Evaluating Plugins

Strategies to Effectively Extend WordPress

Our Goals

Learn strategies for choosing plugins to safely and effectively extend WordPress functionality beyond core functions.

• Is it the right tool for the job?
• Is it high quality?
• Is it actively being developed? (Will it last…)
• Is it safe?

Have some fun -- plugin horror stories.

What is a plugin?

A script or group of scripts in PHP that extend the functionality of your WordPress site. Plugins seamlessly integrate into WordPress, often leveraging the core functionality of WordPress to add new features to your site.

Themes: display and layout, but can also add functionality.

Plugins: add functionality, but can also add to your site's layout.

​

What can plugins do?

“There’s a plugin for that.” Plugins can do just about anything.

Of the most popular plugins, functionality includes:

• Contact Forms (Contact Form 7)
• Search Engine Optimization (Yoast SEO, All in One SEO, Google XML Sitemaps)
• eCommerce (WooCommerce)
• AntiSpam (Akismet)
• Backups (Updraft Plus)
• Security (Wordfence)

​

​

Plugins turn what started as a basic blogging platform into a full function data-driven website that supports your business.

What a plugin can do

Plugins insert new functionality and bring your site new life.

​

And with that power…

What a plugin can do

...comes great responsibility.

What happens on your site is your responsibility.

​

Make good decisions based on good data.

It’s all about performance

What can a plugin do for you?

Will it do what it says it will?

Will it do no harm?

​

Types of plugins: Open source

The WordPress Plugin repository: 60,000 free and open source WordPress plugins.

wordpress.org/plugins

Samples:

• Contact Form 7
• Duplicate Post
• WP Super Cache

Types of plugins: Freemium

Offering basic services for free while charging a premium for advanced or special features. Free version of the plugin in the repository with some locked features. Unlock features by purchasing a license.

• Yoast SEO
• Smush (Image Compression)
• Updraft Plus
• Wordfence

Types of plugins: Premium/Commercial

Source is not in repository and is only available after purchase.

Commercial sources like Envato Market:

• ThemeForest.net
• CodeCanyon.com

Types of plugins: Nulled

Freemium or premium plugins made available for free.

Often have backdoors, spam links.

Spoiler: It’s a trap!

Do You Get What You Paid For?

Not necessarily.

Plugins from repository are open source

Paid plugins don’t have visibility in the marketplace

Not all paid plugins are bad; due diligence is on you, no help from the community

Plugin Horror Story: The Tunnel

WordPress Premium SEO Pack support backdoor.

No visibility, not open source.

​

Researching Plugins

Google search phrases

[plugin name] hacked or vulnerability

[plugin name] broke, broken

[plugin name] slow site, performance

[plugin name] support

Thankfully, we’ve got the repository...

​

Plugin Effectiveness

Questions you can answer on WordPress.org:

• Is it updated?
• Has it been tested?
• Is it supported?
• Is it loved?

(All factors are important!)

Not updated or tested

Not supported

A 5-star review! This plugin should be good, right?

No longer updated.

No answers to support questions.

The Changelog

Under Development, look for the Changelog.

Are vulnerabilities disclosed and fixed?

(No changelog? Hmmm.)

Reviews: WooCommerce

How many reviews? How many 5 star reviews?

Read a selection of mid-range and 1 star, too.

Take everything with a grain of salt; look for patterns.

Resources: Patchstack

https://www.patchstack.com

Version number with the vulnerability.

Just because a plugin is here, doesn’t mean it is currently vulnerable.

Code Review

You could take a look at the code yourself.

Download the zip file, unpack it.

Use a text editor to look for anomalies.

​

​

​

https://github.com/ethicalhack3r/wordpress_plugin_security_testing_cheat_sheet

Wordfence Scans

Not just malware scanning.

Security problem alerts.

Upgrade alerts.

Abandoned plugin alerts.

Is it Gutenberg ready?

Resources to evaluate Gutenberg readiness.

https://plugincompat.danielbachhuber.com/

(other resources forthcoming)

Plugin Resource Utilization

How does the plugin affect your site’s performance?

Debug Bar https://wordpress.org/plugins/debug-bar/

Best Practices: Testing

Create a test replica of site.

Duplication plugins can help.

Don’t test new plugins on production.

Look for effectiveness, compatibility issues with other plugins.

​

Best Practices: Plugin Management

Uninstall plugins you’re not actively using.

Keep plugins updated.

Audit/review plugins periodically.

End Result

• Functional site
• Safe site
• Happy customers
• Entertained site visitors
• Performance!

Keep in touch!

My personal site: zant.com

Twitter: @kathyzant

LinkedIn: kathyzant

Facebook: kathyzant

kathy@zant.com / kathy@wordfence.com

​