Securing Your Plugins, Themes, and Services

Securing Your Plugins, Themes, and Services

Continued from part 1 of our 2 part WordPress security series.

For web scribblers who use WordPress, security should always come first since news of exploited vulnerabilities crop up with intensifying frequency. WordPress powers 74.7 million websites and is officially the world’s most popular – and most targeted – content management system. So, high ROI of a single WordPress exploit drives hoards of script kiddies to target the platform.

If it isn’t a wordpress vulnerability that sends shock waves through the community, it’s the plugins’ security holes. So WordPress security experts urge all bloggers to install updates to their plugins as soon as they are released.

With that in mind, let’s see how you can protect your blog against Vulnerabilities in third-party plugins and services.

Validating Plugins

WordPress plugins are thoroughly vetted for Malware before they make it to the repository. But plugins aren’t perfect – security weaknesses can be found in any utility. Treating plugin updates as a low-priority routine is a big mistake since a single unpatched hole can lead to your entire blog getting hijacked.

Things to consider before installing any third-party plugin:

  • Availability of credible user reviews and high rating.
  • Avoid new plugins, as well as those with few installs.
  • Study plugin documentation – is it thorough, detailed, and polished?
  • Opt for plugins from developers with a positive track record of releasing solid work.

Steering Clear of Malvertising

Many blogs monetize their traffic through third-party ads. Unfortunately, some ad services spread malicious code. If your readers find out your blog spreads malware, it’s not your ad service they’re going to blame, but you. And few things are worse than getting caught spreading malware. You can lose your readers and get punished by Google big time. So you need to make sure your ads aren’t malvertising on your behalf.

Here is how:

  • Use only established ad services like Google AdSense or Bing Ads.
  • Install an internal security monitoring solution (i.e., Sucuri, WordFence). That way, even if a popular ad network is infested through an unknown vulnerability, your monitoring solution would identify the malicious code faster than your ad provider.
  • Stay on top of the security news and updates.
  • Be vigilant – if you suspect something is off, deal with it ASAP even if it means taking down your ads until the issue is solved. You may lose a few dollars, but if your ads are spreading malware, you will lose your traffic and reputation.

Potentially Harmful Utilities

Just like you only should install mobile apps and Steam games from legitimate repositories, you want to stick to the official WordPress repository for your plugins and themes.

The Internet abounds in lucrative offers of popular “premium plugins for free,” but the websites giving away such freebies are major malware distributors. These premium plugins were hacked; a malicious code was injected. Whenever you get a premium plugin for free, you voluntarily infect your blog with a virus that’s going to hit you or your users.

So, do yourself a favor and only download plugins and themes from the official WordPress library, and steer clear of offers that sound too good to be true.

Less Is Better

When it comes to plugins, less is better. But many bloggers – especially novices – rush to beef up their sites with a gazillion plugins with fantastic functionality.

The accessibility of plugins almost makes it seem irrational to stick to the necessary minimum only. And yet, you should hold your horses.

A multitude of plugins isn’t conducive to security, nor is it necessary for the smooth operation of your blog. The more plugins you install, the more they chip away from your site’s performance and responsiveness. From the security perspective, each plugin is a security risk with holes yet to be uncovered and patched.

Finally, an excess of plugins makes blog maintenance an updates overkill, and you might skip installing important patches.

Maintenance Tips

Now that you’ve configured your blog properly and installed your utilities, you need to account for maintenance. Things get broken, outdated, or compromised. So you can’t neglect nor underestimate the importance of thorough maintenance and monitoring of your WordPress blog.

  • Uninstall Outdated Plugins

Outdated plugins and WordPress installations contain known vulnerabilities that are patched in the newer versions.

If your plugins don’t get frequent updates or aren’t tested with the current WordPress version, it is always a bad sign. Uninstall them and replace with up-to-date plugins with similar functionality. There’s ample selection of plugins on WordPress repository.

