With so many plugins and themes online, WordPress is one of the easiest ways of creating the website of your dreams. But this choice gives rise to many cybersecurity problems.

This article will explore several red flags you need to know when installing new plugins or themes on WordPress. We’ll also suggest simple ways to protect your site against any cyberattack.


Firstly, how worried should you be?

New plugins and themes appear on the many WordPress marketplaces every day, and with them comes a growing number of cybersecurity issues.

An 8-year study by the Georgia Institute of Technology uncovered an unprecedented 47,337 malicious plugins installed on WordPress sites. To add to the worry, 94% of those plugins were still infected.

One of the most common infection methods was impersonating popular plugins and themes. Malware would spread, attacking other plugins and taking hold of the site.

So before you click download, what should you be wary of?

7 signs a WordPress theme or plugin might be malicious

1. Low downloads

One of the easiest ways to determine if a plugin or theme is genuine or malicious is by examining its download count.

Reputable plugins have built up a legacy on WordPress, with hundreds of thousands of verified downloads acting as a great reference. But if a product has no downloads or active installations, there is little evidence to suggest that it is trustworthy.

Additionally, sites that distribute plugins or themes may lack the quality controls needed to stop attackers from setting up publisher accounts, so a low download count can also point to an opportunistic upload that has not yet been caught.

2. Check for recent updates

No matter how legitimate or reputable a plugin is, it can be exploited if it is not regularly updated: every WordPress release can introduce compatibility issues with plugins and themes, and attackers can capitalise on code that is no longer maintained.

A recent example is the MonsterInsights Google Analytics WordPress plugin, which has over 3 million downloads. When the National Vulnerability Database reported a Cross-Site Scripting vulnerability within the plugin, panic ensued. Thankfully, a security patch was released to repair the vulnerability. But what if the plugin didn’t receive updates?

3. No legitimate reviews

Checking customer reviews is one of the best ways of verifying a genuine plugin or theme. When checking reviews, pay particular attention to the following:

  • Recent reviews: These reflect the most up-to-date experiences with the plugin, especially its compatibility with current WordPress versions.
  • Total reviews: The more reviews a plugin or theme has, the better. This gives you a wide selection of user experiences to learn from.
  • Average rating: Clicking through the different star ratings of a plugin or theme helps identify the product’s common problems (or benefits).
  • Legitimate reviews: Only trust reviews that explain or document what the plugin does or doesn’t do. Attackers can use AI bots to inflate engagement and post fraudulent, bland, generic reviews that make a product look more popular than it is.
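The first three signs (downloads, update recency, reviews) can be checked programmatically against the public WordPress.org plugin directory API. The following is an added example, not code from the article; it assumes the `plugin_information` response fields (`active_installs`, `last_updated`, `num_ratings`, `ratings`, `tested`) and runs offline against a constructed record, with a live fetch helper for real slugs.

```python
"""Check a WordPress.org plugin record against the red flags above."""
import json
from datetime import datetime, timezone

# Constructed sample (values made up) in the shape returned by
# https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>
SAMPLE_INFO = json.loads("""{
  "name": "Example SEO Booster", "slug": "example-seo-booster",
  "version": "1.0.2", "tested": "5.8",
  "last_updated": "2021-03-02 9:14am GMT",
  "active_installs": 40, "downloaded": 310,
  "rating": 100, "num_ratings": 3,
  "ratings": {"1": 0, "2": 0, "3": 0, "4": 0, "5": 3}
}""")
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for a reproducible run

def assess_plugin(info, now=None, max_stale_days=365,
                  min_installs=1000, min_ratings=20):
    """Return a list of red-flag strings for one plugin_information record."""
    now = now or datetime.now(timezone.utc)
    flags = []
    installs = info.get("active_installs", 0)
    if installs < min_installs:                      # sign 1: low adoption
        flags.append(f"low adoption: {installs} active installs")
    # last_updated looks like "2021-03-02 9:14am GMT"; the date part is enough
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d")
    age_days = (now - updated.replace(tzinfo=timezone.utc)).days
    if age_days > max_stale_days:                    # sign 2: no recent updates
        flags.append(f"stale: last update {age_days} days ago, "
                     f"tested up to WP {info.get('tested')}")
    n = info.get("num_ratings", 0)
    if n < min_ratings:                              # sign 3: few reviews
        flags.append(f"few reviews: {n} ratings")
    five_star = info.get("ratings", {}).get("5", 0)
    if 0 < n < 50 and five_star == n:                # sign 3: uniform, tiny sample
        flags.append("suspicious: every rating is 5 stars on a tiny sample")
    return flags

def fetch_plugin_info(slug):
    """Fetch a live record from WordPress.org (network access required)."""
    from urllib.parse import urlencode
    from urllib.request import urlopen
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen("https://api.wordpress.org/plugins/info/1.2/?" + query,
                 timeout=10) as resp:
        return json.load(resp)
```

`assess_plugin(SAMPLE_INFO, now=AS_OF)` raises all four flags for the constructed record; `assess_plugin(fetch_plugin_info("some-slug"))` does the same check against a live directory entry. The thresholds are assumptions to tune for your own risk appetite.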

4. Unusual activity or file sizes

When downloading a WordPress theme or plugin from an external site, you should examine the file size of the download.

Most basic themes can be between 1 and 10 MB, while plugins are generally 5 to 10 MB. A file noticeably larger than this may be bundling something other than what it claims to be.

5. Reduced web traffic

A sudden and unexplained drop in visitors to your site can indicate that a recently installed plugin or theme is malicious. This is because malware might redirect your visitors to dangerous phishing sites when they try to click on links.

Problematic plugins and themes can also harm your ranking across many search engines like Google or Bing, as they warn users if they suspect your site has become compromised.

6. Slower performance

If your WordPress site has become sluggish after installing a new theme or plugin, this should be a major red flag to reverse the installation and scan for potential malware.

Online tools like Google Search Console include several website performance reports that can help you identify whether your site is underperforming and which theme or plugin could be causing it.

7. Membership plugins

Be careful with plugins that enable and encourage account creation on your WordPress site. Through them, new accounts can gain considerable control over the site, introduce an infection, or overload it.

If you notice an influx of new accounts being created with spam-like names and email addresses, consider revoking account creation access to limit any further attacks.
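One way to turn "an influx of spam-like accounts" into a concrete check is to look for bursts of random-looking logins in the user list. This is an added example, not from the article; the "spam-like" heuristic and the threshold are assumptions, and the input is a constructed sample in the CSV shape WP-CLI's `wp user list` produces.

```python
"""Spot a burst of spam-like registrations in WP-CLI user-list output."""
import csv
import io
import re

# Constructed sample (values made up) in the shape of:
#   wp user list --fields=user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """user_login,user_email,user_registered
admin,owner@example.com,2022-01-10 09:12:00
jane_doe,jane@example.com,2023-05-03 14:20:11
xk29fq1z,xk29fq1z@mailx.example,2024-06-01 03:14:02
qp77mm0a,qp77mm0a@mailx.example,2024-06-01 03:14:09
zz41ab9c,zz41ab9c@mailx.example,2024-06-01 03:14:15
rt83nn2d,rt83nn2d@mailx.example,2024-06-01 03:14:21
"""

# Login of 8+ lowercase letters/digits with at least one digit and no separators
RANDOM_LOGIN = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$")

def looks_spammy(login, email):
    """Assumed heuristic for 'spam-like': random-looking login reused as the mailbox name."""
    return bool(RANDOM_LOGIN.match(login)) and email.split("@")[0] == login

def registration_bursts(csv_text, per_hour_threshold=3):
    """Return {"YYYY-MM-DD HH": [logins]} for hours with >= threshold spam-like sign-ups."""
    by_hour = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if looks_spammy(row["user_login"], row["user_email"]):
            hour = row["user_registered"][:13]  # truncate timestamp to the hour
            by_hour.setdefault(hour, []).append(row["user_login"])
    return {h: logins for h, logins in by_hour.items()
            if len(logins) >= per_hour_threshold}
```

Once a burst is confirmed, `wp option update users_can_register 0` switches off open registration (the "Anyone can register" setting), which is the revocation this section recommends.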


3 simple solutions to protect your WordPress site

1. VPN

A VPN (virtual private network) is a helpful cybersecurity tool that can help protect all your online activity, including your WordPress site.

It does this by routing your traffic through the VPN provider’s servers, hiding your IP address and encrypting the connection, thus keeping private information away from prying eyes. A VPN can give you peace of mind when working on your WordPress site, even on public Wi-Fi networks. Our suggestion? Take out a VPN trial, and see first-hand the protection it can give your WordPress site.

2. Security plugins

WordPress has many great antivirus plugins that help keep your site healthy and running smoothly. They can highlight any plugin or theme causing your site to underperform and flag if and when they’re out of sync with the current version of WordPress. Just remember to pick reputable plugins that are regularly updated!

3. Perform regular back-ups

You should perform regular back-ups of all your WordPress files. In the event of a hack, you can restore your files and web pages without installing recent plugins or themes that might have compromised your security.


I am a committed and seasoned content creator with expertise in the realms of technology, marketing, and WordPress. My initial foray into the world of WordPress occurred during my time at WebFactory Ltd, and my involvement in this field continues to grow. Armed with a solid background in electrical engineering and IT, coupled with a fervor for making technology accessible to the masses, my goal is to connect intricate technical ideas with approachable and captivating content.
