How to Make Sure a WordPress Plugin Is Virus-Free

Published by James Parsons on December 25, 2014. Posted in How-to.

WordPress is a fantastic blogging platform for many reasons. Among these is the fact that it has so many plugins, extensions and themes that you can make the platform look and act in virtually any way you could desire.

The problem with being such a robust, powerful and popular platform is that it becomes a target for hackers and viruses. WordPress is like the Windows XP of blogging platforms: used by an insane number of people and left unprotected by far, far too many of them. When one single exploit can infect millions of people, it pays to be cautious.

Step 1: Trust the Source

When you’re downloading a plugin or a theme, you might be tempted to use a third party site to do it. Sometimes that is unavoidable, and sometimes it is a needless risk. The theme you want, for example, might only be found on the site of the developer of that theme. A premium version of a free plugin might only be available from that developer’s website.

When you’re looking for a plugin or a theme, make sure you trust the source. Avoid downloading themes packaged in .exe format, or from any source of equally low quality.

When in doubt, look for the plugin on the official WordPress plugins directory.

Step 2: Opt for Popular

Another form of protection is to opt for plugins and themes with high ratings for quality and popularity. When a theme has millions of downloads with an average 4 star rating, you can assume it’s probably not a virus. It’s easy enough to fake reviews or downloads, but at that volume it’s highly unlikely.

This isn’t always possible, unfortunately. Some good plugins and themes have low numbers, either because they’re new or they’re such a niche use that they aren’t attracting the sort of attention necessary for social validation.

Note that this isn’t a 100% guarantee of safety. It’s always possible that the developer themselves was compromised and an “update” uploaded that contains a virus.

Step 3: Virus Scan

Every computer needs to have antivirus software installed. It doesn’t matter if you’re using an expensive corporate enterprise solution or a free version of Windows Anti-Malware, you need something.

When you download a plugin, you have to go through a few hoops to upload that plugin to your site, where it can take effect. Before you do this, scan the files with a virus scanner. Your antivirus software should allow you to scan certain files specifically; if not, you can find a free online scanner elsewhere.

Once you have scanned the files, you can be reasonably sure that there are no infections in the code of the plugin. There still might be malicious code, just no embedded viruses.

Step 4: Authenticity Check

There is a WordPress plugin called the Theme Authenticity Checker, or TAC, that scans your installed themes. It searches for code that doesn’t do what it’s supposed to do, or that is obfuscated for some reason. Very rarely is there a good reason to obfuscate code, so this plugin is pretty good at catching out themes with malicious embedded code.

You can find the TAC here, and it’s simple to download and install. You may also want to scan this plugin with a virus scanner, to make sure it hasn’t been compromised itself.

Step 5: Ongoing Protection

This is where another virus scanner comes in handy. Specifically, a scanner you can install as a plugin. This works to detect any potential intrusions from a third party source, or any infections that might occur because of an update to a plugin. The last thing you need is for a formerly trusted plugin to infect your installation.

This particular antivirus plugin scans your code every day and alerts you if anything comes up. You can also whitelist specific files to avoid repeated false positives.
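As an added illustration of the kind of check Steps 4 and 5 describe (this is example code written for this article, not TAC’s or any scanner plugin’s own code), the script below looks through a theme or plugin tree for the decode-then-execute patterns and long encoded literals that typically mark obfuscated PHP, and skips files on a whitelist so known false positives stay quiet. The sample files are constructed stand-ins; the rule set is a small starting point, not a complete signature database.

```python
import re
from pathlib import Path

# Constructed sample theme tree (stand-ins, not real plugin code): one clean
# file and two carrying the decode-then-eval loaders that TAC-style scans flag.
SAMPLE_FILES = {
    "my-theme/functions.php": "<?php\nadd_action('init', 'my_theme_setup');\n",
    "my-theme/footer.php": "<?php eval(base64_decode('cGhwaW5mbygpOw=='));\n",
    "my-theme/vendor/lib.php": "<?php $x = gzinflate(str_rot13('abc')); eval($x);\n",
}

# Indicators of obfuscated PHP: executing a decoded or variable payload, very
# long base64-looking literals, and the old eval-like /e regex modifier.
DECODERS = r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)"
SUSPICIOUS = [
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*" + DECODERS + r"\s*\(", re.I)),
    ("eval of variable", re.compile(r"eval\s*\(\s*\$\w+", re.I)),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")),
    ("preg_replace /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/\w*e\w*['\"]", re.I)),
]

def scan_source(source):
    """Return [(rule_name, line_no), ...] for one PHP source string."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append((name, line_no))
    return findings

def scan_tree(files, whitelist=()):
    """Scan a {relative_path: source} mapping of .php files; paths in the
    whitelist are the manual false-positive exclusions described in Step 5."""
    report = {}
    for rel_path, source in files.items():
        if not rel_path.endswith(".php") or rel_path in whitelist:
            continue
        hits = scan_source(source)
        if hits:
            report[rel_path] = hits
    return report

def load_tree(root):
    """Read a real theme or plugin directory into the same mapping shape."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.php")}
```

To run it against a real download, call `scan_tree(load_tree("path/to/unzipped-theme"))` and review every reported file by hand before uploading; a hit is a reason to look, not proof of malice.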

General Security Tips

WordPress, again, is a hugely popular platform with a wide user base, which means it’s frequently targeted. In this era of widespread hacks and cyber-terrorism, you can’t afford to leave yourself vulnerable. Here are some more tips for keeping it safe for you and your users.

  • Keep your installation up to date. The platform itself only issues updates when critical features or security holes are patched. It’s safe to say that if there’s an update you haven’t applied, that update is fixing a dangerous security hole – or several – that can destroy your site if exploited.
  • Keep your plugins and themes up to date. The larger the disparity between plugin update and platform update, the more likely it is that there’s a conflict that can be exploited to gain access to your site. Once that happens, you need to do a lot of work to make sure your site is secure once again.
  • Use security themes and plugins to make it harder to gain access to your site. This means getting code from trusted sources, keeping a backup of your data regularly, containing your installation such that an infection is limited in scope, and limiting the number of possible points of infection.
  • Keep your password secure. Don’t use one of the common passwords, and don’t use a password for longer than six months. Use longer passwords that don’t include words. Finally, avoid using passwords to any account that may have been compromised in the past.
  • Set file permissions. There are a bunch of tips about how to do this in the Hardening WordPress section of the WP Codex.
  • Keep your own computer secure. You can have the most secure website in the world, but if your computer is infected and a virus logs your password keystrokes, the hacker doesn’t have to do anything to gain access to your site.

Finally, you should at least learn the basics of how a virus works and how to cleanse a system. You might not have to do it, but if you do, the knowledge of how to stop the spread of a virus and keep it from making things worse is invaluable.


James is a content marketing and SEO professional who enjoys the challenge of driving sales through blogging while creating awesome and useful content.
