WordPress plugins are great; they can save you time, speed up your website, improve SEO, and more. Plugins allow web designers and developers the ability to build sophisticated websites quicker and (possibly) better. With more than 20,000 plugins and over 330,000,000 downloads in the official WordPress plugin directory, there’s no question that plugins are an important component of the WordPress ecosystem.
But there’s a downside to using WordPress plugins. Relying too much on plugins can expose your site to an increasingly wide variety of risks.
Let’s discuss the problem with plugins and things you should consider before installing one.
The Problem with Plugins
A WordPress site was running sluggishly and the client I was working with wasn’t sure why. He asked me to take a look.
So I logged in. I immediately noticed a significant delay in web page responsiveness.
I went straight over to the list of plugins to confirm my suspicion of what could be the cause.
Sure enough, I saw a list of more than 40 active plugins!
Now, very importantly, the number of WordPress plugins is not the problem. While a high number of plugins increases the likelihood of difficulties, the plugin count itself isn’t the culprit.
That said, poorly developed plugins are a very common cause of trouble. Some of the problems you’ll face when dealing with plugins are:
Some common problems you’ll face when dealing with plugins are:
- Speed decreases
- Security vulnerabilities
- Exposure to long-term risks (such as the plugin not being updated)
Site speed issues that related to plugins is caused by things like poor development practices on the part of the plugin author.
Here are two possible reasons why a WordPress plugin can slow down a site:
wp_headand are now being requested by all web pages. To avoid this, these files should be added conditionally only when the plugin’s function is needed.
Another major problem with poorly developed plugins is the potential for security vulnerabilities. There are few things worse than getting a call from a client about their site being hacked.
Here are some common security vulnerabilities in WordPress plugins:
- Vulnerable libraries: In late 2011 a security vulnerability was found in TimThumb, a PHP library used in many WordPress plugins and themes, resulting in many affected WordPress sites. This is an example of how using WordPress plugins can open your site to security issues.
- Lack of good data sanitization and validation: Another poor security practice is failing to properly sanitize and validate data, which can result in MySQL injections and cross-site scripting (XSS) vulnerabilities. A good plugin should follow best practices on data sanitation/validation. (For WordPress developers, there’s a data sanitation and validation tutorial on Wptuts+ that might be helpful.)
Relying on a WordPress plugin over a long period of time can expose you to risks, including:
- Plugin development being discontinued: The majority of plugins are free and open source. Over time, the plugin developer’s interest can fade and fall off, especially for less popular plugins.
- Plugin updates are slow: A major risk is a security vulnerability being found in a plugin and the developer not being able to issue an update quickly enough. A plugin that makes use of deprecated functions also runs the risk of not working in future versions of WordPress.
- The plugin is replaced by WordPress core updates: A plugin will often be developed to solve a need that isn’t currently being met in WordPress. With new WordPress versions, they may no longer be needed and further development and maintenance of the plugin may stop. When this happens, the plugin author may recommend ways to deactivate the plugin and switch to the new core feature; however, there’s no guarantee this will happen. And if you rely heavily on the plugin, you could be stuck with it forever.
Questions to Ask Yourself before Installing a WordPress Plugin
Now that we’ve identified potential issues of using WordPress plugins, you might be thinking about evaluating whether you really need a plugin or not.
Below are some questions I suggest you ask before making a commitment to using a WordPress plugin.
Do I need this plugin?
When you’re searching through the WordPress plugin directory, the first thing to determine is whether or not there’s really a need for the plugin. Is this plugin critical to the site?
Finding out if you really need a plugin especially becomes important when you’re browsing the top plugins in the WordPress plugin directory because you might be tempted to install a plugin simply because many other sites seem use it too.
Can I do what I need without this plugin?
The idea of clicking the "Install" button and everything just working makes plugins highly attractive.
For non-developers, using a plugin for even the simplest functions might be necessary. However, if you’re a developer with good understanding of PHP, MySQL, web development best practices and a bit of time, writing your own code in WordPress’s
functions.php might be a better option so that you can avoid dependencies on third-party plugins.
