In this post, I’m going to expose our secret methods for choosing the most-secure and bug-free WordPress plugins.
WordPress is a fantastic website management tool.
It’s the most popular content management system (CMS) in the world, used on a whopping 30.7% of websites (W3Techs). This is an impressive number of websites! The next runner up for market share is Joomla!, which only represents 3.1% of the market share.
It’s so easy to use.
No wonder people like it. It’s super easy to manage your website. You can add pictures, content and menus… very easily. However, there’s a big problem:
It’s also easy to break your website. I think they’ve gone too far with making everything “easy”. With a push of a button, you can update (and screw up) your WordPress software. With automatic updates turned on, WordPress can do it for you. I’ve seen quite a few websites break like this.
One customer thought they’d just click the update link. It seemed so easy. Their website was destroyed. Utterly. Unfortunately, they did not backup the website first. Unfortunately, they didn’t host with us and so did not have automatic server backups turned on, or daily remote backups installed. They were done for.
You can also add new plugins so easily. Just put in a couple of keywords and add a new plugin with the push of a button. Folks, I can’t stress it enough: this is dangerous!
Plugins are not made by WordPress. WordPress plugins are made by freelance developers and non-WordPress companies. Many of the plugins are great (I’m going to tell you how to find them), but there are also many poor plugins that create doorways to viruses into your website.
You’ve got to understand the vetting process for accepting WordPress plugins. Here is the criteria for getting a WordPress plugin approved:
- Plugins must be compatible with the GNU General Public License v2 or later. If a license is not specified, code will be considered “GPLv2 or later.”
- The provided Subversion repository must be used for functional WordPress plugins only.
- Links such as a “powered by” link, or advertising, or external service calls are prohibited unless it is clearly documented and explicit user permission is granted.
- The plugin and developer must not do anything illegal, dishonest, or morally offensive. This includes spamming or harassment.
There’s not much to it. There’s no record of using a formal code review process. There’s no testing. Why? Because the WordPress community is supposed to do that. Rather than staffing this process, WordPress relies on developers and communities to separate the good plugins from the bad. WE are their vetting process.
If you know what you are doing and are careful, this process works. It works well because of the shear number of people using the software. Quality is primarily surfaced through thousands of reviews and displaying a large number of downloads. In a word, quality is managed through: popularity.
However, there’s more to doing it right. Following is a list of 10 methods we use to vet WordPress plugins for quality…
A Large Number of Downloads
As I mentioned previously, a common way to identify a good plugin is to look at the number of downloads. We prefer to plugins that have more than 10,000 downloads. We make exceptions to this all the time, but this is a good starting point. Why do we look at this? The idea is that with enough people using the software, many of the bugs and vulnerabilities will have been worked out by the early adopters. When it comes to new software from unknown developers, try not to be an early adopter. Instead, look at the most popular or featured plugins. These are plugins that have been implemented and used by many, which in theory, should be more stable and worry free when it comes to integrating with your website.
A plugin might have an adequate number of downloads, but has poor reviews. I typically look for a 4-5 star rating. It’s also a good idea to read the review comments.
I’ve seen cases where a plugin has a low review because a competing developer spammed the reviews for a plugin. I’ve seen the opposite, where the plugin developer obviously opened up a bunch of new WordPress accounts and posted outstanding reviews. Or, people will leave bad reviews because they don’t have the technical expertise to set up a complex plugin.
To get a good gauge for the quality of the plugin, I look for the evidence to throw out. I am also looking for real problems where the plugin has caused websites to break, are incompatible with other plugins, or have left doorways to viruses.
The point is that reading plugin review comments will give you a better feel for how good a plugin is. If you are in doubt, you can always reach out to the developer and ask a question. It pays to be cautious instead of spontaneous.
If a plugin hasn’t been updated recently, it might be an indication that it’s not compatible with the current version of WordPress. When choosing a new plugin, I tend to prefer one that has been updated more recently. This might suggest that the developer is still active with keeping their software current and synchronized with new WordPress software updates.
Proceed with caution if a plugin has not been tested with your latest update.
Another metric to look at is the highest version supported. While this might only mean that the developer updated the version number in a configuration file, it at least shows that the developer is proactive and still interested in supporting their code.
If there are a large number of downloads, lots of good reviews, has been updated recently, and supports the current version of WordPress, I’ll usually feel pretty good about the plugin and will install it and test it. If I’m feeling a bit uneasy about it though, I’ll perform searches on Google to uncover what others are saying about the plugin.
YouTube is a great source for research. Look and see if there are videos of the plugin available by other users or even the developer. I have found videos to be extremely helpful about the benefits and limitations of a plugin, including integration and performance.
There are a number of places online that track and publish bugs and vulnerabilities. This process allows me to keep a tight wall of security around my business at all times. Each new plugin goes through a step-by-step security process to ensure my business is safe, along with the information I store.
Here are a few companies that I use to help with the security process:
WPScan Vulnerability Database
WordFence Activity Report
WordFence Vulnerability Blog
WordPress Bug Tickets
In addition to scanning for bugs and vulnerabilities, I’ll often review the WordPress forums relating to the particular plugin. It’s best to know all you can about the plugin.
Visual Inspection of Code
Sometimes, you have no option but to use a new plugin with few downloads, few or no reviews, and with little or no outside references. For instance, you might have an uncommon feature requirement that an obscure plugin can handle. I will often visually inspect the code to see if there are intentional doorways to viruses, vulnerabilities, or poor code quality.
If there are no visual areas of concern, proceed with installing the plugin and testing as you would normally.
Review for Conflicts and Bugs
This one is obvious! It’s important to test the plugin to see if it breaks your website and works as you expect. Plugins can create a conflict with your theme, especially if you purchased a theme that is packed with features and other plugins to support the theme.
After installing and activating a plugin, check the website. Review the plugin to make sure it’s operating successfully and no errors occur on the website.
Hide Plugin Management
For trigger happy customers, I’ll sometimes install Admin Menu Editor. Among other things, it allows me to hide from certain users and types the menu links for updating WordPress and plugins.
This is a nice safety measure to have in place. It will ensure users who have access to your website won’t be able to install updates and potentially break your website.
Turn Off Automatic Updates
This might seem counter-intuitive because WordPress recommends having automatic updates turned on. If you get a virus, you can’t blame WordPress if you don’t have this turned on! However, the downside is that it can break your website or conflict with plugins. It’s far better to have a professional do a full backup of your website and do all that I’ve outlined above before applying updates.
Finally, it’s a good idea to regularly scan for unauthorized changes in code and viruses. WordFence does this automatically for your website. I install it on every website and it’s a good example of an awesome plugin.
In summary, it’s very risky to add and update WordPress and plugins without knowing how to evaluate plugins. I’ve documented my vetting process for you. I hope this helps! Although simple and easy by clicking a button, the effects of an update or use of a low trusted plugin can be catastrophic.
If you’d like to have a professional regularly review and update your website, take a look at our security plan or give me a call (530-680-2734). If you’re in the Chico area, I’d love to sit down and talk with you.