How to Audit & Cleanup WordPress Plugins & Themes


In an interview with Smashing Magazine, Sucuri co-founder Tony Perez was asked the following question.

What Makes WordPress Vulnerable?

“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez

The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions.

Auditing your WordPress plugins and themes on a regular basis improves your security posture by reducing the number of vulnerable or unmaintained components on the site. Plugins and themes run with the same privileges as WordPress core, so a vulnerable or malicious one gives an attacker a way into your website and, once inside, a convenient place to hide a backdoor.

Outdated or poorly maintained plugins and themes are exactly what attackers are looking for: an opportunity to force entry. Attackers run automated scanners (bots) that probe sites for known vulnerable plugin and theme versions. It has nothing to do with who you are or how big your website is; a scanner does not care. If a vulnerability exists in one of your WordPress themes or plugins, you can bet that it will be exploited.

How to Perform a WordPress Plugin & Theme Audit

You can assess the security of your WordPress plugins and themes by measuring the following indicators:

Does the plugin or theme have a large install base?

This can help you gauge the reputation of the developer. A theme or plugin with a large user base is more likely to be actively maintained and to have bugs reported and fixed quickly. Bear in mind, though, that a large install base also makes a plugin a more attractive target, so popularity alone is not a guarantee of security; it is one indicator among the others below.

Are there a lot of user reviews, and is the average rating high?

The assessment here is a common sense call. Try to read both good and bad reviews to get a grasp of the average user experience, and treat a handful of five-star reviews as a weaker signal than hundreds of mixed ones.

Are the developers actively supporting their plugin and pushing updates or security patches?

Ensure that the developers are actively working on every plugin and theme installed on your WordPress website, and that patches are being released to users on a regular basis. When was the plugin last updated? If it was over 6 months ago, consider switching to an alternative plugin or theme that is still being supported. For plugins hosted on wordpress.org, also check the "Tested up to" value on the plugin page: a plugin that has not been tested against the WordPress version you are running is another sign that nobody is maintaining it.

Does the vendor list terms of service or privacy policy?

If they do, it’s a good sign that the plugin or theme is legitimate. You’ll want to carefully read over the terms of service, because they may include unwanted extras or “features” that were not advertised for the plugin or extension.

Does the vendor include a physical contact address in the ToS or a contact page?

It’s important to be able to reach the author/developer in case you need additional assistance or information. A physical address is one more credibility indicator, showing that the code comes from an identifiable and accountable source.

Does the plugin have a support page?

Plugins and themes from the
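The checklist above can be partly automated. The script below is an added example, not ManageWP's code or part of the original article: it scores plugins against the indicators that can be measured from data (install base, ratings, last update, tested-up-to version, support activity, vendor contact) using the JSON that the wordpress.org plugin-information API returns per plugin slug. The field names used (last_updated, active_installs, rating, num_ratings, tested, support_threads, support_threads_resolved, homepage) are taken from that API as I know it and should be verified against a live response; the sample API responses, the installed-plugin list, the thresholds and the reference date are all constructed for the example. Terms of service and physical address are not exposed by the API and remain a manual check.

```python
"""Score WordPress plugins against the audit indicators in the article.

Added example, not ManageWP's code. Field names follow the wordpress.org
plugin-information API as I know it (verify against a live response); all
sample data and thresholds below are constructed/assumed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample responses (values invented for the example).
SAMPLE_API_RESPONSES = {
    "well-kept-forms": {
        "name": "Well Kept Forms",
        "last_updated": "2024-04-20 9:15am GMT",
        "active_installs": 500000,
        "rating": 94,            # the API reports rating as a 0-100 percentage
        "num_ratings": 1280,
        "tested": "6.5",
        "support_threads": 40,
        "support_threads_resolved": 36,
        "homepage": "https://example.com/well-kept-forms",
    },
    "abandoned-gallery": {
        "name": "Abandoned Gallery",
        "last_updated": "2021-11-02 3:40pm GMT",
        "active_installs": 800,
        "rating": 62,
        "num_ratings": 7,
        "tested": "5.8",
        "support_threads": 12,
        "support_threads_resolved": 1,
        "homepage": "",
    },
}

# Constructed reference date for the audit (use datetime.now() in practice).
AUDIT_DATE = datetime(2024, 6, 1)

# Thresholds (assumed; tune to your own risk appetite).
STALE_AFTER = timedelta(days=183)      # the article's "over 6 months"
MIN_ACTIVE_INSTALLS = 10_000
MIN_RATINGS = 20
MIN_RATING = 80
MIN_RESOLVED_RATIO = 0.5


def version_tuple(v):
    """'6.4.2' -> (6, 4, 2); '6.5-RC1' -> (6, 5). Stops at the first non-numeric part."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_last_updated(value):
    """The API formats dates like '2024-04-20 9:15am GMT'; the date part is enough."""
    return datetime.strptime(value[:10], "%Y-%m-%d")


def audit_plugin(info, now, current_wp):
    """Return the findings for one plugin and a verdict: keep, review or replace."""
    findings = []

    age = now - parse_last_updated(info["last_updated"])
    if age > STALE_AFTER:
        findings.append(f"last update {age.days} days ago (stale)")

    if version_tuple(info["tested"])[:2] < version_tuple(current_wp)[:2]:
        findings.append(f"tested up to {info['tested']}, site runs {current_wp}")

    if info["active_installs"] < MIN_ACTIVE_INSTALLS:
        findings.append(f"small install base ({info['active_installs']})")

    if info["num_ratings"] < MIN_RATINGS or info["rating"] < MIN_RATING:
        findings.append(f"weak rating signal ({info['rating']}% over {info['num_ratings']} reviews)")

    threads = info["support_threads"]
    if threads and info["support_threads_resolved"] / threads < MIN_RESOLVED_RATIO:
        findings.append(f"{info['support_threads_resolved']}/{threads} support threads resolved")

    if not info.get("homepage"):
        findings.append("no vendor homepage/contact listed")

    # A stale plugin with several other red flags is the strongest signal of
    # abandoned, unpatched code; anything else just lowers confidence.
    if age > STALE_AFTER and len(findings) >= 3:
        verdict = "replace"
    elif findings:
        verdict = "review"
    else:
        verdict = "keep"
    return {"name": info["name"], "verdict": verdict, "findings": findings}


def audit_site(installed_slugs, responses, now, current_wp):
    """Audit every installed slug; slugs absent from the directory are flagged for manual vetting."""
    report = {}
    for slug in installed_slugs:
        info = responses.get(slug)
        if info is None:
            report[slug] = {"name": slug, "verdict": "review",
                            "findings": ["not in wordpress.org directory; vet the vendor manually"]}
        else:
            report[slug] = audit_plugin(info, now, current_wp)
    return report


if __name__ == "__main__":
    # Constructed stand-in for the output of `wp plugin list --field=name`.
    installed = ["well-kept-forms", "abandoned-gallery", "custom-agency-theme-helper"]
    for slug, r in audit_site(installed, SAMPLE_API_RESPONSES, AUDIT_DATE, "6.5").items():
        print(f"{slug:30} {r['verdict']:8} {'; '.join(r['findings']) or 'no findings'}")
```

To run this against a real site, feed it the slugs from `wp plugin list --field=name` and replace SAMPLE_API_RESPONSES with the JSON fetched per slug from the wordpress.org plugin-information endpoint (`api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>`, as I know it). Premium and custom plugins are not in the directory, so the script deliberately flags them for a manual check of the vendor's update history, terms of service and contact details rather than silently skipping them.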



This article was written by Pilar Garcia and originally published on ManageWP.

Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the product, We may receive an affiliate commission.
