Every plugin you install is a trust decision. You're giving a third-party developer the ability to run arbitrary PHP code on your server, with full access to your database and filesystem. Most plugins are safe. But the risk is real, and it compounds with every plugin you add.
The supply chain problem
WordPress has over 60,000 plugins in the official repository. The quality varies enormously:
- Many plugins are abandoned — last updated 3+ years ago, no longer compatible with current WordPress, and never patched when vulnerabilities are discovered
- Some plugins are acquired by new owners (sometimes bad actors) who inject malware into an update
- Popular plugins with millions of installs can have critical vulnerabilities that sit unpatched for weeks or months
A compromised plugin update is particularly dangerous because WordPress auto-updates plugins by default — meaning malware can land on your server without you doing anything. To understand just how deeply malicious code can embed itself, read about how malware hides inside WordPress plugins.
How to vet a plugin before installing
Check the last updated date
A plugin last updated 2+ years ago is a risk. Security vulnerabilities in PHP libraries and WordPress core APIs accumulate over time. If the developer isn't actively maintaining it, those vulnerabilities won't be patched.
Rule of thumb: Don't install plugins that haven't been updated in the last 12 months unless you can review the source code yourself.
Check the active install count and support forum
High install counts and an active support forum are positive signals. A plugin with 500,000 installs and regular forum activity is likely being actively maintained.
Look for how quickly the developer responds to security reports in the support forum.
Search WPScan and CVE databases
Before installing any plugin, search wpscan.com/plugins for its name. This database catalogues known vulnerabilities with severity ratings, affected versions, and patch status.
WO Security Shield integrates with the WPScan vulnerability database and alerts you automatically when a plugin you have installed has a known CVE.
Review the plugin's permissions
Does a simple contact form plugin need file_get_contents(), exec(), or system() calls? Check the source code for functions that have no business being in that type of plugin.
```php
// Red flags in plugin source code
exec( $user_input );                  // Command injection risk
eval( base64_decode( $data ) );       // Classic malware pattern
file_put_contents( $path, $content ); // Arbitrary file write
```
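Grepping for these names is noisy because they also appear in comments and strings, and it misses nothing more than a regex does. The script below is an added example written for this article (it is not WordPress or WO Security Shield code): it walks the PHP token stream of every file in a plugin directory and reports only real call sites of the functions above plus the usual command-execution, obfuscation and file-write helpers. The function list, the output format and the `plugin-audit.php` name are this example's own choices.

```php
<?php
// plugin-audit.php: list call sites of high-risk PHP functions in a plugin directory.
// Added example for this article; not part of WordPress or WO Security Shield.
// Usage: php plugin-audit.php /path/to/wp-content/plugins/some-plugin
//
// It walks the token stream instead of grepping, so names that only appear in
// comments or string literals are not reported. Dynamic calls such as
// $f = 'ex' . 'ec'; $f($cmd); are NOT caught, so a clean run is a screening
// result, not a guarantee of safety.

declare(strict_types=1);

// Functions that rarely belong in a form, gallery or SEO plugin (list chosen for this example).
const RISKY_FUNCTIONS = [
    'exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen', // command execution
    'eval', 'assert', 'create_function',                              // code execution
    'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13',        // common obfuscation helpers
    'file_put_contents', 'file_get_contents', 'move_uploaded_file', 'unlink', // file access
    'curl_exec', 'fsockopen',                                         // raw network access
];

/** Nearest token before ($step = -1) or after ($step = +1) index $i that is not whitespace or a comment. */
function neighbour_token(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** One ['file', 'line', 'function'] entry per call-style use of a risky function in $source. */
function find_risky_calls(string $source, string $file): array
{
    $hits   = [];
    $tokens = token_get_all($source);

    // eval is a language construct with its own token; on PHP 8 a call such as
    // \exec() arrives as a single fully qualified name token.
    $name_tokens = [T_STRING, T_EVAL];
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $name_tokens[] = T_NAME_FULLY_QUALIFIED;
    }
    // $obj->exec(), $obj?->exec(), Foo::exec() and "function exec()" are different symbols.
    $skip_after = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {
        $skip_after[] = T_NULLSAFE_OBJECT_OPERATOR;
    }

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || !in_array($tok[0], $name_tokens, true)) {
            continue;
        }
        $name = ltrim(strtolower($tok[1]), '\\');
        if (!in_array($name, RISKY_FUNCTIONS, true)) {
            continue;
        }
        $prev = neighbour_token($tokens, $i, -1);
        if (is_array($prev) && in_array($prev[0], $skip_after, true)) {
            continue;
        }
        if (neighbour_token($tokens, $i, +1) !== '(') {
            continue; // a bare word (array key, constant) is not a call
        }
        $hits[] = ['file' => $file, 'line' => $tok[2], 'function' => $name];
    }
    return $hits;
}

/** Scan every .php file under $dir and return the combined findings. */
function scan_plugin_dir(string $dir): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $info) {
        if (strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        $source = file_get_contents($info->getPathname());
        if ($source !== false) {
            $hits = array_merge($hits, find_risky_calls($source, $info->getPathname()));
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hits = scan_plugin_dir($argv[1]);
    foreach ($hits as $h) {
        printf("%s:%d  %s()\n", $h['file'], $h['line'], $h['function']);
    }
    printf("%d risky call(s) found\n", count($hits));
    exit($hits === [] ? 0 : 1);
}
```

Read the output against what the plugin claims to do: `file_get_contents()` in a plugin that renders templates is normal, `exec()` in a contact form is not. A non-zero exit code makes the script easy to wire into a pre-deploy check.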
Managing plugins you already have
Audit your installed plugins quarterly
Go to Plugins → Installed Plugins and look at the "Last updated" column. Remove anything you don't actively use: an inactive plugin's files are still on disk and still reachable by URL, so it remains attack surface until it is deleted.
Enable vulnerability alerts
WO Security Shield scans your installed plugins against the WPScan CVE database on every scan and sends an immediate alert when a new vulnerability is disclosed for anything you have installed.
Keep auto-updates on — but monitor them
Auto-updates protect you from known vulnerabilities being exploited at scale. The risk of a supply-chain attack via a malicious update is real but rare. The risk of running a plugin with a known unpatched critical vulnerability is much higher.
Enable auto-updates and use WO Security Shield's file integrity monitoring to detect unexpected file changes after any update.
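A minimal version of that post-update integrity check, as an added example for this article (not WordPress or WO Security Shield code): a must-use plugin that records a SHA-256 baseline of each plugin's files whenever WordPress itself updates the plugin, then compares the files against that baseline once a day. Any change that did not arrive through the updater is reported by e-mail and to the PHP error log. The option name, cron hook name, function names and file name are this example's own choices; the `upgrader_process_complete` hook and its `hook_extra` keys are WordPress core's.

```php
<?php
/**
 * Plugin Name: Plugin Update Ledger
 * Description: Added example for this article (not WordPress or WO Security Shield code). Logs every plugin update and keeps a SHA-256 baseline of each plugin's files so a daily check can flag changes that did not arrive through an update.
 *
 * Install as wp-content/mu-plugins/plugin-update-ledger.php; must-use plugins
 * load on every request and cannot be deactivated from the dashboard.
 * Seed the baselines once with:  wp eval 'pul_baseline_all();'
 */

defined('ABSPATH') || exit;

const PUL_BASELINE_OPTION = 'pul_plugin_baselines';      // option name chosen for this example
const PUL_CRON_HOOK       = 'pul_daily_integrity_check'; // cron hook name chosen for this example

/** Map of relative path => sha256 for every file of the plugin identified by $plugin_file ("slug/main.php"). */
function pul_hash_plugin(string $plugin_file): array
{
    if (dirname($plugin_file) === '.') {               // single-file plugin directly in wp-content/plugins
        $path = WP_PLUGIN_DIR . '/' . $plugin_file;
        return is_file($path) ? [$plugin_file => hash_file('sha256', $path)] : [];
    }
    $dir = WP_PLUGIN_DIR . '/' . dirname($plugin_file);
    if (!is_dir($dir)) {
        return [];                                     // plugin deleted: every baseline entry shows as removed
    }
    $hashes = [];
    $iter   = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $info) {
        $rel          = substr($info->getPathname(), strlen($dir) + 1);
        $hashes[$rel] = hash_file('sha256', $info->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Paths that were added, removed or changed relative to $baseline. */
function pul_diff(array $baseline, array $current): array
{
    $changed = [];
    foreach ($current as $path => $hash) {
        if (isset($baseline[$path]) && $baseline[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

/** Store fresh baselines for the given plugin files and note why. */
function pul_store_baselines(array $plugin_files, string $why): void
{
    $baselines = get_option(PUL_BASELINE_OPTION, []);
    foreach ($plugin_files as $plugin_file) {
        $baselines[$plugin_file] = pul_hash_plugin($plugin_file);
        error_log(sprintf('[plugin-ledger] baseline for %s refreshed (%s)', $plugin_file, $why));
    }
    update_option(PUL_BASELINE_OPTION, $baselines, false); // autoload=false: only loaded when needed
}

/** One-off seeding of baselines for every installed plugin (run via WP-CLI). */
function pul_baseline_all(): void
{
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    pul_store_baselines(array_keys(get_plugins()), 'initial seed');
}

/**
 * upgrader_process_complete fires after manual, bulk and automatic updates.
 * A single update passes hook_extra['plugin']; a bulk update passes hook_extra['plugins'].
 */
function pul_on_upgrade($upgrader, array $hook_extra): void
{
    if (($hook_extra['type'] ?? '') !== 'plugin' || ($hook_extra['action'] ?? '') !== 'update') {
        return;
    }
    $files = $hook_extra['plugins'] ?? (isset($hook_extra['plugin']) ? [$hook_extra['plugin']] : []);
    pul_store_baselines((array) $files, 'update');
}
add_action('upgrader_process_complete', 'pul_on_upgrade', 10, 2);

/** Daily job: report drift that did not come through the updater. */
function pul_daily_check(): void
{
    foreach (get_option(PUL_BASELINE_OPTION, []) as $plugin_file => $baseline) {
        $diff = pul_diff($baseline, pul_hash_plugin($plugin_file));
        if (!array_filter($diff)) {
            continue;                                  // nothing added, removed or changed
        }
        $msg = sprintf("Plugin %s changed outside of an update:\n%s", $plugin_file, wp_json_encode($diff, JSON_PRETTY_PRINT));
        error_log('[plugin-ledger] ' . str_replace("\n", ' ', $msg));
        wp_mail(get_option('admin_email'), 'Plugin file drift on ' . home_url(), $msg);
    }
}
add_action(PUL_CRON_HOOK, 'pul_daily_check');
add_action('init', function (): void {
    if (!wp_next_scheduled(PUL_CRON_HOOK)) {
        wp_schedule_event(time(), 'daily', PUL_CRON_HOOK);
    }
});
```

Because the baseline is refreshed by the updater itself, a malicious update is not caught by this check; what it does catch is the follow-on activity (a dropped backdoor, an edited file) and any tampering between updates. Pair it with a review of what each update changed, which is the point of keeping the change log readable.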
The two-plugin minimum rule
Every plugin you add multiplies your attack surface. Before installing a new plugin, ask:
- Can I achieve this with native WordPress functionality?
- Can I achieve this with a plugin I already have installed?
- Is this plugin actively maintained?
If the answer to all three is no, don't install it.
For a broader look at how attackers exploit update channels to distribute malware at scale, see our analysis of WordPress supply chain attacks. Plugin security is a continuous practice, not a one-time audit. WO Security Shield automates the monitoring so you're always notified when something in your plugin stack becomes a liability.
Real-World Plugin Compromise Timeline
Understanding how plugin compromises actually happen helps you recognise the warning signs:
- Month 1: Developer creates useful plugin, gets 10,000+ installs
- Month 6: Developer loses interest, stops maintaining it
- Month 12: Someone offers to "buy" the plugin for $5,000-$20,000
- Month 13: New owner pushes an "update" containing malware
- Month 13: 10,000 sites auto-update and get infected
This isn't hypothetical — it happens multiple times per year in the WordPress ecosystem. The plugin repository doesn't notify users when plugin ownership changes.
Plugin Vetting Scorecard
Use this scoring system before installing any plugin:
| Criterion | Score | How to check |
|---|---|---|
| Last updated within 6 months | +2 | Plugin page on wordpress.org |
| 1,000+ active installs | +1 | Plugin page stats |
| 10,000+ active installs | +2 | Plugin page stats |
| Responds to support tickets | +2 | Check the support forum |
| No known vulnerabilities | +2 | Search WPScan and Patchstack databases |
| Open source / viewable code | +1 | Check if source is on GitHub |
| From a known company/developer | +1 | Research the author |

- Score 7+: Safe to install
- Score 4-6: Proceed with caution
- Score 0-3: Find an alternative
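The first three rows of the scorecard (last update, install count, support activity) can be read straight from the wordpress.org plugin API, which also makes the quarterly audit described earlier repeatable. The script below is an added example for this article (not WordPress or WO Security Shield code): run it with `wp eval-file vet-plugins.php` from the site root and it scores every installed plugin. It assumes the `plugins_api()` response carries `last_updated`, `active_installs`, `support_threads` and `support_threads_resolved`, reads the two install rows cumulatively (+1 at 1,000 and a further +2 at 10,000), and uses "at least half of support threads resolved" as its stand-in for "responds to support tickets". The vulnerability-database, public-source and known-developer rows are manual checks passed in as flags.

```php
<?php
/**
 * vet-plugins.php: score every installed plugin with the scorecard above using
 * data from the wordpress.org plugin API. Added example for this article, not
 * part of WordPress or WO Security Shield.
 *
 * Run from the site root with WP-CLI:  wp eval-file vet-plugins.php
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

/**
 * Apply the scorecard to one plugin. $info is the object plugins_api() returns;
 * the field names used here are the ones this example assumes the API reports.
 * $manual carries the three checks that need a human: no_known_vulns,
 * source_public, known_developer.
 */
function vet_score(object $info, array $manual): array
{
    $score   = 0;
    $reasons = [];

    // last_updated is a date string such as "2024-10-31 2:10pm GMT" (assumed format).
    $updated = strtotime((string) ($info->last_updated ?? ''));
    if ($updated !== false && $updated >= strtotime('-6 months')) {
        $score += 2; $reasons[] = 'updated within 6 months (+2)';
    } else {
        $reasons[] = 'last update older than 6 months or unknown (0)';
    }

    // Both install rows apply once the higher threshold is met.
    $installs = (int) ($info->active_installs ?? 0);
    $points   = ($installs >= 1000 ? 1 : 0) + ($installs >= 10000 ? 2 : 0);
    $score   += $points;
    $reasons[] = "{$installs} active installs (+{$points})";

    // Heuristic for "responds to support tickets": at least half of the threads resolved.
    $threads  = (int) ($info->support_threads ?? 0);
    $resolved = (int) ($info->support_threads_resolved ?? 0);
    if ($threads > 0 && $resolved / $threads >= 0.5) {
        $score += 2; $reasons[] = "{$resolved}/{$threads} support threads resolved (+2)";
    } else {
        $reasons[] = "{$resolved}/{$threads} support threads resolved (0)";
    }

    foreach (['no_known_vulns' => 2, 'source_public' => 1, 'known_developer' => 1] as $key => $pts) {
        if (!empty($manual[$key])) {
            $score += $pts; $reasons[] = "{$key} (+{$pts})";
        }
    }

    $verdict = $score >= 7 ? 'safe to install' : ($score >= 4 ? 'proceed with caution' : 'find an alternative');
    return ['score' => $score, 'verdict' => $verdict, 'reasons' => $reasons];
}

// Constructed defaults: set these per plugin once you have done the manual checks.
$manual = ['no_known_vulns' => false, 'source_public' => false, 'known_developer' => false];

foreach (get_plugins() as $plugin_file => $data) {
    // The wordpress.org slug is normally the plugin's directory name (assumption).
    $slug = dirname($plugin_file) === '.' ? basename($plugin_file, '.php') : dirname($plugin_file);
    $info = plugins_api('plugin_information', [
        'slug'   => $slug,
        'fields' => ['active_installs' => true, 'last_updated' => true,
                     'support_threads' => true, 'support_threads_resolved' => true],
    ]);
    if (is_wp_error($info)) {
        // Not on wordpress.org (premium or custom plugin): no public data, review by hand.
        printf("%-40s not on wordpress.org (%s)\n", $plugin_file, $info->get_error_message());
        continue;
    }
    $r = vet_score($info, $manual);
    printf("%-40s %2d  %s\n    %s\n", $plugin_file, $r['score'], $r['verdict'], implode('; ', $r['reasons']));
}
```

With all manual flags left false the maximum score is 7, so anything that reaches "safe to install" on API data alone is a plugin worth the manual checks, and anything that lands at "find an alternative" rarely needs them.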
How to Monitor Installed Plugins
After installation, ongoing monitoring is just as important as initial vetting:
Watch for These Red Flags
- Plugin is suddenly removed from wordpress.org — This usually means a security issue was discovered. Remove it immediately
- Ownership changed hands — Check the developer name on updates. If it changed, investigate before updating
- Update changelog is vague — Legitimate updates describe what changed. "Performance improvements" with no details is suspicious
- New permissions requested — A contact form plugin suddenly wanting to modify core files is a red flag
- Unexpected outbound connections — Your site suddenly contacting unknown servers after a plugin update
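The last red flag is the one you can instrument directly. WordPress routes plugin HTTP traffic through `wp_remote_get()` and friends, and the `pre_http_request` filter sees every such request before it is sent. The must-use plugin below is an added example for this article (not WordPress or WO Security Shield code): it logs each outbound request together with the plugin, mu-plugin or theme whose code issued it, and can refuse hosts that are not on an allowlist. The allowlist contents, the `OHL_ENFORCE` constant and all function names are this example's own choices. Requests a plugin makes with raw `curl_*` or `fsockopen()` bypass the HTTP API and are not seen here, which is why the source scan earlier looks for those calls.

```php
<?php
/**
 * Plugin Name: Outbound HTTP Ledger
 * Description: Added example for this article (not WordPress or WO Security Shield code). Logs every request made through the WordPress HTTP API with the component that issued it, and optionally blocks hosts that are not on an allowlist.
 *
 * Install as wp-content/mu-plugins/outbound-http-ledger.php.
 * To enforce the allowlist add  define('OHL_ENFORCE', true);  to wp-config.php.
 * WordPress core offers a code-free equivalent of the blocking half:
 *   define('WP_HTTP_BLOCK_EXTERNAL', true);
 *   define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.wordpress.org');
 * This plugin adds the attribution (which plugin made the call) that those constants lack.
 */

defined('ABSPATH') || exit;
defined('OHL_ENFORCE') || define('OHL_ENFORCE', false); // audit-only unless wp-config.php says otherwise

/** Hosts a typical site legitimately talks to (constructed list; extend for your own services). */
const OHL_ALLOWED_HOSTS = ['api.wordpress.org', 'downloads.wordpress.org', 'wordpress.org'];

/** Walk the call stack (innermost first) and name the plugin or theme whose file issued the request. */
function ohl_originating_component(array $frames): string
{
    $self  = wp_normalize_path(__FILE__);
    $roots = [
        wp_normalize_path(WP_PLUGIN_DIR) . '/'    => 'plugin',
        wp_normalize_path(WPMU_PLUGIN_DIR) . '/'  => 'mu-plugin',
        wp_normalize_path(get_theme_root()) . '/' => 'theme',
    ];
    foreach ($frames as $frame) {
        $file = wp_normalize_path((string) ($frame['file'] ?? ''));
        if ($file === '' || $file === $self) {
            continue;                                  // skip empty frames and this plugin's own code
        }
        foreach ($roots as $root => $kind) {
            if (strpos($file, $root) === 0) {
                $first = explode('/', substr($file, strlen($root)))[0]; // directory (or file) under the root
                return $kind . ':' . $first;
            }
        }
    }
    return 'core-or-unknown';
}

/** True when $url's host is an allowed host or a subdomain of one. */
function ohl_host_allowed(string $url, array $allowed = OHL_ALLOWED_HOSTS): bool
{
    $host = strtolower((string) wp_parse_url($url, PHP_URL_HOST));
    if ($host === '') {
        return false;
    }
    foreach ($allowed as $a) {
        $a = strtolower($a);
        if ($host === $a || substr($host, -strlen('.' . $a)) === '.' . $a) {
            return true;
        }
    }
    return false;
}

/**
 * pre_http_request runs before WP_Http sends anything. Returning $preempt (false)
 * lets the request proceed; returning a WP_Error aborts it, which is how we block.
 */
function ohl_pre_http_request($preempt, array $parsed_args, string $url)
{
    $who = ohl_originating_component(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 30));
    $ok  = ohl_host_allowed($url);
    error_log(sprintf('[outbound-http] %s %s -> %s by %s (%s)',
        $parsed_args['method'] ?? 'GET', $url, $ok ? 'allowed' : 'NOT on allowlist', $who,
        OHL_ENFORCE ? 'enforcing' : 'audit only'));
    if (!$ok && OHL_ENFORCE) {
        return new WP_Error('ohl_blocked', 'Outbound request blocked by allowlist: ' . $url);
    }
    return $preempt;
}
add_filter('pre_http_request', 'ohl_pre_http_request', 1, 3);
```

Run it in audit-only mode for a week first: the log tells you which hosts each plugin genuinely needs (licence servers, CDNs, payment gateways), and a plugin update that suddenly adds a new destination shows up as a line you have never seen before. Only then is the allowlist complete enough to enforce.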
Automated Monitoring with WO Security Shield
Rather than checking these manually, WO Security Shield automates plugin security monitoring:
- Scans plugin files against known-good versions after every update
- Alerts you when a plugin is removed from the WordPress repository
- Detects unexpected file changes in plugin directories
- Identifies plugins with known vulnerabilities before they're exploited
