The Downside of the WordPress Plugin Directory

One of the most powerful and useful parts of WordPress and other popular CMS software is the seemingly endless number of available plugins to extend functionality in nearly any way you like. WordPress provides the Plugin Directory, where developers can publish their open source plugins free of charge for other users to download and use. In fact, I’ve contributed to the Plugin Directory with a number of offerings over the years, including Document Gallery, Hello Simpsons Chalkboard Gag, and Prezi Embedder. But with all this power does come a downside…

As a site owner planning to use one of these plugins, you either have to read every line of code from the plugins you are planning to use (and understand the code well enough to spot any possible security vulnerabilities), or you have to trust that the plugin developer has made the code secure. If the developer was careless, your site could quickly be compromised (hacked!).

Recently a hacker scanned my site, looking for any plugins that he or she believed had security holes. This is a common practice where hackers look for sites that they know how to break into, then use this knowledge to — you guessed it — break in. As it happens, I did not have any of the plugins they were looking for, but the scan gave me a nice list of plugins to avoid. I thought I would include the list here so that others can be wary if they are considering using one of the following:

Disclaimer: This is a list of plugins that the hacker believed had vulnerabilities. In many cases, these plugins list security fixes in their change logs that may (or may not) have resolved whichever issue the hacker was planning to exploit. It is also possible that the hacker was mistaken about some of the plugins in the list and they were never really vulnerable. This is by no means even close to a complete list of plugins with security vulnerabilities, and you should always do research on any plugin prior to installing it on a production site.
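The scan described above leaves a recognisable trace in the web server's access log: one client requesting many distinct `/wp-content/plugins/<slug>/` paths, most of them returning 404 because the plugin is not installed. The following is an added example (not code from the post) that reads Apache combined-format log lines, flags clients whose plugin requests are mostly misses, and collects the slugs they probed, which is exactly how such a "list of plugins to avoid" can be recovered from your own logs. The log lines, IP addresses and slugs other than `document-gallery` are constructed placeholders, and the `document-gallery` slug is assumed to be the Document Gallery plugin's directory name.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); IPs are from
# documentation ranges and the "plugin-*" slugs are placeholders, not real plugins.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/document-gallery/readme.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/plugins/document-gallery/css/style.css HTTP/1.1" 200 812 "https://example.test/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:03 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
"""

# Client IP, request method/path and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Plugin slug is the first directory below /wp-content/plugins/.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[A-Za-z0-9_.-]+)/')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_plugin_probes(lines, min_distinct=3):
    """Group plugin-directory requests by client IP and flag clients that touched at
    least `min_distinct` distinct slugs with more misses (404) than hits.  A normal
    visitor only loads assets of installed plugins, so their requests all succeed.
    Returns {ip: {"probed": [...], "missing": [...], "present": [...]}}."""
    by_ip = defaultdict(lambda: {"probed": set(), "missing": set(), "present": set()})
    for line in lines:
        rec = parse_line(line)
        pm = PLUGIN_RE.match(rec["path"]) if rec else None
        if not pm:
            continue
        entry = by_ip[rec["ip"]]
        slug = pm.group("slug")
        entry["probed"].add(slug)
        (entry["missing"] if rec["status"] == "404" else entry["present"]).add(slug)
    return {ip: {k: sorted(v) for k, v in e.items()}
            for ip, e in by_ip.items()
            if len(e["probed"]) >= min_distinct and len(e["missing"]) > len(e["present"])}

def probed_plugins(lines):
    """Union of slugs requested by flagged scanners: the 'plugins to avoid' list."""
    slugs = set()
    for entry in find_plugin_probes(lines).values():
        slugs.update(entry["probed"])
    return sorted(slugs)

if __name__ == "__main__":
    for ip, entry in find_plugin_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, "probed", entry["probed"], "installed here:", entry["present"])
```

Slugs listed under `present` were requested by a scanner and exist on your site, so those are the ones whose changelogs deserve a look first.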

