I run a WooCommerce site and have installed a bunch of plugins to help with different things—some for small theme changes, others for bigger tasks like handling third-party payments. Most of them have thousands of downloads and high ratings, but I haven’t personally checked their code to make sure nothing shady is going on.
Even if I did, they update all the time, and keeping up with every change would be a full-time job.
Now that my store is picking up, security is a big concern. How do you guys handle this? Do you check every update manually? Just trust the big-name plugins? How do you make sure an update doesn’t sneak in something bad?
@Cedar
I use Wordfence on some of my sites, but maybe I should install it everywhere. Most of my sites don’t handle much data, but they share the same hosting space, so if one gets hacked, the others could be at risk.
@Cedar
If a plugin turns out to be malicious, how do people find out?
On Chrome, for example, bad extensions get disabled automatically. But I don’t think WordPress has anything like that—so how do people know and what happens next?
If you use Jetpack, you might start getting security alerts for bad plugins. Maybe even automatic removals in the future. This could be a big deal, especially for people who don’t know much about plugin security.
@Kameron
Wordfence helps with that. If a plugin is compromised, you’ll get an alert if you have their plugin installed or follow their newsletter.
Yesterday, one of my plugins got pulled from the repo because WordPress is investigating it for security reasons. I uninstalled it right away and found an alternative.
@Cedar
A lot of plugins that get temporarily pulled from the repo aren’t actually dangerous—it could just be a legal issue. We see a lot of takedowns over trademark disputes, for example.
The safest approach is to replace them with custom-built plugins. That way, you only need to audit them once. If you need to add features later, you only review your own code instead of relying on updates from someone else.
Looking at downloads and reviews is a good start. The WordPress community is pretty active, and bad plugins don’t stay hidden for long.
It’s also good to check how often the developer updates the plugin and whether they respond to support requests.
That said, it’s smart to avoid installing too many plugins. As your site grows, you might want to balance plugins with custom development. Keeping an activity log can help too—it lets you see what’s changing on your site and who’s making the changes.
Something that annoys me as a developer is when plugin authors hide their code by removing all the formatting.
For example, I had a frontend issue with a plugin that was completely broken by Yoast. When I tried to check their code to see what was causing the problem, it was a mess on purpose.
That was the last straw for me—I removed Yoast from all 50+ WordPress sites I manage and switched to All-in-One.
I don’t mind paying for tools, but if a company expects my loyalty, they should be transparent too.