Choosing secure plugins can be a challenge but is completely possible.
Plugins are one of the most important, complex, interesting and powerful parts of a WordPress website.
Plugins are also one of the most common ways that WordPress websites are made vulnerable.
Basically, a WordPress plugin is very similar to an app on your phone.
It’s a piece of third-party software that you can choose to install or uninstall on your website in order to receive some extra functionality of some kind.
At the time of writing, there are over 55,000 plugins in the WordPress repository and that doesn’t include plugins that are sold independently. When choosing plugins, we have to make sure that we’re choosing secure ones.
I have a few tips for making sure that any plugin you use is safe.
1. Limit your plugins
Try to limit the plugins you download to ones in the WordPress repository.
All this means is that the plugin has been vetted by a team of people who understand deeply how WordPress works; the ones that make the cut are accepted into the repository. You do not have to pay for any plugin in the repository.
There are some exceptions to this, such as if a plugin company provides a way for you to purchase or download a plugin directly from their website instead. These will usually be paid plugins.
Plugins in the repository will almost always have a way for you to find support, documentation and reviews. You can easily see whether or not a plugin has been updated and what people are saying about it.
Many premium plugins may require you to download them via another website, like I said before, whereas the free version will be available in the repository.
Keep in mind that you can achieve what you need using only free plugins. A paid plugin is not inherently better than a free one!
Downloading a plugin from the repository is also important because unfortunately there are people out there who will resell or redistribute bootleg plugins.
They download and repackage the plugin files but cannot offer support or updates for them, so they are often offering older versions without necessary performance or security patches. That’s why it’s important to always buy directly from the plugin developer.
2. Check recently updated
Only ever download plugins that have been recently updated.
“Recently updated” is somewhat subjective, but a good rule of thumb is to make sure that the plugin has been updated within the last few weeks.
That indicates that someone will probably be available to answer support tickets and that updates have or will include security patches.
Code has to evolve with the internet, and this is especially true of WordPress plugins: WordPress itself changes constantly, and plugins need to change along with it.
If there’s no team updating and supporting the plugin, who knows – maybe the company that made it shut down, or the developer just moved on to new things.
When something goes wrong you’re putting yourself more at risk if there’s no one there to update and support the plugin.
3. Compatibility
Look for the indication that this plugin is compatible with the most recently released version of WordPress.
If it has been tested with the newest core version but not actually updated recently, you should still be okay.
WordPress core updates come up fairly frequently so it’s a good idea to use a plugin that has been tested with that base software.
4. Check reviews
Just like when you’re shopping for anything, check the reviews!
This can be tricky if it’s a new plugin that doesn’t have a lot of reviews, but if a plugin has tons of downloads (in the thousands) and lots of good reviews, you can tell that it’s probably a safe bet to use.
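The four checks above can be applied mechanically to the metadata the WordPress.org repository publishes for every plugin. The following is an added example, not code from the original post: a stand-alone PHP script that scores a plugin record against the "recently updated", "tested with current core" and "downloads and reviews" checks. The record shape follows the public plugins info API (fields such as last_updated, tested, rating, num_ratings and active_installs), but the sample records below are constructed, and the thresholds (60 days, 1,000 active installs, 20 reviews, rating 80/100) are this example's assumptions rather than anything the post prescribes.

```php
<?php
// Added example: vet a plugin's repository metadata against the checks in the
// post. Run with the php CLI; the two records at the bottom are constructed.

declare(strict_types=1);

/**
 * Return a list of findings for one plugin record. An empty list means the
 * plugin passed every check. Thresholds are this example's assumptions:
 * updated within 60 days, tested against the current core major.minor,
 * at least 1,000 active installs, and a rating of 80/100 over 20+ reviews.
 */
function vet_plugin(array $info, string $current_core, DateTimeImmutable $today): array
{
    $findings = [];

    // Check 2: recently updated. The API reports last_updated as a date string.
    $updated  = new DateTimeImmutable($info['last_updated'] ?? '1970-01-01');
    $age_days = (int) $today->diff($updated)->format('%a');
    if ($age_days > 60) {
        $findings[] = sprintf('last update was %d days ago (stale)', $age_days);
    }

    // Check 3: compatibility. "tested" is the newest core version the author
    // tested against. Compare major.minor only, so 6.4.2 counts as tested for 6.4.
    $tested = (string) ($info['tested'] ?? '0');
    if (version_compare(major_minor($tested), major_minor($current_core), '<')) {
        $findings[] = sprintf('tested up to %s, current core is %s', $tested, $current_core);
    }

    // Check 4: adoption and reviews. The API rating is on a 0-100 scale.
    $installs = (int) ($info['active_installs'] ?? 0);
    if ($installs < 1000) {
        $findings[] = sprintf('only %d active installs', $installs);
    }
    $rating  = (int) ($info['rating'] ?? 0);
    $reviews = (int) ($info['num_ratings'] ?? 0);
    if ($reviews < 20) {
        $findings[] = sprintf('only %d reviews, too few to judge', $reviews);
    } elseif ($rating < 80) {
        $findings[] = sprintf('rating %d/100 over %d reviews', $rating, $reviews);
    }

    return $findings;
}

/** Reduce "6.4.3" to "6.4"; pad short strings such as "6" to "6.0". */
function major_minor(string $version): string
{
    $parts = explode('.', $version);
    return implode('.', array_slice($parts + ['0', '0'], 0, 2));
}

// Constructed sample records in the shape of the plugins info API response.
$samples = [
    'well-maintained' => [
        'last_updated' => '2024-03-05 9:47pm GMT', 'tested' => '6.4.3',
        'rating' => 92, 'num_ratings' => 1840, 'active_installs' => 300000,
    ],
    'abandoned' => [
        'last_updated' => '2021-11-02 4:10am GMT', 'tested' => '5.8.1',
        'rating' => 88, 'num_ratings' => 45, 'active_installs' => 9000,
    ],
];

$today = new DateTimeImmutable('2024-03-20');
foreach ($samples as $name => $info) {
    $findings = vet_plugin($info, '6.4.3', $today);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'passes all checks', PHP_EOL;
}
```

With these inputs the first record passes every check, while the second is flagged both as stale and as tested only up to an old core release. The real records can be fetched from the plugins info API for a given slug; the point of keeping the checks in one function is that the same rule set is applied to every plugin you consider, instead of eyeballing the repository page each time.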
Best practices for keeping WordPress plugins secure
So, now that we know how to find good plugins to use and download, we want to make sure that we’re following some best practices to keep them secure over time.
A report conducted by wpscan.org in 2019 showed that, out of 3,972 documented vulnerabilities, 52% were caused by out-of-date or compromised plugins.
Now that doesn’t mean that 52% of all WordPress plugins are unsafe, but it does mean that, out of all the times that WordPress sites became vulnerable within the study, just over half traced back to a problem with a plugin.
The simplest and most straightforward way to prevent these kinds of problems is to update the plugins on your site consistently.
When you log in to your WordPress website, check the left-hand navigation menu – if there’s a number beside the word plugins, that’s the number of plugins that have an update ready for you to grab.
These updates typically mean that there is either a new feature in that new version or there’s a patch or a fix to a problem from a previous version.
It’s not a great idea to set plugins to update automatically or to update them the moment they drop; we’d recommend waiting a day or two and making sure that the new version doesn’t have something wrong with it.
Sometimes a new version has a flaw that isn’t discovered until many people have updated it – this is called a “zero day vulnerability”.
Developers usually cannot provide a patch on the very same day, which is why it’s good to wait a little bit just to make sure – that way, the version that you update to is the best possible version.
You can check sites like wordfence.com, who report on widespread problems and zero day vulnerabilities.
Another best practice for making sure that your plugins don’t cause a problem on your WordPress website is to remove any inactive plugins – they should either be active or deleted.
Inactive plugins don’t add the functionality to your site, but they are still code that exists on your server and can pose a vulnerability if they become out of date.
If you have any really important plugins, like security plugins, it’s a good idea to lock them down using what’s called the mu-plugins folder (short for Must Use).
Plugins in this folder are ones that you don’t want messed with, and it is impossible to delete them from the dashboard.
This is great because, if somebody hacks your site and gains access to your dashboard, it can prevent them from deleting or disabling the plugins you have decided are essential. They would have to access your main files, which is typically much more difficult.
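Here is an added example, not code from the original post, that ties together the last two recommendations: a single must-use plugin file that loads an essential plugin from a subfolder so it cannot be deactivated or deleted from the dashboard, and that warns administrators about any plugins that are installed but inactive. The folder and file name example-security-plugin is a placeholder for whichever plugin you choose to protect; the text domain mu-guard is likewise this example's own.

```php
<?php
/**
 * Plugin Name: Essential plugin guard (added example, not the post's own code)
 *
 * Save this file as wp-content/mu-plugins/essential-plugin-guard.php. WordPress
 * loads every top-level .php file in that folder on every request, before the
 * regular plugins, and the Plugins screen lists them under "Must-Use" with no
 * deactivate or delete links.
 *
 * Caveats worth knowing before relying on this:
 *  - only files directly inside mu-plugins/ are loaded, so a plugin that ships
 *    as a folder needs a small loader like the one below;
 *  - activation and deactivation hooks never fire for must-use plugins;
 *  - the repository does not send update notices for must-use plugins, so
 *    updating them is a manual step (SFTP or WP-CLI), not a dashboard click.
 */

// 1. Load the plugin you want protected from its own subfolder. The folder and
//    file names are placeholders for whichever security plugin you chose.
$guarded_plugin = WPMU_PLUGIN_DIR . '/example-security-plugin/example-security-plugin.php';
if (is_readable($guarded_plugin)) {
    require_once $guarded_plugin;
}

// 2. Surface inactive plugins to administrators, because every installed
//    plugin should be either active or deleted: inactive code still sits on
//    the server and still ages out of date.
add_action('admin_notices', function (): void {
    if (!current_user_can('delete_plugins')) {
        return;
    }
    // get_plugins() and is_plugin_active() live in the admin plugin helpers.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $inactive = [];
    foreach (get_plugins() as $plugin_file => $data) {
        if (!is_plugin_active($plugin_file)) {
            $inactive[] = $data['Name'] . ' ' . $data['Version'];
        }
    }
    if ($inactive === []) {
        return;
    }

    printf(
        '<div class="notice notice-warning"><p>%s</p><ul><li>%s</li></ul></div>',
        esc_html__('Inactive plugins are still code on the server; activate or delete them:', 'mu-guard'),
        implode('</li><li>', array_map('esc_html', $inactive))
    );
});
```

Because the file lives outside the regular plugins directory, someone who only holds a dashboard login cannot switch the guarded plugin off; changing it requires write access to the filesystem, which is the much higher bar the post describes. The trade-off is the manual update step noted in the header comment, so the "check recently updated" habit from earlier in the post applies to must-use plugins as well.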
We hope that gives you a fundamental understanding about secure plugins for your WordPress website.