Talking to your clients about WordPress plugin security - Heart Internet Blog - Focusing on all aspects of the web

It’s safe to say that most clients don’t have a deep understanding of WordPress plugin security and that they don’t take it as seriously as they should.

Most likely it’s because they have little to no idea about the risks they’re exposing their sites to with every plugin they install.

They might not know that vulnerable plugins are the top way that attackers gain access to WordPress sites, and that hackers can steal or expose all their customers’ data and cripple their business.

And they might also not be aware of how often this happens.

In 2018, Wordfence, a WordPress security firm, discovered that the WP GDPR Compliance plugin had a serious vulnerability that enabled unauthenticated attackers to escalate their privileges, permitting them to further infect vulnerable sites.

As their “technical contact”, your clients might assume that it’s your responsibility to keep their sites secure and/or to fix any security issue that might arise.

Whether it is or not, educating your clients (and potential clients) about plugin security can save you time and headaches, while also keeping them happy and their businesses (and yours) safe and thriving.

So in this post we’ll show you how to talk to your clients about WordPress plugin security to ensure you both have peace of mind. Or, better yet, why not share this article with them?

Ready? Let’s get started.

Only use the necessary plugins

The more WordPress plugins you install, the more vulnerable your website is to an attack. Since you’re running more code, your odds of having a security vulnerability exploited go up.

In addition, you’re so busy growing your business that you likely don’t have time to keep updated on or respond quickly to plugin vulnerability reports.

So whenever you find an interesting new plugin, take a moment and ask yourself if you really need it before you install it.

Always get your plugins from a trusted source

It’s tempting to look for free plugins online. The problem is that if they’re not from a reputable site, they might contain malware that can compromise your site’s security.

If possible, try to limit your plugin downloads to the official plugin directory.

If you find a great plugin on another site, take a few moments to review it to ensure it’s a reputable and trustworthy source before downloading and installing the plugin on your website.

Here are a few key things to look at to determine whether the site can be trusted.

  • The site looks professionally designed
  • There’s a company name in the header as well as in the footer
  • The plugin has a clear, grammatically correct description
  • The terms of service and a privacy policy are readily available
  • Contact information like physical address, email address and phone number is visible. If there’s no contact information anywhere, don’t trust it
  • It serves the site over HTTPS with a valid SSL certificate
  • If you run a search on Google for that website name alongside one of the keywords “malware”, “hacked” or “exploit”, none of the results reveal reports of malicious activity.

Choose reputable plugins

It’s not only the source that you need to pay attention to, but also the actual plugin.

If you go to the plugin directory, you’ll notice that many plugins have detailed descriptions as well as ratings and reviews.

Here’s an example:

Screenshot: the Akismet plugin’s page in the plugin directory

When you review the plugin, pay close attention to:

  • When it was last updated. The more recent the last update, the better.
  • The number of active installations. The higher the number, the more reliable it is.
  • The average plugin rating and reviews. Obviously, the higher the rating, the better.

Keep your plugins up to date

52% of reported WordPress security vulnerabilities relate to WordPress plugins.

Now, with the increasing number of attacks and vulnerabilities, anyone, including you, can be a victim of these breaches. In fact, the easiest target for hackers is site owners who don’t keep their plugins up to date.

That’s why it’s of utmost importance to update your plugins to the latest version as soon as possible, particularly if it includes a security fix. This is critical to avoid being compromised by hackers.

Delete plugins you don’t use

If you have plugins you no longer use, delete them. Removing them reduces your risk since hackers cannot exploit code you don’t have on your website.
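The two steps above, updating what you use and deleting what you don’t, are easiest to apply consistently from a script. The following is an added example (not from the original post, nor Heart Internet’s or Sucuri’s code) that turns the plugin list WP-CLI prints into a reviewable list of commands: every inactive plugin becomes a delete, and every active plugin with an update available becomes an update. It assumes the CSV has the columns name, status, update and version in that order, which `wp plugin list --format=csv --fields=name,status,update,version` produces; the sample list embedded below is constructed for the example, not real site data, and the generated `wp` commands are only printed, so the script runs without a WordPress install.

```shell
#!/bin/sh
# Constructed sample of `wp plugin list --format=csv --fields=name,status,update,version`
# output. Not real site data; edit or replace with the real command's output.
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
hello-dolly,inactive,none,1.7.2
old-gallery,active,available,2.0.1
contact-form-7,inactive,available,5.8'

# Read the CSV on stdin and print the names of plugins whose status column
# matches $1 (e.g. "inactive"). The header row (NR == 1) is skipped.
plugins_with_status() {
  awk -F, -v want="$1" 'NR > 1 && $2 == want { print $1 }'
}

# Read the CSV on stdin and print the names of *active* plugins that have an
# update available. Inactive plugins are deliberately excluded: they are
# candidates for deletion, not for updating.
plugins_needing_update() {
  awk -F, 'NR > 1 && $2 == "active" && $3 == "available" { print $1 }'
}

# Build the remediation commands for the CSV passed as $1.
# Deletes come first so an inactive plugin is never both updated and removed.
audit_commands() {
  csv="$1"
  for p in $(printf '%s\n' "$csv" | plugins_with_status inactive); do
    echo "wp plugin delete $p"
  done
  for p in $(printf '%s\n' "$csv" | plugins_needing_update); do
    echo "wp plugin update $p"
  done
}

# Print the proposed commands for the sample list. On a real site, pipe the
# output into a shell only after reviewing it, e.g.:
#   audit_commands "$(wp plugin list --format=csv --fields=name,status,update,version)"
audit_commands "$SAMPLE_PLUGIN_LIST"
```

The script prints commands rather than running them so the site owner (or you, as their technical contact) can confirm that an “inactive” plugin really is unused before it is removed; a plugin that is only switched off temporarily should be reactivated and updated instead.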

Install a security plugin and use security software

The steps we’ve outlined above should help protect a site against most plugin security issues, but if you want to make a site really secure then you should seriously consider using a security plugin and security software.

We recommend using the Sucuri WordPress plugin, which partners nicely with Website Security from Heart Internet (which is also powered by Sucuri).

The free plugin provides malware scanning, while Website Security offers malware removal, and (in the top package) attack prevention and site backup.

Your turn

These are the most important things that we believe your clients should know about WordPress plugin security in order to keep their websites safe.

Is there anything we missed? Let us know in a comment below.
