When operating a dedicated server with more website users than just yourself, you always run the risk of getting attacked because of a security hole in a user-installed script. That situation is now compounded by the fact that users also install plugins and extensions for their blogs and content management systems like WordPress and Joomla.
Are extensions and plugins a security risk? How can you make sure they do not hurt other users or the server? As with any security issue, there are general precautions you can take.
1. Make sure the user has no additional privileges outside of his or her chroot environment.
2. Remind users to check the permissions on scripts so that attackers cannot use them to piggyback onto another system.
3. Do not allow root login under any circumstances.
4. Keep an eye on logs to see if any scripts are behaving unusually.
5. Disable scripts with known problems, and direct users to viable alternatives.
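
One way to run the permission check from item 2 across a user's web root, as an added example that is not part of the original article. The function name `audit_webroot` and the finding tags are hypothetical, and the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit one user's web root for permissions that let other
# local accounts, or a compromised plugin running as another user, modify
# or abuse that user's files. Names and tags here are illustrative.

# audit_webroot DIR
# Prints one finding per line as "<TAG> <path>". Prints nothing when clean.
audit_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_webroot: not a directory: $root" >&2
        return 2
    fi

    # World-writable regular files: any local account can rewrite the
    # script, and the web server will then execute the new content.
    find "$root" -type f -perm -0002 \
        -exec printf 'WORLD_WRITABLE_FILE %s\n' {} +

    # World-writable directories: any local account can drop a new script
    # next to the legitimate ones (typical for upload and cache folders).
    find "$root" -type d -perm -0002 \
        -exec printf 'WORLD_WRITABLE_DIR %s\n' {} +

    # setuid/setgid files have no place in a web root; they run with the
    # file owner's or group's privileges instead of the caller's.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID_FILE %s\n' {} +

    # Symlinks that resolve outside the web root can expose files
    # belonging to other users or to the system.
    real_root=$(cd "$root" && pwd -P)
    find "$root" -type l | while IFS= read -r link; do
        dir=$(dirname "$link")
        dest=$(cd "$dir" 2>/dev/null && cd "$(dirname "$(readlink "$link")")" \
               2>/dev/null && pwd -P) || continue
        case "$dest/" in
            "$real_root"/*) ;;                       # stays inside: fine
            *) printf 'SYMLINK_OUTSIDE_ROOT %s\n' "$link" ;;
        esac
    done
    return 0
}

# Usage (placeholder path): audit_webroot /path/to/user/public_html
```

Running this from cron for each hosted account and mailing any non-empty output to the administrator also supports item 4, since new findings usually appear right after a plugin install.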