How can plugins compromise WordPress security?

By Lee. Published 19 September 2021. Updated 15 April 2026. 6 min reading time.

WordPress plugins let you add features to your site without writing a line of code, and that convenience is a big part of why WordPress powers so much of the web. But the same plugin ecosystem that makes WordPress so flexible also gives attackers a reliable way in. Plugins are now the most common entry point for WordPress compromises, and the numbers have been climbing for years.

This post covers how attackers exploit plugins, what you can do to reduce your exposure, and which other WordPress security areas are worth paying attention to alongside your plugin hygiene.

Why plugins create security openings

Attackers look for weaknesses in plugin code and use them to get a foothold on your site. The methods vary: some inject malicious files through upload functions, others display fraudulent ads to visitors (a technique known as malvertising), and some use plugin flaws to take over a site entirely. Running too many security plugins at once can also cause conflicts that degrade performance and leave gaps in your defences.

The scale of the problem is significant. According to Patchstack, 90% of WordPress vulnerabilities are related to plugins or themes. In 2021, the ProfilePress plugin was found to allow malicious file uploads, giving attackers a route to hijack affected sites. Around the same time, Wordfence discovered an actively exploited flaw in the Fancy Product Designer plugin, with an estimated 17,000 sites at risk. New vulnerabilities surface every day.

Checking plugins for known vulnerabilities

Before installing a plugin, and periodically while using it, it is worth checking whether any vulnerabilities have been reported. The WPScan Vulnerability Database lets you search by plugin name and see any known issues. If a vulnerability exists and an update is available, apply it. If no update exists yet, removing the plugin temporarily is the safer option.

Running a full site scan alongside this gives you a broader picture. A good malware scanner will flag plugin-level threats as well as other issues across your installation. Our post on security plugins for WordPress covers some of the tools worth considering.

Choosing plugins you can trust

The WordPress plugin directory is the safest place to source plugins. Every plugin listed there has been reviewed before publication. With over 58,000 options available, you will find a vetted solution for most use cases.

If you are considering a plugin from outside the directory, take a closer look before installing it. The following checks are worth running:

  • Find the developer. Search for the developer’s website. No credible web presence is a warning sign.
  • Check CodeCanyon. This is one of the main third-party marketplaces for WordPress plugins, and it vets submissions before listing them.
  • Look at download numbers. A plugin that has been available for years but has very few downloads warrants extra scrutiny.
  • Confirm compatibility. Check that the plugin has been tested with the current version of WordPress. Plugins only listed as compatible with older versions may not receive ongoing maintenance.

Keeping plugins updated and removing what you do not need

Outdated plugins are one of the most common ways attackers get in. Enabling auto-updates is the most reliable way to stay current. In your WordPress admin area, go to Plugins > Installed Plugins and select Enable auto-updates for each plugin you want covered. Apply the same approach to your WordPress core installation and your active theme.

Inactive plugins are just as much of a risk as outdated ones. Deactivating a plugin only stops WordPress from loading it; its files stay on the server, can still be requested directly, and still carry any flaw they had. Remove anything you are not actively using: go to Plugins in your dashboard, deactivate the plugin, then click Delete. Fewer plugins also means a lighter site. Slow loading pages push up bounce rates, and you can check where your site stands using Google PageSpeed Insights.

Abandoned plugins and why they matter

An abandoned plugin is one that has not received an update in two years or more. No updates means no bug fixes, no security patches and no response to newly discovered vulnerabilities. Attackers know this, and abandoned plugins are a frequent target.

You can check the status of your plugins on the WordPress plugin directory page for each one. A plugin being abandoned does not guarantee the code is currently broken, but the longer it goes without maintenance, the greater the risk that an unpatched flaw will be discovered and exploited. Removing abandoned plugins is the prudent call.
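The checks described in the sections above (known vulnerabilities, missing updates, compatibility with the current core release, deactivated plugins, and the two-year abandonment rule) can be run as one audit pass. The following PHP is an added example, not code from the post or from WordPress; the plugin data is constructed inline to mirror the JSON shape of the wordpress.org plugin info API, and the field names `version`, `tested` and `last_updated` (with dates like "2021-06-15 9:03pm GMT") are assumptions about that format, as is the current core version and the placeholder advisory list.

```php
<?php
// Added example: audit installed plugins against the checks the post describes.
// Sample data is constructed; field names mirror the assumed wordpress.org API shape.
const CURRENT_WP = '6.5';         // assumed current core release
const ABANDONED_AFTER_DAYS = 730; // "two years or more", as the post defines it
// Constructed: what the directory reports for each slug.
$directory = [
    'example-forms' => ['version' => '3.2.0', 'tested' => '6.5', 'last_updated' => '2026-03-01 10:12am GMT'],
    'old-gallery'   => ['version' => '1.0.4', 'tested' => '5.8', 'last_updated' => '2021-06-15 9:03pm GMT'],
    'fancy-widgets' => ['version' => '2.1.0', 'tested' => '6.5', 'last_updated' => '2025-11-20 2:45pm GMT'],
];
// Constructed: what is installed on the site and whether it is active.
$installed = [
    'example-forms' => ['version' => '3.1.0', 'active' => true],
    'old-gallery'   => ['version' => '1.0.4', 'active' => false],
    'fancy-widgets' => ['version' => '2.1.0', 'active' => true],
];
// Placeholder advisory list (slug => first fixed version); a real one would come from WPScan.
$advisories = ['example-forms' => '3.2.0'];

function audit_plugin(string $slug, array $local, array $remote, array $advisories, DateTimeImmutable $now): array
{
    $findings = [];
    // Known vulnerability, and the installed build predates the fix.
    if (isset($advisories[$slug]) && version_compare($local['version'], $advisories[$slug], '<')) {
        $findings[] = "vulnerable: fixed in {$advisories[$slug]}, running {$local['version']}";
    } elseif (version_compare($local['version'], $remote['version'], '<')) {
        $findings[] = "outdated: {$remote['version']} available";
    }
    // Not declared compatible with the current core release.
    if (version_compare($remote['tested'], CURRENT_WP, '<')) {
        $findings[] = "only tested up to WordPress {$remote['tested']}";
    }
    // No release for two years or more; an unparseable date is treated as unknown and flagged.
    $updated = DateTimeImmutable::createFromFormat('Y-m-d g:ia T', $remote['last_updated']);
    if ($updated === false || $now->diff($updated)->days >= ABANDONED_AFTER_DAYS) {
        $findings[] = 'abandoned: no update in two years or more';
    }
    // Deactivated plugin files are still on disk and still reachable.
    if (!$local['active']) {
        $findings[] = 'inactive: delete it rather than leave it deactivated';
    }
    return $findings;
}

$now = new DateTimeImmutable('2026-04-15');
foreach ($installed as $slug => $local) {
    $result = audit_plugin($slug, $local, $directory[$slug], $advisories, $now);
    echo $slug, ': ', $result ? implode('; ', $result) : 'ok', PHP_EOL;
}
```

In a real deployment the two arrays would be filled from `get_plugins()` and the plugin info API, and the advisory list from a vulnerability feed, with the rest of the logic unchanged.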

Using a web application firewall

A web application firewall (WAF) monitors and filters traffic between the internet and your site, blocking common attack types such as file inclusion exploits and cross-site request forgery before they reach your application. A WAF adds a layer of protection that sits above individual plugin vulnerabilities. You can deploy one through a cloud-based provider or a hosted solution depending on your setup.

Other WordPress security areas worth addressing

Plugin security is the biggest single risk area, but it is not the only one. These threats affect WordPress sites regardless of which plugins you run.

Brute force attacks on your login page

Attackers use automated bots to run through enormous numbers of username and password combinations until one works. A strong, unique password is the baseline defence. A password manager makes it practical to maintain strong credentials across multiple accounts without needing to remember each one. Limiting login attempts through a security plugin and enabling two-factor authentication both reduce the risk further.

SQL injection through form inputs

SQL injection is an attack where a criminal submits malicious database commands through a form field on your site. WordPress uses SQL for database management, and if form inputs are not properly restricted, an attacker can read, alter or delete your site’s data, or insert malicious links. Restricting the characters allowed in form submissions is one way to reduce this exposure.
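To show where the exposure actually comes from, here is the same post lookup written two ways inside a plugin. This is an added example, not code from the post; `$wpdb`, `$wpdb->prepare()`, `wp_unslash()` and `sanitize_text_field()` are WordPress's own functions, while the query and the form field name `title` are hypothetical.

```php
<?php
// Added example (hypothetical plugin code): the same lookup, vulnerable and hardened.

// VULNERABLE: the form value is spliced straight into the SQL string. A single
// quote in the value closes the string literal, and the remainder of the value
// is then parsed as SQL rather than compared to post_title.
function lookup_post_unsafe(string $title)
{
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title = '$title'";
    return $wpdb->get_results($sql);
}

// HARDENED: $wpdb->prepare() binds the value for the %s placeholder, so whatever
// the visitor typed is treated as data, never as SQL. Restricting the allowed
// characters (as the post suggests) is a useful secondary control, but binding
// is what removes the bug.
function lookup_post_safe(string $title)
{
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title = %s",
        $title
    );
    return $wpdb->get_results($sql);
}

// Typical entry point: read the field, strip WordPress's added slashes, sanitize
// it as plain text, then run the prepared query.
function handle_title_search()
{
    $title = isset($_POST['title']) ? sanitize_text_field(wp_unslash($_POST['title'])) : '';
    return lookup_post_safe($title);
}
```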

Denial-of-service attacks

A denial-of-service (DoS) attack floods your server with traffic until it can no longer respond to legitimate visitors. The best protection at the hosting level is a reliable infrastructure that can absorb or deflect that kind of load. Our post on preventing hackers and cyberattacks covers broader defensive measures worth reading alongside this one.

Plugins add real value to a WordPress site, but each one you install is a potential entry point. Stick to vetted sources, keep everything updated, remove what you are not using, and treat abandoned plugins as a liability rather than a convenience. Those habits, combined with solid login security and a WAF, cover the majority of the risk. If you want to go further, our WordPress hosting includes tools to help you manage and protect your site at the platform level.

About Lee

Lee heads Marketing, SEO, and Web Development at Unlimited Web Hosting UK, with over 17 years of industry experience.
