Preventing WordPress Plugin Folly

[Image: an overloaded power outlet]

There’s no doubt that plugins are one of the reasons for WordPress’s success. They can do some wonderful things.

Even so, they’ve been the downfall of many a site. This post discusses the tradeoffs of plugins and how to protect your site from the Creeping Menace of Plugin Bloat.

Who this article is for.
  • Anyone who owns, creates, or manages WordPress sites.
What to expect.
  • Brief praise for plugins (which really are cool little critters).
  • Killjoy warnings about why you can’t just grab them by the fistful.
  • Advice on how to avoid plugin problems.

The splendor of plugins

WordPress plugins are wonderful things. They can make your WordPress site faster, more flexible, more powerful, and easier to use or manage.

Want to add a cool contact form? Done.

Integrate with social media sites? Check.

Protect your site from evil geeks? Roger wilco.

But sometimes people treat plugins like candy, cramming them into a site by the fistful. Which isn’t a bad analogy. Because, you know, nothing could go wrong with eating candy by the fistful. Right?

[Image: a mouth overflowing with candy]

Mmmm. Plugins.

Image credit: CeedyE

The folly of plugins

Every plugin you install can make your site even more awesome in some way.

But every plugin you install is also a potential liability—even if you’ve deactivated the plugin.

Where can things go wrong?

Folly: Security

WordPress is the most popular content management system (CMS) for good reasons. Its popularity also means it has the attention of evil geeks. If they can find a way to take over even a small percentage of WordPress-based websites, they’ll have control of tens of thousands of sites.

Perhaps the most common weakness a site can have is outdated software. That might be the WordPress software itself (keep your WordPress updated!), but it might just as easily be a plugin with a security flaw. Sometimes the plugin’s author hasn’t fixed the flaw yet, but often they have fixed it and sites are still running the old version.

Many people think they can completely neutralize a plugin by marking it as inactive. They can’t.

Deactivating a plugin only stops WordPress from loading it. The flawed code still lives on your web server, and on a typical install the web server will still serve it: any PHP file under wp-content/plugins can be requested directly by URL. If that file does something useful to an attacker without first checking that it is running inside WordPress, it can be exploited whether the plugin is active or not. The only way to remove that risk is to uninstall (delete) the plugin, not merely deactivate it.
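A quick way to see which plugin files are reachable without WordPress loading them, as an added example that is not part of the original post: the script below lists every PHP file in a plugin directory that never checks the ABSPATH constant (the conventional direct-access guard). It runs against a constructed fixture with two hypothetical plugins; on a live site you would point it at the real plugin directory instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list PHP files in a plugin tree that
# carry no direct-access guard. Well-behaved WordPress plugin files start with a
# line such as `defined( 'ABSPATH' ) || exit;` so that requesting
# wp-content/plugins/<plugin>/<file>.php straight from a browser does nothing.
# A file without that guard runs its top-level code on direct request whether the
# plugin is active or not, since activation only decides whether WordPress includes it.
set -eu

# Every .php file under DIR that never mentions ABSPATH. This is a heuristic: a file
# that only declares functions or classes is harmless without the guard, so treat
# the list as "files to read", not "files that are exploitable".
find_unguarded_php() {
  grep -rL --include='*.php' 'ABSPATH' "$1" | sort
}

# Constructed fixture standing in for wp-content/plugins: two hypothetical plugins,
# one of which ships a helper file that does work on direct request.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/guarded-plugin" "$root/sloppy-plugin"
  cat > "$root/guarded-plugin/guarded-plugin.php" <<'EOF'
<?php
/* Plugin Name: Guarded Plugin */
defined( 'ABSPATH' ) || exit;
add_action( 'init', 'guarded_plugin_init' );
EOF
  cat > "$root/sloppy-plugin/sloppy-plugin.php" <<'EOF'
<?php
/* Plugin Name: Sloppy Plugin */
if ( ! defined( 'ABSPATH' ) ) { exit; }
add_action( 'init', 'sloppy_plugin_init' );
EOF
  cat > "$root/sloppy-plugin/export.php" <<'EOF'
<?php
// No guard: whatever this file does, it does for anyone who requests it by URL,
// even while the plugin is deactivated.
header( 'Content-Type: text/plain' );
echo 'export endpoint';
EOF
  printf '%s\n' "$root"
}

# Demo against the fixture; on a real site point it at `wp plugin path` instead.
if [ "${1:-}" = "--demo" ]; then
  fixture=$(make_fixture)
  find_unguarded_php "$fixture"   # prints .../sloppy-plugin/export.php
  rm -rf "$fixture"
fi
```

Run it with `--demo` to see the fixture result. A plugin whose files all show up here is not automatically dangerous, but a deactivated plugin with unguarded files is exactly the case the section above warns about, and deleting the plugin is the fix.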

Folly: Maintenance overhead

When you log into WordPress it’ll tell you whether updates are available for any of your plugins. You can easily update to the latest version with a couple of clicks. So avoiding the security problem is trivially easy, right?

Not quite. Updating a plugin can break the plugin, possibly breaking your site. And upgrading one plugin can break a different plugin.

So if you’re being careful—and you should be—you’ll take every software update seriously. In the most extreme case that means for every single plugin:

  1. Do it at a time when you can afford downtime in case of problems.
  2. If you’re not a WordPress expert, make sure one will be available if needed.
  3. Back up your site: the database and the files, and check that you know how to restore the backup.
  4. Update the plugin.
  5. Test your site in general and the plugin in particular.

Now imagine your site has 30 plugins, and that between them you need to install 45 updates per year. Granted you can update several at once with the process above, but even so: Does this sound fun?

Folly: WordPress conflicts

The fun multiplies when you update WordPress itself.

Whenever you install a new WordPress version there’s a chance it will change something that a plugin relies upon. That might only cause the plugin itself to stop working, but depending on the situation there’s a small chance it could wreck your site.

Because of that, some people recommend deactivating all of your plugins before a WordPress upgrade, then upgrading, then activating and testing the plugins one by one. Even if you decide to do that for only a fraction of your plugins… again, with two or three dozen plugins on board, does this sound fun?
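Neither routine has to be done by hand. The script below is an added example, not part of the original post: it turns the per-plugin back-up, update and test steps from the previous section and the deactivate-everything, upgrade, reactivate-one-at-a-time routine from this one into WP-CLI commands. It assumes the `wp` command is installed and run from the site root, and a hypothetical SITE_URL for the smoke test; the triage functions also work offline on a constructed sample of `wp plugin list --format=csv` output.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the per-plugin update routine and the
# "deactivate everything, upgrade core, reactivate one at a time" routine, scripted
# with WP-CLI (the `wp` command, assumed to be installed and run from the site root).
# The triage functions work offline on `wp plugin list --format=csv` output.
set -eu

# Constructed sample of `wp plugin list --format=csv` (columns: name,status,update,version).
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
contact-form-7,active,available,5.8
hello,inactive,available,1.7.2
old-gallery,inactive,none,0.9'

# Emit one "<reason> <name>" line per finding: pending updates, and inactive plugins
# that should be uninstalled rather than left on disk.
triage_plugins() {
  awk -F, 'NR > 1 {
    if ($3 == "available") print "update   " $1
    if ($2 == "inactive")  print "inactive " $1
  }'
}

# Names only, for feeding update_one in a loop.
plugins_with_updates() {
  awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Whatever smoke test you trust. Here: the front page answers 200 and WordPress
# still bootstraps far enough for wp-cli to read an option. SITE_URL is hypothetical.
site_is_healthy() {
  curl -fsS -o /dev/null "${SITE_URL:-http://localhost}" && wp option get siteurl >/dev/null
}

# Steps 3-5 from the post for one plugin: back up (database and plugin files), update, test.
update_one() {
  plugin="$1"
  stamp=$(date +%Y%m%d-%H%M%S)
  wp db export "backup-${stamp}.sql" --quiet
  tar -czf "plugins-${stamp}.tar.gz" -C "$(wp plugin path)" .
  wp plugin update "$plugin"
  if ! site_is_healthy; then
    echo "smoke test failed after updating $plugin; restore backup-${stamp}.sql and plugins-${stamp}.tar.gz" >&2
    return 1
  fi
  echo "updated $plugin"
}

# Core upgrade with plugins isolated: remember what was active, switch it all off,
# upgrade, then bring plugins back one at a time so a breakage names its culprit.
upgrade_core_isolated() {
  active=$(wp plugin list --status=active --field=name)
  wp plugin deactivate --all
  wp core update
  wp core update-db
  for p in $active; do
    wp plugin activate "$p"
    if ! site_is_healthy; then
      echo "site broke after activating $p; leaving it deactivated" >&2
      wp plugin deactivate "$p"
    fi
  done
}

# With WP-CLI present, triage the live site; otherwise demonstrate on the sample.
if command -v wp >/dev/null 2>&1; then
  wp plugin list --format=csv | triage_plugins
else
  printf '%s\n' "$SAMPLE_CSV" | triage_plugins
fi
```

On the sample data the triage reports two pending updates and two inactive plugins; the inactive ones are the candidates for `wp plugin delete`, since deactivation alone leaves their files on the server. A real run would be `wp plugin list --format=csv | plugins_with_updates | while read -r p; do update_one "$p"; done`, stopping at the first plugin whose update fails the smoke test.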

[Image: a collection of insects]

Software bugs aren’t usually this orderly.

Image credit: annamatic3000

Folly: Bugs and Mothballs

When using software that was written by a human being, expect bugs. Most bugs will be small or hard to trigger, but some can really ruin your day.

This is complicated by the fact that some human beings are expert programmers completely dedicated to the long-term support and patching of their plugins—and rather more of them aren’t. If the developer wasn’t an expert, you’ll get more bugs and security holes. And if the developer stops maintaining your plugin, you may end up running mothballed software without realizing it.

The more plugins you add, the more risk of bugs. Some of those bugs only affect the plugin itself, but some affect other plugins or your entire site. And even if it’s not a bug, one plugin can do something that interacts badly with another. If the programmer no longer has time to maintain the plugin, or has just lost interest in it, don’t expect a resolution ever.

Protect yourself

Here are things I consider when deciding whether to add a plugin.

  • Will it add significant value?
  • Will a simpler plugin do what I need? For example, if I’m just trying to monitor repeated failed login attempts do I really need a kitchen-sink security package? Bigger packages do more (which is good), but they also add more programming complications (which leads to most of the liabilities I mentioned above).
  • Check the plugin’s page in the plugin directory.
    • Is it well-reviewed?
    • Even if it’s well reviewed, do the negative comments apply to your situation?
    • Has it been updated in the last year or so, and does its “Tested up to” version come close to the current WordPress release?
  • Will you use it temporarily, for example just while setting up the site? If so, leave a reminder to uninstall it (not just deactivate it) later.

Note that some excellent plugins aren’t listed in the WordPress plugin directory. For example, iThemes’s BackupBuddy is one of my favorite plugins of all time, but it’s not listed in the directory. Even so, I use it.

If something’s not in the directory, though, I won’t consider it unless I’ve heard very good things from multiple trusted sources. It’s just not worth the risk.

Splendor redux

Plugins are awesome. Some are so essential that I wouldn’t consider building a WordPress site without them.

So long as you’re judicious in how many you use and which ones you choose, and take care to keep them updated, they can be your gateway to a wondrous and folly-free site.

Post image credit: State Farm
