Did your developer use reputable plugins to build your site? Or are they a time bomb waiting to be exploited?
We recently took over a client’s site where their developer had used several plugins that were no longer being maintained. Some of these plugins hadn’t been updated since 2012 – five years ago!
What’s the big issue?
WordPress plugins rely on libraries in the WordPress core. When the core is updated, whether for functionality changes, security fixes or bug fixes, any plugin that depends on the changed code also needs to be kept up to date.
Often plugin and theme developers coordinate their updates with major WordPress releases to ensure they’re taking advantage of newly available features and enhancements.
However, in some cases an update can break your existing WordPress plugins if they weren’t following best practices and coding standards. Conversely, if a plugin relies on an old WordPress library that becomes obsolete, the plugin will stop working and will need to be updated to remain functional.
If plugins aren’t kept up to date in line with major WordPress releases, two things can occur:
1) A plugin remains in the WP repository, but is not updated – “Abandoned”
This can be a problem, since it means the plugin author has not made any changes for a long period of time. Sometimes that means it won’t be fully compatible with newer WordPress versions, reported bugs may not be fixed, and new security issues might not be addressed.
2) A plugin is removed from the WordPress repository
This is similar to abandoned plugins described above, but in this case, the plugin is no longer available to install from wordpress.org, and it will likely never release updates again.
Plugins can be removed from wordpress.org for a variety of reasons, including the author intentionally stopping development, converting it to a “paid only” plugin, or other reasons for which the wordpress.org staff might remove it.
If this happens, your site is at increased risk of being targeted by a hacker: they can determine that your site is running a particular plugin version, and they already know it’s vulnerable and how to exploit it.
How to check your own site:
WordPress will tell you when plugin updates are available for you to install (make sure you do a backup first). However, it doesn’t tell you about plugins that should be updated but have no update available because they’ve been abandoned or removed!
You can use the free WordFence plugin to run a scan on your own WordPress site to see if you have any plugins that are either abandoned or removed from the repository.
If you have any, identify what functionality that plugin provides, decide whether you still need it, and if so find an alternative that is currently maintained by its author. Look at the ‘Last updated’ date to get an idea of how well a plugin is being maintained.
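If you’d rather check from the command line than through a plugin, the script below (added here, not part of the original post or of Wordfence) applies the same “abandoned or removed” test to a list of plugin slugs. It assumes the wordpress.org plugin-info endpoint returns JSON with a `last_updated` field such as "2012-05-14 3:21pm GMT" and returns null or an `error` key for slugs no longer hosted there; the sample responses at the bottom are constructed so it runs offline.

```python
"""Flag installed WordPress plugins that look abandoned or removed.

Assumed (not from the original post): the plugin-info API returns JSON with
"last_updated" like "2012-05-14 3:21pm GMT", and null / an "error" key for
slugs that are no longer hosted on wordpress.org.
"""
import json
from datetime import date
from urllib.request import urlopen

API = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"
STALE_YEARS = 2  # no release for this long -> treat as "abandoned"


def classify(info, today, stale_years=STALE_YEARS):
    """Return 'removed', 'abandoned' or 'ok' for one plugin-info response.

    `today` is an ISO date string (YYYY-MM-DD) so the check is reproducible.
    """
    if not info or "error" in info:
        return "removed"  # slug not found on wordpress.org
    last = date.fromisoformat(info["last_updated"][:10])  # keep the YYYY-MM-DD part
    age_days = (date.fromisoformat(today) - last).days
    return "abandoned" if age_days > stale_years * 365 else "ok"


def fetch_info(slug):
    """Live lookup over the network; returns parsed JSON or None on any error."""
    try:
        with urlopen(API.format(slug=slug), timeout=10) as resp:
            return json.load(resp)
    except Exception:
        return None


def audit(slugs, lookup, today):
    """Map each installed plugin slug to its status via the given lookup function."""
    return {slug: classify(lookup(slug), today) for slug in slugs}


# Constructed sample responses standing in for the live API (offline demo).
SAMPLE_RESPONSES = {
    "fresh-plugin": {"last_updated": "2017-06-01 9:05am GMT", "version": "3.1"},
    "old-gallery": {"last_updated": "2012-03-20 4:40pm GMT", "version": "1.0"},
    "gone-widget": None,  # slug no longer on wordpress.org
}

if __name__ == "__main__":
    # For a real site: audit(slugs_from_wp_content, fetch_info, date.today().isoformat())
    for slug, status in sorted(audit(SAMPLE_RESPONSES, SAMPLE_RESPONSES.get, "2017-07-01").items()):
        print(f"{slug:15} {status}")
```

Anything reported as “removed” or “abandoned” is a candidate for replacement with a maintained alternative, exactly as described above.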
There’s a heap of other functionality that WordFence can offer to keep your WordPress site safe, but that’s another post entirely!