Choosing trusted plug-ins and themes
Video: Choosing trusted plug-ins and themesDid you know that installing insecure plug-ins and themes puts your site at risk? If the plug-in or theme contains any sort of vulnerability, your entire site may be targeted and attacked. Choosing trusted plug-ins and themes only takes a few minutes, and you can do most of it from the comfort of the WordPress Admin. In this screencast we will demonstrate some practical guidelines and helpful tips for choosing safe and secure plug-ins and themes. The goal is simple: review as much information as it takes to make the best choice.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Choosing trusted plug-ins and themes
Did you know that installing insecure plug-ins and themes puts your site at risk? If the plug-in or theme contains any sort of vulnerability, your entire site may be targeted and attacked. Choosing trusted plug-ins and themes only takes a few minutes, and you can do most of it from the comfort of the WordPress Admin. In this screencast we will demonstrate some practical guidelines and helpful tips for choosing safe and secure plug-ins and themes. The goal is simple: review as much information as it takes to make the best choice.
There are no hard-and-fast rules, but applying some practical guidelines will help you find a safe and reliable plug-in. Whenever possible choose plug-ins from the WordPress Plugin Directory. Look for intelligent, informative descriptions, look at the version number of the plug-in, look for an active changelog, and look at the plug-in rating. Let's see an example of this by going to the install plug-ins screen in the WordPress Admin area. We click on the Add New button and do a quick search for Google XML sitemaps.
Let's click on the Details link to see an example of a safe and reliable plug-in. Notice the description is well written and intelligent. It suits our purposes and explains everything that we need, provides related links, some fine print, and everything else we need to know about this plug-in. Clicking on the Installation page, we also see--very informative, well written, thorough. That's good. We are going to need that, especially if it's anything other than typical. Screenshots, here are screenshots of the plug-in, and what we are looking for here is quality.
We are looking for a functionality and things that may be useful for us if we decide to install the plug-in. The changelog is very important because it shows whether or not the plug-in is actively developed and maintained. The changelog for this plug-in is actually listed on this web page here outside of the Admin area, but that's okay. We just scroll down and we begin to see the amount of work that has been put into this plug-in, and we begin to understand why it is the best XML site map plug-in. According to many people, it is just amazing.
So let's return to the Admin and look at more clues for this great plug-in. It has a good frequently asked questions, FAQ, section, includes some other notes about the license, translations, and so forth. But perhaps the most valuable piece of information is in the sidebar here. This summary provides clues that will help you decide whether or not this plug-in is right for you. First look at the version number. 3.2.4 suggests that this plug-in has been around a while. Look at the author. Is it a reputable author, one that you recognize? When was it last updated? 374 days ago. That's roughly a year, and so we may be hesitant by seeing that.
It says it is compatible with the latest version of WordPress, and here is an amazing tidbit of information: it has been downloaded over 5 million times, which is an incredibly large number for a plug-in. Another important clue is here in the average rating, and 4 1/2 stars based on that many, 2,000--over 2000--votes. Definitely this would make up my mind right here. I would probably go with this plug-in maybe after looking at a couple more. But if you still can't decide after all that, look for an external plug-in page that you can do visit. If one is available, the link will be listed right here in the sidebar beneath the WordPress org link.
We can click on that go to the web site for the plug-in and learn more about the plug-in. Now, applying this strategy, let's find a good plug-in for say formatting our theme for mobile devices. So we click on the Add New link and type in a keyword to get us started, something like 'mobile' and then click on Search Plugins to bring up the results. As you can see, there's quite a bit to choose from, as is the case with most WordPress plug-ins.
So first, let's scan the list to get a general idea of what's available. There's some good ratings, looks like some new plug-ins here, and then let's begin our search by clicking on the Details link for the first result. This looks good, but it says it hasn't been tested with our current version of WordPress. Something to keep in mind is that Word press releases what are called point updates, where the plug-in will go from version 3.0.5 to 3.1, or 3.0.6.
In many cases, plug-ins will work just fine for point updates. WordPress's current version is 3, so chances are this plug-in will work just fine, and the reason that it says this message is because somebody has not taken the time to log in to WordPress.org and let the software know that it is compatible. You see a nice thorough description here, version number 1.2.4. It's been downloaded 192,000 times. Some great ratings here, four stars, based on a good number of ratings. The installation looks doable.
It includes some screenshots here of what the plug-in looks like. That's nice to know. So everything looks good, and we would continue flipping through tabs and seeing things like this right here, the changelog. Good, good changelog. Active development. We would continue shopping through a plug-ins to narrow it down and fin the best of the best of the best. Once you get that far, it becomes a matter of personal preferences, features, and so forth. For WordPress themes the same sort of strategy applies.
Look for themes that point toward active development, trusted authors, compatibility, and popularity. To see an example of this, let's return to the demo site admin area and go to the Appearance menu and click on Themes. Click on the Install Themes tab and enter your keyword or keywords. For us, it is mobile. So we click Search, and we see we have some great results. As you can see, there's not as much information available as for plug-ins, but we can get a good idea by clicking the Details link and looking at the version number, author, and ratings.
Once you decide on a theme and have it installed, a great way to check it out under the hood is to use the handy Theme Check plug-in, as seen here in the Appearance menu. Let's run a quick check on the default 2010 Theme. Let's suppress the extraneous information and click Check it! Here we see that the results are very good: Twenty Ten has passed the tests and is squeaky clean, safe to use. To see an example of a theme with less-than-stellar results, we rerun the Theme Check on a randomly chosen theme named Skulls. We click Check it! And as we see, the Skulls theme is missing a number of required items, as well as a number of recommended items.
Does this mean that you shouldn't use the theme? Well, that's up to you. But if you see anything serious, you should either investigate further or just move on to the next theme. In this screencast, we've seen some smart ways to stay savvy when adding new themes and plug-ins. From the comfort of the Admin area, WordPress makes it easy to find, install, and update safe and secure plug-ins and themes for your site.
There are currently no FAQs about WordPress 3: Developing Secure Sites.