Last week, there was a controversy around a popular WordPress plugin, created by Pipdig. The plugin was found to contain code that enabled the author to change a site’s admin password, erase the entire database, arrange DDoS attacks, change settings and manipulate blog content.
Inserting code like this into a plugin is obviously inexcusable. As far as I’m aware this is the first case of such blatant abuse in the WordPress community. But this raises an issue that I think not enough WordPress users are aware of:
A plugin, when installed and activated on your WordPress website, can do almost anything. Using a plugin requires significant trust in the author’s intentions. It’s like giving someone a key to the house and the combination to the safe.
So, in short, the answer is almost always “no”. Check user reviews, stick to the official plugin repository, check the code if you can. Running third party code is always a security risk.