The Dangers of WordPress Plugins Ignorance (And What To Do About It)

Written by Mark Forrester on September 27, 2013, in Blog.

I was starting to get really frustrated.

After my site had spent hours alternating between being slow to load and completely unresponsive, I decided to get on the line with my hosting provider. All they could tell me was that the issue appeared to be related to one of the plugins on my blog.

Then the lightbulb in my head finally flickered into life — I had only installed a new plugin a few hours previously. Right around the time that my site started misbehaving. Ah ha.

I quickly (well, slowly actually) logged into my site and deactivated the offending plugin. Bingo. Site back to normal.

It’s happened to just about anyone who has been using WordPress for any significant length of time: plugin issues that cause your website to malfunction. Yet many of us continue to install and uninstall plugins with wild abandon, ignorant of the potential risks involved in doing so. Even worse, some of us know full well what we are potentially letting ourselves in for and still feed our insatiable hunger for plugins with little regard for the pitfalls waiting around the corner.

In short, most WordPress users are too cavalier with their websites. In this post I want to highlight the potential dangers of plugins (especially free ones) and provide what I hope is a compelling argument against the wanton proliferation of plugins on your WordPress website.

How Much Harm Can a Plugin Really Do?

To put it simply, a WordPress plugin is a program that extends the core functionality of the Content Management System (CMS). The development of plugins began because programmers wanted to increase WordPress’s functionality without altering its core structure.

These days, with nearly 28,000 free plugins in circulation, WordPress can do almost anything you can dream of (and if it can’t, someone’s probably working on it).

WordPress.org Plugins

Plugins represent the beating heart of WordPress. They have played an enormous part in its exponential growth to king of the CMS kingdom. Without its plugins, WordPress is a relatively limited platform.

A plugin can be very powerful in terms of its effect on your website, and for all intents and purposes, it is treated as part of WordPress and can thus affect your entire WordPress installation. For example, my blog recently slowed to a crawl because of just one plugin. Make no mistake — those few files can have an extraordinary impact.

With that in mind, WordPress users need to realize that they are putting their websites’ health in the developer’s hands every time they install a plugin. If the developer is good at what he does and responsibly minded, the chances of running into problems are slim (although it is far from guaranteed). But sadly, not all developers are responsible with the plugins they create.

When we install a plugin, anything can happen. Your website’s load speed can be seriously affected. It can even crash entirely. In fact, some unscrupulous developers create bad plugins (or hack into otherwise trustworthy plugins) with no other aim than to cause others pain. These are the possibilities we face every time we click on Activate.

The Problem With WordPress.org

WordPress.org Plugin Directory

WordPress.org is awesome for many reasons, but it’s not without its flaws. At the time of writing there are an enormous number of plugins on WordPress.org. However, the vast majority of those plugins are:

  1. out of date,
  2. buggy,
  3. bloated,
  4. insecure, or
  5. a combination of one or more of the above.

Even the biggest and brightest plugins can suffer. For example, back in May 2013 Sucuri announced a security flaw within the enormously popular W3 Total Cache and WP Super Cache plugins. Those two plugins have over 7.5 million downloads between them, which shows just how much damage such flaws can cause.

Similarly, in a recent post on ManageWP I discussed bugs within the widely-used SEO by Yoast plugin. Joost de Valk is a respected developer and moved quickly to deal with the issues, but WordPress.org showed that many people were marking SEO by Yoast releases as incompatible.

SEO by Yoast is back to its best now, but these stories just go to show that no one — not even the most respected developers — is infallible in the world of WordPress plugins.

WordPress.org can be a blessing or a curse — it is without doubt a tool that should be used with caution.

Security Issues in WordPress

I have written about WordPress security a lot — on my own blog, on ManageWP, in an upcoming post on Smashing Magazine and beyond.

I have spoken to a huge number of experts on the topic — including people working directly on the WordPress core — and the overwhelming response is as follows: the WordPress core is extremely secure. However, things start getting hairy with outside influence (from plugins and humans).

If a WordPress user decides to set their password to “password”, there is little that WordPress can do to defend itself against brute force attacks. That’s not an issue within WordPress, though — it is an issue with the ignorance of the end user.

Similarly, if a WordPress user decides to install a plugin that has a security flaw, the core is not responsible for what happens next. Every single plugin you install represents a potential security risk.

Surely Premium Plugins Are Safe?

I am sure that if a study was conducted, it would be found that the ratio of buggy/bloated/insecure plugins to “healthy” plugins would be far more favorable amongst premium plugins. However, that does not mean that all premium plugins are perfect and you should not assume so.

Personally, I would recommend that you purchase only from developers that have a solid and well-established reputation.

For instance, if you download a plugin from WooThemes (free or otherwise), you can be certain that it has been coded conscientiously and is extremely unlikely to negatively impact the speed, functionality, or security of your site.

On the flipside, if you come across a website that you’ve never heard of that sells what sounds like a great plugin, you should proceed with caution.

So What Should You Do?

I’m not saying that you should uninstall all of your plugins then crawl into a corner of the room and adopt the foetal position, but I am saying that you should consider the value of each plugin you have installed on your site carefully. It may be a security risk, it may be draining your resources, or it may be buggy and bloated. But if it’s not there, it can’t be anything.

I recently audited my blog and managed to remove 60% of the installed plugins with very little reduction to functionality. I replaced some plugin functionality with simple (and transparent) code snippets and found that many other functions really didn’t need a plugin. For example, although plugins that allow you to easily insert analytics tracking codes within your site are great for beginners, anyone who has created a child theme before should have no problem inserting that code within header.php.

When you’re left with a (hopefully) small collection of plugins, you should run a second check to make sure that you really do need them all. You might surprise yourself if you allow yourself to examine the list objectively.

Finally, do one last sweep. Ask yourself the following key questions for each plugin:

  1. Who developed it?
  2. When was it last updated?
  3. Is it well-supported?

You should know what to do depending upon the answers to those questions.
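The three questions above can be asked of every installed plugin in one pass rather than by hand. The script below is an added example, not code from the original post: it scores records shaped like the WordPress.org plugin-information API (the endpoint `https://api.wordpress.org/plugins/info/1.0/<slug>.json` and the field names `author`, `last_updated`, `support_threads` and `support_threads_resolved` are assumptions about that API), and the two sample records, the trusted-developer list and the age and support thresholds are constructed for illustration.

```python
"""Triage helper for the three audit questions: who developed the plugin, when it
was last updated, and whether it is well supported.

Added example, not code from the original post. It works on records shaped like the
WordPress.org plugin-information API (assumed endpoint
https://api.wordpress.org/plugins/info/1.0/<slug>.json and assumed field names
author, last_updated, support_threads, support_threads_resolved). The sample
records and the thresholds are constructed for illustration."""
from datetime import date, datetime
import json
import urllib.request

AUDIT_DATE = date(2013, 9, 27)      # the post's publication date, used as "today"
MAX_AGE_DAYS = 365                  # assumed policy: flag plugins untouched for a year
MIN_RESOLVED_RATIO = 0.5            # assumed policy: half of support threads resolved
TRUSTED_AUTHORS = {"Automattic", "WooThemes"}   # constructed allow-list of developers

# Constructed sample records; the author field mimics the API's HTML anchor.
SAMPLE_PLUGINS = [
    {"slug": "example-cache",
     "author": '<a href="https://example.com">Example Dev</a>',
     "last_updated": "2011-03-01 4:10pm GMT",
     "support_threads": 40, "support_threads_resolved": 3},
    {"slug": "example-shop",
     "author": "WooThemes",
     "last_updated": "2013-09-20 9:00am GMT",
     "support_threads": 12, "support_threads_resolved": 10},
]

def author_name(author_field):
    """Reduce the API's '<a href=...>Name</a>' to 'Name'; plain strings pass through."""
    if "<" in author_field:
        return author_field.split(">")[1].split("<")[0]
    return author_field

def parse_last_updated(value):
    """The API reports e.g. '2013-09-24 8:32pm GMT'; only the date part matters here."""
    return datetime.strptime(value.split()[0], "%Y-%m-%d").date()

def audit_plugin(info, today=AUDIT_DATE):
    """Answer the three questions for one record; return (verdict, reasons)."""
    reasons = []
    name = author_name(info.get("author", ""))
    if name not in TRUSTED_AUTHORS:
        reasons.append(f"developer '{name}' is not on the trusted list")
    age_days = (today - parse_last_updated(info["last_updated"])).days
    if age_days > MAX_AGE_DAYS:
        reasons.append(f"last updated {age_days} days ago")
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads and resolved / threads < MIN_RESOLVED_RATIO:
        reasons.append(f"only {resolved}/{threads} support threads resolved")
    if not reasons:
        verdict = "keep"
    elif len(reasons) == 1:
        verdict = "review"
    else:
        verdict = "drop-candidate"
    return verdict, reasons

def audit_all(records=SAMPLE_PLUGINS, today=AUDIT_DATE):
    """Map each plugin slug to its verdict."""
    return {rec["slug"]: audit_plugin(rec, today)[0] for rec in records}

def fetch_plugin_info(slug, timeout=10):
    """Live lookup against the assumed WordPress.org endpoint (needs network access)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for rec in SAMPLE_PLUGINS:
        verdict, reasons = audit_plugin(rec)
        detail = " (" + "; ".join(reasons) + ")" if reasons else ""
        print(f"{rec['slug']}: {verdict}{detail}")
```

Run against the constructed records, the stale, unsupported, unknown-developer plugin comes out as a drop candidate and the fresh, well-supported one as a keep; on a real site, replace `SAMPLE_PLUGINS` with the output of `fetch_plugin_info()` for each installed slug and tune the thresholds to your own tolerance. Premium plugins that are not in the directory will not have API records, so they still get the manual version of the three questions.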

Final Thoughts

Your site is only as secure and efficient as the code that makes it up. Ideally, all of your plugins should come from trusted developers.

There are also many free plugins out there that are both responsibly developed and excellently coded, but do your homework and make sure that you are avoiding malicious plugins.

On the flipside, most premium plugins can be trusted, but that doesn’t mean all of them can be. Never jump to conclusions.

If all else fails, just return to the golden rule: less is more.

Do you have your own rules for installing plugins on your WordPress site(s) or do you have your own opinion on plugins? Let us know in the comments section below!


17 Responses

  1. Gary
    September 27, 2013 at 12:43 pm #

    Great article. I definitely agree that ‘less is more’ is a prudent path when it comes to Plugins.

  2. Richard
    September 27, 2013 at 12:54 pm #

    Very nice article, indeed.
    I was thinking of writing something similar for a long time now, but could never get to it.
    I have often seen people using ‘free’ plugins from questionable sources, but after it causes issues to their site – they spend a lot of time and money to get it working, but if they used a premium paid plugin from a reputable source, they would be spared of the headache and it would cost them less.
    It shows that using ‘free’ plugins is not always a good thing to do and can be a false economy.

  3. Courtney
    September 27, 2013 at 2:33 pm #

    The P3 plugin by GoDaddy is about the only thing I recommend that GoDaddy has done. It will tell you what plugins are eating up what resources. Of course, it’s in the WP repository.

  4. rtwlabs
    September 27, 2013 at 2:42 pm #

    Great post. So many times I’ve come across a website that’s overflowing with plugins and the owner wasn’t concerned at all. There is so little respect for plugins when it comes to your average users they just keep loading them up without thinking of the potential consequences.

  5. jgardner
    September 27, 2013 at 2:57 pm #

    I really enjoyed the post until I got here:

    “When you’re left with a (hopefully) small collection of plugins”

    Why do authors continue to perpetuate this myth that there is an unspecified correct number of plugins to run, and that it’s a “small” number? Running 300 plugins that are well coded will always be superior to running 1 plugin that is terribly coded.

    • Tom Ewer
      September 30, 2013 at 11:32 am #

      Hi there,

      I think you’re reading too much into that statement. I’ve written in the past about how the number of plugins you have on your site is largely irrelevant if they are well-coded and agree with you. Having said that, fewer plugins is never a bad thing.

      Cheers,

      Tom

  6. douglsmith
    September 27, 2013 at 6:02 pm #

    The main point of being careful about the plugins you add to your site and knowing who is behind them is great advice that can avoid a lot of pain. However, I think some of the generalizations don’t fully hold up. Some examples:

    At the time of writing there are an enormous number of plugins on WordPress.org. However, the vast majority of those plugins are: out of date, buggy, bloated, unsecure, or a combination of one or more of the above.

    and

    For instance, if you download a plugin from WooThemes (free or otherwise), you can be certain that it has been coded conscientiously and is extremely unlikely to negatively impact the speed, functionality, or security of your site.

    Sure, there is junk in the repository, but the reality is that there are also a bunch of really great plugins that are coded well and fully supported in the repository too. Hard working volunteers review plugins for the worst problems before they are allowed in and the rating system and forums help us all get a feel for what can be trusted.

    Generally, downloads from WooThemes are of good quality. However, some of the WooCommerce extensions for sale are from third-party developers with varying code quality. I’ve purchased some that have been very poorly coded. And others have had a negative impact on my site. Fortunately, Woo stands behind their products and offers good support to get through most things like that.

    My point is that mistakes can happen to anyone. Both the WordPress.org repository and commercial sources have mechanisms in place to help us know which plugins we can trust and how well they are supported. It is important to get to know our plugin sources but I don’t think we can generalize free or commercial always being better than another.

  7. Bob Dunn
    September 27, 2013 at 6:58 pm #

    Some great points in the post as well as in the comments. I have had this same discussion numerous times.

    One thing we do need to remember, a lot of developers think the solution is using code snippets instead, which does make sense. But in reality, the average user might not be comfortable with code, and also if something is done that way for them, often when they are ready to remove that functionality, they don’t know what to do. Whereas removing a plugin is much easier for them. What ends up happening is their site loses some of the ease of self-management that first brought them to WordPress.

    In the end I always say “Quality trumps quantity.”

    • douglsmith
      September 27, 2013 at 11:38 pm #

      Good quality code in a snippet and good quality code in a plugin will pretty much perform the same. You don’t gain anything by not having a plugin in that case.

  8. dotp
    September 27, 2013 at 10:07 pm #

    I think that the other factor often overlooked when employing plugins is cost savings. I couldn’t deliver many sites to clients with low budgets without plugins to cut dev costs. Try developing everything from scratch and the cost of a site goes up significantly, even with snippets. But the points in the article are well taken in general.

  9. elitedesignstudios
    September 29, 2013 at 2:25 am #

    Great article Tom. I write a lot about WordPress plugins and one of the most common responses I get from people is how they don’t understand how a simple plugin could bring their whole site to a crawl and if so then why is it still on wordpress.org. Well I found a plugin to help plugins. Sounds silly but with P3 (Plugin Performance Profiler), by GoDaddy of all people, you can install, analyze what you got going on, clean house, then deactivate the plugin to sit and wait for another usage. It creates an in-depth performance breakdown of your plugins that allows you to easily see where the bottleneck is so to speak. It’s sure helped me out of a lot of jams.

  10. Richard Ford
    September 30, 2013 at 12:05 am #

    Uninstalling is the simplest way to resolve it.

  11. Henrik
    September 30, 2013 at 7:59 am #

    Good article! Good arguments on why you should not install too many plugins and why it’s important to remove old plugins that are no longer updated.

    I started out testing and trying so many plugins that it is scary. Now I tend to rely on a few selected plugins that I know have loads of support, Jetpack, Akismet and if needed plugins from woo. Otherwise I tend not to use plugins and rather code the needed things myself. So far it has worked fine and dandy.

    Nice shout out to the core defence of WordPress being secure and telling the readers that the users and plugin coders are more of a reason to why sites get hacked. Since most often the user is the cause.

    I do have one question. If you knew what plugin it was that you recently installed, hadn’t it been faster to log onto the ftp server of the site and remove it from there? Since by doing so the activation and everything about the plugin gets removed pretty easily.

  12. Achin Jain
    September 30, 2013 at 2:46 pm #

    Great article.

    I used to install any plugin earlier but that has affected my Blog a lot. Page loading is one factor which I am very much concerned about and installing so many plugins does slow down WordPress blogs.

    Now I install only plugins that are absolutely necessary.

  13. Shiv
    September 30, 2013 at 3:22 pm #

    Great article, using fewer plugins will perform better.

  14. JPat
    November 8, 2013 at 4:23 am #

    Hi,

    I do have a modest multi site which I primarily did to reduce the number of “one sites” to keep updated, and with this one multi site I am quite loose with the plugins installing matter, and same with themes (although I do use the plugin “Theme Authenticity Checker”!)

    Once it slowed down really a lot and during several days I sought for the reason, but that was not because of the plugins recently installed: on the contrary, it was because of the numerous plugins removed, but which had left tables in the MySQL database! Once the guilty tables were removed the whole multi site got its former speed back.

    I also have on several sites and multisites a few plugins which I keep to activate only once a while for security checks for instance, or for import, but keep inactive when I don’t need them.

    And last, I also sometimes run the WP installs with the debug mode turned to “true” in the wp-config.php, to see if any of them triggers errors.
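The leftover-tables problem described in the comment above is easy to check for mechanically, because WordPress's own tables are a fixed, known set. The script below is an added example, not code from the post or from the commenter: the core and multisite table names come from WordPress's schema (`blog_versions` only exists on older installs), while the table listing, the `wp_` prefix and the allow-list of tables belonging to plugins that are still installed are constructed for illustration. On a real site, feed it the output of `SHOW TABLES` or `wp db tables`.

```python
"""Spot database tables that neither WordPress core nor a still-installed plugin owns,
i.e. candidates left behind by uninstalled plugins.

Added example, not code from the post or the comment it follows. Core and multisite
table names are WordPress's own; the sample listing, the prefix and the allow-list
of tables from plugins that are still installed are constructed."""
import re

# Per-site tables created by WordPress core (prefix stripped).
CORE_TABLES = {
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
}
# Network-wide tables that exist once on a multisite install.
MULTISITE_TABLES = {
    "blogs", "blogmeta", "blog_versions", "registration_log", "signups", "site", "sitemeta",
}
# Constructed allow-list: tables owned by plugins that are still installed.
# Assumption: the operator keeps this in sync with the plugin list.
KNOWN_PLUGIN_TABLES = {"woocommerce_sessions"}

# Constructed listing, as `SHOW TABLES` on a small multisite database might return it.
SAMPLE_TABLES = [
    "wp_posts", "wp_options", "wp_users",
    "wp_2_posts", "wp_2_options",
    "wp_blogs", "wp_sitemeta",
    "wp_woocommerce_sessions",
    "wp_3_old_cache_plugin_stats",   # plugin removed from site 3, table left behind
    "wp_backup_log",                 # plugin removed from the network, table left behind
    "other_app_users",               # another application sharing the database
]

def base_name(table, prefix):
    """Strip the WordPress prefix and, for multisite, the numeric blog id (wp_2_posts -> posts).
    A plugin table whose own name starts with digits and an underscore would be
    mis-read here; such names are rare but worth a second look."""
    base = table[len(prefix):]
    return re.sub(r"^\d+_", "", base)

def classify_tables(table_names, prefix="wp_"):
    """Return the sorted base names of tables that are neither core, multisite, nor
    on the known-plugin allow-list. Tables without the prefix are ignored."""
    orphans = set()
    for name in table_names:
        if not name.startswith(prefix):
            continue
        base = base_name(name, prefix)
        if base in CORE_TABLES or base in MULTISITE_TABLES or base in KNOWN_PLUGIN_TABLES:
            continue
        orphans.add(base)
    return sorted(orphans)

def cleanup_statements(orphan_bases, prefix="wp_"):
    """Produce DROP statements for manual review; take a backup before running any of them."""
    return [f"DROP TABLE `{prefix}{base}`;" for base in orphan_bases]

if __name__ == "__main__":
    found = classify_tables(SAMPLE_TABLES)
    print("candidate leftover tables:", found)
    for stmt in cleanup_statements(found):
        print(stmt)
```

Because the check reduces every per-site table to its base name, one orphaned plugin table shows up once even when the plugin was active on several sites of a network; the generated statements are printed for review rather than executed, since a table that looks orphaned may belong to a plugin that is merely deactivated.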

  15. Mark
    November 11, 2013 at 12:09 pm #

    How do you deal with the fallout when a paid plugin damages a database on a client site? (not that I have proof yet)