The Dangers of WordPress Plugins Ignorance (And the Ways to Combat It)

Jun 2, 2023

 I began to get really frustrated.

My website had been bouncing around for several hours, slow to load and at times completely non-responsive, so I decided to contact my host provider. The only thing they could say was that it seemed to be connected to one of the plugins on my blog.

Then the lightbulb in my head finally came on: I had installed a brand-new plugin just a couple of hours earlier, around the same time my website began to behave strangely. Aha.

I swiftly (well, slowly actually) logged into my site and deactivated the offending plugin. Bingo. The site returned to normal.

Nearly everyone who has used WordPress for any length of time has run into this: a plugin that makes the site malfunction. Many of us still install and remove plugins with wild abandon, unaware of the hazards involved. Worse, some of us are fully aware of the risks and still indulge an insatiable craving for plugins anyway.

In short, most WordPress users are a bit naive when it comes to their sites. In this article, I'm going to highlight the potential dangers of plugins (especially free ones), in the hope that it makes a compelling argument against the wanton proliferation of plugins on your WordPress website.

How Much Harm Can a Plugin Really Do?

Simply put, a WordPress plugin is a piece of software that extends the functionality of the WordPress content management system (CMS). Plugins came about as programmers sought to expand WordPress's capabilities without altering its core code.

These days, with more than 28,000 free plugins available, WordPress can do almost anything you can dream of (and if it doesn't, someone is probably working on it).

WordPress.org Plugins

Plugins are the heartbeat of WordPress. They have played a huge part in its exponential growth into the king of the CMS world. Without plugins, WordPress is a relatively limited platform.

A plugin can have an outsized impact on your website's performance: once activated, it runs as part of WordPress itself and can therefore affect your entire installation. My blog slowing to a crawl because of a single plugin is a case in point. A handful of files can have an enormous effect on your site.

In this regard, WordPress users need to realize that they are putting their website's health in the hands of a developer every time they install an extension. If the developer is skilled and responsible, the chances of running into issues are low (though never zero). Unfortunately, not every developer takes responsibility for the plugins they release.

Once a plugin is activated, anything could happen. Your site's load time could suffer badly; the site could go down entirely. A few malicious actors even publish bad plugins (or compromise otherwise trusted ones) with no goal other than causing people pain. That is the risk we take every time we click Activate.

The Issue with WordPress.org

WordPress.org Plugin Directory

WordPress.org is fantastic for a variety of reasons, but it's not without its flaws. As of this writing, there are an enormous number of plugins on WordPress.org, and the vast majority of them are:

  1. out of date,
  2. buggy,
  3. bloated,
  4. insecure, or
  5. some combination of the above.

Even the most robust and popular plugins can suffer. In May 2013, Sucuri disclosed a security vulnerability present in the hugely popular W3 Total Cache and WP Super Cache plugins. These two plugins boast more than 7.5 million downloads between them, which shows just how much damage such a flaw could cause.

Similarly, in a recent blog post on ManageWP I wrote about bugs in the popular SEO by Yoast plugin. Joost de Valk is a respected developer, and he quickly moved to resolve the issue; however, WordPress.org showed that numerous users had marked SEO by Yoast updates as not compatible.

SEO by Yoast is back on top, but these cases show that nobody, not even the top-rated developers, can guarantee that a WordPress plugin will always work.

WordPress.org can be a blessing or a curse, and it is a resource that must be used with care.

Security issues in WordPress

I've written on WordPress security a lot -- on my own blog, on ManageWP and in a forthcoming post on Smashing Magazine and beyond.

I've talked to many experts on the topic, as well as people who work directly on the WordPress core, and the overwhelming response is this: the WordPress core is very secure, but things can get hairy with outside influences (plugins as well as humans).

If a WordPress user sets their account password to "password", there is very little WordPress can do to defend itself against a brute-force attack. That is not a flaw in WordPress; it is a problem of user inexperience.

Similarly, if you choose to install a plugin that has security holes, the WordPress core cannot be held accountable for the consequences. Every piece of software you install is another opportunity for a security issue.

Surely Premium Plugins Are Safe?

I am sure that if a study were conducted, it would find that the ratio of buggy, bloated or insecure plugins to "healthy" ones is far more favorable among premium plugins. But that doesn't mean every premium plugin is excellent, and it would be unwise to assume so.

Personally, I would recommend that you buy only from developers with good, established reputations.

If, for instance, you download a plugin from WooThemes (free or otherwise), you can be confident it has been built with care and is unlikely to harm the performance, speed or security of your site.

If, on the other hand, you stumble across a site you've never heard of that claims to sell a great plugin, it's best to be cautious.

So What Should Your Next Step Be?

I'm not saying you must uninstall all your plugins and curl up in the corner in a fetal position, but I am suggesting that you carefully weigh the worth of every plugin installed on your site. Any of them could be insecure, could be draining your resources, or could be buggy and bloated. A plugin that isn't installed can do none of those things.

I recently re-evaluated the functionality of my blog and was able to get rid of 60% of the plugins I was using, with little reduction in performance. I replaced some plugin functions with simple (and clear) code fragments, and realized that most other features don't need a plugin at all. For instance, while plugins that let you quickly insert analytics tracking code into your site are great for novices, anyone who has built a child theme before should have no problem inserting that code in header.php.
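As an added example (not code from the original post), here is how the analytics case above can be handled without a plugin. Rather than copying header.php into the child theme, it hooks the snippet onto WordPress's `wp_head` action from the child theme's functions.php, which the parent theme's header already fires; the `mychild_*` names, the tracking ID and the vendor script URL are placeholders.

```php
<?php
/**
 * Child theme functions.php: print an analytics snippet on every front-end
 * page via the wp_head hook, replacing an "insert tracking code" plugin.
 * Lives at wp-content/themes/<your-child-theme>/functions.php (assumed path).
 */

// Placeholder: replace with the property ID your analytics vendor gave you.
define( 'MYCHILD_TRACKING_ID', 'UA-XXXXXX-Y' );

function mychild_print_analytics() {
    // Don't count page views by site administrators (logged-in users who can manage options).
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    // Never echo the ID raw: escape for the attribute context and the JS string context
    // separately, so a tampered value cannot break out of either.
    $id_attr = esc_attr( MYCHILD_TRACKING_ID );
    $id_js   = esc_js( MYCHILD_TRACKING_ID );
    ?>
    <!-- analytics snippet; the vendor script URL below is a placeholder -->
    <script async src="https://analytics.example.com/collect.js?id=<?php echo $id_attr; ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag() { dataLayer.push( arguments ); }
      gtag( 'js', new Date() );
      gtag( 'config', '<?php echo $id_js; ?>' );
    </script>
    <?php
}
// Priority 20 runs after the parent theme's own wp_head output (default priority is 10).
add_action( 'wp_head', 'mychild_print_analytics', 20 );
```

Because a child theme's functions.php is loaded in addition to the parent's rather than replacing it, this survives parent theme updates, which an edited copy of header.php may not.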

When you're left with a (hopefully) smaller number of plugins, do a second review to make sure you really need each one. You may be surprised when you look at the list objectively.

Finally, conduct a last sweep. Ask the following questions of each plugin:

  1. Who developed it?
  2. When was it last updated?
  3. Is it well supported?

Your answers should tell you what to do.
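As an added example (not from the original post), the following PHP script turns the three sweep questions into checks over a plugin's WordPress.org directory record. The field names follow the public plugin-information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG`) as I understand it; the `mychild_*` names, the thresholds and the two sample records are constructed for illustration and are not real plugins.

```php
<?php
/**
 * Vet a plugin against "who built it", "when was it last updated" and
 * "is it well supported", using fields shaped like a WordPress.org
 * plugin_information response. Runs offline on the constructed samples below.
 */

// Thresholds are judgement calls; tune them to your own risk appetite.
const MYCHILD_MAX_AGE_DAYS      = 365;   // "last updated" older than this is a red flag
const MYCHILD_MIN_ACTIVE        = 1000;  // very few active installs = little real-world testing
const MYCHILD_MIN_RESOLVED_RATE = 0.5;   // share of support threads the developer resolved

function mychild_vet_plugin( array $p, DateTimeImmutable $now, string $current_wp ): array {
    $warnings = [];

    // 1. Who built it?
    if ( empty( $p['author'] ) ) {
        $warnings[] = 'no named author';
    }

    // 2. When was it last updated? The API reports e.g. "2013-05-28 7:52pm GMT".
    $updated  = new DateTimeImmutable( str_replace( ' GMT', '', $p['last_updated'] ), new DateTimeZone( 'UTC' ) );
    $age_days = $now->diff( $updated )->days;
    if ( $age_days > MYCHILD_MAX_AGE_DAYS ) {
        $warnings[] = "not updated for {$age_days} days";
    }
    // A plugin never tested against the current WordPress release is also stale.
    if ( version_compare( $p['tested'], $current_wp, '<' ) ) {
        $warnings[] = "only tested up to WordPress {$p['tested']}";
    }

    // 3. Is it well supported?
    if ( (int) $p['active_installs'] < MYCHILD_MIN_ACTIVE ) {
        $warnings[] = "only {$p['active_installs']} active installs";
    }
    $threads = (int) $p['support_threads'];
    if ( $threads > 0 ) {
        $rate = (int) $p['support_threads_resolved'] / $threads;
        if ( $rate < MYCHILD_MIN_RESOLVED_RATE ) {
            $warnings[] = sprintf( 'only %d%% of support threads resolved', round( 100 * $rate ) );
        }
    }
    return $warnings;
}

// Two constructed sample records shaped like API responses (not real plugins).
$samples = [
    [ 'name' => 'Well Kept Widget', 'author' => 'Example Dev', 'version' => '2.4.1',
      'last_updated' => '2013-05-28 7:52pm GMT', 'tested' => '3.5.1',
      'active_installs' => 250000, 'support_threads' => 40, 'support_threads_resolved' => 33 ],
    [ 'name' => 'Abandoned Gallery', 'author' => '', 'version' => '0.3',
      'last_updated' => '2010-11-02 4:10am GMT', 'tested' => '3.0',
      'active_installs' => 300, 'support_threads' => 12, 'support_threads_resolved' => 2 ],
];

$now = new DateTimeImmutable( '2013-06-02', new DateTimeZone( 'UTC' ) );
foreach ( $samples as $plugin ) {
    $w = mychild_vet_plugin( $plugin, $now, '3.5' );
    printf( "%-20s %s\n", $plugin['name'], $w ? 'WARN: ' . implode( '; ', $w ) : 'OK' );
}
```

Run it with `php vet-plugins.php`; the first sample comes back clean and the second is flagged on every check. For a live check, `json_decode` the API response for a slug into the same array shape and pass it to `mychild_vet_plugin()`.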

Final Thoughts

Your site is only as secure and effective as the code it is made of. Make sure every plugin comes from a reputable developer.

There are many plugins that are both responsibly developed and well coded. But take the time to research them so you steer clear of the dangerous ones.

On the flip side, most premium plugins can be trusted, but that does not mean every one of them is reliable. Don't make assumptions.

If all else fails, fall back on the golden rule: less is more.

Do you have your own rules for installing plugins on your WordPress site(s), or any other thoughts on plugins? Tell us in the comments below!