Preventing WordPress Plugin Folly

An overloaded power outlet

There’s no doubt that plugins are one of the reasons for WordPress’s success. They can do some wonderful things.

Even so, they’ve been the downfall of many a site. This post discusses the tradeoffs of plugins and how to protect your site from the Creeping Menace of Plugin Bloat.

Who this article is for.
  • Anyone who owns, creates, or manages WordPress sites.
What to expect.
  • Brief praise for plugins (which really are cool little critters).
  • Killjoy warnings about why you can’t just grab them by the fistful.
  • Advice on how to avoid plugin problems.

The splendor of plugins

WordPress plugins are wonderful things. They can make your WordPress site faster, more flexible, more powerful, and easier to use or manage.

Want to add a cool contact form? Done.

Integrate with social media sites? Check.

Protect your site from evil geeks? Roger wilco.

But sometimes people treat plugins like candy, cramming them into a site by the fistful. Which isn’t a bad analogy. Because, you know, nothing could go wrong with eating candy by the fistful. Right?

a mouth overflowing with candy

Mmmm. Plugins.

Image credit: CeedyE

The folly of plugins

Every plugin you install can make your site even more awesome in some way.

But every plugin you install is also a potential liability—even if you’ve deactivated the plugin.

Where can things go wrong?

Folly: Security

WordPress is the most popular content management system (CMS) for good reasons. Its popularity also means it has the attention of evil geeks. If they can find a way to take over even a small percentage of WordPress-based websites, they’ll have control of tens of thousands of sites.

Every plugin you install is also a potential liability—even if you've deactivated the plugin.

Perhaps the most common weakness a site can have is outdated software. That might be the WordPress software itself (keep your WordPress updated!), but it might just as easily be a plugin with a security flaw. Maybe the plugin’s author hasn’t fixed the flaw yet, but often they have fixed it and sites are still using the old version.

Many people think they can completely neutralize a plugin by marking it as inactive.


Though it won’t load and execute when people visit the site, the flawed code still lives on your web server. Depending on the nature of the weakness, a hacker might be able to exploit even an inactive plugin.

Folly: Maintenance overhead

When you log into WordPress it’ll tell you whether updates are available for any of your plugins. You can easily update to the latest version with a couple of clicks. So avoiding the security problem is trivially easy, right?


Updating a plugin can break the plugin, possibly breaking your site. And upgrading one plugin can break a different plugin.

So if you’re being careful—and you should be—you’ll take every software update seriously. In the most extreme case that means for every single plugin:

  1. Do it at a time when you can afford downtime in case of problems.
  2. If you’re not a WordPress expert, make sure one will be available if needed.
  3. Back up your site.
  4. Update the plugin.
  5. Test your site in general and the plugin in particular.

Now imagine your site has 30 plugins, and that between them you need to install 45 updates per year. Granted you can update several at once with the process above, but even so: Does this sound fun?

Folly: WordPress conflicts

The fun multiplies when you update WordPress itself.

Whenever you install a new WordPress version there’s a chance it will change something that a plugin relies upon. That might only cause the plugin itself to stop working, but depending on the situation there’s a small chance it could wreck your site.

Because of that, some people recommend deactivating all of your plugins before a WordPress upgrade, then upgrading, then activating and testing the plugins one by one. Even if you decide to do that for only a fraction of your plugins… again, with two or three dozen plugins on board, does this sound fun?

A collection of insects

Software bugs aren’t usually this orderly.

Image credit: annamatic3000

Folly: Bugs and Mothballs

When using software that was written by a human being, expect bugs. Most bugs will be small or hard to trigger, but some can really ruin your day.

This is complicated by the fact that some human beings are expert programmers completely dedicated to the long-term support and patching of their plugins—and even more of them aren’t. If the developer wasn’t an expert, you’ll get more bugs and security holes. And if the developer stops maintaining your plugin, you may end up using mothballed software without realizing it.

The more plugins you add, the more risk of bugs. Some of those bugs only affect the plugin itself, but some affect other plugins or your entire site. And even if it’s not a bug, one plugin can do something that interacts badly with another. If the programmer no longer has time to maintain the plugin, or has just lost interest in it, don’t expect a resolution ever.

Protect yourself

Here are things I consider when deciding whether to add a plugin.

  • Will it add significant value?
  • Will a simpler plugin do what I need? For example, if I’m just trying to monitor repeated failed login attempts do I really need a kitchen-sink security package? Bigger packages do more (which is good), but they also add more programming complications (which leaads to most of the liabilities I mentioned above).
  • Check the plugin’s page in the plugin directory.
    • Is it well-reviewed?
    • Even if it’s well reviewed, do the negative comments apply to your situation?
    • Has it been updated in the last year or so?
  • Will you use it temporarily, for example just while setting up the site? If so, leave a reminder to uninstall it (not just deactivate it) later.

Note that some excellent plugins aren’t listed in the WordPress plugin directory. For example, iThemes’s BackupBuddy is one of my favorite plugins of all time, but it’s not listed in the directory. Even so, I use it.

If something’s not in the directory, though, I won’t consider it unless I’ve heard very good things from multiple trusted sources. It’s just not worth the risk.

Splendor redux

Plugins are awesome. Some are so essential that I wouldn’t consider building a WordPress site without them.

So long as you’re judicious in how many you use and which ones you choose, and if you take care to keep them updated they can be your gateway to a wondrous and folly-free site.

Post image credit: State Farm

Registration is required to comment.

You aren't currently logged in. You can use the fields below to post a comment without logging in or registering, or you can log in or register now.

By submitting a comment here you grant Blazing Moon a perpetual license to reproduce your words and name/web site in attribution. Inappropriate comments will be removed at admin's discretion.

Blazing Moon RSS Feed