For example, searching for "Facebook Like" in the WordPress plugin directory returns over 700 results. If your only objective is to add a Facebook Like button on your WordPress posts, that’s easy to do: get the code from the official Facebook Developers docs, and then put it in the appropriate location in your theme’s
Is this plugin better than another competing plugin?
The idea is to get a good list of options before you make a commitment to a particular plugin. Start by searching the plugin directory and putting together a quick list. Do research on each, looking for reviews of each plugin online.
Here are a few things to keep in mind when performing research on WordPress plugins:
- When was the information published? Things quickly change in the world of WordPress, so make sure the review is still relevant.
- Don’t gloss over premium WordPress plugins. There are some great paid options out there that may not be at the top of your search results, or may not appear to be as popular compared to their free, open source counterparts. I recommend you evaluate them as well. They also often come with active support from the plugin developer in case you run into trouble.
- Regularly review your list of plugins. Compiling a good list of plugins will require some time. Because of how fast things change, I recommend that you regularly revisit your list (I do this at least twice a year).
Which plugin author has the most credibility?
When you choose a plugin, you’re placing trust in its author. It’s important to have chosen an authority that has the strongest level of credibility.
Determining credibility can be difficult. A new developer on the scene may be the best choice, yet may lack the publicity and reputation of an older developer.
There isn’t an exact science to answering this question, but here are some things to consider:
Review the plugin’s activity. For plugins in the WordPress plugins directory, take a look at the ratio of support tickets answered over the past, say, two months to determine how responsive the developer is.
Here’s what the All in One SEO Pack plugin’s support forum page looks like:
You can quickly see how many tickets are resolved in the Topic column and when the last time a ticket was responded to in the Freshness column.
For a premium plugin, look at their official support forums (if possible) and check how many of the questions are answered and how long a time period elapses between answers.
Try to figure out why the developer created the plugin. What motivated them to do the initial work? What’s motivating them to continue work on the plugin? The answer isn’t always obvious and the seemingly "obvious" answers can be wrong. Maybe it’s to scratch their own itch. If it’s a spare-time hobby that the developer took on for fun and experimentation, you might be at risk of them falling disinterested in their project. If developing the plugin is a full-time endeavor (as is the case with some of the premium plugins) then the developer’s motive to continue development and support remains high.
Determine, as best you can, the developer’s level of experience. Is this their first (or only) plugin? What kind of work do they do for a living? Have they made contributions to WordPress core? Though experience is not the only measure of talent, many times, it’s a safe starting point.
Which plugin has the best update track record?
As you narrow down your list of plugins, consider the plugin’s update frequency. For plugins hosted in the plugin directory, look at the Changelog tab to see notes on what was done with each update.
Also, Go to the Developers tab and look at the Development Log on Trac to see how much time has elapsed between updates.
As you review this information, below are some things to consider looking at:
- Evaluate the types of changes made to the plugin. A long list of bug fixes, while good to have them resolved, may suggest sloppy coding practices on the part of the developer and the risk that there are more bugs yet to be found. A plugin full of "Feature Requests", while they might seem good on the surface, suggests a developer that may not have a clear sense of focus for the future of the plugin and it might end up being a monster down the road.
- Evaluate the amount of time that has lapsed between updates to the plugin. Keep in mind the simple nature of some high quality plugins may not require many updates. An important factor is consistency. Updates on a monthly basis are better than updates on a daily basis for a month, followed by six months of silence.
Which plugin has the most widespread adoption?
Consider the usage and recommendation of the plugin throughout the WordPress ecosystem. How many downloads does it have? Who’s recommending it and why? What’s being said about the plugin?
As you ask those questions, keep in mind that the popularity of a plugin doesn’t automatically make it the best choice. While certainly a factor, weigh its popularity against the other answers to the other questions you’ve asked about the plugin’s author and update history.
Be willing to go with a less popular (for now) plugin that has a solid developer behind it.
Plugins are important to WordPress. But I recommend keeping your plugin use to a minimum and looking for ways to accomplish more with less.
Share your thoughts about WordPress plugins in the comments!
- Using XAMPP for Local WordPress Theme Development
- How to Customize the WordPress Admin Area
- WordPress Custom Post Types Guide
- Related categories: WordPress and Web Development