Most WordPress exploits don’t take place through the core WordPress install, but through plugins, which are mostly unvetted and sometimes designed by amateur coders. Here at FOSS Force, our policy is to look for plugins designed by companies that specialize in WordPress plugins, and will use them over others if they suit our needs. This is not always possible, so we also look at how many times a plugin has been downloaded, its changelog to determine how well its being maintained, and user satisfaction.