These days the websites on the internet comprise a large number of WordPress websites; over 37% of the total websites on the internet are WordPress websites alone. This is a staggering number, as there are several web technologies that are available, but WordPress has become the choice of so many people. While this is good for standardization of content management systems and for developing standard practices for management of websites, it also makes WordPress websites a target for cyberattacks.
One of the major routes through which attacks on WordPress websites take place is plugins. Plugins on WordPress can be installed from the WordPress marketplace or using zip files. The developers can also develop their own plugins and install them on the sites. The problem arises when a malicious agent modifies any established plugin in such a way that it allows the agent to access the websites on which the plugin has been installed. This access is unauthorized and grants the attacker a backdoor to the website. Using this backdoor, the attacker can pretty much do anything they want: launch ransomware attacks, make the site go down, or steal sensitive data.
The plugins on the WordPress marketplace used to be considered safe, and the plugins installed using zip files or downloaded from questionable or pirate sites used to be malicious. However, this has changed in recent times. Even plugins from the official WordPress marketplace could be compromised. Through this article I am trying to bring to attention the fact that even WordPress marketplace plugins can affect the websites in a negative way.
Installing compromised plugins or even letting plugins update themselves automatically could also grant backdoors to attackers. Hence, we developers and cyber security and dev ops operatives have to be careful even when installing plugins from the official sources.
But how can we be careful? I have found that there are many WordPress plugin watch services that can be used every time we try to install any plugin on our WordPress websites. We can just enter the plugin name with the version that we are trying to install, and the plugin watch services will be able to inform us whether the plugin has been compromised or not. It seems that these websites are using data from past attacks to detect whether any particular version of any particular plugin has been compromised or not. Here are a few I will suggest:
1. Wordfence Plugin Vulnerability Reporter
2. Patchstack Plugin Vulnerability Database
There may be several other such services that may help us detect plugin vulnerabilities before we install them on our websites. I know that it is a lengthy process to first check the plugin and then install and use it on our sites, but having dealt with many hacked and malware-ridden WordPress sites, I will say for sure that the extra steps are worth it. Thank you for reading.
There may be several other such services that may help us detect plugin vulnerabilities before we install them on our websites. I know that it is a lengthy process to first check the plugin and then install and use it on our sites, but having dealt with many hacked and malware-ridden WordPress sites, I will say for sure that the extra steps are worth it. Thank you for reading.
Ayush Raj 
Leave a comment