WordPress’ popularity as a content management system (CMS) is largely a result of its flexibility and extensibility, but that doesn’t mean you can't run into trouble as a result. Need a contact form and you can't write a line of PHP code? Grab a plugin. Need help managing comment spam? Grab a plugin! But marketers, UX designers, leadership or anyone else working on the site should be paying attention to the plugins being used on their WordPress site, not just because it helps keep a site efficient and high performing, but also because you want to protect your customers, their security and your brand's reputation.
In most cases, plugins extend WordPress functionality with an extra layer of power or finesse, and plugin developers are good, solid folks who follow WordPress plugin best practices, pay attention to the timelines and impacts of WordPress Core updates, and keep their plugins secure and current. But with 54,478 plugins and counting in the WordPress Plugin Repository, and more available in outside plugin marketplaces, the choices can seem overwhelming and potentially risky. What if a plugin conflicts with your theme or another plugin? What if it has a vulnerability and your site is hacked? These are real concerns and it's wise to give them some thought, and work with your development team to minimize risk.
In a recent WordPress newsletter to our clients we detailed the steps we take to keep client sites secure, clean, and current. Here are a few of the plugin rules we always have in mind when working on client sites.
If you're trying to solve a problem with a plugin, start with the group closest to your WordPress build and ask questions! If you're working with a development team, they've most likely built a short list of plugins they consider "go to" solutions for most site builds. These plugins have already been researched, vetted, and used with success. At Acumium, some of these plugins include Yoast SEO, Sucuri Security, and Advanced Custom Fields.
If you're trying to solve something new and different, it's a good idea to start with a search of the WordPress Plugin Repository, which hosts free and open source plugins. Sometimes you'll find an option, often many options, but other times you may need to look outside the Plugin Repo to a commercial marketplace like CodeCanyon.
As an additional step, especially if you haven't found exactly what you're looking for, do a web search. Independent commercial plugin developers may have something that meets your needs and, as businesses, may be more responsive and timely in supporting their plugins.
If you've found a handful of likely plugins, you should always search the plugin name combined with terms like "hack," "vulnerability," and "exploit" as an additional layer of diligence. Really investigate if this plugin is a good and viable option for the problem you’re trying to solve.
For the next three R’s, I'll focus mainly on the WordPress Plugin Repository.
In the WordPress Plugin Repository, there's a lot of information available to help you evaluate how current a plugin is.
In the end, plugins should not only be kept as current as possible, but when they're no longer used, or no longer useful, they should be removed. This falls into the "care and feeding" category of your WordPress site and plugins, and helps make your site's footprint as small as possible. It also helps ensure that you don't accidentally install several plugins whose functionality overlaps, causing conflicts and even broken pages.
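To make that care-and-feeding pass repeatable, here is an added example (not part of the original article or any Acumium tooling) that reviews the JSON your developers can export with WP-CLI's `wp plugin list --format=json`. The plugin names, the dates, and the 365-day staleness threshold are all assumptions made up for illustration.

```python
import json
from datetime import date

# Constructed sample of `wp plugin list --format=json` output (plugin names are made up).
WP_PLUGIN_LIST = """[
  {"name": "contact-form-example", "status": "active", "update": "available", "version": "2.1.0"},
  {"name": "old-slider-example", "status": "inactive", "update": "none", "version": "1.0.3"},
  {"name": "seo-example", "status": "active", "update": "none", "version": "5.4.2"},
  {"name": "marketplace-example", "status": "active", "update": "none", "version": "3.0.0"}
]"""

# Constructed "Last updated" dates, noted by hand from each plugin's repository page.
# marketplace-example is absent on purpose: it stands in for a plugin bought elsewhere.
LAST_UPDATED = {
    "contact-form-example": "2024-12-01",
    "old-slider-example": "2021-06-15",
    "seo-example": "2024-11-02",
}

def audit_plugins(plugins, last_updated, today, max_age_days=365):
    """Return {plugin name: [reasons to review it]}; clean plugins are omitted."""
    findings = {}
    for plugin in plugins:
        reasons = []
        if plugin["status"] == "inactive":
            reasons.append("inactive: remove it if it is no longer used")
        if plugin["update"] == "available":
            reasons.append("update available: installed version is behind")
        updated = last_updated.get(plugin["name"])
        if updated is None:
            reasons.append("no last-updated date on record: check the vendor's changelog")
        else:
            age = (today - date.fromisoformat(updated)).days
            if age > max_age_days:  # assumed threshold, tune it to your own policy
                reasons.append(f"last updated {age} days ago")
        if reasons:
            findings[plugin["name"]] = reasons
    return findings

if __name__ == "__main__":
    report = audit_plugins(json.loads(WP_PLUGIN_LIST), LAST_UPDATED, date.today())
    for name, reasons in report.items():
        print(f"{name}: " + "; ".join(reasons))
```
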
Choosing plugins with care, keeping them current, and periodically revisiting the four R’s to identify plugins that no longer meet your criteria are among the best ways to ensure your WordPress site stays healthy, high performing, and worry-free.
If you have questions about WordPress plugins, contact our team to learn more.