Chris

Lee

Content

Copywriting

Design

Stop relying on plugins for everything


November 12, 2018

I believe WordPress plugins should be used very sparingly, for three reasons:

  • Your backend is easier to manage
  • Your site is less vulnerable to disruption
  • You learn more

Your site is easier to manage.

This is the Plugins page of my site’s WordPress backend:

It all fits on one page. The orange box contains all my plugins: four.

This is the Plugins page of a client’s WordPress backend after I have already uninstalled some:

The orange box doesn’t fit on one page. There are over 20 plugins. The red box at the top, absent on my site, contains distracting prompts from various plugin creators, requesting either reviews or investment for more features.

If any of these plugins break, part of the site’s functionality will be disrupted. Each additional plugin boosts the risk of this happening.

Your site is less vulnerable.

I consider each of the prompts to be disruptive to workflow, so the fewer of those the better.

But WordPress plugins can present serious security vulnerabilities too, especially when they’re not kept up to date. If a webmaster doesn’t update their plugins often, the site becomes more and more vulnerable.

How can a plugin be a security vulnerability?

The list of hacked, dangerous, and vulnerable WordPress plugins over at firstsiteguide lists five main vulnerabilities and exploits. Here they are with a brief intro:

  • Arbitrary file viewing: improper coding lets an attacker view the source of any file on your site, rather than just plugin files.
  • Arbitrary file upload: again, improper coding lets the attacker upload any type of file rather than just the intended ones (images, etc). This means they can upload anything into your site files, including executable code which can wreak all manner of havoc.
  • Privilege escalation: attackers can grant themselves a higher user level, meaning they have admin access to your site. From here they can unleash mayhem.
  • SQL injection: attackers can delete, update, or insert entries into your site’s database. This is where everything about your site is stored: the content, the settings, the configurations. A malicious attacker can irreversibly destroy everything.
  • Remote code execution: allows the attacker to do any of the above, remotely.

As you can see this is  pretty severe. Your site can be hijacked, deleted, compromised, or disrupted in various other ways. Often these attacks are hard to reverse, as your admin access to the site will likely be deleted.

The longer a plugin has not been updated, the more likely it is that security vulnerabilities it may have had will have been found and utilised.

Each plugin multiplies the risk of this happening. The most vulnerable and most hacked WordPress plugins are listed in the guide I already linked to.

Why does updating plugins help?

Hopefully by now you’re not asking yourself “should I update my WordPress plugins?” any more. The answer is yes.

Asking why is fair enough, though.

Think of it as a game of cat and mouse: a plugin developer releases their plugin into the world. Honest users download and install it. Over time, issues become apparent, users report them, and the developer fixes them.

Then they release an updated version with these fixes built in.

Anyone downloading after this point has the newest version which (hopefully) has all known bugs fixed. Diligent users who update their previous versions also have these fixes. Lazy users don’t, and they are still exposed to these bugs.

Not all bugs will be security vulnerabilities, but if they are and you don’t update, you’re still exposed to them. And the longer the bug has been around, the more likely there are bad eggs out there just waiting to exploit it.

What does a WordPress hack look like?

I’ve seen a client site hacked and replaced with a parking page promoting ISIS, something along the lines of the below:

I’ve also seen tons of pornographic content tucked away on pages of the client site that weren’t linked to from the top nav, or anywhere else on site. Meaning they were effectively invisible.

You learn more

This is my favourite reason.

A plugin is designed to do something for you. Whether it’s something incredibly elaborate like creating a functional contact form and hooking it up via SMTP to your email account, or something ridiculously easy like changing the colour of your links.

Each time you install a plugin you deny yourself the opportunity to learn a new skill.

Fair enough if you’re a webmaster who just wants to get their site up and running.

BUT, if you are advertise as a  web designer and you rely on plugins to achieve all of the functionality on sites you build, I think this is dishonest.

There are obviously plugins that are fair game: WooCommerce for example. Or Contact Form 7. These are big name players who update often and offer functionality that is hard to replicate.

I fully welcome people to disagree with me and say either “hey, plugins are fine, leave me alone” or “WooCommerce? HA! Learn to code it yourself you lazy f*ck”.