
WordPress Plugin Best Practices for Optimal Security and Performance

It’s quite easy to get into the weeds with WordPress plugins. Plugins have their place, but “just because you can” shouldn’t be your reasoning. The question you should be asking is, “Can I achieve the features or functionality I need without one?” Most of the time, the answer is “yes”.

If and when you use a plugin, follow these simple practices to ensure you choose the right one.

1. Choose Your Plugins Wisely

Who created the plugin?

Plugins can be developed by large agencies, small teams, or single developers. Because of this, the quality of plugins released on the WordPress Marketplace is hit or miss, even though the Marketplace has quality control systems in place. Ratings and reviews can’t always save you, but they’re a good indicator of future reliability.

Sure, a top-rated plugin with a reliable agency behind it may go out of business one day; after all, no one can predict the future. But it’s much more likely that a poorly rated plugin that hasn’t been updated in 6+ months and isn’t compatible with the latest WordPress version will break your site.

Choosing your plugins wisely is a big part of technology independence and IP ownership. It may cost more to build the functionality you’re looking for upfront, but over time, owning the IP means no licensing fees, no relying on third-party developers for support and maintenance, no hidden costs or premium upgrades, and all the control you need to make it work exactly how you need it to.

When was the plugin first released?

On the plugin’s profile page, if you click the “Development” tab and scroll to the very bottom of the page, you’ll see the release date of version 1.0. This is the same for every plugin ever released. This date tells you how long the plugin’s been active. In combination with the “Last updated” date on the main profile page, these two dates can be used as a good metric of long-term reliability.

The formula we use internally goes something like this:

Step 1: Current Year (a) – v1.0 Release Date (b) = Multiplier (c)
Step 2: Multiplier (c) x Total Number of Releases (d) = Result

Example:

The current year is 2024.

The plugin we’re assessing was first released in 2018. Since then, there have been 20 total releases.

Step 1: 2024 (current year) – 2018 (v1.0 release date) = 6 (multiplier)
Step 2: 6 (multiplier) x 20 (total number of releases) = 120 (result)

A good rule of thumb: any plugin with a final result of 99 or below is considered risky. Anything between 100 and 119 is considered moderately safe. Anything 120+ is considered safe. There are exceptions to every rule, but this metric helps us make more informed decisions about the types of plugins and technologies we recommend to our clients.

When was the last major update?

WordPress requires developers to list certain information when releasing plugins on its Marketplace. One of these pieces of information is the “Last updated” date. This date tells us clearly when the plugin was last updated. Even if a plugin is not currently compatible with the latest version of WordPress (more on that next), if it was updated a week ago, chances are the developer is actively working on the plugin. However, if it hasn’t been updated for a few months, this is probably a good indicator of a lack of dedication and support from the developer. Steer clear of any plugins like this.

Is it compatible with the latest WordPress version?

Compatibility with the latest WordPress version really should be a requirement. WordPress does not have an automatic termination policy in place for plugins that remain incompatible with several releases of WordPress, but it should.

Like most technologies, PHP and the frameworks that support WordPress change frequently. New WordPress releases are usually centered around security patches, new feature releases, and framework optimizations. Updates are vital to your website environment’s operability, reliability, and security. Using incompatible plugins increases your security and operability risk.
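As an added example (not code from the original post), the following Python script turns the three checks above into one vetting function: the longevity formula and its 99/119 thresholds, the “Last updated” staleness check, and the compatibility check against the latest WordPress version. The plugin records, the 90-day cut-off for “a few months”, and the field names (`first_release_year`, `total_releases`, `last_updated`, `tested_up_to`) are assumptions constructed for this example; the directory’s “Tested up to” value is treated as a major.minor version, so compatibility is compared on major.minor only.

```python
from datetime import date

# Thresholds exactly as stated in the post: <=99 risky, 100-119 moderately safe, 120+ safe.
RISKY_MAX = 99
MODERATE_MAX = 119
# The post says "a few months" without an update is a bad sign; 90 days is an assumed cut-off.
STALE_AFTER_DAYS = 90

# Constructed sample data for this example (not real plugins).
# The first record reproduces the post's worked example: released 2018, 20 releases.
TODAY = date(2024, 6, 1)
LATEST_WP = "6.5.2"  # assumed "latest WordPress version" at TODAY
EXAMPLE_PLUGINS = [
    {"name": "example-forms", "first_release_year": 2018, "total_releases": 20,
     "last_updated": date(2024, 5, 20), "tested_up_to": "6.5"},
    {"name": "example-widget", "first_release_year": 2022, "total_releases": 15,
     "last_updated": date(2023, 11, 1), "tested_up_to": "6.3"},
]


def longevity_score(current_year: int, first_release_year: int, total_releases: int) -> int:
    """Step 1 and Step 2 of the post's formula: (current year - v1.0 year) * total releases."""
    return (current_year - first_release_year) * total_releases


def score_band(score: int) -> str:
    """Map a longevity score onto the post's risky / moderately safe / safe bands."""
    if score <= RISKY_MAX:
        return "risky"
    if score <= MODERATE_MAX:
        return "moderately safe"
    return "safe"


def major_minor(version: str) -> tuple:
    """'6.5.2' -> (6, 5): compare numerically, ignoring the patch level (assumed convention)."""
    parts = [int(p) for p in version.split(".")]
    return (parts[0], parts[1] if len(parts) > 1 else 0)


def assess_plugin(plugin: dict, today: date, latest_wp: str) -> dict:
    """Combine the three checks; 'recommend' is True only when none of them raises a flag."""
    score = longevity_score(today.year, plugin["first_release_year"], plugin["total_releases"])
    band = score_band(score)
    days_since_update = (today - plugin["last_updated"]).days
    stale = days_since_update > STALE_AFTER_DAYS
    compatible = major_minor(plugin["tested_up_to"]) >= major_minor(latest_wp)

    reasons = []
    if band == "risky":
        reasons.append(f"longevity score {score} is in the risky band")
    if stale:
        reasons.append(f"last updated {days_since_update} days ago")
    if not compatible:
        reasons.append(f"tested up to {plugin['tested_up_to']}, latest WordPress is {latest_wp}")

    return {
        "name": plugin["name"],
        "score": score,
        "band": band,
        "days_since_update": days_since_update,
        "compatible": compatible,
        "recommend": not reasons,
        "reasons": reasons,
    }


def assess_examples() -> list:
    """Run the assessment over the constructed sample plugins."""
    return [assess_plugin(p, TODAY, LATEST_WP) for p in EXAMPLE_PLUGINS]


if __name__ == "__main__":
    for result in assess_examples():
        verdict = "OK to trial" if result["recommend"] else "steer clear"
        print(f"{result['name']}: score={result['score']} ({result['band']}), {verdict}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The score alone would rate the second plugin as risky; the staleness and compatibility checks are what turn a borderline number into a concrete reason to walk away, which is the point of combining the three signals rather than relying on any one of them.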

2. Are you running the latest version of WordPress?

Before installing a new plugin, check what version of WordPress you’re running. If a new release is available, update it. But, not so fast! Speak with your Site Manager or web host before running any site updates. Updating any files or plugins on your site may cause errors, downtime, or security vulnerabilities. At the very least, take a backup of your site and database before running updates.

If you are running the latest version of WordPress and the plugin you want to install is compatible, it’s safe to install and test on your site. Once you’ve installed a new plugin, run front-end and back-end tests to ensure nothing broke. If you notice anything is broken, deactivate the plugin.

3. How many active installations does the plugin have?

The plugin’s Active Installations metric tells users how popular a plugin is amongst the WordPress community. A higher number doesn’t necessarily correlate to a better plugin. Some plugins serve a small target audience, depending on their use case. For instance, an SEO plugin may have 100,000 active installations while an AI chatbot plugin may have only 1,000 active installations. The difference of 99,000 active installations may seem like a red flag, but it isn’t so cut and dried. The other information listed above matters just as much, if not more, when deciding which plugin to use or whether to use one at all.

4. How active is the plugin’s support page?

When viewing a plugin’s profile page, check out the Support tab. Some questions to consider are:

  1. How many “open” support tickets are there? High rates of open or unresolved tickets may signify a lapse in communication or increased turnaround times. This is typically a bad sign.
  2. How many repeat topics are there? If there are a lot of repeat topics, it may be that the plugin developer hasn’t yet fixed the issue or that the particular topic isn’t a priority. Either way, this can become problematic if it’s affecting your website.
  3. When was the last support ticket added? If it’s been a month since a support ticket was added but the plugin has thousands of active installations, that’s a good sign that it works well and does what it says it’s supposed to do.

5. What happens if the plugin’s developer ceases operations?

The more plugins you install on your website, the more difficult it becomes to manage. Plus, do you ever really “own” your website’s IP if most of it relies on plugins and third parties to function? The answer is, “no”. What if plugins you rely on suddenly become obsolete? The developer discontinues updates or stops answering support questions. Suddenly, the repercussions become much bigger and the solution becomes more complex.

Unfortunately, there’s absolutely nothing you can do about it once a plugin becomes obsolete. The only way to avoid this scenario entirely is to build the features or functionality you need into your native theme. But this presents its own set of pros and cons.

What does it all mean?

This is all just a bunch of tech mumbo-jumbo for, “do your research and stay up-to-date”. If you choose your plugins wisely, refrain from installing plugins just because you can, and maintain your plugins properly, you’re already miles ahead of most.
