Sucuri Blog – Unmasking “Free” Premium WordPress Plugins

Sucuri (a website monitoring and malware clean-up service) have posted an excellent article about WordPress plugins and their security implications:

If you don’t realise the security threat that plugins can pose to your website, to other sites in your FTP area and potentially to the host server, this is essential reading.

Here are some paragraphs from their summary where some very salient points are made:

“Everyone knows that using pirated software is bad. Not just ethically bad. It’s stupid. Why trust people who don’t respect property, and whose business is stealing? Just ask yourself a question, where did they get so many paid software titles, and why do they give it away for free?”

“It’s not always about the money. Oftentimes, it’s likely just a lack of knowledge.”

“Think about what you install on your server. Any third-party software that you install can do pretty much anything with your site, and in some cases, with your server.”

“So if you install a plugin or theme, you’d better trust its author and the site where you downloaded it from. On the road between the software developer and you, anyone could potentially make changes.”

“Please, be pragmatic. Get software only from reputable sources. If you need a plugin, try searching for a free one in the official WordPress repository. There are 30,000+ plugins there. This repository has very strict inclusion terms, and should be your only source of free plugins.”

“If a plugin you need is not free, then buy it directly from its developer.”

“And finally, do you really need one more plugin? Can you do without it? Even 100% legitimate plugins have overhead: they make your site slower, they may not get along with your existing plugins, and they may have known and unknown security holes. The more third-party software installed on your server, the more you expose your site to potential security issues. Try to stick to a bare minimum.”

