Website plugins

11.07.2016

Episode #9 of the course Cyber security for small business by Cat Paterson



If you’re a WordPress user, you’ll know that there are thousands of website plug-ins to choose from, almost verging on kid-in-a-sweet-shop-level awe, shiny object syndrome tugging on your magpie instincts with tremendous strength.

But before you buy up every plug-in without thought or plan, take a moment to think about security and the problems a plug-in can bring with it.

It’s well-known that your site can suffer big-time if you install too many plug-ins, never mind the hit on your bank balance. Every plug-in is third-party code that runs with the same privileges as your site, so each one is both a performance cost and a potential way in. A common rule of thumb is to keep no more than 10 to 12 installed and active at any one time, but the quality of each one matters more than the count.

There’s another consideration, though. Yep, you guessed it—how secure is your new plug-in going to be?

Because plug-ins are written by many different developers with very different levels of care, some are far less secure than others. I admit that there is no fool-proof method for spotting an insecure plug-in, but you can mitigate some of the risk by thinking about these things:


Plug-in security checklist

1. What do you need in a plug-in? Instead of buying two or three, would one do the job?

2. Check the reviews carefully. If a plug-in is rated 4 or 5 stars but there are only two reviews, that score tells you very little; it might be best to step away and find an alternative until you have more details.

3. Search for the name of the plug-in together with the word “security” or “vulnerability.” Anything of concern should show up in a search for “[plugin name] security,” and a vulnerability database that tracks WordPress plug-ins (WPScan’s, for example) will list published advisories. A known vulnerability with no fixed release is a strong reason to choose something else.

4. Check when the developer last updated the plug-in; within the last month is a good rule of thumb. The plug-in’s page in the WordPress directory shows both “Last updated” and the WordPress version it was “Tested up to.” If the developer no longer supports it, any vulnerability found after their last release will never be patched, and it may no longer work with current WordPress.

5. Take the time to read the support threads and comments, as I find that users are fairly honest and vocal online if they have any issues.
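As an added example (my own code, not part of the course), here is a small Python script that applies checks 2 and 4 of the checklist to a plug-in’s directory metadata. It assumes the field names of the WordPress.org plug-in info API (`last_updated`, `tested`, `rating`, `num_ratings`), which the optional `fetch_plugin_info` helper reads live; the two sample records, the “current WordPress” version and the review thresholds are constructed assumptions so that the script runs offline.

```python
"""Score a WordPress.org plug-in's metadata against the checklist above.

Added example, not code from the course. Field names follow the public
plug-in info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json)
as I understand it; the sample records, thresholds and "current WordPress"
version below are constructed assumptions.
"""
import json
import urllib.request
from datetime import date, datetime

MAX_DAYS_SINCE_UPDATE = 30  # lesson's rule of thumb: updated within the last month
MIN_RATINGS = 5             # assumption: fewer reviews than this says nothing useful
MIN_RATING = 80             # API rating is 0-100; 80 is roughly 4 stars (assumption)


def fetch_plugin_info(slug: str) -> dict:
    """Fetch live metadata for a directory plug-in. Needs network; not used in the demo."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _major_minor(version: str) -> tuple:
    """'6.4.3' -> (6, 4). Stops at the first non-numeric part, e.g. '4.x' -> (4,)."""
    parts = []
    for piece in version.split(".")[:2]:
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess_plugin(info: dict, today: date, current_wp: str) -> list:
    """Return warnings in checklist order; an empty list means the plug-in passes."""
    warnings = []

    # Check 4: last update. The API value looks like "2016-06-28 2:02pm GMT";
    # the date part is all we need.
    last = datetime.strptime(info["last_updated"].split(" ")[0], "%Y-%m-%d").date()
    age = (today - last).days
    if age > MAX_DAYS_SINCE_UPDATE:
        warnings.append(f"not updated for {age} days (last release {last})")

    # Check 4, compatibility: 'tested' is the newest WordPress the developer tested on.
    tested = str(info.get("tested", "0"))
    if _major_minor(tested) < _major_minor(current_wp):
        warnings.append(f"tested only up to WordPress {tested}; current is {current_wp}")

    # Check 2: a high score from a handful of reviewers tells you very little.
    n = int(info.get("num_ratings", 0))
    score = int(info.get("rating", 0))
    if n < MIN_RATINGS:
        warnings.append(f"only {n} rating(s); not enough to trust a score of {score}/100")
    elif score < MIN_RATING:
        warnings.append(f"low rating {score}/100 across {n} reviews")

    return warnings


# Constructed sample records in the API's shape; these are not real plug-ins.
SAMPLE_STALE = {
    "name": "Example Gallery", "slug": "example-gallery", "version": "1.2",
    "tested": "4.4.2", "rating": 100, "num_ratings": 2,
    "last_updated": "2015-11-03 9:15am GMT",
}
SAMPLE_HEALTHY = {
    "name": "Example Forms", "slug": "example-forms", "version": "3.8.1",
    "tested": "4.5.3", "rating": 92, "num_ratings": 640,
    "last_updated": "2016-06-28 2:02pm GMT",
}
TODAY = date(2016, 7, 11)  # the lesson's publication date
CURRENT_WP = "4.5.3"       # assumption: the WordPress release current on that date


if __name__ == "__main__":
    for sample in (SAMPLE_STALE, SAMPLE_HEALTHY):
        found = assess_plugin(sample, TODAY, CURRENT_WP)
        verdict = "PASS" if not found else "WARN"
        print(f"{verdict} {sample['name']}")
        for line in found:
            print("  -", line)
```

To check a real plug-in, replace one of the samples with `fetch_plugin_info("akismet")` (or any directory slug) and today’s date; the thresholds are deliberately simple constants so you can tighten them to your own taste.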



If you are a Squarespace user, all of the hosting and software security is handled by the team at Squarespace. There are no plug-ins to worry about or conflicting software; it’s all built and tested by their in-house team. What remains your responsibility is who can log in to your site.

The most common breach type on Squarespace sites is not a technical one: it is a disgruntled employee or website developer who, for one reason or another, still has access rights after the end of employment or the end of the client agreement and makes changes without the owner’s permission.

There are measures that can easily be put into place to stop this type of activity before damage is done: give each employee or contractor their own login with the lowest role that does the job, never hand out the owner account, and remove their access on the day the job or employment ends.


In the next and final lesson, you will learn about website back-up and get a ton of additional resource links to further your knowledge.


Recommended book

“Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground” by Kevin Poulsen

