At a recent WP Meetup about database plugins I was faulted for not citing which of the plugins being reviewed had been banned by WordPress or other vendors. Yes, I am aware of banned plugins. But I had never deliberately searched for them. However, a Sucuri note that 78% of hacked websites used WordPress confirmed that knowing more about banned plugins and how to control them was worth the while.
So a search for banned plugins led to an interesting phenomenon. Flywheel, Kinsta, WordPress.com, and WPEngine publish broad lists of banned and disallowed plugins, but the details of the shortcomings are sparse and some of the bans appear to be self-serving. Other lists, such as those from Mediatemple and GoDaddy, have similar shortcomings.
So a thorough review of banned WordPress plugins, plus strategies to identify and control them, became a high priority. The idea was to identify validly banned plugins and advise clients on simple procedures to check for them and correct their usage.
What Are Valid Banned Plugins?
Although we had expected to find a number of banned WordPress plugins, the surprise was that many of the banned plugins were cited not for virus vulnerabilities but for competitive or redundant features and functionality. From the flawed and disallowed plugin lists, one would expect to find the following characteristics:
- Plugins that have been deliberately weaponized with hack trapdoors, tracking codes and/or other malware;
- Plugins that have had major virus vulnerabilities in the recent past;
- Plugins that have not been updated in the past 2 or more years and are therefore more likely to succumb to hack attacks or to conflicts with either the WordPress Core code or fast-moving theme versions and other plugins;
- Plugins that have a poor support record or low ratings at the WordPress.org directory of plugins;
- Advisories on how to identify and control such flawed plugins;
- Strong agreement among the vendors as to which plugins should be banned.
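The "no update in 2+ years", "low rating" and "poor support record" criteria above can be applied mechanically to plugin metadata. The following is an added example (not code from the post): it assumes plugin records shaped like a subset of the WordPress.org plugin information API fields (`last_updated`, `rating` on a 0-100 scale, `num_ratings`, `support_threads`, `support_threads_resolved`), and the sample records and thresholds are constructed for illustration.

```python
"""Flag plugins that fail the 'valid banned plugin' criteria listed above."""
from datetime import datetime, timedelta

# Constructed sample records; the field names mirror a subset of what the
# WordPress.org plugin info API returns (an assumption, not verified here).
SAMPLE_PLUGINS = [
    {"slug": "fresh-plugin", "last_updated": "2020-10-15", "rating": 92,
     "num_ratings": 400, "support_threads": 20, "support_threads_resolved": 18},
    {"slug": "stale-plugin", "last_updated": "2017-03-02", "rating": 88,
     "num_ratings": 50, "support_threads": 5, "support_threads_resolved": 4},
    {"slug": "unloved-plugin", "last_updated": "2020-06-01", "rating": 54,
     "num_ratings": 30, "support_threads": 40, "support_threads_resolved": 3},
]


def audit_plugin(p, today, max_age_days=730, min_rating=70, min_resolved=0.5):
    """Return the list of criteria the plugin fails; an empty list means it passes.

    Rating and support checks are skipped when there is too little data to
    judge (fewer than 10 ratings / fewer than 10 support threads).
    """
    findings = []
    updated = datetime.strptime(p["last_updated"], "%Y-%m-%d")
    if today - updated > timedelta(days=max_age_days):      # 2+ years stale
        findings.append(f"not updated since {p['last_updated']}")
    if p["num_ratings"] >= 10 and p["rating"] < min_rating:  # low directory rating
        findings.append(f"low rating {p['rating']}/100")
    threads = p["support_threads"]
    if threads >= 10 and p["support_threads_resolved"] / threads < min_resolved:
        findings.append(
            f"only {p['support_threads_resolved']}/{threads} support threads resolved")
    return findings


def audit_all(plugins, today_str):
    """Audit every record; today_str is an ISO date such as '2020-11-01'."""
    today = datetime.strptime(today_str, "%Y-%m-%d")
    return {p["slug"]: audit_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, findings in audit_all(SAMPLE_PLUGINS, "2020-11-01").items():
        print(slug, "OK" if not findings else "; ".join(findings))
```

A plugin that fails none of these checks is not thereby safe; the audit only surfaces the neglect signals the list above describes, and vulnerability advisories still need to be consulted separately.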
But in fact, inspection of the recent flawed/banned lists shows only six plugins that have either contained deliberate malware code or have been sloppy in patching major vulnerabilities that hackers have used. In practice, users will have to go to the security vendor blogs at Sucuri or Wordfence in order to keep track of bad plugins and their impact on Core WordPress and other plugins.
Why Plugins Got Banned
When one examines the banned list of plugins, several things stand out:
- First, one would expect to see strong agreement among the vendors as to which plugins were to be banned; but only among the backup and caching group of plugins was there some agreement among vendors on which plugins were to be banned;
- For most of the plugins there was no consensus among the vendors as to which should be banned;
- Only one vendor, Mediatemple, had a large list of deliberately malicious plugins;
- Only one vendor screened plugins for poor support or lack of updates;
- All the vendors faulted many plugins for duplicate features and possible but poorly documented performance issues.
So in compiling banned plugins there were two expectations. First, these vendors would provide a detailed list of plugins to avoid due to their vulnerabilities or malicious code. Second, the lists would yield some guidelines for securing WordPress websites against such plugins and their use. However, even on casual perusal, it became obvious that the vendors were identifying plugins that were redundant because they duplicated their own managed hosting services, especially backup and performance tuning. Talk about disappointment.
How Banned Plugins and Themes Should Be Cited
iThemes produces a free email report on WordPress vulnerabilities, their Roundup Reports. They do not mince words and cite in October alone 13 plugins and 16 themes for becoming outdated or infected. As seen below, their verdicts are sharp:
No ambiguity or self-interest, just vulnerability facts.
DIY Summary
So here are some best practices regarding flawed WordPress plugins; a little DIY work would be required. Here is our list of recommendations gathered during the search for banned plugins:
1 – Use the iThemes Security Roundup Report and check at Sucuri or Wordfence if still in doubt;
2 – Use strong, memorable passwords [they really work and are much easier to remember]. Also, if you have 5 or more passwords, use a password manager which encrypts your passwords in a cloud vault. It used to be good practice to change your passwords once every 6 months or year. Now using a password manager makes quarterly or monthly changes easier to do;
3 – Update your WordPress Core code, plugins and themes regularly. “Regularly” used to be once a quarter if not half a year. Now it is more likely once a month or week. Fortunately, WordPress 5.51 makes this easier. All free plugins and themes can be designated for immediate update as the WordPress Core is. But this leaves out a sizable number of plugins on my websites, so manual updates are required. This immediate update can go awry. For example, when the Advanced Editor Tool (formerly Tiny MCE Advanced) was auto-updated, it conflicted with the Elementor plugin and sent many developers scurrying to find the conflicting plugin.
4 – Use a backup plugin. Yes, most Hosting Services provide some backups. However, being able to schedule, do partial backups, or do on-demand backups is the strength of the WP Backup plugins;
5 – Use a WordPress security firewall on all your websites. These tools not only identify lurking malware that has managed to sneak onto your site, but also defend against DDoS (Direct Denial of Service) and other hack attacks. In addition, the tools harden your website against malicious backdoor incursions. They also fend off attacks with SSL (available as a free service on most hosting services) and other encryption tools. Finally, add a good firewall on all your mobile phones, PCs and other client devices.
Be sure to read the excellent free blogs on WordPress security trends from WebARX, InfoSecurity, Sucuri and Wordfence. These advisories have been timely. For example, in the hack-attack cases on WPBakery [4 million] and Metaslider [800,00 users] as reported in October 2020, my clients got timely cautions;
6 – Never use hacked/nulled premium themes and plugins. These illegitimately "free" themes and plugins are repositories for malware containing hacking trapdoors, hidden tracking readers, and other hack attack tools;
7 – Actively educate your clients and employees on your web security strategies and guidelines. It's just good business.
The bottom line is: do not rely on lists of "banned" plugins for reliable insights on how to tighten WordPress security. Rather, focus on developing your own DIY WordPress security strategy customized for your business. For more detailed security approaches check out CodeinWP, WPBeginner, this blog or Vigorous. Ransomware is proof that criminal hackers will target businesses, small as well as large, to cripple your business for their gain. Be prepared.