Wordpress has a huge number of plugins that extend the core functionality of WordPress.
Often there are multiple plugins that appear to do the same thing and you need to choose which one to install. Here we’ll consider what should inform your choice so that you can get the functionality you need whilst managing the risk.
Risk & Reward
Every plugin you install represents a risk. Primarily a security threat because attackers can find it easier to compromise code written by a single plugin author compared to code provided by the core WordPress team. There is the risk you’re an earlier adopter and might be the first to find particular bugs. Similarly a plugin may conflict with other plugins you have installed. The author may also abandon a plugin which means you’re left without any ongoing support or development.
Here is a checklist to help you with plugin selection:
- How mature is the plugin? Has it only been available for a short time? Does it have a low release number?
- The wisdom of crowds. Not a guarantee this, but a plugin that has been installed 10 times has a different risk than a rival installed 4 million times.
- When was the last time the plugin was updated? If its more than 6-8 months it may have been abandoned. The “Tested up to:” field in the plugin directory is also a proxy for this. If its only been tested up to a fairly old release of WordPress core you may want to look elsewhere.
- Install and test on a development version of your site first. Do not install untried, untrusted plugins on your live/production site.
If a plugin looks mature and well supported its worth downloading and investigating further. Examine the code and see if the author has included hooks at key points in the code. This will allow you to alter the behaviour of the plugin without hacking the plugin directly. In that way any changes you want to make will be preserved when you upgrade.
If the plugin is providing content to your site visitors, does it wrap the content in structured data that passes the Google structured data testing tool?
If you’ve got this fat and the plugin still looks good, activate it and re-test the functionality of your website. Anything broken? if so deactivate the plugin and re-test. If the problem disappears the plugin may be the culprit.
Stay up to date
Its essential that you keep up to date with plugin releases. In our experince not all plugin authors mark security updates as such, instead any updates may be marked as “fixes”, “revisions” or “tweaks”. Staying up to date will help keep your site secure. Obviously you can update va the admin back-end. Its a lot quicker to update using wp-cli, e.g.
wp plugin update plugin-name. If you’re running a fleet of sites with a variety of plugins wp-cli also allows you to script these updates. This is a topic we may return to in a future blog.
Minimising the number of plugins to achieve a successful site is a design and development goal of ours. The most common plugins we use are Yoast, Woocommerce and CiviCRM. We also have an internal plugin that audits various system messages to log files, provides SMTP mail and other niceties such as enqueuing analytics files. A low number of plugins reduces the security threat, helps with site speed and makes your site easier to maintain.