WordPress’ popularity as a content management system (CMS) is largely a result of its flexibility and extensibility, but that doesn’t mean you can't run into trouble as a result. Need a contact form and you can't write a line of PHP code? Grab a plugin. Need help managing comment spam? Grab a plugin! But marketers, UX designers, leadership or anyone else working on the site should be paying attention to the plugins being used on their WordPress site, not just because it helps keep a site efficient and high performing, but also because you want to protect your customers, their security and your brand's reputation.

Plugins & Site Design

In most cases, plugins extend WordPress functionality with an extra layer of power or finesse, and plugin developers are good, solid folks who follow WordPress plugin best practices, pay attention to the timelines and impacts of WordPress Core updates, and keep their plugins secure and current. But with 54,478 plugins and counting in the WordPress Plugin Repository, and more available in outside plugin marketplaces, the choices can seem overwhelming and potentially risky. What if a plugin conflicts with your theme or another plugin? What if it has a vulnerability and your site is hacked? These are real concerns and it's wise to give them some thought, and work with your development team to minimize risk.

In a recent WordPress newsletter to our clients we detailed the steps we take to keep client sites secure, clean, and current. Here are a few of the plugin rules we always have in mind when working on client sites.

Four Crucial Factors for Plugin Selection: Research, Recency, Reputation, Rationale

Research

If you're trying to solve a problem with a plugin, start with the group closest to your WordPress build and ask questions! If you're working with a development team, they've most likely built a short list of plugins they consider "go to" solutions for most site builds. These plugins have already been researched, vetted, and used with success. At Acumium, some of these plugins include Yoast SEO, Sucuri Security, and Advanced Custom Fields.

If you're trying to solve something new and different, it's a good idea to start with a search of the WordPress Plugin Repository, which hosts free and open source plugins. Sometimes you'll find an option, often many options, but other times you may need to look outside the Plugin Repo to a commercial marketplace like CodeCanyon.

As an additional step, especially if you haven't found exactly what you're looking for, do a web search. There are independent commercial plugin developers that may have something that meets your needs, and as a business, may be more responsive and timelier in their support of a plugin.

If you've found a handful of likely plugins, you should always search the plugin name combined with terms like "hack," "vulnerability," and "exploit" as an additional layer of diligence. Really investigate if this plugin is a good and viable option for the problem you’re trying to solve.

For the next three R’s, I'll focus mainly on the WordPress Plugin Repository.

Recency

In the WordPress Plugin Repository, there's a lot of information available to help you evaluate how current a plugin is.

  • When was it last updated? We're looking for a plugin that has been updated within the last six months—hopefully more recently. You can find this information in the right column of the plugin's landing page.
  • How frequently are updates released? While a plugin might be current, we prefer not to see huge gaps in release timing. You can get a better picture of this by clicking on the “Development” tab of the plugin.
  • What version of WordPress is required (minimum) and what version is it tested up to? Minimum version gives valuable information about the plugin's lifespan. What version it is tested up to is important to ensure compatibility with contemporary WordPress versions. These details are also available in the right column.

Reputation

  • How many active installations are there? We generally steer away from plugins with fewer than 1,000 installs, unless it's a relatively new or special-purpose plugin. Check for this in the right column.
  • What do the ratings and reviews say about the plugin? You can find reviews and star ratings by clicking on the “Reviews” tab. 
  • What kind of developer support is there for the plugin, either on WordPress.org or perhaps externally? The support forum is also a good place to spot hot-button issues you may run into with a plugin.
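The recency and reputation questions above can be checked automatically against the metadata WordPress.org publishes for each plugin, which is handy when you are comparing a handful of candidates or re-auditing plugins already on a site. The script below is an added example for this article, not code from Acumium or from WordPress.org. It assumes the field names returned by the WordPress.org plugin information API (last_updated, added, tested, active_installs, rating, num_ratings); the rating threshold and the cutoff for "relatively new" are my own assumptions, since the article gives no numbers for them; and the two sample records are constructed, not real plugin figures.

```python
"""Automate the Recency and Reputation checks against WordPress.org plugin
metadata. Added example for this article, not Acumium's tooling.

Assumed (not from the article): the record layout follows the WordPress.org
plugin information API, e.g.
  https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>
whose JSON carries 'last_updated' ("2024-05-02 3:10pm GMT" style), 'added'
("YYYY-MM-DD"), 'tested', 'requires', 'active_installs', 'rating' (0-100)
and 'num_ratings'. The sample responses below are constructed, not real plugins.
"""
import json
import re
from datetime import date

MAX_AGE_DAYS = 183          # "updated within the last six months"
MIN_ACTIVE_INSTALLS = 1000  # "steer away from plugins with fewer than 1,000 installs"
NEW_PLUGIN_DAYS = 365       # assumed cutoff for "relatively new" (article gives no number)
MIN_RATING = 80             # assumed: flag ratings under 80/100 once there are enough reviews
MIN_RATINGS_TO_JUDGE = 10   # assumed: fewer reviews than this is too little signal


def parse_api_date(value):
    """Pull the YYYY-MM-DD prefix out of an API date string and return a date."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", str(value))
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return date(*(int(g) for g in m.groups()))


def major_minor(version):
    """'6.5.2' -> (6, 5); lets 'tested up to' be compared with the running core version."""
    parts = version.split(".")
    return tuple(int(p) for p in parts[:2]) if len(parts) >= 2 else (int(parts[0]), 0)


def evaluate_plugin(record, today, current_wp, special_purpose=False):
    """Return a list of (severity, message) findings for one plugin record.

    An empty list means the plugin passes every check. 'fail' marks a criterion
    the article treats as a hard rule, 'warn' marks something to look at on the
    plugin page before deciding.
    """
    today = today if isinstance(today, date) else parse_api_date(today)
    findings = []

    # Recency: when was it last updated?
    age = (today - parse_api_date(record["last_updated"])).days
    if age > MAX_AGE_DAYS:
        findings.append(("fail", f"last updated {age} days ago (limit {MAX_AGE_DAYS})"))

    # Recency: is it tested against a current WordPress release?
    if major_minor(record["tested"]) < major_minor(current_wp):
        findings.append(("warn", f"tested up to {record['tested']}, current core is {current_wp}"))

    # Reputation: active installs, with the article's exception for new or niche plugins
    installs = int(record["active_installs"])
    is_new = (today - parse_api_date(record["added"])).days <= NEW_PLUGIN_DAYS
    if installs < MIN_ACTIVE_INSTALLS and not (is_new or special_purpose):
        findings.append(("fail", f"only {installs} active installs (minimum {MIN_ACTIVE_INSTALLS})"))

    # Reputation: what do the ratings say? Only judge once there are enough reviews.
    if int(record["num_ratings"]) >= MIN_RATINGS_TO_JUDGE and int(record["rating"]) < MIN_RATING:
        findings.append(("warn", f"rating {record['rating']}/100 across {record['num_ratings']} reviews"))

    return findings


def audit(api_json, today, current_wp):
    """Evaluate a JSON array of plugin records; returns {slug: findings}."""
    return {rec["slug"]: evaluate_plugin(rec, today, current_wp) for rec in json.loads(api_json)}


# Constructed sample responses in the API's shape; not real plugins or figures.
SAMPLE_API_RESPONSES = """[
  {"slug": "example-seo", "last_updated": "2024-05-02 3:10pm GMT", "added": "2015-01-10",
   "tested": "6.5", "requires": "6.0", "active_installs": 250000, "rating": 96, "num_ratings": 420},
  {"slug": "old-countdown", "last_updated": "2021-11-20 9:42am GMT", "added": "2016-03-04",
   "tested": "5.8", "requires": "4.7", "active_installs": 300, "rating": 70, "num_ratings": 25}
]"""

if __name__ == "__main__":
    for slug, findings in audit(SAMPLE_API_RESPONSES, today="2024-06-01", current_wp="6.5").items():
        print(f"{slug}: {'PASS' if not findings else 'REVIEW'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Release cadence (the gaps you would spot on the "Development" tab) is not part of the API response, so that check still needs a look at the plugin page. The same evaluate_plugin function can be run over real API responses once you fetch them, and re-run periodically over the plugins already installed on a site so that ones drifting out of the criteria get flagged.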

Rationale

  • Is this plugin really needed? In some cases, plugins are used for very specific things, and often for a limited time. If you no longer need a countdown timer, for example, then it's likely you can deactivate or even remove the plugin you installed for that purpose.

In the end, plugins should not only be kept as current as possible, but when they're no longer used, or no longer useful, they should be removed. This falls into the "care and feeding" category of your WordPress site and plugins, and helps make your site's footprint as small as possible. It also helps ensure that you don't accidentally install several plugins whose functionality overlaps, causing conflicts and even broken pages.

Choosing plugins with care, keeping them current, and periodically revisiting the four R’s to identify plugins that no longer meet your criteria is one of the best ways to keep your WordPress site healthy, high performing, and worry-free.

If you have questions about WordPress plugins contact our team to learn more.