WordPress Themes and Plugins - what you need to know

If your website is built in WordPress then you'll be aware that plugins do some wonderful stuff, anything from online shopping carts to contact forms and more. Plugins allow your site to be more than a ‘hey here I am website’, sometimes referred to as a ‘brochure website’, something I object to as even simple websites do so much more (see Why there is no such thing as a ‘brochure’ website for an explanation).

Themes also do some brilliant things as well as control your website’s look and allow you to add your branding.

Don’t let this put you off WordPress, but you do need to keep the security of these up to date. They're like the apps on your phone. Plugins and themes are a potential back door into your site, so as well as keeping them up to date, as we explain in What are security updates and why do I need them, there is more to be aware of.

Commonly supported 

Make sure the themes and plugins you install are widely supported and have been updated recently. You can check this when you install a plugin either via the WordPress interface itself or via WordPress.org website:

Yoast - (at the time of writing this) was at 27,405 installs👍, updated 5 days ago 👍, compatible with your version of WordPress 👍. 

I wouldn’t install anything that’s not been updated for six months, has fewer than a few thousand installs and is not compatible with the most recent version of WordPress which you should have. 
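The three checks above can be run as a script across every plugin on a site. This is an added example, not code from this article or from WordPress: the field names (`last_updated`, `active_installs`, `tested`) follow the WordPress.org plugin information API, the two sample records are constructed, and the numeric thresholds are assumed readings of "six months" and "a few thousand".

```python
from datetime import date

# Thresholds follow the article's rule of thumb; the exact numbers are
# assumptions ("six months" as 183 days, "a few thousand" as 3000).
MAX_AGE_DAYS = 183
MIN_INSTALLS = 3000

def major_minor(version):
    """Reduce '6.5.3' to (6, 5) so patch releases do not affect the check."""
    parts = (version.split(".") + ["0"])[:2]
    return tuple(int(p) for p in parts)

def vet_plugin(info, current_wp, today):
    """Return the list of reasons a plugin fails the three checks."""
    problems = []
    # last_updated looks like '2024-05-20 8:15am GMT'; only the date matters.
    updated = date.fromisoformat(info["last_updated"].split()[0])
    age = (today - updated).days
    if age > MAX_AGE_DAYS:
        problems.append(f"not updated for {age} days")
    if info["active_installs"] < MIN_INSTALLS:
        problems.append(f"only {info['active_installs']} active installs")
    if major_minor(info["tested"]) < major_minor(current_wp):
        problems.append(f"tested up to {info['tested']}, site runs {current_wp}")
    return problems

# Constructed sample records (not real plugins or real API responses).
SAMPLES = [
    {"slug": "example-maintained", "last_updated": "2024-05-20 8:15am GMT",
     "active_installs": 400000, "tested": "6.5.3"},
    {"slug": "example-abandoned", "last_updated": "2022-11-02 3:40pm GMT",
     "active_installs": 900, "tested": "6.1"},
]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the output is reproducible
    for plugin in SAMPLES:
        issues = vet_plugin(plugin, "6.5", today)
        print(plugin["slug"], "OK" if not issues else "; ".join(issues))
```

A plugin that passes all three checks can still be compromised later, as the Display Widgets case shows, so the check is worth re-running on already-installed plugins and not only at install time.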

What's the worst that can happen if you install a poorly supported theme or plugin?

In 2017 I was using the Display Widgets plugin for a number of websites. When running updates on those websites, I noticed one would not update, and after some research discovered there had been a vulnerability detected with this plugin by David Law, who reported the flaw. It turned out the plugin had been bought by another company who had allowed security holes into the software, which had led to many sites becoming compromised with malicious code publishing spam on a number of WordPress websites. Here’s the whole story of how the vulnerability was discovered and action taken on this plugin: https://www.wordfence.com/blog/2017/09/display-widgets-malware

WordPress is now the most widely used website platform, so many owners and developers are invested in the secure and smooth working of WordPress. Therefore there are millions of developers worldwide who can spot security issues with plugins if they’re using them. Unlike Drupal, whose modules are peer-reviewed before release, the security of WordPress plugins is reliant on people spotting issues after release onto their platform ready for install. Luckily with Display Widgets, which I removed from the affected sites we look after, no site became a victim of the vulnerability. It does however highlight that you need to install your plugins and themes with caution and care, and keep their security up to date. Wordfence is a good plugin to keep you alert to problems if they occur; if they do, you need to take action immediately.

If you would like an expert to take all this worry off your hands, talk to us.