WordPress security audit: what we found in one afternoon

Illustrated virus and bacteria icons with a syringe representing WordPress plugin vulnerabilities found during a security audit

A client recently approached us with a common request. They wanted a brief audit of their WordPress site. Nothing urgent, they said. They were confident their security was solid. They had a developer who built it years ago, and it had never caused any real problems.

We logged in. Within the first few minutes, something stood out.

Five custom plugins sat in their plugin directory. Each one looked like it had been purpose built, probably years ago, to solve a specific gap the site had at the time. They were not from the WordPress repository. They had no update history. There was no documentation, no version control, and no indication that anyone had reviewed them since they were first installed.

This is where the audit got interesting.

The problem with custom plugins that nobody maintains

Before we go further, it is important to be clear about something. Custom plugins are not inherently dangerous. Developers build them every day for legitimate reasons, and a well coded custom plugin can be exactly what a site needs. The issue is not that these plugins were custom. The issue is that they were abandoned.

When a plugin, custom or otherwise, sits untouched for years, it becomes a liability. WordPress core evolves. PHP versions change. Security standards shift. A plugin written in 2016 or 2017 may not account for any of the coding practices or threat vectors that are considered baseline requirements today.

Now multiply that risk by five.

And then add the other 60 or so plugins this site was also running.

That is not a typo. This site had approximately 65 plugins active at once. Each plugin represents a point of potential failure. Each one is a door. Some of those doors are steel reinforced and regularly inspected.

What we found inside the custom plugins

We ran an initial scan on one of the five custom plugins. What came back was a clear indicator of how far below current standards these plugins were sitting.

Unsanitised output throughout the codebase.

In WordPress development, sanitisation is the process of cleaning data before it is output to the browser or stored in a database. When a plugin outputs data without sanitising it first, that data can be manipulated. Attackers can inject malicious code into that output, which then runs in the browser of anyone who visits the page. This is the foundation of cross-site scripting attacks, one of the most common and damaging vulnerability types in WordPress.

The plugin we scanned had this problem throughout its codebase. Not in one isolated function. Throughout.

Given the age and construction style of the remaining four plugins, it is reasonable to expect similar issues would surface under a full audit of each one.
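To make the finding concrete, here is an added illustration (not code from the audited plugins): a hypothetical shortcode that echoes a query-string value, first in the unescaped form the scanner flags, then rewritten with WordPress's own sanitisation and escaping functions. The shortcode name and the `ref` parameter are assumptions.

```php
<?php
// Added example, not the client's plugin code. A hypothetical shortcode that
// prints a "referred by" line taken from the query string.

// UNSAFE: request data goes straight into the HTML with no escaping, so
// whatever a visitor puts in ?ref= becomes part of the page. This is the
// pattern the scan reported throughout the custom plugin.
function kb_unsafe_ref_shortcode() {
    $ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    return '<p class="ref">Referred by: ' . $ref . '</p>';
}

// HARDENED: sanitise on the way in, then escape on the way out using the
// function that matches the output context (esc_html for text between
// tags, esc_attr inside an attribute, esc_url for a link target).
function kb_safe_ref_shortcode() {
    $ref = isset( $_GET['ref'] )
        ? sanitize_text_field( wp_unslash( $_GET['ref'] ) )
        : '';
    if ( '' === $ref ) {
        return '';
    }
    return sprintf(
        '<p class="ref" data-ref="%s">Referred by: %s</p>',
        esc_attr( $ref ),   // attribute context
        esc_html( $ref )    // text-node context
    );
}

// Only the hardened version is ever registered.
add_shortcode( 'kb_referrer', 'kb_safe_ref_shortcode' );
```

A code review of a plugin like the ones in this audit is largely a search for every `echo`, `print` and string concatenation that reaches the page without one of these `esc_*` calls in front of it.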

The Gravity Forms data flow with no security layer

The second finding was more immediately concerning from a data perspective.

This site was using Gravity Forms, which is a legitimate and widely used form plugin, to collect and transmit information. Nothing unusual about that. However, one of the custom plugins was intercepting that form data and sending it to a third party endpoint.

There was no authentication on that flow. No verification that the receiving endpoint was legitimate. No token, no signature check, no encryption layer on the transmission itself. The data was simply leaving the site and going somewhere else, with nothing in place to confirm where it was going or who could intercept it along the way.
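As an added example of what that flow should have looked like (this is not the client's integration), the snippet below forwards a Gravity Forms submission to an external endpoint with the missing controls in place: HTTPS only, certificate verification left on, an allow-listed destination host, only the needed fields, and an HMAC signature the receiver can check. The endpoint URL, host, form and field IDs and the two constants are assumptions.

```php
<?php
// Added example, not the audited site's code. Forwards one Gravity Forms
// submission to a third party with origin and transport checks in place.

// Destination and shared secret belong in wp-config.php, not in the plugin:
// define( 'KB_CRM_ENDPOINT', 'https://crm.example.com/api/leads' );  // assumed
// define( 'KB_CRM_SECRET',   'long-random-value-from-the-receiver' ); // assumed

add_action( 'gform_after_submission', 'kb_forward_submission', 10, 2 );

function kb_forward_submission( $entry, $form ) {
    // Export only the one form we intend to, not every form on the site.
    if ( 3 !== (int) $form['id'] ) {          // form ID 3 is assumed
        return;
    }

    // Send only the fields the receiver needs, never the whole entry.
    $payload = wp_json_encode( array(
        'name'  => rgar( $entry, '1' ),        // field IDs assumed
        'email' => rgar( $entry, '2' ),
        'ts'    => time(),
    ) );

    // Refuse to transmit unless the destination is HTTPS on the expected host.
    $host = wp_parse_url( KB_CRM_ENDPOINT, PHP_URL_HOST );
    if ( 0 !== strpos( KB_CRM_ENDPOINT, 'https://' ) || 'crm.example.com' !== $host ) {
        error_log( 'kb_forward_submission: refusing unexpected endpoint' );
        return;
    }

    // HMAC over the exact body lets the receiver verify who sent it and
    // that it was not altered in transit.
    $signature = hash_hmac( 'sha256', $payload, KB_CRM_SECRET );

    $response = wp_remote_post( KB_CRM_ENDPOINT, array(
        'timeout'   => 10,
        'sslverify' => true,                   // never switch this off
        'headers'   => array(
            'Content-Type'   => 'application/json',
            'X-KB-Signature' => 'sha256=' . $signature,
        ),
        'body'      => $payload,
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        error_log( 'kb_forward_submission: delivery failed for entry ' . rgar( $entry, 'id' ) );
    }
}
```

The receiving endpoint recomputes `hash_hmac( 'sha256', body, secret )` over the raw request body and rejects anything whose header does not match; without that check on the far side the signature buys nothing.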

Depending on what that form was collecting, and we were not able to determine the full scope in a brief audit, this represents a significant data exposure risk. In Australia, the Privacy Act 1988 and the Australian Privacy Principles place clear obligations on organisations that collect personal information. A flow like this, where data is transmitted to a third party without any verifiable security, is the kind of thing that attracts regulatory attention after a breach, not before one.

This is the gap between feeling secure and being secure.

You are never truly secure, but routine monitoring changes everything

Here is the honest truth that no one in this industry likes to say clearly. There is no such thing as a permanently secure website. Security is not a destination. It is an ongoing process.

The site we audited was not built by careless people. The original developers solved real problems with those custom plugins. The Gravity Forms integration presumably worked exactly as intended when it was set up. But websites exist in a threat landscape that changes constantly. What was acceptable practice five years ago may be a critical vulnerability today.

The difference between a site that gets quietly compromised for years, as we have seen in other cases like the dual malware infection we documented previously, and a site that catches issues early, is routine maintenance and monitoring. Full stop.

According to our own work documented at kinskiandbourke.com, malware can sit on a WordPress site for years before the owner becomes aware of it. In that case, the infection had been active long before any maintenance request came through. The cost of cleaning up after a prolonged infection, both technically and reputationally, far exceeds the cost of preventing it.

What routine WordPress maintenance actually covers

A proper WordPress maintenance plan is not just plugin updates. That is one component. The work that actually protects you looks like this:

  • Malware scanning and removal with firewall implementation and suspicious activity monitoring
  • Code level review of custom plugins and theme files for unsanitised output and outdated functions
  • Data flow auditing to identify any third party transmissions that lack proper authentication
  • Plugin rationalisation to reduce the attack surface by removing what is not needed
  • Core and plugin updates with compatibility testing and rollback capability
  • Uptime and performance monitoring so issues are caught before customers experience them

As outlined in our maintenance plans, the goal is zero successful hack attempts on maintained sites. That outcome requires proactive, layered security, not a one time setup and a hope for the best.

What this audit tells you about your own site

If your site has custom plugins that have not been reviewed recently, this post is relevant to you. If your site is running a large number of plugins from various sources, this post is relevant to you. If your forms are transmitting data to third parties and you are not entirely certain what security is on that flow, this post is especially relevant to you.

The audit we ran was brief. The findings were significant. A full review of this site would almost certainly surface more.

Your site deserves the same scrutiny. If you would like us to take a look, our maintenance plans are designed for exactly this kind of ongoing protection. You can review what is included and get in touch with our team to find the right fit for your site.

Photo by Monstera Production