The Hidden Security Risk to Your WordPress Site

WordPress is a great solution for most website needs. It’s easy to install, versatile, and it’s backend makes it easy for relative neophytes to add and edit content to websites without needing an advanced degree in Computer Science. This is reflected in its market share: some 40% of all websites are powered by it.

The popularity and utility of WordPress is something of a double-edged sword. While its popularity means it’s well-supported and has a staggering number of available themes and plugins, it’s also a favorite target for hackers. This isn’t to suggest that it’s less secure than other content management systems, but a single compromised plugin or theme is more likely to hit more targets due to its higher user base.

As it turns out, the biggest threat to a WordPress site’s security is something that users do to save money.

According to a recent study by WordFence, a WordPress security provider, the single largest security threat comes from pirated, or “nulled” plugins and themes, where the functionality to check if a license is valid and paid for is removed, and often replaced with a backdoor to compromise the site.

The study showed that nulled plugins and themes accounted for malware found on 206,000 sites, or 17% of all infected WordPress sites analyzed by the company in 2020. The real number is likely significantly higher.

The simple reality is that while WordPress itself is free and runs on open-source (free) technology, many of its plugins and themes are not. Some of the most popular and widely used ones are the results of thousands of hours of development time, constant updates, and user support, all of which depend on paid software licenses to help keep the lights on and the software up to date.

While the temptation to find a “free” copy of a piece of software is understandable, and may seem like something of a victimless crime (it isn’t), not using them is a wise decision in terms of simple self-preservation as much as ethics. Any plugin or theme that has certain features removed has, by definition, been hacked, and installing it onto a website is opening the door for hackers and malware.

That means the data for all users on the site is up for grabs, including passwords, payment information, and any confidential data being transmitted. The risks and potential liability simply and massively outweigh the expense of paying for a software license.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Work With Us

We've been building websites for over twenty years, and have learned a thing or two about how to make web projects go smoothly.

CLOSE