Mondoze Blog

What You Need to Know About WordPress Plugins and Cybersecurity

Plugins can do so much for your small business website. You can use them to make your WordPress site load faster, make your content shareable, collect visitor email addresses for your marketing list, and do better in search results. Even better, many of the best WordPress plugins that can upgrade your website and your business blog are free.

It’s important to make sure the plugins you choose are reputable, maintained, and secure. Unfortunately, attackers can and do exploit plugins. Usually this means finding a security flaw in a plugin’s code and using it to inject malicious scripts into the site that runs the plugin.

What do these malicious scripts do?

Cybersecurity firm Kaspersky says the possibilities include site takeover, spyware installation, and cryptocurrency mining.

Are Your WordPress Plugins Open to Threats?

Choosing plugins is kind of like buying a car. You want performance, of course, but you also want something that’s safe, reliable and easy to maintain. You choose a reputable car dealer and read reviews, so you don’t buy a lemon. And you should get top-rated plugins from a reliable source, so you don’t end up with a malicious plugin.

Security experts consider WordPress.org’s plugin directory to be the safest source for plugins. With more than 55,000 plugins, you won’t run out of options, and the site solicits feedback and reviews from users. Keep in mind, though, that a directory listing is not a security audit: plugins are reviewed when they are first submitted, not on every update, and vulnerabilities are still found regularly in directory plugins. That is why the rest of the checks below matter.

Check those reviews before you download—not just the star ratings but also the user feedback. See what people like about the plugin. Read about any issues they’re having with the original plugin or updates. Get a sense of how well the publisher supports the plugin.

Also check out the number of active installations to get a sense of how many users trust the plugin. A good plugin can have just a few hundred users, but a plugin with thousands of users has earned a lot of trust.

Check for Compatibility with the Latest Version of WordPress

So, you’ve found a plugin with good reviews and lots of users. Before you download it, make sure it’s compatible with your version of WordPress. (For security and performance, you should always keep your own website up to date on WordPress, too.)

To ensure your plugins and WordPress are compatible, you need to know your current WordPress version. You can find it by going to your WordPress dashboard and clicking Updates. You’ll see a notice that lets you know if you’re running the latest version and gives you the version number.

You also need to verify that the plugin you want is up to date. Most plugin authors are good about updating their products, but sometimes plugins are abandoned, or updates are slow to come. If you see a yellow box notice at the top of the plugin’s page at WordPress.org, pay attention to it: it typically warns that the plugin hasn’t been tested with the latest three major releases of WordPress, or that the plugin has been closed and is no longer available for download.

Also check out the spec box on the page. It shows which version of WordPress the plugin requires, which version it has been tested up to, which PHP version it needs, and how recently it was updated. A plugin whose last update is years old is a warning sign even if its reviews are good.
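The checks above can be scripted for sites you manage. The following is an added example, not code from the original post or from WordPress itself: a stand-alone PHP script that reads the version number out of WordPress’s own wp-includes/version.php and compares it with the “Requires at least”, “Tested up to” and “Requires PHP” headers that plugins declare in their readme.txt (the same values the WordPress.org spec box displays). The readme and version-file contents embedded here are constructed for illustration, and the rule that “Tested up to” is compared per major.minor branch is this example’s own assumption rather than a WordPress guarantee.

```php
<?php
// Added example (not from the original post): check a plugin's declared
// WordPress/PHP requirements against the WordPress version you are running.
// Assumptions: the plugin ships a WordPress.org-style readme.txt with the
// standard "Requires at least", "Tested up to" and "Requires PHP" headers,
// and WordPress keeps its version in wp-includes/version.php ($wp_version).

declare(strict_types=1);

/** Read $wp_version out of wp-includes/version.php without executing the file. */
function wpVersionFromSource(string $versionPhp): ?string
{
    // version.php contains a line like: $wp_version = '6.4.3';
    if (preg_match('/\$wp_version\s*=\s*[\'"]([^\'"]+)[\'"]/', $versionPhp, $m)) {
        return $m[1];
    }
    return null;
}

/** Parse "Header: value" lines from the top of a readme.txt into an array. */
function parseReadmeHeaders(string $readme): array
{
    $headers = [];
    foreach (preg_split('/\R/', $readme) as $line) {
        if (trim($line) === '') {
            break; // the header block ends at the first blank line
        }
        if (preg_match('/^([A-Za-z][A-Za-z ]+?):\s*(.+)$/', trim($line), $m)) {
            $headers[strtolower($m[1])] = trim($m[2]);
        }
    }
    return $headers;
}

/** Reduce "6.4.3" to "6.4": "Tested up to" is declared per major.minor branch (assumption). */
function majorMinor(string $version): string
{
    $parts = explode('.', $version);
    return $parts[0] . '.' . ($parts[1] ?? '0');
}

/** Return one finding per header; $phpVersion defaults to the PHP running this script. */
function compatibilityReport(array $headers, string $wpVersion, string $phpVersion = PHP_VERSION): array
{
    $findings = [];

    $requiresWp = $headers['requires at least'] ?? null;
    if ($requiresWp !== null && version_compare($wpVersion, $requiresWp, '<')) {
        $findings[] = "FAIL: needs WordPress $requiresWp or newer, site runs $wpVersion";
    }

    $tested = $headers['tested up to'] ?? null;
    if ($tested === null) {
        $findings[] = 'WARN: no "Tested up to" header; the author has not declared a tested version';
    } elseif (version_compare(majorMinor($wpVersion), majorMinor($tested), '>')) {
        $findings[] = "WARN: tested only up to WordPress $tested, site runs $wpVersion";
    }

    $requiresPhp = $headers['requires php'] ?? null;
    if ($requiresPhp !== null && version_compare($phpVersion, $requiresPhp, '<')) {
        $findings[] = "FAIL: needs PHP $requiresPhp or newer, server runs $phpVersion";
    }

    return $findings === [] ? ['OK: declared requirements are satisfied'] : $findings;
}

// --- constructed sample input (not a real plugin or a real site) --------------
$sampleVersionPhp = "<?php\n\$wp_version = '6.4.3';\n";
$sampleReadme = <<<TXT
=== Example Contact Form ===
Contributors: exampledev
Tags: forms, contact
Requires at least: 5.8
Tested up to: 6.1
Requires PHP: 7.4
Stable tag: 2.3.1
License: GPLv2 or later

== Description ==
A constructed readme used only to exercise the checker above.
TXT;

$wp = wpVersionFromSource($sampleVersionPhp) ?? 'unknown';
foreach (compatibilityReport(parseReadmeHeaders($sampleReadme), $wp, '8.1.0') as $line) {
    echo $line, PHP_EOL;
}
```

To run it against a real installation, replace the two sample strings with `file_get_contents()` of the site’s wp-includes/version.php and of the plugin’s readme.txt. A FAIL means the plugin will not work on that site; a WARN on “Tested up to” is the same condition the WordPress.org notice flags, and is the cue to check how recently the plugin was updated.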

If your chosen plugin is compatible, go ahead and try it out. If you decide it’s not right for your site, delete it rather than just deactivating it. A deactivated plugin’s files stay on the server, still need updating, and in some cases can still be reached directly by an attacker. Otherwise, you’re going to have to keep maintaining it, even though you’re not using it.

That brings us to the most common way that good plugins go bad. When users don’t update them, attackers exploit vulnerabilities that are already public and already fixed in the current version.

Keep WordPress and Your Plugins Up to Date

Like everything made with code, WordPress and plugins get updates for new features, improvements, and bug fixes. Sometimes the bugs fixed are small things that affect the way a plugin looks or operates. Sometimes they’re security holes that need to be patched to keep attackers out of your site.

When publishers announce security updates, attackers see them too. They compare the old and new code to locate the flaw, then start scanning for sites that haven’t applied the update yet, often within days of the release.

Even if you’re happy with the current version of WordPress and your plugins, you still need to update. WordPress applies minor (security) core releases automatically by default, and since WordPress 5.5 the Plugins screen has an “Enable auto-updates” link for each plugin and theme; turn that on wherever you can. For the rest, you have a few options for keeping things current.

  1. Make your own manual updating schedule.

This approach can work if you’re able to commit to checking your site for update notices at least once a week. If you tend to kick small tasks down the road when you’re busy, skip this approach. You could end up with site vulnerabilities.

Even if you decide not to do manual updates, it’s a good idea to know how. Sometimes you may worry that an update will break your site, especially if your plugins haven’t been updated to support the newest version of WordPress. Back up your site (files and database) before you manually update, and be ready to restore that backup if there are problems.

Just as when you check to see which version of WordPress you’re running, you’ll go to your dashboard. Click Updates in the left column, just beneath Home. You’ll see the update status for WordPress, your plugins, and your themes. If any are out of date, you can update them here.

  2. Set up notifications for update and security issues.

The Wordfence Security plugin scans your site for security issues, including out-of-date plugins and pending WordPress updates. The free version of this WordPress security plugin lets you get email notices whenever your site needs an update. It’s still on you to go make the updates. But this way you don’t miss issues that crop up between your regularly scheduled updates.

  3. Set up automatic plugin updates.

If you have plugins that don’t offer their own auto-update option, consider the Easy Updates Manager plugin. Yes, a plugin to update your plugins: plugin inception! The free version lets you set some or all of your plugins to update automatically. This is the most efficient approach, especially if you run more than one website or run a high-traffic site with multiple plugins.
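WordPress can also do this without a helper plugin. The auto_update_plugin and auto_update_theme filters have been part of core since WordPress 3.7, and they are what the per-plugin “Enable auto-updates” links in WordPress 5.5 and later sit on top of. The following must-use plugin is an added example, not the original post’s recommendation and not the Easy Updates Manager plugin’s code: it turns on automatic updates for an allowlist of plugins and for all themes, and leaves every other plugin on whatever WordPress would have decided. The slugs in the allowlist are placeholders to replace with your own.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Enables automatic updates for an allowlist of plugins and for all themes.
 *
 * Install as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins
 * load on every request and cannot be deactivated from the Plugins screen.
 */

// Constructed allowlist: replace with the directory slugs of your own plugins.
// The slug is the folder name under wp-content/plugins/, e.g. "akismet".
const AUTO_UPDATE_PLUGIN_ALLOWLIST = [
    'akismet',
    'example-contact-form', // placeholder slug, not a real plugin
];

/**
 * Decide per plugin whether WordPress should apply an available update.
 *
 * @param bool   $update WordPress's current decision (per-plugin setting or default).
 * @param object $item   Update data from the API; $item->slug is the plugin's directory slug.
 * @return bool
 */
function auto_update_policy_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, AUTO_UPDATE_PLUGIN_ALLOWLIST, true ) ) {
        return true; // always update allowlisted plugins as soon as a release appears
    }
    return $update; // leave the rest exactly as WordPress would have decided
}
add_filter( 'auto_update_plugin', 'auto_update_policy_plugin', 10, 2 );

// Themes: __return_true is a WordPress helper that simply returns true.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the e-mail WordPress sends after an automatic plugin update attempt,
// so a failed update does not go unnoticed (this is the default, made explicit).
add_filter( 'auto_plugin_update_send_email', '__return_true' );

// Core: minor and security releases auto-update by default. To include major
// releases as well, add this line to wp-config.php (it must be a constant
// defined before WordPress loads, so it does not belong in this file):
//     define( 'WP_AUTO_UPDATE_CORE', true );
```

Automatic updates run from WP-Cron, so they only happen when the site gets traffic or when a real cron job triggers wp-cron.php; a site with neither will still show as out of date. The allowlist approach is deliberate: plugins that handle payments or custom templates may warrant a staging test before each update, while security-critical ones should update the moment a fix ships.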