Many CMSs, mainly open source, offer hundreds of plug-ins to enhance the functionality of the websites and the CMS. Some are useful, many are not. A certain degree of redundancy exists. They are often created by the community or anonymous third-party companies, which makes it almost impossible to track security standards. Especially in the PHP world, thorough testing and coding standards are not a priority. Those plug-ins usually become a back door to access the company’s data on the servers.
According to Imperva, “98% of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog”. Security breaches caused by using unsecured plug-ins might compromise enterprises in a far different way, allowing hackers to change content on websites, exploit personal data or even install malware. In the age of GDPR, this should not be ignored.
Other plug-ins, especially those available for commercial CMSs, are difficult to adjust or enhance. At best, the support of a developer is needed. At worst, those plug-ins don’t work, causing code breaks that require PHP or Java specialists to locate and fix errors.