Plugins are a great way to add functionality to your WordPress (WP) site. They allow you to extend the core WP functionality without needing much development knowledge. For example, if you want to add a contact form to your site, this functionality is not in WP by default. To achieve this you can enable a contact form plugin like Contact Form 7 or Gravity Forms. Once you’ve created your form, you can easily embed it in your page using a small code snippet called a Shortcode. You don’t have to dive into the code to add extra functionality.
There are so many plugins available. Whether they’re free or paid, there are some things you should check before adding them to your site. Choosing a bad plugin can cause errors on your site or open up security vulnerabilities. Here are some simple steps to take to help you choose a plugin that doesn’t take your site down.
Is the plugin stable on your version of WordPress?
When WordPress releases a new version it fixes known vulnerabilities and deprecates old functions. Before adding a plugin to your site you need to make sure it’s compatible with your version of WordPress. If the plugin is not compatible with WordPress it can cause errors on your site. This could lead to the WordPress white screen of death.
This is also a good rule to follow before updating your WordPress site. You want to make sure your old plugins are still compatible with the newer version of WordPress. You should keep your WP site up to date, as each release fixes known issues and vulnerabilities.
After adding or updating a plugin or WordPress, it’s important to check your site for any unexpected errors.
When was the last time the plugin was updated?
This is closely tied to the above tip. If the plugin hasn’t been updated in a long time then it could be using deprecated functionality that isn’t compatible with newer versions of WordPress. Plugins that haven’t been updated in over two years will display a warning on the plugin page:
New vulnerabilities are constantly being found. Depending on how the plugin was originally written, and what the plugin does, it could expose a vulnerability due to the codebase not being updated in a long time.
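The two checks above (does the plugin declare support for your WordPress version, and has it been kept current) can be automated before you install anything. The script below is an added example, not code from the original post: it parses the version headers a plugin ships in its readme.txt and compares them with the site’s WordPress and PHP versions using PHP’s version_compare. The readme text and the site version are constructed values for the illustration; in practice you would read the readme.txt from the plugin zip you downloaded and take the site version from get_bloginfo( 'version' ).

```php
<?php
// Added example, not code from the original post: check the WordPress and PHP
// versions a plugin declares in its readme.txt before installing it.
// The readme text below is constructed for the example; in practice read the
// readme.txt from the plugin zip you downloaded.
$readme = <<<'TXT'
=== Example Contact Plugin ===
Contributors: exampledev
Requires at least: 5.2
Tested up to: 5.8
Requires PHP: 7.2
Stable tag: 2.1.0
TXT;

// Version of WordPress the site runs. Assumed value for the example; inside
// WordPress itself you would use get_bloginfo( 'version' ).
$site_wp_version = '6.4.2';

// Reduce "6.4.2" to "6.4": WordPress.org treats "Tested up to: 6.4" as
// covering every 6.4.x point release, so only major.minor is compared.
function major_minor( string $version ): string {
    $parts = explode( '.', $version );
    return implode( '.', array_slice( $parts, 0, 2 ) );
}

// Pull the header lines we care about out of a readme.txt, keyed in lowercase.
function parse_readme_headers( string $readme ): array {
    $headers = [];
    foreach ( preg_split( '/\R/', $readme ) as $line ) {
        if ( preg_match( '/^(requires at least|tested up to|requires php|stable tag):\s*(.+)$/i', trim( $line ), $m ) ) {
            $headers[ strtolower( $m[1] ) ] = trim( $m[2] );
        }
    }
    return $headers;
}

// Return a list of warnings; an empty list means the declared versions fit.
function check_compatibility( array $headers, string $wp_version, string $php_version ): array {
    $warnings = [];
    if ( isset( $headers['requires at least'] )
        && version_compare( $wp_version, $headers['requires at least'], '<' ) ) {
        $warnings[] = "Site runs WordPress $wp_version but the plugin requires at least {$headers['requires at least']}.";
    }
    if ( isset( $headers['tested up to'] )
        && version_compare( major_minor( $wp_version ), major_minor( $headers['tested up to'] ), '>' ) ) {
        $warnings[] = "Plugin is only tested up to WordPress {$headers['tested up to']}; it has not been confirmed on $wp_version and may not have been updated recently.";
    }
    if ( isset( $headers['requires php'] )
        && version_compare( $php_version, $headers['requires php'], '<' ) ) {
        $warnings[] = "Plugin requires PHP {$headers['requires php']} but this server runs PHP $php_version.";
    }
    return $warnings;
}

$warnings = check_compatibility( parse_readme_headers( $readme ), $site_wp_version, PHP_VERSION );
if ( [] === $warnings ) {
    echo "No compatibility warnings; still test on staging first.\n";
} else {
    foreach ( $warnings as $w ) {
        echo "WARNING: $w\n";
    }
}
```

Run it with `php check-plugin.php`. With the constructed readme it reports that the plugin was only tested up to WordPress 5.8, which is exactly the stale-plugin signal the section describes; a clean result only means the declared versions match, not that the code is safe, so the staging test and code review below still apply.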
What do the plugin ratings or support tickets say about the plugin?
The WordPress plugins hosted on WordPress.org all have reviews and support sections.
Ratings allow you to see what other people are saying about the plugins. In the above image the plugin has a lot of positive ratings so there are other people that use and trust the plugin. This allows us to assume it’s a safe plugin that gets maintained regularly. You can also click into specific star ratings to read what people are saying about the plugin or why they chose to give it that specific rating.
Support tickets for plugins allow us to see whether there are any common themes; this can help indicate if the code is broken or if there are exposed vulnerabilities. If there have been a lot of issues and none of them are getting marked as resolved, it’s also a good indicator that the plugin is not being maintained.
Do you have a staging environment you can test the plugin on first?
This is probably the most important step. Whenever possible, test plugins out on a development or staging environment first. If all the above tips fail and you still install a plugin that takes your site down or displays error messages, you’ll know before it’s ever seen by anyone else on your live/production site.
Unfortunately this step doesn’t let you see if there are any vulnerabilities in the codebase of the plugin; that’s why there’s the next tip.
If you have some coding experience, do a code review of the plugin.
This is a bit more advanced; hopefully the tips above have weeded out the majority of the bad plugins out there. If you do have coding knowledge you can do a code review. You want to make sure the plugin escapes output, especially when dealing with user input. Also check how it is using the WP API. Does this match the recommended WordPress codex examples, or is the plugin author doing some unusual things here that could expose vulnerabilities?
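To make the review concrete, here is an added example, not code from the original post or from any real plugin, of the pattern to look for in a shortcode handler and a settings form handler. The first function shows the careless version a reviewer should flag (request input written straight into the page); the second shows the same feature written the way the WordPress developer handbook recommends, with sanitizing on input, context-specific escaping on output, and nonce plus capability checks before anything is saved. The shortcode, function and option names (example_greeting, example_save_settings, example_option) are made up for the illustration; the WordPress functions called (shortcode_atts, esc_html, esc_attr, esc_url, sanitize_text_field, wp_unslash, check_admin_referer, current_user_can, update_option) are real core API, so this file only runs when loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Example Greeting (added review example, not a real plugin)
 */

// BEFORE: the pattern to flag in review. Query-string input is placed into the
// page without sanitizing or escaping, so whatever a visitor puts in ?name=
// becomes part of the HTML. This is the classic reflected XSS shape.
function example_greeting_shortcode_unsafe( $atts ) {
    $name = isset( $_GET['name'] ) ? $_GET['name'] : 'friend';
    return '<p class="greeting">Hello, ' . $name . '!</p>';
}

// AFTER: same feature, written the way the WordPress handbook recommends.
function example_greeting_shortcode( $atts ) {
    // Declare every attribute with a default so unexpected ones are dropped.
    $atts = shortcode_atts(
        array(
            'name'  => 'friend',
            'class' => 'greeting',
            'link'  => '',
        ),
        $atts,
        'example_greeting'
    );

    // If request input is genuinely needed, unslash and sanitize it on the way in.
    if ( isset( $_GET['name'] ) ) {
        $atts['name'] = sanitize_text_field( wp_unslash( $_GET['name'] ) );
    }

    // Escape on the way out with the function that matches the context.
    $html = sprintf(
        '<p class="%s">Hello, %s!</p>',
        esc_attr( $atts['class'] ),   // HTML attribute context
        esc_html( $atts['name'] )     // text node context
    );
    if ( '' !== $atts['link'] ) {
        // URL context: esc_url() also rejects javascript: and other unsafe schemes.
        $html .= sprintf( ' <a href="%s">More</a>', esc_url( $atts['link'] ) );
    }
    return $html;
}
add_shortcode( 'example_greeting', 'example_greeting_shortcode' );

// Form handlers are the other place to look. Both a capability check and a
// nonce check should be present before the plugin writes anything; a handler
// that has only one of them, or neither, is a finding.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with an error page if the nonce is missing or invalid (CSRF protection).
    check_admin_referer( 'example_save_settings' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_option'] ?? '' ) );
    update_option( 'example_option', $value );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

When reading a plugin, grep for direct use of $_GET, $_POST, $_REQUEST and $_SERVER and follow each value to where it is printed or stored: it should pass through a sanitize_* function on input and an esc_* function on output, and any write path reached from a form should sit behind both current_user_can() and a nonce check as above. Raw SQL built with string concatenation instead of $wpdb->prepare() deserves the same scrutiny.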
Following all these tips should help you avoid bad plugins, however it’s not 100% foolproof. You should always test the plugin before installing it on a live environment. If you’re not sure whether or not to use a plugin, look for reviews on the plugin or ask a developer to help you make the decision.
– Emily Fox