Pagoda Blog

How to Spot an Unsafe WordPress Plugin

February 21, 2019

You can’t have a WordPress site without plugins but the sheer number of options from countless developers is a small business owner’s nightmare. While there are plenty of articles out there recommending the top plugins for WordPress websites and the best plugins of the year, if you stray from these popular recommendations, the waters get murky fast. How can you tell the trustworthy ones from those with shoddy code and potential threats to your website? While many plugins are safe, you should always be cautious and do your due diligence before downloading anything onto your site. Fortunately, you don’t need to be a developer to know how to spot an unsafe WordPress plugin. You just have to know what to look for and take the time to dot your i’s and cross your t’s.


Here are 7 ways to spot an unsafe WordPress plugin so your website continues running smoothly and securely.


1. It has an unsafe reputation

When you do an initial search for a WordPress plugin it may not turn up any obvious red flags. To expose any skeletons in the closet, the first step is conducting a simple Google search with the name of the plugin in addition to the words “hacked,” “unsafe,” or “compromised.” Sometimes this provides enough information to convince you to walk away. Other times, you may need to do further research.


2. It’s blocked by your web host

This is a deal breaker. Web hosts keep a list of banned plugins due to security or functionality issues. (Not all plugins are compatible with every web host.) Do a search for your web host and “disallowed” or “banned” plugins for a full list of those to avoid.


3. Bad ratings

Reviewing a plugin’s user ratings is a quick way to get an idea of usability and customer satisfaction. Often, the ratings will be pretty cut and dried—a majority of 5-star ratings and a handful of negative ratings—but if there’s a split between the 5-stars and 1-stars, or your colleagues have told you that they swear by this plugin, you’ll need to do some more digging. Take the time to read through the reviews and note when they were posted. If all the negative reviews, for example, occur prior to 2016, then you can assume there was a bug and the developer fixed it. Also be wary of an abundance of one-word reviews. This could be a sign that the developer paid for fake positive reviews. The more detail, the more likely the reviews are legitimate.


4. Less than 1,000 downloads

A plugin may have good ratings but that doesn’t say much if only a handful of people have used it. To ensure your plugin has been duly tried and tested, view the number of downloads or active installations and steer clear if it has less than 1,000. You can easily view the number of active installations on thousands of plugins by searching in the WordPress plugins repository.


5. It won’t work with the latest WordPress version

Before you download, you need to ensure your chosen plugin is compatible with the latest version of WordPress. (And of course you have the latest version because you know how important it is to keep your technology up to date.) If it requires an older version to run, this is a red flag that the developer isn’t actively keeping the plugin up to date, scanning for viruses and bugs in the code, or optimizing for usability. Never download a plugin with the following warning message attached: “This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”


6. There’s no customer support

You don’t want something to go haywire with your plugin and have no one to turn to for help. Even free plugins should come with some level of customer support to ensure you don’t get stuck with a broken website. You can determine the level of customer support by reviewing how often they respond to support requests, reading through the actual responses (are they helpful?), and checking to see that customer support has been active within the last three months.



7. It’s been flagged by the WPScan Vulnerability Database

The WPScan Vulnerability Database keeps an updated list of all reported vulnerabilities for WordPress plugins. You can quickly check the status of any plugin using the search function. The database will show you any vulnerabilities and when they were reported. We recommend also signing up for the free email alerts so that you’re automatically notified if one of your plugins has a security issue down the line.


Not all WordPress plugins are created equal

When selecting your WordPress plugins it can be tempting to simply follow the suggestions of a fellow business owner or to download the first relevant plugin that comes up in a Google search. You should always take the time, however, to do your research and ensure that anything you’re downloading onto your site won’t cause security or usability issues. If you look for the red flags above you should have no problem finding reputable, safe WordPress plugins to optimize the functionality of your site.



About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.
