There are a lot of WordPress plugins these days, which is great! Need to manage events? There’s a plugin for that! In fact, there are probably ten plugins for that, and each one claims to be the “best.” So how do you pick one?
Step 0: Identify the Need
Yes, you read that right. Step 0. This is the step before the actual evaluation.
This might go without saying, but I’m going to say it anyway: Only add plugins if you actually need to. Don’t just add plugins for exciting, cool features that you read about on some blog. Adding plugins adds more PHP code to your site, and that code might have flaws that could be exploited by malicious internet traffic. So adding plugins inherently increases the risk of your site/server being hacked. One of the goals of our plugin evaluation is to minimize this risk.
Once you have a need and have Googled to find a handful of plugins that seem to meet that need, the evaluation proper can begin. To be efficient, we like to start with the lowest effort items and work up to the higher effort items.
Step 1: Check for Red Flags
We like to check for red flags first because it only takes a couple of minutes, and if any are found, we can move on without wasting more time.
We first check when the plugin was last updated. If the plugin hasn’t been updated in over a year, it’s likely it will not be updated in the future when vulnerabilities are inevitably discovered.
The second thing we check is whether the plugin has vulnerabilities listed in the WPScan vulnerabilities database. Many plugins are listed in that database, including many of the plugins we use, but their vulnerabilities are marked as fixed by a later plugin update. If known vulnerabilities have gone unfixed for a while, that is a red flag that the plugin won’t receive updates for vulnerabilities in the future either.
It’s also a good idea to quickly read through the reviews. Make sure to pay special attention to the most recent ones. If there are many believable negative reviews, then it might be a red flag.
If we find a red flag, it’s time to move on and look for another plugin.
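Step 1 as a script, added here as an example (not code from the post): it applies the one-year staleness rule and flags any database entry with no fixing release, or one fixed only in a version newer than the one under review. The plugin record and its vulnerability entries are constructed sample data, and the field names are assumptions rather than the wordpress.org or WPScan formats.

```python
"""Step 1 red-flag check for a candidate plugin (added example, not from the post).

The plugin record and its vulnerability list are constructed sample data; the
field names are assumptions, not the wordpress.org or WPScan data formats.
"""
from datetime import date

STALE_AFTER_DAYS = 365  # the post's "not updated in over a year" rule

# Constructed sample: one plugin with two published vulnerabilities.
SAMPLE_PLUGIN = {
    "slug": "example-events",
    "version": "2.4.0",
    "last_updated": "2023-01-15",
    "vulnerabilities": [
        # fixed_in None means the database lists no release that fixes it
        {"title": "Stored XSS in event title", "fixed_in": "2.3.1"},
        {"title": "Missing capability check on settings", "fixed_in": None},
    ],
}

def version_tuple(version):
    """'2.4.0' -> (2, 4, 0), so releases compare numerically rather than as text."""
    return tuple(int(part) for part in version.split("."))

def unfixed_vulnerabilities(plugin):
    """Entries with no fixing release, or fixed only in a release newer than ours."""
    current = version_tuple(plugin["version"])
    return [
        v for v in plugin["vulnerabilities"]
        if v["fixed_in"] is None or version_tuple(v["fixed_in"]) > current
    ]

def red_flags(plugin, today_iso):
    """Return Step 1's red flags as strings; an empty list means none were found."""
    today = date.fromisoformat(today_iso)
    age_days = (today - date.fromisoformat(plugin["last_updated"])).days
    flags = []
    if age_days > STALE_AFTER_DAYS:
        flags.append(f"last updated {age_days} days ago (over a year)")
    for v in unfixed_vulnerabilities(plugin):
        flags.append(f"unfixed vulnerability: {v['title']}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_PLUGIN, "2024-06-01"):
        print("RED FLAG:", flag)
```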
Step 2: Test It Out
Plugins usually advertise a long feature list, but before we spend any more time evaluating the quality of a plugin, we had better test whether it actually does what we need it to do. So the next step is to install the plugin and do a quick test. We usually do this in a local or staging environment so that production is protected.
Beyond testing the plugin functionality, you also might want to check performance. We often use the Query Monitor plugin to check if new plugins slow down the page generation time, or seem to be doing unnecessary queries.
Step 3: Research the Plugin History
Once we’ve checked for red flags and confirmed the plugin works as desired by actually testing it, we research the plugin’s history. There is no certainty what the future may hold, but a plugin with a good history has a better chance of having a good future than one with a bad history or none at all.
How popular is the plugin? The WordPress plugins repository shows how many sites each plugin has been installed on. A popular plugin indicates other people have found the plugin to be useful. But popularity is a double-edged sword because more popular plugins are more likely to be the target of malicious attacks. In general, though, higher popularity is better.
How old is the plugin? Has the plugin developer consistently updated the plugin since it was first released? A plugin that has been consistently updated over the years is more likely to be updated in the future as issues come up.
Who is the plugin developer? Is it developed by a company or an individual? Does the company look legitimate, or more like something that could vanish in a couple of months? A plugin developed by a company means there are probably more developers available to work on the plugin, but more developers aren’t necessarily better than a single developer who cares a lot. If the plugin is developed by an individual and appears to support a large chunk of their living, they are probably pretty motivated to support the plugin.
Evaluating a plugin’s history is not an exact science. Try not to write off a plugin for failing to tick an arbitrary box, e.g. must be developed by a company, must have 100,000 installations, etc. Keep your options open, look a little deeper, and see if you like what you see.
Step 4: Take a look at the documentation
Often reading the documentation of a plugin can give you a feel for the care and attention to detail the developers use in producing their work. Does the documentation cover the features you’re interested in? Is the documentation clear and easy to understand? If you’re thinking about starting to use a complicated or highly technical plugin, then a lack of full and up-to-date documentation should make you pause.
For most WordPress plugins, the documentation should have a filters and actions section. Filters and actions allow you to work with and customize the plugin. It is one of the most important ways to interact with a plugin.
Step 5: Take a look at the code
If you are technical, it’s a good idea to download the plugin, open it up, and take a look at the code. One of the most important considerations, as was mentioned in the documentation section, is the presence of filters and actions. So do a quick scan for where these are located in the codebase to make sure there are plenty of them in key spots.
If it’s a simple plugin, make sure there is only a little bit of code. If it’s a more complicated plugin, check to see if the plugin’s code is organized in a way that’s easy to understand.
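The quick scan for filters and actions from Step 5, as an added example (not code from the post): it finds the hooks a plugin exposes through apply_filters() and do_action() and reports them per file, so files with no extension points stand out. The two PHP files are constructed sample input, not any real plugin's code.

```python
"""Find the hooks a plugin exposes (added example, not from the post).

A plugin is customizable through the filters it runs with apply_filters() and
the actions it fires with do_action(). The PHP below is constructed sample input.
"""
import re

# Constructed sample: one file with several hooks, one with none.
SAMPLE_PLUGIN_FILES = {
    "includes/class-events.php": """<?php
class Events {
    public function render($event) {
        $title = apply_filters('example_events_title', $event->title, $event);
        do_action('example_events_before_render', $event);
        echo esc_html($title);
        $html = apply_filters("example_events_html_{$event->type}", '', $event);
        do_action('example_events_after_render', $event);
    }
}
""",
    "includes/helpers.php": """<?php
function example_events_format_date($ts) {
    return date_i18n(get_option('date_format'), $ts);
}
""",
}

# Matches apply_filters(...) / do_action(...) and captures the first argument,
# the hook name, whether it is single- or double-quoted.
HOOK_RE = re.compile(r"\b(apply_filters|do_action)\s*\(\s*(['\"])(.*?)\2")

def find_hooks(source):
    """Return [(kind, hook_name), ...] in source order; kind is 'filter' or 'action'."""
    return [
        ("filter" if fn == "apply_filters" else "action", name)
        for fn, _quote, name in HOOK_RE.findall(source)
    ]

def hook_report(files):
    """Map each file path to the hooks it exposes (an empty list means none)."""
    return {path: find_hooks(src) for path, src in files.items()}

if __name__ == "__main__":
    for path, hooks in hook_report(SAMPLE_PLUGIN_FILES).items():
        print(f"{path}: {len(hooks)} hook(s)")
        for kind, name in hooks:
            print(f"  {kind}: {name}")
```

Run it against a downloaded plugin by reading its .php files into the same path-to-source mapping; a complicated plugin whose report is mostly empty lists is one you cannot customize without forking.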
Conclusion
Plugins are a great way to conveniently add functionality to your website. Adding plugins does increase the risk of being hacked, but with a thorough evaluation, this risk can be minimized. Your best bet is to choose plugins that work for you and that receive updates when issues arise, and then keep them updated!