One of the greatest things about WordPress is the ability to find a plugin for just about anything. In fact, their developer community is second to none when it comes to CMS add-ons.
Since plugins are a big draw to the WordPress platform, it’s common for many site admins to add a lot of plugins to their site. I call this the plugin honeymoon period, because it’s inevitable that at some point one of their plugins is going to fail. And many times when the plugin fails, the site will fail with it.
5 Questions To Ask To Minimize WordPress Plugin Risk
Every time you add a new plugin to WordPress, you increase your site’s risk of failure. Each plugin adds new code that usually overrides some part of WordPress’ core functionality. There are several questions site admins should ask when considering plugins.
1. Is the plugin being actively developed?
There’s a lot of abandonware in the WordPress plugin world. One of the first things you should do when considering a plugin is to see when it was last updated. Yoast frequently updates his WordPress SEO plugin and it’s highly rated, making it much more trustworthy. However, if you come across a plugin that hasn’t been updated in years, you may want to keep looking.
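A quick way to put numbers behind the "when was it last updated" check is to read the plugin's metadata from the WordPress.org plugin information API and score it. The script below is an added example (not tooling from this article); it assumes the JSON shape of https://api.wordpress.org/plugins/info/1.0/<slug>.json, specifically the fields "last_updated", "tested", "version", "rating" and "num_ratings". The two plugin records it uses are constructed samples, not real API responses.

```python
"""Assess WordPress.org plugin metadata for signs of abandonment.

Added example (not the article's own tooling). It assumes the JSON shape of
the WordPress.org plugin information API
(https://api.wordpress.org/plugins/info/1.0/<slug>.json), from which it reads
"last_updated", "tested", "version", "rating" and "num_ratings". The two
records below are constructed samples, not real API responses.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample responses shaped like the plugin info API (hypothetical plugins).
SAMPLE_RESPONSES = {
    "fresh-seo": json.dumps({
        "name": "Fresh SEO (hypothetical)",
        "version": "4.2.1",
        "last_updated": "2024-05-01 3:40pm GMT",
        "tested": "6.5.2",
        "rating": 94,
        "num_ratings": 1200,
    }),
    "old-widget": json.dumps({
        "name": "Old Widget (hypothetical)",
        "version": "1.0",
        "last_updated": "2016-02-11 9:02am GMT",
        "tested": "4.4",
        "rating": 80,
        "num_ratings": 3,
    }),
}


def parse_date(value):
    """Parse the leading 'YYYY-MM-DD' of a timestamp such as '2024-05-01 3:40pm GMT'."""
    match = re.match(r"(\d{4}-\d{2}-\d{2})", value)
    if not match:
        raise ValueError("unrecognised date value: %r" % value)
    return datetime.strptime(match.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def major_minor(version):
    """Reduce '6.5.2' to (6, 5) so 'tested up to' can be compared with the site's core."""
    nums = []
    for part in str(version).split(".")[:2]:
        digits = re.match(r"\d+", part)
        nums.append(int(digits.group(0)) if digits else 0)
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums)


def assess_plugin(slug, info, current_wp, now, stale_days=365, min_ratings=10):
    """Return the findings a site admin would want before installing `slug`."""
    age_days = (now - parse_date(info["last_updated"])).days
    findings = []
    if age_days > stale_days:
        findings.append("last updated %d days ago (limit %d)" % (age_days, stale_days))
    if major_minor(info.get("tested", "0")) < major_minor(current_wp):
        findings.append("tested up to %s but site runs %s" % (info.get("tested"), current_wp))
    if info.get("num_ratings", 0) < min_ratings:
        findings.append("fewer than %d ratings, reputation unknown" % min_ratings)
    # Staleness is the strongest abandonment signal; other findings only raise risk to medium.
    risk = "high" if age_days > stale_days else ("medium" if findings else "low")
    return {"slug": slug, "age_days": age_days, "findings": findings, "risk": risk}


def assess_all(responses, current_wp, as_of):
    """Parse each raw JSON response and assess it as of date `as_of` ('YYYY-MM-DD')."""
    now = parse_date(as_of)
    return {slug: assess_plugin(slug, json.loads(raw), current_wp, now)
            for slug, raw in responses.items()}


if __name__ == "__main__":
    for slug, result in assess_all(SAMPLE_RESPONSES, "6.5", "2024-06-01").items():
        print(slug, result["risk"], "; ".join(result["findings"]) or "no findings")
```

The one-year threshold and the ten-rating minimum are judgement calls; as the comments on this article point out, some well-written plugins go years without needing an update, so treat "high" as a reason to look closer rather than an automatic rejection.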
2. How secure is the plugin?
The security of a plugin is difficult to discern. However, one of the best ways to approach this is to consider what the plugin does in WordPress.
If the plugin affects user accounts, logging in, caching and other sensitive areas of WordPress, you may want to do some research into how it works. It’s also a good idea to search and read reviews of each plugin you’re interested in using in order to help determine if the plugin has ever been compromised.
3. Can you trust plugins that are not downloaded from WordPress’ Plugin Directory?
WordPress and its community do a very good job of spotting and reporting security and stability problems within its Plugin Directory. Unfortunately, that doesn’t apply to plugins that are distributed offsite.
Downloading and using plugins from sites other than WordPress’ Plugin Directory is a very real threat to your site. Depending on the author and their intent, they could easily include code that spams your site, or even worse, gives spammers backdoor access to it!
When considering plugins that aren’t in the Plugin Directory – similar to what has already been discussed – research the author to determine if he’s trustworthy and to make sure the plugin is still being actively developed. A good example of a plugin and author that can be trusted is Rocketgenius and their Gravity Forms plugin.
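Researching the author is the first step; the second is to look at the code itself before activating an offsite download. The script below is an added example (not from this article or any plugin vendor): a grep-style audit that walks a plugin directory and lists PHP lines using functions that obfuscated or backdoored code tends to rely on. Legitimate plugins sometimes use these too (base64_decode in particular), so a hit is a prompt for manual review, not proof of compromise. The two plugin files it writes are constructed for the demonstration.

```python
"""Grep-style audit of a plugin's PHP for constructs that deserve review.

Added example, not the article's. It walks a plugin directory and reports PHP
lines that use functions common in obfuscated or backdoored code. Legitimate
plugins sometimes use these too, so a hit is a prompt for manual review, not
proof of compromise. build_sample_plugin() writes constructed sample files.
"""
import os
import re
import tempfile

# Each pattern pairs with the reason a reviewer should look twice at the line.
RISKY_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() executes code built at runtime"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode() commonly hides a payload"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), "decoder chain typical of obfuscation"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|proc_open)\s*\("), "runs operating-system commands"),
    (re.compile(r"\bcreate_function\s*\("), "create_function() compiles a string into code"),
    (re.compile(r"(file_get_contents|curl_init)\s*\(\s*['\"]https?://"), "fetches remote content at runtime"),
]


def audit_plugin(root):
    """Return one hit dict per matching line in every .php file under `root`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for pattern, reason in RISKY_PATTERNS:
                        if pattern.search(line):
                            hits.append({"file": os.path.relpath(path, root),
                                         "line": lineno,
                                         "snippet": line.strip()[:80],
                                         "reason": reason})
    return hits


def build_sample_plugin():
    """Write a constructed two-file plugin into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="plugin-audit-")
    clean = (
        "<?php\n"
        "// Ordinary plugin code: registers a shortcode and escapes its output.\n"
        "add_shortcode('hello', function () { return esc_html('Hello'); });\n"
    )
    suspicious = (
        "<?php\n"
        "// Constructed sample of the kind of line a backdoored plugin contains.\n"
        "$blob = 'ZWNobyAnaGknOw==';\n"
        "eval(base64_decode($blob));\n"
        "$remote = file_get_contents('http://updates.example.invalid/extra.txt');\n"
    )
    with open(os.path.join(root, "clean.php"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "inc", "suspicious.php"), "w", encoding="utf-8") as fh:
        fh.write(suspicious)
    return root


if __name__ == "__main__":
    for hit in audit_plugin(build_sample_plugin()):
        print("%s:%d  %s\n    %s" % (hit["file"], hit["line"], hit["reason"], hit["snippet"]))
```

Point audit_plugin() at the unzipped plugin folder before you copy it into wp-content/plugins. A clean result does not make the plugin safe, but a plugin that decodes and evaluates strings it fetched from the internet is one you should not activate without understanding exactly why.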
4. Will this plugin cause any conflicts with other plugins I’m using?
It’s easy to find and activate plugins that seem completely different from each other, only to find out later that they override the same codebase in WordPress. When this happens, either one of the plugins overrides the other, or worse, it breaks the site.
One of the ways to avoid this is to use plugins sparingly. Aside from that, try to use plugins that do very specific things. In addition, activate plugins one at a time, and then test your site to make sure that everything is working perfectly before activating another plugin.
5. How will this plugin affect the performance of my site?
It’s common for admins to add several plugins and then get everything on their site working perfectly, only to find out that their site is now incredibly slow. Plugins are notorious for degrading site performance. So much so, that some hosting providers, like WPEngine, actually ban some plugins from being used.
The best way to test if a plugin hurts the performance of your site is to first create a baseline speed using a tool like GTmetrix. Then activate one plugin at a time, testing the speed each time. Also, don’t just rely on a speed tool, make sure you test it yourself in a browser for any noticeable differences.
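The "activate one plugin at a time and test" advice in the last two questions is easy to automate so that the conflict check and the speed check happen at the same step. The script below is an added example, not from this article; it assumes WP-CLI is installed (so `wp plugin activate <slug>` works) and that your site answers HTTP GET at the URL you give it. The rollout logic takes the activate and measure steps as callables, so the demo at the bottom runs it against constructed fakes (the plugin slugs and timings there are made up) while the two real helpers are what you would pass in for a live site.

```python
"""Activate plugins one at a time, checking that the site still answers and
how much slower each step makes it.

Added example, not the article's. It assumes WP-CLI is installed (so that
`wp plugin activate <slug>` works) and that the site serves HTTP GET at the URL
you pass. staged_rollout() takes the activate and measure steps as callables
so the procedure can be run against fakes; demo_rollout() does exactly that
with constructed slugs and timings.
"""
import statistics
import subprocess
import time
import urllib.error
import urllib.request


def wp_activate(slug, wp_path=None):
    """Activate one plugin through WP-CLI; raises if the command fails."""
    cmd = ["wp", "plugin", "activate", slug]
    if wp_path:
        cmd.append("--path=" + wp_path)
    subprocess.run(cmd, check=True)


def measure_site(url, samples=3):
    """GET `url` a few times; return (last HTTP status, median seconds).
    Status 0 means the request did not complete at all."""
    times, status = [], 0
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(url, timeout=30) as resp:
                resp.read()
                status = resp.getcode()
        except urllib.error.HTTPError as err:
            status = err.code
        except OSError:
            status = 0
        times.append(time.perf_counter() - start)
    return status, statistics.median(times)


def staged_rollout(slugs, activate, measure, max_slowdown=0.25, stop_on_failure=True):
    """Measure a baseline, then activate each slug in turn and re-measure.

    A step is not ok when the site stops returning 200 (a conflict or fatal
    error) or when the cumulative slowdown against the baseline exceeds
    `max_slowdown` (a fraction; 0.25 means 25 percent). Returns one row per
    step, the first row being the baseline."""
    status, baseline = measure()
    if status != 200 or baseline <= 0:
        raise RuntimeError("baseline check failed (HTTP %s); fix the site first" % status)
    rows = [{"plugin": None, "status": status, "seconds": baseline,
             "delta": 0.0, "slowdown": 0.0, "ok": True}]
    previous = baseline
    for slug in slugs:
        activate(slug)
        status, seconds = measure()
        slowdown = (seconds - baseline) / baseline
        row = {"plugin": slug, "status": status, "seconds": seconds,
               "delta": seconds - previous,      # cost of this plugin alone
               "slowdown": slowdown,             # cumulative cost vs the baseline
               "ok": status == 200 and slowdown <= max_slowdown}
        rows.append(row)
        previous = seconds
        if not row["ok"] and stop_on_failure:
            break  # leave the offending plugin active so it can be inspected
    return rows


def demo_rollout():
    """Run the procedure against constructed fakes for WP-CLI and the live site."""
    fake_timings = {None: (200, 0.40), "forms": (200, 0.42),
                    "gallery": (200, 0.47), "cache-x": (500, 0.45)}
    state = {"active": None}

    def fake_activate(slug):
        state["active"] = slug

    def fake_measure():
        return fake_timings[state["active"]]

    # "never-reached" is never activated because "cache-x" breaks the site.
    return staged_rollout(["forms", "gallery", "cache-x", "never-reached"],
                          fake_activate, fake_measure)


if __name__ == "__main__":
    for row in demo_rollout():
        print(row)
    # Against a real site:
    # staged_rollout(["forms", "gallery"],
    #                lambda s: wp_activate(s, "/var/www/html"),
    #                lambda: measure_site("https://example.invalid/"))
```

Median-of-three keeps one slow request from blaming the wrong plugin, and the "delta" column tells you which single plugin cost the most even when the cumulative total stays under your limit. As the article says, still open the site in a browser after each step; a 200 with a blank page is a failure this script cannot see.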
Run lean and stay alert
WordPress plugins in and of themselves aren’t bad. If site admins adhere to WordPress plugin best practices, then they can greatly reduce the risk that inherently comes with using them. In summary, always keep the following in mind when using WordPress plugins:
- Use as few plugins as possible
- Research the trustworthiness of the author
- Confirm that the plugin is actively supported/developed
- Pay close attention to your site performance when plugins are added
- Actively monitor and keep your plugins up-to-date
- Keep frequent backups of your site in case of a disaster
Has your site been compromised because of various WordPress plugins? If so, tell us what happened and how you resolved the issue in the comments below.
Some of the best plugins are never updated. They don’t need to be because they were written correctly the first time around, so I’d be careful about using that as a judge of quality.
I’ve used plugins like you just described, only to have them break years later after a major WP update. And since it was basically abandonware, it was never fixed. However, I agree with you, in that there are a small handful of plugins that I still use that are no longer updated, but still work quite well because they were coded well to begin with.
The reason why the “use as little as possible” motto gets tossed around is the result of folks who have little understanding of how their site reacts to their hosting environment.
i.e. The first time WordPress user on a 1-click shared hosting account that is plugin “tire-kicking” and never uninstalls what they aren’t using. Thus bogging down an already slow shared system.
The other point is, not every plugin is of WooCommerce or Yoast size. Plenty of add-ons to larger plugins are in fact plugins as well. Plenty of sites run fast with 50+ plugins.
Possibly. I’ve only heard from people who have had extensive experience running, developing and hosting WordPress sites “toss” that around. It’s absolutely true that you can have a fast WP site running 50+ plugins, but each plugin you add is one more potential source of breakage when and if you update WP and/or any of the 50+ plugins you’re running. 50+ plugins is a disaster in the making, regardless of a webmaster’s experience or inexperience.
“but each plugin you add is one more potential source of breakage when and if you update WP and/or any of the 50+ plugins you’re running.”
Well yes, true, but it’s like saying leaving your house every morning increases your chances of getting killed. 😉
“50+ plugins is a disaster in the making, regardless of a webmaster’s experience or inexperience.”
This is the kind of statement that shouldn’t be used lightly. Look at any well known e-commerce plugin. There’s the big core e-commerce plugin, then there’s the add-ons you install as — plugins. This doesn’t mean it’s disaster in the making, it just means you have to understand you have a lot. If you’re installing plugins from reputable developers that support their products, there’s less of a fear factor.
WordPress itself is just a security disaster waiting to happen. I think this month there have been 3 zero day plugin vulnerabilities. The intermingling of code and templating language is just horrible practice from a security stand point.
Great article by the way.
WordPress is a disaster waiting to happen
Jon, thanks for the reminders on this issue. I’ve had many a site compromised due to non-secure plug-ins and nefarious doings.