Hosting your plugin demo on it’s own standalone site is optional but strongly recommended.
Protect Your Live Site(s) From Hacking
By definition, most plugin demos allow random Internet users to log into the demo site’s WordPress back-end. And although this is a very stripped-down back-end (that allows users to do little more than run your plugin and Logout), there’s still the chance (as with any other web-site), that malicious users will find a way to hack into the site and trash it.
Obviously then, if the demo site does get hacked, and you host that demo site along with any other live sites you have (for example, the sites from which you sell and support the plugins you’re demonstrating) – then you’re just going to make a bad situation worse, by compromising those live sites too.
De-Hacking a Demo Site
If a demo site does get hacked, cleaning it up is usually reasonably easy. You can for example simply delete it. And then re-install WordPress, WP Plugin Demos, the plugin you want to demonstrate, and any demo data/content you may have.
Whereas de-hacking a live site can be a massively time-consuming (as in days, weeks and months) – and sometimes totally impossible – task.
A Basic Hosting Plan is Usually All That’s Required
Demo sites need not be expensive to host. They usually have very little traffic – so your web hosting company’s smallest hosting plan will almost certainly do.
Extra Security Precautions
As with any WordPress site, you can cut the risk of your demo site being hacked by following these two simple precautions:-
Use a genuinely random and long “admin” username and password.
You probably won’t be logging into the demo site very much. So long and hard-to-guess is much more important than short and easy to type/remember.
Install “Login LockDown” (or any similar plugin).
These (mostly free) plugins eliminate the risk of robots and patient hackers bombarding your site with username/password guesses until they get lucky. So they’re well-worth the few minutes taken to install and configure them.