
How to audit WordPress plugins


We recently wrote about the good and bad sides of the vast plugin repository of WordPress. The massive range of available plugins for WordPress is, in our opinion, the biggest perk of the ecosystem. The downside is that there are poorly coded or malicious plugins in the repository that you don't want to install, so spending time auditing plugins is worthwhile. Here is a quick, non-exhaustive list of ways to audit a plugin before installing it on your site.

How many other people are using the plugin?

You can see the number of active installs of each plugin in the repository.  Very popular plugins exceed 10,000 installs and some reach millions.   Plugins that have very few installations should be treated with caution.  A high install count doesn’t necessarily mean the plugin is perfectly safe.  There have been instances in the past of vulnerabilities being discovered in some of the most popular plugins.  But there is relative safety in numbers here; the more installs the greater the likelihood the plugin is well maintained and the more people there are to find and alert the developers to bugs and vulnerabilities.

Check the reviews

Reviews are available to read on each plugin’s repository page.  First of all you should check if it even has reviews.  Established plugins will often have thousands of reviews.  If the plugin has none or very few, it might just be new, but treat it with more caution.  It is also worth filtering for the low score reviews.  If other users detect malware or other unwanted behaviour they often use the review section to warn others.

Check the update frequency

The repository tells you when the plugin was last updated. Software is updated to patch security vulnerabilities and to maintain compatibility with other software. If a plugin hasn't been updated in over a year, it might be worth looking for another. Some developers are wary of plugins that haven't been updated in the last six months. There isn't really an exact time frame after which a plugin becomes outdated, but a lack of updates can highlight abandoned or poorly maintained plugins.

Who is the developer?

Take a look at the developer's profile page in the repository, then check out their website, social media and professional profiles. Do they have a website for their business? Do they develop a lot of plugins? Do they have a reputation in the industry? Are they speakers at WordPress conferences? These things can indicate the professionalism of the developer.

Is the developer responding to issues?

You can publicly flag issues with plugins in the WordPress repository and developers can respond to and resolve those issues.  A record of these interactions can be seen on the plugin’s repository page.  This is a great indicator of a developer’s commitment to maintaining their plugin.  If the plugin has lots of outstanding issues, it’s probably a good idea to leave it alone.

Do a social media and forum search

WordPress has its own forum, and Reddit has two subreddits dedicated to WordPress, r/wordpress and r/prowordpress. Developers regularly share information about bad practices or issues relating to plugins on these forums. Searching them can offer insights into others' experiences with specific plugins and their developers.

Analyse the code

This step might be overkill for some, but if you have done all of the above and want to go a step further, you can analyse the code. This obviously requires some experience with reading code. There are plugin analysers like www.pluginscore.com and AI tools that can scan the code for you, but you still need to understand the output of these systems.
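As an added example of the kind of first-pass check this step calls for (our own illustration, not code from the article or from any plugin analyser), the POSIX shell script below greps an unpacked plugin directory for PHP constructs that deserve a close read. The pattern list, its labels and the demo plugin file it writes are all constructed for this example; a hit only tells you where to start reading, not that the plugin is malicious.

```shell
#!/bin/sh
# Added example, not from the article: a first-pass triage of an unpacked
# plugin directory for PHP constructs that merit close reading in a manual
# review. A hit points at where to look; it is not proof of malice.

# One pattern per line: "<label> <extended regex>"; regexes have no literal spaces.
# The (^|[^A-Za-z0-9_]) prefix is a portable word boundary.
PLUGIN_AUDIT_PATTERNS='
eval                (^|[^A-Za-z0-9_])eval[[:space:]]*\(
dynamic-code        (^|[^A-Za-z0-9_])create_function[[:space:]]*\(
decode-obfuscation  (^|[^A-Za-z0-9_])(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(
shell-exec          (^|[^A-Za-z0-9_])(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(
remote-include      (^|[^A-Za-z0-9_])(include|require)(_once)?[^;]{0,20}https?://
input-sink          \$_(GET|POST|REQUEST|COOKIE)\[
'
# audit_plugin_dir DIR: prints one "label:file:line" per hit.
# Returns 0 when the tree is clean, 1 when anything was flagged.
audit_plugin_dir() {
  plugin_dir=$1
  hits=$(
    printf '%s\n' "$PLUGIN_AUDIT_PATTERNS" | while read -r label regex; do
      [ -n "$label" ] || continue
      # /dev/null as an extra operand forces grep to prefix matches with the file name
      find "$plugin_dir" -name '*.php' -exec grep -nE "$regex" /dev/null {} + \
        | cut -d: -f1,2 | sed "s|^|$label:|"
    done
  )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample_plugin DIR: writes a constructed plugin file of the kind the
# triage is meant to flag. It is a made-up sample, not a real plugin.
make_sample_plugin() {
  mkdir -p "$1/demo-plugin"
  cat > "$1/demo-plugin/demo-plugin.php" <<'EOF'
<?php
/* Plugin Name: Demo Plugin (constructed sample) */
add_action('init', function () {
    $payload = $_GET['cmd'];
    eval(base64_decode($payload));
});
EOF
}
sample_root=$(mktemp -d)
make_sample_plugin "$sample_root"
audit_plugin_dir "$sample_root" || echo "flagged: read these lines before installing"
rm -r "$sample_root"
```

Point `audit_plugin_dir` at the directory you get from unzipping a plugin download; an exit status of 1 means there is something to read before it goes anywhere near a live site.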

Use a staging site

Before installing any plugin on your live site, install it on a staging site and test it fully. This can help identify conflicts with existing plugins and confirm that it functions as expected. Make sure to enable the debug log and check it while testing your site.


Obviously the above can take considerable time and needs to be balanced against the practical nature of what you are trying to achieve.   As you become more familiar with the plugin ecosystem you will learn the reputable names in this space.  If you require assistance, we already have a lot of experience reviewing plugins. We can advise you on suitable plugins for your site or code custom solutions for you. Get in touch and we will be happy to help.