  • Keep It Clean

As your blog grows some muscle, you will add and remove content, plugins, themes, and whatnot. Keeping things tidy – and secure – is a matter of deleting everything you no longer use.

Inactive themes and plugins not only take up space and consume resources but also represent a security risk. Even if you deactivate a plugin, it’s still on your server and hackers can run a script to exploit its vulnerabilities. Instead, delete unneeded plugins completely.

WordPress security is not rocket science but a matter of not ignoring what every single security expert is saying – update! Even Equifax owes its hack to an unpatched vulnerability. So, be vigilant and don’t let small things escape you!

Endpoint Security And Disaster Preparedness

Setting up a secure password for your admin dashboard is a tactic that sets you on the right track to a robust WordPress security. But one smart tactic, or a combination of tweaks and plugins, won’t get you far.

You need to have a security strategy that not only oversees most attack vectors but also allows you to mitigate damage and restore your site quickly in the event of an accidental data loss, breach or a hijack.

Endpoint Security

Securing your WordPress blog requires more than just watertight backend protection, timely updates of the WordPress core and plugins, or an internal monitoring system. One of the frequently overlooked breach points in your blog’s security perimeter is your endpoint device.

WordPress makes it possible to access your admin dashboard from many devices such as computers, laptops, smartphones, and tablets. Losing any of the devices you use to access your blog, or having them hacked, means exposing your blog to great risks.

So you need to exercise appropriate precautions and account for endpoint security.

Endpoint Security Tips:

  • Secure your devices by using a strong PIN or password, and enabling two-factor authentication to unlock your device such as biometric ID, if possible.
  • Set your devices to auto-lock after a set time on idle.
  • Don’t access your WordPress backend from public computers, as these often are riddled with spyware and keyloggers. Likewise, their browsers can be configured to automatically store your login credentials, in which case you’d be giving away your login details to an awful lot of strangers using the computer after you.
  • Don’t check your email from public computers, either, for the same reasons. Your email is vital to your WordPress security – anyone gaining access to it could reset your WordPress password.
  • Do not access your WordPress admin dashboard nor your email from public Wi-Fi hotspots, unless you are using a trusted Virtual Private Network (VPN) with robust encryption and OpenVPN protocol.
  • Only install apps and games on your smartphone from the official app store.

Disaster Preparedness

Hope for the best but prepare for the worst. Assume that, even with the latest updates and the best of manual tweaks, there is a vulnerability that escaped your scrutiny.

When the worst happens, do you have the backups to fall back to, or do you know where they are? Are they even current? How long will your blog be down while you mitigate the damage? What if your hosting provider goes out of business suddenly? Or you just lose data by accident?

When you know the answers to all these questions, you have a security strategy.

Disaster Preparedness Tips:

  • Have a plan. Break down a huge task of restoring your blog from a hack/accident/act of God into smaller, digestible chunks.
  • Consider having a failover service that would redirect your traffic while your blog is down.
  • Have a temporary notification page you can display to your readers telling them that you won’t be down for long.
  • Be ready to start and restart your blog’s services, such as your database and web service, if needed.

WordPress Backups

Without a current backup on hand, you’ll have to clean your blog manually or pay someone to do it for you. On the other hand, if your web hosting gets compromised, there’s little you can do but move to another hosting service. In this case, a current backup is also crucial. An ideal backup tactic would be to combine several backup storage locations so that if one location gets compromised, you can always use the alternative source.

Likewise, backups should be incremental and automatic. When your backups are current and readily available, you will restore your data and re-deploy your blog almost immediately, with minimum downtime. On the contrary, a slow recovery from a hack could have a negative SEO impact on your blog’s rankings, organic search traffic, and revenue.

