What’s A Plugin?
Most WordPress sites make use of plugins: third-party programs that add functions and capabilities to your site (contact forms, image galleries, membership managers and so on). A plugin is PHP code that runs inside your site with the same access to the database and filesystem as WordPress itself, so whatever it does, your site does.
Plugins are made either by independent developers (often funded by donations) or by larger agencies that sell them. A popular plugin can generate a lot of income for its maker, but a plugin that never gains many users often ends up abandoned.
What does this mean for you?
Abandoned Plugins Can Have Unpatched Code Holes:
A plugin that hasn't been updated in several years may contain vulnerabilities that will never be fixed. Even the best commercial plugins need emergency patches from time to time, as new bugs are found in the plugin itself or in the WordPress and PHP code it relies on; an abandoned plugin gets no such patches.
Nasty New Owners:
Additionally, attackers have been known to seek out recently abandoned plugins and either buy them from the original developer or take over that developer's distribution account. Once in control, the attacker can add malicious code to what was once a trusted tool and ship it to every existing user as an ordinary update.
WordPress notifies you when your plugins have updates available; it does not tell you when a plugin has changed hands. You could run what looks like a routine update and find your site is now carrying the new owner's malicious code.
What can you do to protect yourself?
1. Don't go overboard with plugins in the first place. Every plugin you add is more third-party code running on your site, and more isn't always better.
2. If you stop using a plugin, deactivate it and delete it right away. A deactivated plugin's files are still on the server and can still be reached directly.
3. Install from the official WordPress.org plugin directory, and/or buy from reputable commercial sources.
4. Look at when it was last updated before you install it. The directory shows the last-updated date and the highest WordPress version it was tested with; a plugin that is years out of date may already have been abandoned.
5. Check your site every six months or so to see whether your plugins are still being maintained. If one has gone longer than that with no attention, look into replacing it.
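The six-monthly check in step 5, plus the ownership warning above, can be scripted against the WordPress.org plugins API rather than done by hand. The following is an added example, not code from the original article or from WordPress; it assumes plugin records shaped like the API's `plugin_information` response (only the `slug`, `author`, `last_updated` and `tested` fields are used), a locally kept "pin" of the author name you saw when you first installed each plugin, and a chosen staleness threshold. The sample records and pins are constructed for the example, not real API responses.

```python
"""Audit installed WordPress plugins for abandonment and ownership changes.

Added example, not code from the original article. Assumptions:
- plugin-info records have the shape returned by the WordPress.org plugins API
  (https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG);
  only `slug`, `author`, `last_updated` and `tested` are read;
- a local "pin" file records the author name seen at install time, so that a
  change of owner can be surfaced (WordPress itself does not report this);
- SAMPLE_RECORDS / SAMPLE_PINS below are constructed, fictional data.
"""
import json
import re
import urllib.request
from datetime import date

STALE_DAYS = 180      # the checklist's "six months or so"
CURRENT_WP = "6.5"    # assumption: the WordPress major.minor you are running


def fetch_plugin_info(slug):
    """Fetch a live record from the WordPress.org plugins API (not used offline)."""
    url = ("https://api.wordpress.org/plugins/info/1.2/"
           f"?action=plugin_information&request[slug]={slug}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def strip_tags(html):
    """The API's `author` field is an HTML link; keep only the visible name."""
    return re.sub(r"<[^>]+>", "", html or "").strip()


def parse_last_updated(value):
    """`last_updated` looks like '2024-05-01 10:00am GMT'; keep the date part."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value or "")
    return date(*map(int, m.groups())) if m else None


def version_key(v):
    """Compare major.minor only, so '6.5' and '6.5.2' count as the same release."""
    parts = [int(p) for p in re.findall(r"\d+", v or "")][:2]
    return tuple(parts + [0] * (2 - len(parts)))


def audit_plugin(info, pinned_author=None, today=None,
                 stale_days=STALE_DAYS, current_wp=CURRENT_WP):
    """Return a list of human-readable findings for one plugin (empty = fine)."""
    today = today or date.today()
    findings = []
    updated = parse_last_updated(info.get("last_updated"))
    if updated is None:
        findings.append("no usable last_updated date in record")
    else:
        age = (today - updated).days
        if age > stale_days:
            findings.append(f"stale: last updated {updated.isoformat()} ({age} days ago)")
    tested = info.get("tested")
    if tested and version_key(tested) < version_key(current_wp):
        findings.append(f"tested only up to WordPress {tested}, you run {current_wp}")
    # An author change is a prompt to investigate, not proof of a hostile takeover.
    author = strip_tags(info.get("author"))
    if pinned_author is not None and author != pinned_author:
        findings.append(f"author changed: pinned {pinned_author!r}, record now says {author!r}")
    return findings


def audit_site(records, pins, today=None):
    """Return {slug: [findings]} for every plugin that needs attention."""
    report = {}
    for info in records:
        findings = audit_plugin(info, pins.get(info["slug"]), today)
        if findings:
            report[info["slug"]] = findings
    return report


# Constructed sample records (API response shape, fictional content).
SAMPLE_RECORDS = [
    {"slug": "contact-form-example",
     "author": '<a href="https://example.com">Example Forms Co</a>',
     "last_updated": "2024-05-20 9:15am GMT", "tested": "6.5.3"},
    {"slug": "old-gallery",
     "author": '<a href="https://example.org">Solo Dev</a>',
     "last_updated": "2021-02-11 4:02pm GMT", "tested": "5.6"},
    {"slug": "member-manager",
     "author": '<a href="https://example.net">New Holdings Ltd</a>',
     "last_updated": "2024-05-28 1:00pm GMT", "tested": "6.5"},
]
# Author names recorded when each plugin was first installed (constructed).
SAMPLE_PINS = {
    "contact-form-example": "Example Forms Co",
    "old-gallery": "Solo Dev",
    "member-manager": "Original Author",
}


def run_sample():
    """Audit the constructed sample as of a fixed date so results are repeatable."""
    return audit_site(SAMPLE_RECORDS, SAMPLE_PINS, today=date(2024, 6, 1))


if __name__ == "__main__":
    for slug, findings in run_sample().items():
        print(slug)
        for f in findings:
            print("  -", f)
```

For a live check, replace `SAMPLE_RECORDS` with `[fetch_plugin_info(slug) for slug in installed_slugs]` and keep the pins file under version control so a changed author line shows up as a diff. Commercial plugins not hosted on WordPress.org will not appear in this API and still need a manual look.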