- Jun 26, 2013
- by Brad Litwin
Everybody knows the popular quote from Spider-Man: “With great power comes great responsibility.” I don’t know whether plugins qualify as great power, but they can be very powerful, and with plugins comes responsibility. Before you use a plugin, make sure you are getting it from a reputable, trustworthy source. Plugins and templates are currently an extremely popular attack vector, and the more popular the platform, the more malicious plugins will be targeting it. So before you download and install a plugin, confirm that both the site you download it from and the author are reputable.
Beyond deliberately malicious plugins, many plugins are simply poorly written or poorly maintained. Even if a plugin wasn’t written to make your site vulnerable to attackers, it can accomplish the same thing by accident. Popular platforms such as WordPress and Drupal do their best to warn their communities about plugins or templates that are causing widespread problems, but ultimately it’s your responsibility to make sure the plugins you’re using aren’t going to cause you problems.
Once you’re aware of this issue and want to do something about it, what do you do? The first thing I’d suggest is that before installing any plugin or template pack, Google it. Look for people complaining about it or warning of problems with it, and check whether any security advisories have been published against it. Take those complaints and concerns seriously and consider alternatives instead. If you already have plugins or templates installed on your site, hit Google now and look each of them up.
Additionally, keep all your plugins up to date. If there is a problem, any plugin that’s under active development should receive a patch for it; a plugin that hasn’t seen a release in a long time probably won’t, which is itself a reason to look for a replacement. When updates are released for your plugins, read the release notes. If an update is security related, don’t wait: install it right away. If it’s not security related, you may want to hold off and see whether other users of the plugin report any problems. Feature-rich updates to any software often introduce new bugs, and it’s usually prudent to wait a few days or even a week or two for the community and developers to find and address them.
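The update policy described above (security fixes now, feature updates after a soak period, unmaintained plugins flagged for replacement) is easy to automate once you have an inventory of what is installed. The following script is an added example, not code from the original post or from any platform; the plugin names, versions, dates and changelog excerpts are constructed for illustration, and the field names are assumptions. On WordPress you could feed it from `wp plugin list --format=json`; on other platforms, from whatever inventory your tooling produces.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (hypothetical plugin names and dates, not real data).
INSTALLED = [
    {"name": "contact-form-x", "version": "1.4.0", "last_release": "2013-06-20"},
    {"name": "gallery-pro", "version": "2.0.1", "last_release": "2013-06-24"},
    {"name": "old-sitemap", "version": "0.9", "last_release": "2011-01-15"},
    {"name": "stable-cache", "version": "3.2", "last_release": "2013-05-01"},
]

# Constructed available updates with changelog excerpts (hypothetical).
AVAILABLE_UPDATES = [
    {"name": "contact-form-x", "new_version": "1.4.1", "released": "2013-06-20",
     "changelog": "Fixed XSS in the form preview; hardened file upload handling."},
    {"name": "gallery-pro", "new_version": "2.1.0", "released": "2013-06-24",
     "changelog": "New lightbox layouts, drag-and-drop ordering, performance tweaks."},
    {"name": "stable-cache", "new_version": "3.3", "released": "2013-06-01",
     "changelog": "Added object cache backend; minor UI changes."},
]

# Words that mark a release as security related. A crude heuristic: treat a
# hit as "install now" and a miss as "read the notes yourself before deferring".
SECURITY_TERMS = re.compile(
    r"\b(security|vulnerab\w*|xss|cross.site|csrf|sql injection|injection|"
    r"rce|remote code|privilege\w*|auth(?:entication|orization)? bypass|"
    r"cve-\d{4}-\d+)\b",
    re.IGNORECASE,
)

SOAK_DAYS = 7        # hold feature updates this long for early bug reports
ABANDON_DAYS = 365   # no release in a year: treat the plugin as unmaintained


@dataclass
class Decision:
    name: str
    action: str   # update-now | wait | update | review-abandoned | ok
    reason: str


def is_security_update(changelog: str) -> bool:
    """True if the release notes mention a security fix."""
    return SECURITY_TERMS.search(changelog) is not None


def triage(installed, updates, today: date) -> list:
    """Apply the policy to every installed plugin and return a Decision each."""
    by_name = {u["name"]: u for u in updates}
    decisions = []
    for p in installed:
        upd = by_name.get(p["name"])
        if upd is not None:
            age = (today - date.fromisoformat(upd["released"])).days
            if is_security_update(upd["changelog"]):
                decisions.append(Decision(p["name"], "update-now",
                                          f"security fix in {upd['new_version']}"))
            elif age < SOAK_DAYS:
                decisions.append(Decision(p["name"], "wait",
                                          f"{upd['new_version']} is {age}d old; soak {SOAK_DAYS}d"))
            else:
                decisions.append(Decision(p["name"], "update",
                                          f"{upd['new_version']} has soaked {age}d"))
            continue
        # No update pending: is the plugin still maintained at all?
        stale = (today - date.fromisoformat(p["last_release"])).days
        if stale > ABANDON_DAYS:
            decisions.append(Decision(p["name"], "review-abandoned",
                                      f"no release in {stale}d; find a maintained alternative"))
        else:
            decisions.append(Decision(p["name"], "ok", "current and maintained"))
    return decisions


def triage_on(today_iso: str) -> dict:
    """Convenience wrapper over the constructed data: plugin name -> action."""
    today = date.fromisoformat(today_iso)
    return {d.name: d.action for d in triage(INSTALLED, AVAILABLE_UPDATES, today)}


if __name__ == "__main__":
    for d in triage(INSTALLED, AVAILABLE_UPDATES, date(2013, 6, 26)):
        print(f"{d.name:16} {d.action:18} {d.reason}")
```

The keyword match is deliberately generous: a false positive only means you install a harmless update a week early, while a false negative leaves a security fix waiting, so err on the side of "update-now" and skim the notes for anything the regex did not catch.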