What Are WordPress Plugins?
Plugins are pieces of software, written in PHP, that extend the functionality of the WordPress core. They provide extra features not available in WordPress out of the box. In layman's terms, if there is something WordPress cannot do, simply use a plugin. For example, WordPress, out of the box, does not have a contact form feature, so if you wish to create one, simply use a contact form plugin. A good way to think of plugins is to liken them to apps on a mobile phone. Through these apps, you are able to add new features and functions to your phone.
Plugins Make WordPress Very Customisable
There are many types of websites these days and different types of sites will require different functionalities. For example, an eCommerce website will require at least a shopping cart system plus payment gateway integration, while a job portal will require functionalities that allow job seekers to submit their resumes and employers to search the job bank database for potential hires. It is thus not possible for the WordPress core to cater to all possible functions or features users may need. Plugins fill this gap, giving users access to functions and features they need, without having to learn coding.
Important Considerations When Using Plugins
While the idea that you can customise your WordPress site through the use of plugins may sound appealing, it is not all a bed of roses; there are downsides as well. For example, plugins may slow down your site, two plugins may conflict with each other and cause your site to crash, or, worse still, a poorly coded plugin may contain vulnerabilities which hackers can exploit. Indeed, plugin vulnerabilities are a major concern, as a survey conducted by Wordfence found that 55.9% of WordPress sites were hacked because of unsafe plugins.
Below are thus some important considerations which you should note when using plugins.
Use Plugins From Trusted Developers
Don’t be a guinea pig. If a plugin has very few active downloads, look for other alternatives. It’s not that such plugins are unsafe. It’s just that if you are not a coder, you will never know. When there is a huge community using a given plugin, many eyes will be on it. And within that community, there will be the more technical users who will know of the existence of a security hole, if they see one.
Not All Plugins On WordPress Repository Are Safe
The WordPress Repository is the best place to go if you are looking for free plugins. As of December 2020, it has a collection of more than 58,000 free plugins, and developers have to follow very strict submission guidelines before their plugins can be considered for inclusion.
That said, don’t fall into the trap of thinking that just because a plugin is found there, it is safe. Most of these plugins are created by third-party developers, and some of them have been abandoned by the plugin author for months, if not years. Wordfence did a study of abandoned plugins in November 2017 and found 22 of them with vulnerabilities.
Never Download Plugins From Untrusted Sites
These days, it is very common to see websites offering premium plugins for a fraction of the price that the original developers charge. Never be tempted by these offers. If anything, they are usually unsafe. Yes, these sites may claim that their plugins are 100% original, but then again, which crook will tell you he is a crook? Sucuri did a study of free premium plugins and found them to be very risky, often containing malware such as backdoors and hidden links.
How To Choose A Plugin?
Given that plugins are not always safe, how then do you choose the plugins to use on your website? While there is no 100% safe way, if you follow the guidelines below, your risk of using a rogue plugin will be significantly reduced.
Plugin Details to Note
Look for details such as the number of active downloads, evidence of favourable reviews, the last revision date, as well as compatibility with the current version of WordPress.
Active Downloads and User Reviews
If a plugin is very popular and has lots of rave reviews, it is generally safer. Such plugins are usually from more reputable developers with a large user base. As such, there will be more scrutiny over the plugin. If a plugin has only 1000 downloads or fewer, we would recommend finding other alternatives.
Last Revision Date and Compatibility
This is an important indicator of whether a plugin has been abandoned by its creator. If a plugin has not been updated for at least 2 years, it is likely to have been abandoned. And security concerns aside, there is also the issue of compatibility with the current version of WordPress. An incompatible plugin can crash your website.
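The three checks above (active downloads, last revision date, compatibility with the current WordPress version) can be applied mechanically to the listing that the WordPress.org plugin info API returns for a plugin slug. The script below is an added example, not code from the original article: it scores a listing against the thresholds the article gives (fewer than 1000 active installs, no update for 2 years, rating and "tested up to" version). The sample listings are constructed for this example; the JSON field names (active_installs, last_updated, tested, rating, num_ratings) follow the public plugin info API as I understand it, and the current WordPress version and the rating threshold are assumptions.

```python
"""Score a WordPress.org plugin listing against simple vetting criteria (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the JSON the wordpress.org plugin info API returns
# (https://api.wordpress.org/plugins/info/1.0/<slug>.json). Field names follow that API
# as I understand it; every value below is invented for this example.
SAMPLE_PLUGIN_INFO = json.dumps({
    "name": "Example Contact Form",
    "slug": "example-contact-form",
    "version": "2.4.1",
    "active_installs": 700,
    "last_updated": "2018-03-05 7:42pm GMT",
    "tested": "4.9.8",
    "rating": 64,
    "num_ratings": 9,
})

# Constructed "healthy" listing for comparison.
HEALTHY_PLUGIN_INFO = json.dumps({
    "name": "Example Forms Pro",
    "slug": "example-forms-pro",
    "version": "5.3.2",
    "active_installs": 2000000,
    "last_updated": "2020-11-20 9:10am GMT",
    "tested": "5.6",
    "rating": 96,
    "num_ratings": 3000,
})

CURRENT_WP_VERSION = "5.6"    # assumption: the WordPress release current when checking
CHECK_DATE = datetime(2020, 12, 15, tzinfo=timezone.utc)  # assumed "today" for the sample
MIN_ACTIVE_INSTALLS = 1000    # threshold from the guidance above
MAX_AGE_DAYS = 2 * 365        # "not updated for at least 2 years" => likely abandoned
MIN_RATING_PERCENT = 80       # assumption: the API reports rating on a 0-100 scale


def parse_last_updated(value):
    """Take the date part of the API's 'YYYY-MM-DD H:MMam/pm GMT' string as a UTC datetime."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def major_minor(version):
    """Reduce a version string such as '5.6.1' to its (major, minor) pair for comparison."""
    parts = version.split(".")
    if len(parts) < 2:
        return (int(parts[0]), 0)
    return (int(parts[0]), int(parts[1]))


def vet_plugin(info_json, now=None, current_wp=CURRENT_WP_VERSION):
    """Return a list of warning strings; an empty list means no red flag was raised."""
    info = json.loads(info_json)
    now = now or datetime.now(timezone.utc)
    warnings = []

    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"low adoption: {installs} active installs")

    last_updated = parse_last_updated(info["last_updated"])
    if now - last_updated > timedelta(days=MAX_AGE_DAYS):
        warnings.append(f"possibly abandoned: last updated {last_updated.date()}")

    tested = info.get("tested", "0")
    if major_minor(tested) < major_minor(current_wp):
        warnings.append(f"not tested against WordPress {current_wp} (tested up to {tested})")

    if info.get("num_ratings", 0) and info.get("rating", 0) < MIN_RATING_PERCENT:
        warnings.append(f"weak reviews: rating {info['rating']}/100 from {info['num_ratings']} ratings")

    return warnings


if __name__ == "__main__":
    for sample in (SAMPLE_PLUGIN_INFO, HEALTHY_PLUGIN_INFO):
        name = json.loads(sample)["name"]
        flags = vet_plugin(sample, now=CHECK_DATE)
        print(name, "->", "; ".join(flags) if flags else "no red flags")
```

Against the constructed listings, the first plugin trips all four checks while the second trips none. Thresholds are the article's rules of thumb rather than a verdict on safety; a listing that passes still deserves the search for known vulnerabilities described further down.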
Ask Google
These days you can ask Google just about anything. So if you are unsure whether a plugin is safe to use, check out its history of vulnerabilities. How? Just Google it. Try typing into Google search the name of the plugin followed by any of these terms – vulnerabilities, exploits, malware or security holes. Such a search will usually bring to attention potential issues with the plugin, if they are already publicly known. Another Google search worth doing is a background search on the plugin developer. Read about the developer, his background and experience, as well as previous plugins he has built, and draw your conclusion.
Always Update Your Plugins
Plugins are usually updated for a number of reasons including to:
- Maintain compatibility with the latest version of WordPress
- Provide feature enhancements including speed improvements
- Fix bugs in previous versions
- Provide security patches
As such, it is of utmost importance that you always keep your site updated with the latest version of WordPress, including themes and plugins.
Because WordPress is by far the most popular CMS in the world today, WordPress vulnerabilities (be it in core, themes or plugins), once patched, are usually made known publicly. Websites using old plugins with security holes are thus often easy targets for hackers, who can easily write scripts to scan the web for such sites. Indeed, the 2019 Sucuri Hacked Website Threat Report highlights this problem.
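Keeping plugins updated starts with knowing which installed versions are behind. WordPress reads a plugin's name and version from the comment header at the top of its main PHP file, so that header is the record of what is actually installed. The script below is an added example, not code from the original article: it parses that header the way WordPress does (scanning the first 8 KB of the file for `Field Name:` lines) and compares the installed version with the latest version a vetted source reports, flagging anything behind. The plugin file and the table of latest versions are constructed for this example; in practice the latest versions would come from the plugin repository listing.

```python
"""Flag installed plugins whose version is behind the latest release (added example)."""
import re

# Constructed sample of a plugin's main PHP file. The header format is the one
# WordPress reads plugin metadata from; the plugin, author and versions are invented.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Example Gallery
 * Plugin URI:  https://example.invalid/gallery
 * Description: Constructed sample plugin header used for illustration only.
 * Version:     1.4
 * Author:      Example Author
 * Requires at least: 5.2
 * Tested up to: 5.3
 */
"""

# Constructed: latest released versions as a vetted source (e.g. the repository
# listing) would report them, keyed by plugin name.
LATEST_VERSIONS = {"Example Gallery": "1.6.2"}

HEADER_FIELDS = ("Plugin Name", "Version", "Requires at least", "Tested up to")


def parse_plugin_header(php_source):
    """Extract the header fields WordPress reads from the file's leading comment block.

    Modelled on WordPress's own header parsing: only the first 8 KB of the file is
    scanned, and each field is matched as 'Field Name: value' at the start of a
    line, allowing the comment-decoration characters that precede it.
    """
    header = {}
    head = php_source[:8192]
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if match:
            header[field] = match.group(1).strip()
    return header


def version_tuple(version):
    """Turn '1.4' or '1.6.2' into a comparable tuple, padding so that 1.4 == 1.4.0."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def outdated_plugins(plugin_sources, latest_versions):
    """Return (name, installed, latest) for each plugin whose installed version is behind."""
    behind = []
    for src in plugin_sources:
        header = parse_plugin_header(src)
        name, installed = header.get("Plugin Name"), header.get("Version")
        if not name or not installed or name not in latest_versions:
            continue  # no vetted record to compare against; cannot be checked this way
        latest = latest_versions[name]
        if version_tuple(installed) < version_tuple(latest):
            behind.append((name, installed, latest))
    return behind


if __name__ == "__main__":
    for name, installed, latest in outdated_plugins([SAMPLE_PLUGIN_FILE], LATEST_VERSIONS):
        print(f"{name}: installed {installed}, latest {latest} -> update needed")
```

A plugin whose name is not in the vetted table is skipped rather than reported as current; a plugin that no trusted source knows about is exactly the case the earlier sections warn against, and deserves a manual look rather than a silent pass.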
Final Thoughts
The WordPress core is generally considered safe if you diligently keep it updated. However, to customise WordPress to meet your needs, plugins are usually needed. Some plugins have security holes that hackers can exploit, and hence it’s important to keep in mind the above tips on choosing plugins and keeping them updated. This way, you can safely use WordPress to build almost any kind of website. And you will grow to love WordPress, just like we do.