Join Jeff Starr for an in-depth discussion in this video, Choose trusted plugins and themes, part of WordPress: Developing Secure Sites.
- [Instructor] As you might expect, using insecure plugins and themes puts your site at risk. Indeed, WordPress itself is very secure, but if you install a plugin or theme that contains any sort of vulnerability, your entire site may be targeted and attacked. Choosing trusted plugins and themes only takes a few minutes, and you can do most of it from the comfort of the WordPress Admin Area. In this tutorial, we'll demonstrate some practical guidelines and helpful tips for choosing safe and secure plugins and themes. The goal is simple: review as much information as it takes to make the best choice.
There are no hard and fast rules, but applying some practical guidelines will help you choose safe and reliable plugins. When choosing plugins, look for trusted plugins that are hosted at the WordPress Plugin Directory. And check out the plugin's ratings and reviews. Also, look for plugins that are actively developed. Check the version number and time since the last update. Compatibility is also important. Check the latest compatible WordPress version and check the minimum required WordPress version.
Also look for trusted authors; you can get an idea from the number of active installs. And maybe do a quick search to learn more about the author. Other signs of quality include: intelligent, useful descriptions, an active development changelog, straightforward installation steps, resolved support threads, and so forth. Let's apply this strategy while checking out a few WordPress plugins. Here on the Add Plugins page, we can do a quick search for something like "google xml sitemaps", just for example.
Let's click on this plugin's 'more details' link to see if it's a safe and reliable plugin. This plugin is a good example of the type of quality plugins that we're looking for. Notice the description is informative and well-written. The installation is straightforward with no weird steps. And we can check for any screenshots here, to get a better idea of what's inside. Also, look for signs of active development in the changelog. If any additional tabs are present, you can check them too.
Lastly, in the sidebar here, check out the statistical summary and see if everything looks good. Is it a trusted, or well-known, author? When was the last update? Then check the WordPress version requirement, and the compatibility requirement. Then, how many active installs? And what's the rating, based on how many votes? You may also want to visit the plugin's home page at WordPress.org.
Here we can dig further into what the plugin has to offer. For example, we can examine support threads, look closer at any screenshots, check out the reviews, and more. You may also want to look for an external plugin page that you can visit. If one is available, the link will be listed here in the sidebar. Basically, you want to investigate any leads that you can find until you are convinced as to the quality of the plugin. Now, applying this strategy, let's find a good plugin for, say, formatting our theme for mobile devices.
So we go to Plugins, Add New, and type something like, "mobile app" here in the search field. As you can see, there's quite a bit to choose from, as is the case with most WordPress plugins. First, let's scan the list and get a general idea of what's available. There's quite a bit to choose from, so let's dig a little deeper. Here we see a plugin called "WordApp Mobile App Plugin". It has a solid description and straightforward installation steps, but the screenshots aren't exactly what we're looking for.
It does have an active changelog, and some decent plugin statistics. So we might add this plugin to our list of contenders. Next, we have Mobile App API. This plugin looks pretty basic, not a very thorough description, and sort of incomplete stats here with lots of missing tabs and details. So probably, we'd pass on this plugin, unless we get desperate. This plugin by Wiziapp looks pretty good. It has a solid description, clear installation steps, an active changelog, and some solid stats.
So we would add this plugin to our list of potentials. In this manner, we would continue shopping through the plugins to narrow it down, and find the best of the best of the best. Once you get that far, it becomes a matter of personal preference, features, and so forth. To be super cautious, you may also want to check out the plugin at an exploit database, such as the one at NIST.gov. For WordPress themes, the same sort of strategy applies. Look for signs of quality such as active development, trusted authors, compatibility, popularity, appearance, and features.
Plus, check the theme's website and look for channels of support, help forums, and so forth. To see an example of this, let's go to the Appearance screen in the WordPress admin area, and click on the Add New button. Here we can search for quality WordPress themes. For example, let's search for "mobile" and check out the results. Now, for any of these themes hosted here in the WordPress theme directory, we can hover over and click 'Details & Preview'. As you can see, themes do not provide as much information as we get with plugins.
But you can get a good sense of where to begin based on the version number, author, and rating. And of course, the preview itself usually speaks volumes about the quality of the theme, so scrutinize accordingly. Once you decide on the theme and have it installed, a great way to check it out under the hood is to use the handy Theme Check plugin, as seen here. Let's run a quick check on the default Twenty Sixteen theme.
Just click 'Check it' and we see that the results are good. Twenty Sixteen is squeaky clean and safe to use. To see an example of a theme with less-than-stellar results, we re-run the theme check on a randomly chosen theme named "Skulls". As shown here, the "Skulls" theme is missing a number of required items, as well as a number of recommended items. Does this mean that you shouldn't use "Skulls"? Well, that's up to you, but if you see anything serious, you should either investigate further, or just move on to the next theme.
In this video, we've seen some smart ways to stay savvy when adding plugins and themes. From the comfort of the admin area, WordPress makes it easy to extend functionality with quality plugins and themes that are safe and secure.
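The checks the instructor walks through by hand (time since the last update, the "tested up to" version against the WordPress release you run, active installs, rating and vote count, resolved support threads) can be applied to a whole shortlist at once. The script below is an added example, not part of the course or of WordPress; the two plugin records are constructed, their keys mirror the field names of the WordPress.org plugin information API as an assumption, and every threshold is an assumed starting point you should tune.

```python
"""Score WordPress.org plugin metadata against the video's checklist.

Added example (not from the course). SAMPLE_PLUGINS is constructed data
whose keys are assumed to match api.wordpress.org plugin_information
responses; the thresholds below are assumptions, not WordPress.org policy.
"""
from datetime import datetime

# Constructed sample records (not real API output).
SAMPLE_PLUGINS = {
    "good-sitemap": {
        "name": "Good Sitemap", "version": "4.1.7", "author": "Trusted Author",
        "requires": "5.8", "tested": "6.5",
        "last_updated": "2024-05-20 3:10pm GMT",
        "active_installs": 2000000, "rating": 94, "num_ratings": 1500,
        "support_threads": 40, "support_threads_resolved": 36,
    },
    "abandoned-mobile": {
        "name": "Abandoned Mobile", "version": "0.3", "author": "Unknown",
        "requires": "4.7", "tested": "5.0.4",
        "last_updated": "2019-02-11 9:00am GMT",
        "active_installs": 300, "rating": 60, "num_ratings": 8,
        "support_threads": 12, "support_threads_resolved": 2,
    },
}

# Assumed review date so the demo is deterministic (a real run would use now()).
REVIEW_DATE = datetime(2024, 6, 1)

# Assumed thresholds; adjust to your own risk appetite.
STALE_WARN_DAYS = 365
STALE_FAIL_DAYS = 730
MAX_MINOR_VERSIONS_BEHIND = 3
MIN_INSTALLS = 1000
MIN_RATING = 70        # WordPress.org ratings are expressed as 0..100
MIN_VOTES = 10
MIN_RESOLVED_RATIO = 0.5


def _version_key(version):
    """Map '6.5' or '5.0.4' to major*100+minor, or None if unparseable."""
    parts = version.split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except (ValueError, IndexError):
        return None
    return major * 100 + minor


def _last_updated(record):
    """Parse the date part of a 'YYYY-MM-DD h:mmam/pm GMT' string (format assumed)."""
    return datetime.strptime(record["last_updated"].split()[0], "%Y-%m-%d")


def assess_plugin(record, today=REVIEW_DATE, current_wp="6.5"):
    """Return (verdict, findings); verdict is 'pass', 'review' or 'avoid'."""
    findings = []  # list of (severity, message)

    age = (today - _last_updated(record)).days
    if age > STALE_FAIL_DAYS:
        findings.append(("fail", f"last update {age} days ago (unmaintained)"))
    elif age > STALE_WARN_DAYS:
        findings.append(("warn", f"last update {age} days ago"))

    tested = _version_key(record.get("tested", ""))
    current = _version_key(current_wp)
    if tested is None:
        findings.append(("warn", "no 'tested up to' version declared"))
    elif current - tested >= MAX_MINOR_VERSIONS_BEHIND:
        findings.append(("warn", f"tested up to {record['tested']}, you run {current_wp}"))

    if record.get("active_installs", 0) < MIN_INSTALLS:
        findings.append(("warn", f"only {record.get('active_installs', 0)} active installs"))

    if record.get("num_ratings", 0) < MIN_VOTES:
        findings.append(("warn", f"only {record.get('num_ratings', 0)} ratings; score is not meaningful"))
    elif record.get("rating", 0) < MIN_RATING:
        findings.append(("warn", f"rating {record['rating']}/100 from {record['num_ratings']} votes"))

    threads = record.get("support_threads", 0)
    if threads:
        ratio = record.get("support_threads_resolved", 0) / threads
        if ratio < MIN_RESOLVED_RATIO:
            findings.append(("warn", f"only {ratio:.0%} of support threads resolved"))

    severities = {s for s, _ in findings}
    verdict = "avoid" if "fail" in severities else "review" if "warn" in severities else "pass"
    return verdict, findings


def assess_all(plugins=SAMPLE_PLUGINS, today=REVIEW_DATE, current_wp="6.5"):
    """Map each plugin slug to its verdict."""
    return {slug: assess_plugin(rec, today, current_wp)[0] for slug, rec in plugins.items()}


if __name__ == "__main__":
    for slug, rec in SAMPLE_PLUGINS.items():
        verdict, findings = assess_plugin(rec)
        print(f"{slug}: {verdict}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

A "review" verdict is not a rejection; it is the point where the instructor's manual steps (reading the changelog, the support forum and the vulnerability database) take over. Only "avoid" results, here driven by a plugin untouched for more than two years, should be dropped without further reading.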