Backup Tips:

  • Have a plan and a step-by-step “note to self” on where your backups are, and how to restore them quickly.
  • Automate your backups. Manual backups aren’t reliable as you will inevitably forget to backup at some point.
  • Schedule backups to run during hours with the lowest traffic since backups can consume a lot of system resources.
  • Check up on your scheduled backups. If you run out of storage space, backups could fail. A gazillion of other things could cause a backup failure, so be vigilant.
  • Have incremental backups – daily, weekly, and monthly you can fall back on in case disaster happens. There are too many unknowns in a disaster equation, and having ample backups to restore from is a key to minimizing downtime.
  • Have multiple backups stored in various places such as with your web host and a secondary service, or even locally on your hard drive or external drive.

Backup Options:

  • Most web hosting providers offer native backup solutions. Use that as a secondary backup storage. Note that, with some providers, you may need to set up your backups manually, especially with the Virtual Private Server systems (VPS).
  • Cloud-based backups are efficient since they can be automated and convenient to restore from, especially with the native WordPress cloud backups available as a part of the WordPress Security plugin.
  • Internal monitoring systems like Sucuri and Wordfence also let you set up and manage your backups.

Wrapping Up

The WordPress threat landscape is continuously changing, so you need to be on top of the security best practices, expert findings, patch releases, and community discussions. In other words, be proactive, not reactionary.

By securing your blog properly, you will be able to develop a solid reputation, build traffic faster and avoid costs associated with site cleaning and recovery after a hack.

That’s it. Hope this helps.

By Alex Grant

Money Big Data

How Bitcoin Brought The Lightning Network To El Salvador

The Lightning Network El Slavador made waves last month after becoming the first country to adopt bitcoin as legal tender. El Salvador’s Congress voted by a “supermajority” in favor of the Bitcoin Law which states, ...
Anita Raj

A Winning Data Strategy Series Part 4: Are Your Data-driven Insights Driving Business Results?

Are your data-driven insights driving business results? This is the fourth piece of a 5-part series on plugging the obvious but overlooked gaps in achieving digital success through a refined data strategy. How would you ...
Security Cloud

The Problem with Cyberhygiene

Cyberhygiene Dangers It is a quirk of human nature that we have a hard time contemplating abstract notions of danger, especially when it is introduced to us by others. In the simplest of examples, imagine ...
Gary Taylor

5 Reasons Why Virtual Desktop Infrastructure Will Go Mainstream Post 2020

Virtual Desktop Infrastructure Growth Virtual Desktop Infrastructure (VDI) technology enables remote users to access their desktop from anywhere using an internet connection. This technology has been around for a couple of decades but never received ...
Business Voip

Cloud Governance Best Practices & How “Legacy Governance” Hurts

Cloud Governance Best Practices The cloud can provide your organization with substantial benefits -- if you adopt an effective cloud governance model. Businesses established before the cloud era (or those that took their IT governance ...


The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Smartproxy


    Smartproxy is a rising star in the constantly growing proxy market. Smartproxy offers awarded customer service, impressive performance, and is serious about your anonymity (yes, cybersecurity matters). The latest features developed by Smartproxy are 30 minute long sticky sessions and Google Proxies. Rumor has it, the latter guarantee 100% success rate

  • Bright Data

    Bright Data

    Bright Data’s network is one of the most robust of its kind globally. Here are its stark advantages: Extremely stable connection for long sessions (99.99% uptime guaranteed). Free to integrate with our Proxy Manager which allows you to define custom rules for optimized results. Send unlimited concurrent requests increasing speed, cost-effectiveness, and overall efficiency.

  • Rsocks


    RSocks team offers a huge amount of residential plans which were developed for plenty of tasks and, most importantly, has been proved to be quite efficient. Such variety has been created on purpose to let everyone choose a plan for a reasonable price, online, rotation and other parameters.

  • Storm Proxies

    Storm Proxies

    Storm Proxies' network is optimized for high performance and fast multi-threaded tools. You get unlimited bandwidth. No hidden costs, no limits on bandwidth. Try Storm Proxies 100% Risk Free. If you are not happy with the service email us within 24 hours of purchase and we will refund you.