I was starting to get really frustrated.
After my site had spent hours alternating between being slow to load and completely unresponsive, I decided to get on the line with my hosting provider. All they could tell me was that the issue appeared to be related to one of the plugins on my blog.
Then the lightbulb in my head finally flickered into life — I had only installed a new plugin a few hours previously. Right around the time that my site started misbehaving. Ah ha.
I quickly (well, slowly actually) logged into my site and deactivated the offending plugin. Bingo. Site back to normal.
It’s happened to just about anyone who has been using WordPress for any significant length of time: plugin issues that cause your website to malfunction. Yet many of us continue to install and uninstall plugins with wild abandon, ignorant of the potential risks involved in doing so. Even worse, some of us know full well what we are potentially letting ourselves in for and still feed our insatiable hunger for plugins with little regard for the pitfalls waiting around the corner.
In short, most WordPress users are too cavalier with their websites. In this post I want to highlight the potential dangers of plugins (especially free ones) and provide what I hope is a compelling argument against the wanton proliferation of plugins on your WordPress website.
How Much Harm Can a Plugin Really Do?
To put it simply, a WordPress plugin is a program that extends the core functionality of the Content Management System (CMS). The development of plugins began because programmers wanted to increase WordPress’s functionality without altering its core structure.
These days, with nearly 28,000 free plugins in circulation, WordPress can do almost anything you can dream of (and if it can’t, someone’s probably working on it).
Plugins represent the beating heart of WordPress. They have played an enormous part in its exponential growth to king of the CMS kingdom. Without its plugins, WordPress is a relatively limited platform.
A plugin can be very powerful in terms of its effect on your website, and for all intents and purposes, it is treated as part of WordPress and can thus affect your entire WordPress installation. For example, my blog recently slowed to a crawl because of just one plugin. Make no mistake — those few files can have an extraordinary impact.
With that in mind, WordPress users need to realize that they are putting their websites’ health in the developer’s hands every time they install a plugin. If the developer is good at what he does and responsibly minded, the chances of running into problems are slim (although it is far from guaranteed). But sadly, not all developers are responsible with the plugins they create.
When we install a plugin, anything can happen. Your website’s load speed can be seriously affected. It can even crash entirely. In fact, some unscrupulous developers create bad plugins (or hack into otherwise trustworthy plugins) with no other aim than to cause others pain. These are the possibilities we face every time we click on Activate.
The Problem With WordPress.org
WordPress.org is awesome for many reasons, but it’s not without its flaws. At the time of writing there are an enormous number of plugins on WordPress.org. However, the vast majority of those plugins are:
- out of date,
- insecure, or
- a combination of the above.
Even the biggest and brightest plugins can suffer. For example, back in May 2013 Sucuri announced a security flaw within the enormously popular W3 Total Cache and WP Super Cache plugins. Those two plugins have over 7.5 million downloads between them, which shows just how much damage such flaws can cause.
Similarly, in a recent post on ManageWP I discussed bugs within the widely-used SEO by Yoast plugin. Joost de Valk is a respected developer and moved quickly to deal with the issues, but WordPress.org showed that many people were marking SEO by Yoast releases as incompatible.
SEO by Yoast is back to its best now, but these stories just go to show that no one — not even the most respected developers — is infallible in the world of WordPress plugins.
WordPress.org can be a blessing or a curse — it is without doubt a tool that should be used with caution.
Security Issues in WordPress
I have written about WordPress security a lot — on my own blog, on ManageWP, in an upcoming post on Smashing Magazine and beyond.
I have spoken to a huge number of experts on the topic — including people working directly on the WordPress core — and the overwhelming response is as follows: the WordPress core is extremely secure. However, things start getting hairy with outside influence (from plugins and humans).
If a WordPress user decides to set their password to "password", there is little that WordPress can do to defend itself against brute force attacks. That’s not an issue within WordPress, though — it is an issue with the ignorance of the end user.
Similarly, if a WordPress user decides to install a plugin that has a security flaw, the core is not responsible for what happens next. Every single plugin you install represents a potential security risk.
Surely Premium Plugins Are Safe?
I am sure that if a study was conducted, it would be found that the ratio of buggy/bloated/insecure plugins to "healthy" plugins would be far more favorable amongst premium plugins. However, that does not mean that all premium plugins are perfect and you should not assume so.
Personally, I would recommend that you purchase only from developers that have a solid and well-established reputation.
For instance, if you download a plugin from WooThemes (free or otherwise), you can be certain that it has been coded conscientiously and is extremely unlikely to negatively impact the speed, functionality, or security of your site.
On the flipside, if you come across a website that you’ve never heard of that sells what sounds like a great plugin, you should proceed with caution.
So What Should You Do?
I’m not saying that you should uninstall all of your plugins then crawl into a corner of the room and adopt the foetal position, but I am saying that you should consider the value of each plugin you have installed on your site carefully. It may be a security risk, it may be draining your resources, or it may be buggy and bloated. But if it’s not there, it can’t be anything.
I recently audited my blog and managed to remove 60% of the installed plugins with very little reduction to functionality. I replaced some plugin functionality with simple (and transparent) code snippets and found that many other functions really didn’t need a plugin. For example, although plugins that allow you to easily insert analytics tracking codes within your site are great for beginners, anyone who has created a child theme before should have no problem inserting that code within header.php.
When you’re left with a (hopefully) small collection of plugins, you should run a second check to make sure that you really do need them all. You might surprise yourself if you examine the list objectively.
Finally, do one last sweep. Ask yourself the following key questions for each plugin:
- Who developed it?
- When was it last updated?
- Is it well-supported?
You should know what to do depending upon the answers to those questions.
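To make those three questions repeatable across a long plugin list, here is an added example (my own, not code from the original post) that scores each plugin as keep, review or remove. It assumes plugin records with the field names the WordPress.org plugin info API uses (author, last_updated, tested, support_threads, support_threads_resolved); the records below are constructed sample data, and every threshold is an assumption you should tune to your own risk appetite.

```python
"""Audit WordPress plugins against the three questions in the post:
who developed it, when was it last updated, is it well-supported.

Added example, not code from the original post. Field names follow the
WordPress.org plugin info API; the records and thresholds are assumptions."""

from datetime import date

# Assumed thresholds for this example.
STALE_AFTER_MONTHS = 12     # no release in a year -> "stale"
MIN_RESOLVED_RATIO = 0.5    # under half of support threads resolved -> "unsupported"
MIN_THREADS_TO_JUDGE = 10   # too few threads to judge support quality at all

# Assumed audit context: the date of the audit and the WordPress version in use.
AUDIT_DATE = date(2013, 9, 1)
CURRENT_WP = "3.6"

# Constructed sample records (not real plugins).
SAMPLE_PLUGINS = [
    {"slug": "example-cache", "author": "Example Maintainers",
     "last_updated": "2013-07-01 3:58pm GMT", "tested": "3.6",
     "support_threads": 120, "support_threads_resolved": 100},
    {"slug": "example-widget", "author": "",
     "last_updated": "2011-02-14 9:12am GMT", "tested": "3.0",
     "support_threads": 30, "support_threads_resolved": 2},
    {"slug": "example-seo", "author": "Trusted Dev",
     "last_updated": "2012-06-20 1:05pm GMT", "tested": "3.6",
     "support_threads": 60, "support_threads_resolved": 50},
]


def version_tuple(version):
    """'3.6.1' -> (3, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def months_since(last_updated, today):
    """Whole months between the record's date (leading ISO date) and today."""
    updated = date.fromisoformat(last_updated[:10])
    return (today.year - updated.year) * 12 + (today.month - updated.month)


def audit_plugin(record, today, current_wp):
    """Return a list of 'kind: detail' findings for one plugin record."""
    findings = []
    if not record.get("author"):                       # who developed it?
        findings.append("unknown developer: no author listed")
    age = months_since(record["last_updated"], today)  # when was it last updated?
    if age > STALE_AFTER_MONTHS:
        findings.append("stale: last updated %d months ago" % age)
    if version_tuple(record["tested"]) < version_tuple(current_wp):
        findings.append("untested: tested up to %s, current is %s"
                        % (record["tested"], current_wp))
    threads = record.get("support_threads", 0)         # is it well-supported?
    if threads >= MIN_THREADS_TO_JUDGE:
        ratio = record.get("support_threads_resolved", 0) / threads
        if ratio < MIN_RESOLVED_RATIO:
            findings.append("unsupported: %d%% of support threads resolved"
                            % round(ratio * 100))
    return findings


def verdict(findings):
    """keep = no findings; remove = stale and also untested or unsupported; else review."""
    if not findings:
        return "keep"
    kinds = {f.split(":", 1)[0] for f in findings}
    if "stale" in kinds and kinds & {"untested", "unsupported"}:
        return "remove"
    return "review"


def audit_all(records, today, current_wp):
    """Map each plugin slug to (verdict, findings)."""
    report = {}
    for record in records:
        findings = audit_plugin(record, today, current_wp)
        report[record["slug"]] = (verdict(findings), findings)
    return report


if __name__ == "__main__":
    for slug, (decision, findings) in audit_all(SAMPLE_PLUGINS, AUDIT_DATE, CURRENT_WP).items():
        print("%-15s %-7s %s" % (slug, decision, "; ".join(findings) or "-"))
```

A "remove" verdict here is a prompt to look for a replacement or a code snippet, not an instruction to delete blindly; a "review" plugin from a developer you already trust may be perfectly fine even if it has not shipped a release in a while.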
Your site is only as secure and efficient as the code that makes it up. Ideally, all of your plugins should come from trusted developers.
There are also many free plugins out there that are both responsibly developed and excellently coded, but do your homework and make sure that you are avoiding the malicious plugins.
On the flipside, most premium plugins can be trusted, but that doesn’t mean all of them can be. Never jump to conclusions.
If all else fails, just return to the golden rule: less is more.
Do you have your own rules for installing plugins on your WordPress site(s) or do you have your own opinion on plugins? Let us know in the comments section below!