- Regularly install WordPress core and plugin updates so that you are always running code that carries the latest security patches.
- Use a modern, updated WordPress theme. Older themes often bundle plugins that haven’t been patched and can introduce vulnerabilities.
- When researching any plugin, check the date it was last updated and its WordPress version compatibility. Avoid older plugins, as they haven’t been tested against the current WordPress version.
- When deciding between plugins with similar functionality, choose the ones with more active installs and better ratings. Generally speaking, such popular plugins are updated regularly and carry a lower risk.
- Even inactive plugins on your WordPress site pose a security risk. Delete the plugins you don’t need and don’t actively use. The fewer plugins you run, the fewer options a hacker will have.
- No plugin is 100% safe, but the WordPress Plugin repository (https://wordpress.org/plugins/) vets each plugin it hosts before offering it to users. Only download plugins from the repository and from third-party theme and plugin developers known to be reputable.
- Use WPScan’s Vulnerability Database (https://wpvulndb.com/) to monitor plugins known to have vulnerabilities, as well as to learn when they are patched.
based on https://www.incapsula.com/blog/wordpress-plugin-vulnerabilities.html
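The checklist above (update age, tested core version, adoption, rating, inactive-but-installed) can be turned into a repeatable audit. The following is an added example, not code from the original page or its source: it assumes plugin metadata shaped like the wordpress.org plugin info API fields `last_updated`, `tested`, `active_installs` and `rating`, a site-side status such as wp-cli's `wp plugin list` reports, and constructed threshold values and sample plugins.

```python
from datetime import datetime, timedelta

# Policy thresholds expressing the checklist (constructed values, tune per site).
MAX_AGE_DAYS = 365           # flag plugins not updated within a year
MIN_ACTIVE_INSTALLS = 10_000 # "greater numbers of active installs"
MIN_RATING = 80              # wordpress.org ratings are 0-100
CURRENT_WP = (6, 4)          # assumed current core major.minor
AUDIT_DATE = datetime(2024, 4, 1)  # fixed "today" so the run is reproducible

def parse_version(v):
    """'6.4.2' -> (6, 4); tolerate 'trunk' or empty strings seen in the API."""
    parts = []
    for p in v.split(".")[:2]:
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts) if parts else (0, 0)

def audit_plugin(info, status, today):
    """Return findings for one plugin; `status` is 'active' or 'inactive'."""
    findings = []
    if status == "inactive":
        findings.append("inactive: still exposed while installed, delete it")
    # last_updated is assumed to lead with an ISO date, e.g. '2024-03-01 9:00am GMT'
    last = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d")
    if today - last > timedelta(days=MAX_AGE_DAYS):
        findings.append(f"stale: last updated {last.date()}")
    if parse_version(info["tested"]) < CURRENT_WP:
        findings.append(f"untested on current core (tested up to {info['tested']})")
    if info["active_installs"] < MIN_ACTIVE_INSTALLS:
        findings.append(f"low adoption: {info['active_installs']} active installs")
    if info["rating"] < MIN_RATING:
        findings.append(f"low rating: {info['rating']}/100")
    return findings

def audit_site(plugins, today):
    """Map slug -> findings for every installed plugin that has at least one."""
    report = {}
    for slug, (info, status) in plugins.items():
        findings = audit_plugin(info, status, today)
        if findings:
            report[slug] = findings
    return report

# Constructed sample: slug -> (API-style metadata, site-side status).
SAMPLE_PLUGINS = {
    "well-maintained-forms": ({"last_updated": "2024-03-01 9:00am GMT", "tested": "6.4.3",
                               "active_installs": 500_000, "rating": 94}, "active"),
    "old-gallery": ({"last_updated": "2019-06-12 4:10pm GMT", "tested": "5.2",
                     "active_installs": 3_000, "rating": 62}, "inactive"),
}
```

Feeding real `wp plugin list --format=json` output and per-slug API responses into `audit_site` gives a hygiene report that covers every point on the checklist except the vulnerability-database lookup.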