A WordPress website is a lot like a house. WordPress, the CMS, provides the foundation, the theme is the walls, doors, windows, and utilities, while the plugins provide everything else: intricate crown molding, fancy furniture, and decorations. Just like with a house, you want to ensure you’re building your website with the highest-quality components possible. One faulty beam or line of code could mean everything comes crashing down.
Alright. Enough with the house analogy. When it comes to a CMS, finding something that’s safe and secure is relatively easy. WordPress itself is a secure and safe platform if kept updated and maintained.
But what about plugins? There are over 55,000 plugins in the WordPress repository. When you’re looking for something as simple as a contact form, you get almost 50 pages of plugins ready for you to download and install on your site. Which one do you choose? Which will give you the functionality you need? Most importantly, which one will be secure and keep your site safe? Luckily for you, we’ve got a list of ways to tell whether or not the plugin you’re about to download is secure.
Check the Plugin Page Itself
There are a number of things you can learn just from the WordPress plugin repository itself. Once you’re on a plugin page, look for the following:
Number of active users.
Are only one or two people using a plugin? Chances are it’s not that good! The more people using and installing a plugin, the better it is. It’s like when you’re in a new city looking for a good restaurant. When you find one with a line out the door, you know you’re at the right place.
Ratings and Reviews.
This one goes without saying, but ratings and reviews mean a lot. Plugins with five stars have really earned it, as we know! The AMP for WordPress plugin that we’re using as an example here had relatively few reviews and low ratings when we began contributing to it in early 2017. We’ve worked hard with the AMP team to bring that rating up. Recent reviews are glowing, and users know that they can trust us to provide a quality product.
Users also know that teams can respond to issues and provide adequate support. When you’re looking at reviews, check to see how the plugin maintainer responds to criticism or suggestions. Do they respect users and take their input seriously? They should. After all, we’re all part of open-source software development—users and developers alike.
Compatibility with the Latest Version of WordPress.
WordPress usually updates three or four times a year. Whether it’s a huge push or just a few minor tweaks in a dot release, you want to be sure the plugin you’re about to put onto your site is compatible with the latest version.
WordPress doesn’t release a new version just to bump the number. There are a lot of considerations that go into updates, from feature changes to security patches. You should always update with a new release, but as the Core team moves toward automatic updates, it’s even more important to ensure your plugin is tested with the latest version.
The Last Update Date.
WordPress isn’t the only piece of software that updates regularly. Plugins should be updated often to avoid holes in security and add new or requested features. When was the last time the plugin you’re looking at was updated? If it’s more than six months to a year ago, you might want to find another plugin for your site.
See Who’s Maintaining the Plugin.
It’s not just how the plugin is being maintained that’s important, but by whom. A lot of major players in the WordPress scene produce and maintain plugins, like Automattic and XWP. If you download a plugin that a team with a good reputation helped create, you can rest assured that you’re getting a quality product that will work with your site, or at least that you’re working with a team who will value your feedback and try their best to keep it running smoothly. If the team that works on your plugin has a reputation for falling behind on maintenance or creating low-quality code, find another plugin.
Perform Your Own Review
WordPress has a vibrant community behind it, a community of people who care about safety, security, and accessibility just like you do. While a lot of plugins might boast about security, you can fact check their claims with a few tools around the web.
WPScan has a vast database of security issues with plugins that you can access on your own. You can also check the Wordfence archives to see whether a plugin has a history of security problems. Even if you can’t take a deep dive into plugin code, you can do a bit of research on your own.
Check with Your Host.
It’s better to not find this one out the hard way. Every host has a list of features they provide to the sites on their servers. To keep their servers free of excess weight, some hosts might ban plugins that duplicate these built-in features, like caching. This can also have a negative effect on performance, not just for your site, but for other sites on the host’s servers.
While some of your host’s banned plugins might be outlawed to cut back on weight, they could also ban other specific plugins because of a bad reputation. Check with your host before installing a plugin that you’re unsure about. While no host would boot you off their servers for one small infraction, doing it over and over again could get you more than just a slap on the wrist.
Plugins are one of the best things about WordPress. You can find almost any and every feature you’d ever need in the plugin repository. If you can’t find it, you’re welcome to build and submit it yourself. While this is the whole point of open-source software development, it’s also a pitfall. Some plugins that make their way onto the repository can be poorly maintained and cause security vulnerabilities on users’ sites. But fear not! Finding a secure, safe plugin is easy when you know what to look for.