Many CMSs, mainly open source, offer hundreds of plug-ins to enhance the functionality of the websites and the CMS. Some are useful, many are not, and a certain degree of redundancy exists. They are often created by the community or by anonymous third-party companies, which makes it almost impossible to track their compliance with security standards, especially in the PHP world, where thorough testing and coding standards are not a priority. Those plug-ins are potential back doors to the company’s data on the servers, as they usually have full access to all of it.
According to Imperva, “98 % of WordPress vulnerabilities are related to plug-ins, which extend the functionality and features of a website or a blog” [1]. Security breaches caused by insecure plug-ins can compromise enterprises in a completely different way, allowing hackers to change content on websites, exploit personal data or even install malware. In the age of GDPR, this can lead not just to bad PR but also to significant fines from the data protection authorities.
Other plug-ins, especially those available for commercial CMSs, are difficult to adjust or enhance. At best, the support of a developer is needed. At worst, those plug-ins don’t work and cause code to break, requiring PHP or Java specialists to locate and fix errors.