Right now, we are in sort of a Wild West era for marketplaces. Hopefully in the near future security requirements will be put in place for all plugins, apps and programs that we use from a marketplace. Until then, you would be wise to remember that just because it is available, that doesn't mean it is secure.
For WordPress admins specifically, here are some recommendations from the Checkmarx folks:
1. Download plugins only from reputable sources. For WordPress, this means WordPress.org. Since anyone can develop a WordPress plugin, attackers can exploit that openness to hide a malicious plugin of their own. Going through a reputable marketplace does not guarantee that every plugin is harmless, but treat it as a first line of defense.
2. Verify the plugin's security posture by scanning it for security issues. If you have the source code, and you most probably do since plugins are open source, run a static source code analysis tool, which will give you the plugin's "bill of health." Advanced scanners can even point you to the optimal and quickest fix recommendations. If you cannot get at the plugin's source code, you can run one of the WordPress dynamic security scanner plugins. The downside? These test only specific scenarios, so the scanners lose out on coverage.
3. Ensure all your plugins are up to date. Do not ignore those notification emails about an upgraded plugin version. You can even use a purpose-built WordPress plugin that notifies admins of updates to other installed plugins. There are also third-party services that provide plugin update notification and management.
4. Remove any unused plugins. The code of old, unused plugins remains on the server even when the plugins are inactive. Schedule plugin spring cleaning as part of your WordPress site admin activities.
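A small shell audit covering recommendations 3 and 4, added here as an example that is not from the article or from Checkmarx. It assumes WP-CLI is installed on the server and parses the CSV output of `wp plugin list`; a constructed sample inventory stands in for a live site so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): flag installed WordPress plugins that
# need updating and plugins that are inactive but still present on disk.
# Assumes WP-CLI is available on the server for the live run at the bottom.

# Constructed sample standing in for:
#   wp plugin list --format=csv --fields=name,status,update,version
SAMPLE_INVENTORY='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
old-gallery,inactive,available,1.0.4
contact-form-7,active,available,5.9'

# Recommendation 3: plugin names whose "update" column says an update exists.
plugins_needing_update() {
  printf '%s\n' "$1" | awk -F, 'NR>1 && $3=="available" {print $1}'
}

# Recommendation 4: plugins that are installed but inactive. Their code is
# still on the server even though WordPress is not loading it.
unused_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR>1 && $2=="inactive" {print $1}'
}

# One line per finding, suitable for a cron job that mails the admin.
audit_report() {
  inv="$1"
  for p in $(plugins_needing_update "$inv"); do printf 'UPDATE  %s\n' "$p"; done
  for p in $(unused_plugins "$inv"); do printf 'REMOVE  %s\n' "$p"; done
}

# Offline demonstration on the constructed inventory.
audit_report "$SAMPLE_INVENTORY"

# Live run on a real site (uncomment on the server where WP-CLI is installed):
# audit_report "$(wp plugin list --format=csv --fields=name,status,update,version)"
```

A plugin that is both inactive and out of date, like old-gallery in the sample, shows up in both lists, which is exactly the case recommendation 4 is about: stale code with no one updating it.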