If a plugin or theme has a vulnerability, it may go undetected for a long time, because far fewer people review that code than review core WordPress. Perhaps the developer stopped maintaining the extension, but people still use it. Perhaps the developer fixes the problem quickly, but users don't upgrade. So, how big is the problem? In a Wordfence survey of compromised website owners, more than 60% of those who knew how the attacker got into the site attributed it to a vulnerability in a theme or plugin.
Wordfence survey of hacked websites (Image source: Wordfence). Similarly, in Sucuri's 2016 report, just 3 plugins were the cause of over 15% of the breaches that were recorded (Sucuri list of hacked plugins). And here's the key finding: the vulnerabilities in those plugins had been patched long ago; the site owners simply had not updated the plugin to secure their site. Bottom line: extensions are a wildcard that can open your site to malicious actors.

Yet much of this risk can be reduced by following best practices: keep extensions up to date and only install extensions from trusted sources. We also need to mention the "GPL clubs" you may come across around the internet, where you can get any premium WordPress plugin or theme for just a few dollars. Although WordPress is released under the GPL, which is great and one of the reasons we love it, buyer beware. These are sometimes referred to as "nulled plugins". Buying plugins from.
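To turn "keep extensions up to date" into a repeatable check, here is an added example (not from the original post) that audits the JSON printed by `wp plugin list --format=json`, flagging plugins with a pending update and inactive plugins that are still installed; the field names follow WP-CLI, while the plugin entries and versions in the sample are constructed for illustration.

```python
import json

# Constructed sample shaped like `wp plugin list --format=json` output.
# Field names (name, status, update, version, update_version) follow WP-CLI;
# the plugin entries and version numbers are invented for illustration.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": ""},
    {"name": "old-gallery", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.4.1"},
    {"name": "unused-seo", "status": "inactive", "update": "available",
     "version": "2.0", "update_version": "2.3"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": ""},
])


def audit_plugins(plugin_list_json):
    """Flag plugins with a pending update (the already-fixed bugs the
    Wordfence and Sucuri figures describe) and plugins that are inactive
    but still on disk (their PHP files remain present and unpatched)."""
    findings = []
    for p in json.loads(plugin_list_json):
        if p.get("update") == "available":
            findings.append({
                "plugin": p["name"], "issue": "update-available",
                "installed": p["version"], "latest": p.get("update_version", ""),
                # An active, outdated plugin is the highest-priority item.
                "priority": 1 if p.get("status") == "active" else 2,
            })
        if p.get("status") == "inactive":
            findings.append({
                "plugin": p["name"], "issue": "inactive-still-installed",
                "installed": p["version"], "latest": "", "priority": 3,
            })
    return sorted(findings, key=lambda f: (f["priority"], f["plugin"]))


def report(findings):
    """Render findings one per line, highest priority first."""
    lines = []
    for f in findings:
        detail = f" ({f['installed']} -> {f['latest']})" if f["latest"] else ""
        lines.append(f"[P{f['priority']}] {f['plugin']}: {f['issue']}{detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_plugins(SAMPLE_PLUGIN_LIST)))
```

Feed it real output by piping `wp plugin list --format=json` into the script and wiring the result into a scheduled job or monitoring alert.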