At a recent WP Meetup about Database plugins I was faulted for not citing which of the plugins being reviewed had been banned by WordPress or other vendors . Yes, I was aware of banned plugins. But I had never deliberately looked for them However, a Securi note that 78% of hacked websites used WordPress confirmed that knowing more about banned plugins and how to control them was worth the while.
So a search for banned plugins lead to Aditya Kane’s list of banned WordPress plugins. From there Flywheel, Kinsta,, WordPress.com and WPEngine appeared to have broad and most extensive lists of banned and disallowed plugins. Other sources such as SimplePage.com, Mediatemple and Godaddy. provided their lists. So a thorough review of banned plugins plus strategies to identify and control them became dual priorities. The idea was to know the banned plugins and advise clients on simple security procedures to check them and their security weaknesses.
The List of Banned Plugins
Although we had expected to find a number of banned plugins, the surprise was that many of the banned plugins were cited not for virus vulnerabilities but for duplicate or redundant features and functionality. Flywheel, Kinsta,, WordPress.com and WPEngine have delivered a broad list of banned and disallowed plugins. Here is the compiled list of the banned plugins:
Please wait while flipbook is loading. For more related info, FAQs and issues please refer to DearFlip WordPress Flipbook Plugin Help documentation.
- Plugins that have been deliberately weaponized with hack trapdoors, tracking codes and/or other malaware;
- Plugins which have had major virus vulnerabilities in the recent past;
- Plugins that have not been updated in the past 2 or more years and are therefore more likely succumb to to hack attack or conflicts with either the the WordPress Core Code or fast moving theme generations or other plugins;
- Plugins that have a poor support record or low ratings at the WordPress.org directory of plugins;
- Advisories on how to identify and control such flawed plugins;
- Strong agreement among the vendors as to which plugins should be banned.
But in fact inspection of thefull banned list show only six plugins which have either contained deliberate malware code or have been sloppy with major vulnerabiilities that hackers have used. In fact, users will have to go to security vendor blog at Securi or WordFence in order to keep track of bad plugins, and their impact on Core WordPress, and plugins.
Why Plugins Got Banned
When one examines the banned list of plugins several things stand out:
- First, one would expected to see strong agreement among the vendors as to which plugins were to be banned; but only among the Backup, and Caching group of plugins was there some agreement among vendors on which plugins were to be banned;
- For most of the plugins there was no consensus among the vendors as to which should be banned;
- Also , only one vendor, Mediatemple, had an extensive list of malicious or vulnerable plugins;
- Only one vendor screened plugins for poor support or lack of updates;
- But all the vendors faulted plugins mostly for duplicate features and possible performance issues.
So in compiling the banned plugins there were two expectations – these vendors would provide a detailed list of plugins to avoid due to their vulnerabilities or malicious code. Also a second purpose was to find some guidelines for WordPress website security against such plugin and their use. However, even on casual perusal, it became obvious that the vendors were identifying plugins that were redundant because they duplicated their own managed hosting services – especially backup and performance tuning. Talk about disappointment.
How Banned Plugins and Themes Should Be Cited
Ithemes is producing a monthly or more frequent report on WordPress Vulnerabilities. The Roundup Reports do not mince words and cite in October alone 13 plugins and 16 themes for becoming infected. And as seen below, their verdicts are sharp:
No ambiguity or self-interest, just the vulnerability facts,
So in order to get a leg up on best practices regarding flawed WordPress plugins, a little DIY work would be required. Here is our list of recommendations gathered during the search for banned plugins:
- Use strong, memorable passwords[they really work and are much easier to remember]. Also if you have 5 or more passwords, use a Password Manager which encrypts your passwords in a Cloud Vault.It used to be good practice to change your passwords once every 6 months or year. Now using a password manager makes quarterly or monthly changes easier to do;
- Update your WordPress Core code, plugins and themes regularly. Regularly used to be once a quarter if not half a year. Now it is more likely once month or week. Fortunately, WordPress 5.51 makes this easier. All free plugins and themes can be designated for immediate update as the WordPress Core is. But this leaves out a sizable number of plugins on my websites, so manual updates are required. Also this immediate update can go awry. For example when the Advanced Editor Tools (formerly Tiny MCE Advanced) was auto-updated, it conflicted with the Elementor and sent many developers scurrying to find the conflicting plugin.
- Use a backup plugin. Yes, most Hosting Services provide some backups. However, being able to schedule, do partial backups, or do on-demand backups is the strength of the WP Backup plugins;
- Use a WordPress Security firewall on all your websites. These tools not only identify lurking mlaware that has managed to sneak onto your site, but also defend against DDOS(Direct Denial of Service) and other hack attacks. In addition the tools harden your website against malicious backdoor incursions. Also they fend off attacks with SSL (available as free service on most Hosting Services) and other encryption tools. Finally add a good firewall on all your mobile phones, PCs and other client devices.
- Be sure to read the excellent free blogs on WordPress Security trends from WebARX, InfoSecurity, Securi and Wordfence. .These advisories have been timely. For example in the hack-attack cases on WPBakery [4 million] and Metaslider [800,00 users] as reported in October 2020 my clients got timely cautions;
- Never use nulled out premium themes and plugins. These illegitimately “free” themes and plugins are repositories for malware containing hacking trapdoors, hidden tracking readers, and other hack attack tools;
- Actively educate your clients and employees on your Web Security strategies and guidelines.
The bottom line is do not look to accounts on “banned” plugins for insights on how to tighten WordPress security. Rather, focus on developing your own DIY WordPress Security strategy customized for your business.. For more detailed security approaches check out CodeinWP, WPBeginner , this blog or Vigorous. Ransomware is proof that criminal hackers will target businesses small as well as large. to cripple your business for their gain. Be prepared.