The Risky Business of Using WordPress Plugins
Written by Jon Henshaw and published
One of the greatest things about WordPress is the ability to find a plugin for just about anything. In fact, their developer community is second to none when it comes to CMS add-ons.
Since plugins are a big draw to the WordPress platform, it’s common for many site admins to add a lot of plugins to their site. I call this the plugin honeymoon period, because it’s inevitable that at some point one of their plugins is going to fail. And many times when the plugin fails, the site will fail with it.
5 Questions To Ask To Minimize WordPress Plugin Risk
Every time you add a new plugin to WordPress, you increase your site’s risk of failure. Each plugin adds new code that usually overrides some part of WordPress’ core functionality. There are several questions site admins should ask when considering plugins.
1. Is the plugin being actively developed?
There’s a lot of abandonware in the WordPress plugin world. One of the first things you should do when considering a plugin is to see when it was last updated. Yoast frequently updates his WordPress SEO plugin and it’s highly rated, making it much more trustworthy. However, if you come across a plugin that hasn’t been updated in years, you may want to keep looking.
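As an added example (not code from the original post), the following Python script applies the "when was it last updated" check from this section, plus a "tested up to" and rating check, to plugin metadata of the kind the WordPress.org plugin information API returns. The field names, the sample plugins, and the "today" date are assumptions and constructed data, not live API output.

```python
from datetime import date, datetime

# Constructed sample modelled on the WordPress.org plugin information API
# (action=plugin_information). Field names are an assumption; all values
# are made up for illustration, not real plugin data.
SAMPLE_PLUGIN_INFO = [
    {"slug": "example-seo", "version": "22.1",
     "last_updated": "2024-05-20 9:15am GMT", "tested": "6.5",
     "rating": 96, "num_ratings": 27000, "active_installs": 5000000},
    {"slug": "example-old-widget", "version": "1.3",
     "last_updated": "2017-03-08 4:40pm GMT", "tested": "4.7",
     "rating": 60, "num_ratings": 3, "active_installs": 400},
]

# Assumed "today" and current WordPress release, so results are reproducible.
TODAY = date(2024, 6, 1)
CURRENT_WP = "6.5"


def parse_last_updated(value: str) -> date:
    """Take only the YYYY-MM-DD part; the time/zone suffix is not needed."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").date()


def version_tuple(version: str) -> tuple:
    """'6.5.2' -> (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def assess_plugin(info: dict, today: date = TODAY, current_wp: str = CURRENT_WP,
                  max_age_days: int = 365, min_rating: int = 70) -> dict:
    """Flag abandonware signals: stale updates, untested against the
    current WordPress major/minor release, and a weak rating."""
    age_days = (today - parse_last_updated(info["last_updated"])).days
    findings = []
    if age_days > max_age_days:
        findings.append(f"last updated {age_days} days ago (limit {max_age_days})")
    if version_tuple(info.get("tested", "0"))[:2] < version_tuple(current_wp)[:2]:
        findings.append(f"tested only up to WordPress {info.get('tested')}, current is {current_wp}")
    if info.get("rating", 0) < min_rating:
        findings.append(f"rating {info.get('rating')} below {min_rating}")
    return {"slug": info["slug"], "age_days": age_days,
            "findings": findings, "verdict": "review" if findings else "ok"}


def triage(plugins: list) -> list:
    """Assess every plugin; the longest-unmaintained ones sort first."""
    return sorted((assess_plugin(p) for p in plugins), key=lambda r: -r["age_days"])


if __name__ == "__main__":
    for result in triage(SAMPLE_PLUGIN_INFO):
        print(result["slug"], result["verdict"], *result["findings"], sep=" | ")
```

To use it against real metadata, replace `SAMPLE_PLUGIN_INFO` with the decoded JSON from the plugin information API for each slug you are considering.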
2. How secure is the plugin?
The security of a plugin is difficult to discern. However, one of the best ways to approach this is to consider what the plugin does in WordPress.
If the plugin affects user accounts, logging in, caching and other sensitive areas of WordPress, you may want to do some research into how it works. It’s also a good idea to search and read reviews of each plugin you’re interested in using in order to help determine if the plugin has ever been compromised.
3. Can you trust plugins that are not downloaded from WordPress’ Plugin Directory?
WordPress and its community do a very good job of spotting and reporting security and stability problems within its Plugin Directory. Unfortunately, that doesn’t apply to plugins that are distributed offsite.
Downloading and using plugins from sites other than WordPress’ Plugin Directory is a very real threat to your site. Depending on the author and their intent, they could easily include code that spams your site, or even worse, gives spammers backdoor access to it!
When considering plugins that aren’t in the Plugin Directory – similar to what has already been discussed – research the author to determine whether they are trustworthy and to make sure the plugin is still being actively developed. A good example of a plugin and author that can be trusted is Rocketgenius and their Gravity Forms plugin.
4. Will this plugin cause any conflicts with other plugins I’m using?
It’s easy to find and activate plugins that seem completely different from each other, only to find out later that they override the same codebase in WordPress. When this happens, either one of the plugins overrides the other, or worse, it breaks the site.
One of the ways to avoid this is to use plugins sparingly. Aside from that, try to use plugins that do very specific things. In addition, activate plugins one at a time, and then test your site to make sure that everything is working perfectly before activating another plugin.
5. How will this plugin affect the performance of my site?
It’s common for admins to add several plugins and then get everything on their site working perfectly, only to find out that their site is now incredibly slow. Plugins are notorious for degrading site performance. So much so, that some hosting providers, like WPEngine, actually ban some plugins from being used.
The best way to test whether a plugin hurts the performance of your site is to first establish a baseline speed using a tool like GTmetrix. Then activate one plugin at a time, testing the speed after each one. Also, don’t rely solely on a speed tool; test the site yourself in a browser for any noticeable differences.
Run lean and stay alert
WordPress plugins in and of themselves aren’t bad. If site admins adhere to WordPress plugin best practices, then they can greatly reduce the risk that inherently comes with using them. In summary, always keep the following in mind when using WordPress plugins:
- Use as few plugins as possible
- Research the trustworthiness of the author
- Confirm that the plugin is actively supported/developed
- Pay close attention to your site performance when plugins are added
- Actively monitor and keep your plugins up-to-date
- Keep frequent backups of your site in case of a disaster
Has your site been compromised because of various WordPress plugins? If so, tell us what happened and how you resolved the issue in the comments below.