What is a WordPress plugin?
Plugins add extra features and custom functions to self-hosted WordPress sites. They can add functions to the admin dashboard, such as SEO optimization or analytics. On the front end seen by visitors, they can customize the look of your site and help you organize your content.
The official WordPress.org Plugin Repository is one place to download plugins. All of the 53,351+ plugins in the directory are free to download, with an option to upgrade for additional features. Commercial plugins can also be purchased from third-party marketplaces or directly from the plugin developers.
Tips for Selecting WordPress Plugins
Plugin Security and Updates
When you download plugins from the official WordPress.org repository, you will see update notices in your WordPress dashboard. For very critical vulnerabilities, the repository can push a forced update of a plugin.
You should check your dashboard weekly to see if your plugins, WordPress, or theme have updates.
When you browse plugins in the repository, you’ll see user reviews and information about the last plugin update. This can help you evaluate if the plugin authors are maintaining the plugin and responding to requests for help. You can also see the number of active installations.
With commercial plugins sold in a marketplace or from the plugin developers' own sites, you usually have to install plugin updates manually. Some developers will email you about updates, but others require that you check their sites for notices. This means a plugin installed on your site could have a critical fix that the developer has already released while the older, vulnerable version is still running on your site.
There are many great free and commercial plugins offered by reputable developers. If a developer has not provided updates in over 6 months, you should avoid installing the plugin on your site. Some plugins legitimately do not require frequent updates. If you feel that a plugin is essential for your site, check whether the developer still appears to be assisting people with questions. That is at least a sign that they are still paying attention to the plugin and to reports of vulnerabilities.
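The six-month rule above can be checked mechanically rather than by reading the plugin page by hand. The following is an added example, not code from the article, that reads the `last_updated` field of a WordPress.org plugin info record and flags the plugin as stale when the last release is older than about six months. The record format shown here is a constructed sample; the API URL and the timestamp layout are assumptions based on the public plugin info endpoint.

```python
"""Flag WordPress.org plugins whose last release is older than a threshold."""
from datetime import datetime, timedelta, timezone
import json
import urllib.request

# Assumed endpoint of the public plugin info API (network access needed to use it).
PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"
STALE_AFTER = timedelta(days=183)  # roughly the six-month rule from the article

# Constructed sample record: the real API returns more fields than these.
SAMPLE_RESPONSE = json.dumps({
    "name": "Example Plugin",
    "slug": "example-plugin",
    "version": "1.4.2",
    "last_updated": "2023-01-10 3:05pm GMT",   # assumed layout: date, 12-hour time, GMT
    "tested": "6.1.1",
    "active_installs": 20000,
})


def parse_last_updated(value: str) -> datetime:
    """Turn the API's last_updated string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def assess_plugin(info: dict, now: datetime) -> dict:
    """Return a verdict for one plugin record relative to the reference time `now`."""
    age = now - parse_last_updated(info["last_updated"])
    return {
        "slug": info["slug"],
        "version": info["version"],
        "days_since_update": age.days,
        "stale": age > STALE_AFTER,
        "tested_up_to": info.get("tested", "unknown"),  # WordPress version the author tested
    }


def fetch_plugin_info(slug: str) -> dict:
    """Fetch a live plugin record from WordPress.org (requires network access)."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    reference = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(assess_plugin(json.loads(SAMPLE_RESPONSE), reference))
```

Run it against a real slug with `assess_plugin(fetch_plugin_info("some-slug"), datetime.now(timezone.utc))` to check a plugin you are considering.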
Finding Reputable Plugin Sites
You can shop for commercial plugins outside the repository. However, you will need to take extra steps to confirm that the plugin site belongs to a reputable plugin developer.
Plugin Site Information
Not all plugin developers make nice-looking sites; some have very minimal styling, and that alone is not a warning sign. Keep in mind, though, that an attacker could set up a fake site distributing a copy of a legitimate plugin that has been modified to include malware.
You should look for detailed support information, company information, and contact details.
- Do a Google search for the domain name of the plugin site to check for bad reports about the plugin. (You should also check whether the plugin is offered for download on multiple sites, so you don’t download it from a fake one.) Are popular and reputable sites recommending the plugin and pointing to where it can be safely downloaded?
- Do a Google search for the plugin name together with words such as “vulnerability”, “malware”, “spyware”, and “scam.”
Plugin Login Details and Brute Force Attacks
One way your site can be compromised is by an attacker guessing the usernames and passwords for your WordPress login, your hosting account, and any accounts associated with plugins. This is called a brute force attack.
- Whenever possible, enable two-factor authentication that requires a code from your cell phone.
- Do not use obvious usernames such as Admin, Administrator, or your domain name. Also avoid any name that is easy to guess because it’s already posted on your site: your own name (or the name of anyone writing on your site), your company name, or the names of your pets or kids.
- Use a strong password: long, with a mix of upper- and lower-case letters, numbers, and symbols. Again, do not base it on names or anything obvious. Your password should be random letters, numbers, and symbols.
Minimize the Number of Plugins
The more plugins you have installed, the more likely you are to see slower page loads, error messages on your site, or even a complete site failure. You may also find that some plugins duplicate each other’s functions. As you find plugins that better fit your needs, uninstall the ones you no longer plan to use.
Creating a Template Backup
Before installing or updating plugins, always back up your WordPress site. If your site stops functioning properly afterwards, you most likely installed a plugin that isn’t compatible with your template code or with other plugins running on your site, and the backup lets you roll back.