One of the greatest benefits of WordPress can also be the source of a potential pitfall. WordPress plugins (there are more than 46,000 available for download in the official WordPress Plugin Directory) allow designers and developers to quickly add a wide range of functions to any WordPress website. This makes WordPress the most desirable platform for creating cost-effective small business websites. However, because of its popularity, WordPress attracts more than its fair share of shady developers looking to hack and exploit unsuspecting websites. One of the most common ways to exploit WordPress installations is by hiding exploits and malware in plugins.


Exploits and Malware in WordPress Plugins

Generally, you are best advised to use WordPress plugins that have many good reviews and installs. But even here, there is a need for caution. This is demonstrated by an exploit discovered in one popular plugin by the security experts at Wordfence, makers of a highly regarded WordPress security plugin. One of their clients discovered links to payday loan websites injected into their web pages. Wordfence tracked it to a plugin named "404 to 301" that is highly rated in the WordPress Directory and has more than 70,000 active installs. Evidently, the makers of this plugin also gave it the ability to inject links and advertising into any website that uses it. Cleverly, the links are "cloaked" so that they can only be seen by search engines. Cloaking can cause a website to be penalized in search results by Google.

The Lesson: Even Popular WordPress Plugins Can Hide Malware

Visit the post regarding this exploit on Wordfence's website. The lesson we can take from this? Use a good security plugin for your WordPress website, and check it periodically using online security check tools such as the free Sucuri SiteCheck. Also, open a free Google Search Console account for your website to get free alerts from Google whenever they detect security issues. Finally, keep your WordPress installation and plugins up to date. This can greatly minimize the potential of your WordPress website being exploited.
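A periodic check for the cloaked links described above can also be scripted. The following is an added example, not code from this post or from Wordfence: it compares the outbound link hosts a page serves to a browser with those it serves to a crawler User-Agent. It assumes the cloaking is keyed on the User-Agent header, which the post does not state; the function names, sample HTML and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample responses: the crawler view carries one extra injected link.
SAMPLE_BROWSER = '<p><a href="/about">About</a> <a href="https://partner.example.org/">Partner</a></p>'
SAMPLE_CRAWLER = SAMPLE_BROWSER + '<a href="http://loans.example.net/apply">payday loans</a>'

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def external_hosts(html, site_host):
    """Hostnames linked from html, excluding site_host and its subdomains."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()  # relative links have no host
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts

def cloaked_hosts(browser_html, crawler_html, site_host):
    """External hosts that appear only in the crawler's copy of the page."""
    return external_hosts(crawler_html, site_host) - external_hosts(browser_html, site_host)

def fetch(url, user_agent):
    # Fetch a page from your own site while presenting the given User-Agent.
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    site_host = urlparse(url).hostname.lower()
    return cloaked_hosts(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), site_host)

if __name__ == "__main__":
    print(sorted(cloaked_hosts(SAMPLE_BROWSER, SAMPLE_CRAWLER, "example.com")))
```

Cloaking that keys on a verified crawler IP address rather than the User-Agent will not show up in this comparison. For that case, the URL Inspection view in Google Search Console shows the page as Google actually fetched it.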



WordPress Plugins, A Cautionary Tale…