Compatible With the Latest WordPress Version?

Checking for updated compatibility is a good step towards judging the reliability and safety of a plugin. The “Requires WordPress Version” field tells you how far back you need to go for the plugin to work properly with your website. Making sure you have the latest version is as much about security as it is about optimizing your WordPress site for performance.
Avoid this message for WordPress plugins
Finally, if you happen to see the message above, it’s definitely not a good idea to install the plugin. There’s a reason why the developer hasn’t updated it, and it’s probably not one you want to know.
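Checks 2, 3, 7 and 8 above all rest on metadata the official repository publishes for every plugin, so they can be scripted rather than eyeballed. The following is an added example, not code from this article or from Nexcess. It assumes the JSON shape of the WordPress.org plugin information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG`), whose response carries fields such as `last_updated`, `tested`, `active_installs`, `support_threads` and `support_threads_resolved`; the two plugin records, the reference date (the article’s own publication date) and the thresholds are constructed for illustration, not fetched or endorsed by anyone.

```python
"""
Score a plugin's WordPress.org directory metadata against the red flags in
this article: recent updates (2), active support (3), install base (7) and
compatibility with the current WordPress release (8).

Added example, not part of the original article.  It assumes the response
shape of the WordPress.org plugin information API; the sample records below
are constructed, and the thresholds are assumptions, not repository policy.
"""
import json
from datetime import datetime, timezone
from urllib.request import urlopen

API_URL = ("https://api.wordpress.org/plugins/info/1.2/"
           "?action=plugin_information&request[slug]={slug}")

# Reference "now": the article's publication date, so the constructed sample
# dates are judged as they would have been at the time.
REFERENCE_DATE = datetime(2018, 11, 8, tzinfo=timezone.utc)
CURRENT_WP = "4.9.8"  # current WordPress release on that date

# Two constructed records shaped like plugin_information responses.
SAMPLE_RECORDS = [
    {   # looks abandoned: old update, old "tested up to", few installs, unanswered support
        "slug": "example-gallery-widget",
        "version": "1.3.2",
        "last_updated": "2017-09-14 9:12am GMT",
        "tested": "4.8.3",
        "active_installs": 300,
        "support_threads": 12,
        "support_threads_resolved": 1,
    },
    {   # looks well maintained
        "slug": "example-forms",
        "version": "5.2.0",
        "last_updated": "2018-10-30 2:05pm GMT",
        "tested": "4.9.8",
        "active_installs": 200000,
        "support_threads": 40,
        "support_threads_resolved": 35,
    },
]


def fetch_plugin_info(slug):
    """Fetch a live record from the directory API (not used by the offline demo)."""
    with urlopen(API_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    """Parse the API's last_updated string, e.g. '2017-09-14 9:12am GMT'."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def major_minor(version):
    """'4.8.3' -> (4, 8): 'tested up to' is compared per major.minor WordPress release."""
    parts = [int(p) for p in version.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))


def assess_plugin(info, now=REFERENCE_DATE, current_wp=CURRENT_WP,
                  max_stale_days=180, min_installs=1000, min_resolved_ratio=0.5):
    """Return a dict of red flags for one record; True means the flag is raised."""
    age_days = (now - parse_last_updated(info["last_updated"])).days
    threads = int(info.get("support_threads", 0))
    resolved = int(info.get("support_threads_resolved", 0))
    return {
        # 2. Has it been updated recently?
        "stale_updates": age_days > max_stale_days,
        # 8. Is it compatible with the latest WordPress version?
        "untested_with_current_wp": major_minor(info["tested"]) < major_minor(current_wp),
        # 7. Is it popular with WordPress users?
        "small_install_base": int(info.get("active_installs", 0)) < min_installs,
        # 3. Does it have ongoing support?  (most threads left unresolved)
        "unresponsive_support": threads > 0 and resolved / threads < min_resolved_ratio,
    }


def red_flag_count(flags):
    """Number of raised flags in an assess_plugin() result."""
    return sum(1 for raised in flags.values() if raised)


def assess_samples():
    """Assess every constructed record; returns {slug: flags}."""
    return {rec["slug"]: assess_plugin(rec) for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for slug, flags in assess_samples().items():
        raised = [name for name, hit in flags.items() if hit]
        print(f"{slug}: {red_flag_count(flags)} red flag(s) {raised}")
```

Run it as-is to see the two constructed records scored; to score a real plugin, pass `fetch_plugin_info("some-slug")` to `assess_plugin()` with today’s date and the WordPress version you run. None of these flags proves a plugin is malicious, and a clean score does not prove it is safe; they are the quantitative half of the checklist, and the reputation, ownership and “nulled” checks still need a human.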

The WordPress Community Is, In General, Reliable

There are thousands of honest, competent, and generous plugin developers. But there are some bad apples, as there are in any large community. Before installing a plugin, run through these seven simple checks to keep your WordPress site safe.

Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.
