WordPress Plugins: How to Avoid Performance And Security Risks


Plug and Play With WordPress

One of the great things about WordPress is that the platform is very plug and play friendly. Find a theme, push a button and you have a website. You want a fancy new slider, download it and activate it. Need a contact form, add a plugin and you have it.

It’s amazing to get all this great functionality without having to write a single piece of code. It’s like the old adage: you don’t need to know how the light switch turns the lights on, it just does.

Prior to WordPress, adding functionality and features to your website required writing lines of code. You needed to understand HTML and JavaScript. That is no longer the case.


Plugins – Making It Easier For Anyone

WordPress is an ideal platform for creating websites without any prior experience. Anyone can be a website developer. It’s perfect for DIY and novice website builders (more often than not, small business owners who cannot afford to have a website developed for them). Thanks to the ease of using WordPress, more developers are capitalizing on this. They are creating plugins to fill every need. While the majority of these are free, many of the more robust plugins are paid. For many developers, creating plugins for WordPress is their business.

As the plugin market grows, you have more and more options. You also get more insight. Now you can see if the plugin is compatible with the WordPress version you are using. Most of the time a plugin seems to work flawlessly with your site and you can go about your day.


Sometimes The Plugin Can Lead To Disaster.

A perfect example is the Yoast SEO plugin. It has been one of the best on the market for helping optimize your website, but when Yoast launched V3.0, it caused sites to crash. Unless you knew what you were doing, you were stuck, at the mercy of Yoast to fix it and release an update you could download. Not many people know how to download an earlier version or, better yet, even think to delete the old one and reinstall the older version. Most wouldn’t for fear of losing their data.

Lately, here at Inbound Designs, we’ve been toying with how plugins relate to site performance and security. We are finding very interesting things and have just scratched the surface. On our quest to get all of the performance benchmarks as high as possible on our site, we noticed plugins were a problem. They were degrading the overall performance score and some were killing particular parts.


Plugins and Site Performance

For example, we found that reCAPTCHA wiped out the first byte time (affecting how fast your site loads for your customer). Start adding a plugin here and there for every little need and, next thing you know, you’re getting a D score instead of an A. You can test your site to see how well it scores for performance at webpagetest.org.

For your bottom line, that could be the difference between a customer happily playing on your website and ordering or giving up, moving on and you never having a chance. How long are you willing to wait on a website to load?

For SEO, Google LOVES clean code and performance. Site load times aren’t the most important ranking factor but they do matter.  Website performance and content together may be at the core of how your website ranks in Google’s search results.


Plugins and Site Security

Performance aside, plugins also create a security issue.

Plugins may see the most security attacks and are the most vulnerable. Most vulnerabilities are public and known to the developer, who may or may not fix them. Even when a fix is released, if you fail to upgrade your plugin you are still vulnerable and your site could be exploited. While complex attacks on plugins are down, the number is still a staggering 3.3 million per day, and that is just what was logged by Wordfence’s firewall.

So do themes….


WordPress Themes and Site Security

Wordfence also shows astonishing statistics on themes being compromised as well. You take a vulnerable theme, add in outdated plugins and you end up with a website that can leave you open to attack.


The Solution?

For plugins:

Our best advice is to limit the number of plugins used, keep the ones used to only those created by well-known developers and consider skipping free ones. (Most are fine, but you get what you pay for. What incentive does a developer have to keep a free plugin secure? Or create it to not affect performance?)

Consider having custom code written to support the functionality you need. It eliminates the potential security issues and limits the maintenance required in watching for, then installing updates.
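If you do keep plugins, the two habits above (few plugins, always updated) can be checked routinely. The sketch below is an added example, not code from Inbound Designs or from WordPress: it reads the JSON that WP-CLI prints for `wp plugin list --format=json` and reports which active plugins have an update waiting and which unused plugins should be removed. The sample data and the `max_active` plugin budget are assumptions made for illustration.

```python
import json

# Constructed sample in the shape printed by `wp plugin list --format=json`.
# Plugin names and versions are made up for illustration.
SAMPLE_WP_CLI_JSON = """
[
 {"name": "example-seo", "status": "active", "update": "available", "version": "2.9.2"},
 {"name": "example-slider", "status": "inactive", "update": "available", "version": "1.0.4"},
 {"name": "example-forms", "status": "active", "update": "none", "version": "5.1.0"},
 {"name": "example-captcha", "status": "inactive", "update": "none", "version": "3.3.1"}
]
"""


def audit_plugins(wp_cli_json, max_active=10):
    """Summarise a plugin inventory.

    max_active is a hypothetical site policy (a plugin budget),
    not a WordPress or WP-CLI setting.
    """
    plugins = json.loads(wp_cli_json)
    active = [p for p in plugins if p["status"] in ("active", "active-network")]
    return {
        # Running code with a newer release already published: update these first.
        "update_now": sorted(p["name"] for p in active if p["update"] == "available"),
        # Not in use, but the code is still installed: delete rather than keep around.
        "remove": sorted(p["name"] for p in plugins if p["status"] == "inactive"),
        "active_count": len(active),
        "over_budget": len(active) > max_active,
    }


def format_report(findings):
    """Turn the findings into a short text report for a site owner."""
    lines = [f"Active plugins: {findings['active_count']}"]
    if findings["over_budget"]:
        lines.append("More active plugins than the site's budget allows.")
    for name in findings["update_now"]:
        lines.append(f"UPDATE  {name}")
    for name in findings["remove"]:
        lines.append(f"REMOVE  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_plugins(SAMPLE_WP_CLI_JSON, max_active=5)))
```

On a real site, replace the sample string with the output of the WP-CLI command and run the check on a schedule.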

For themes:

The same best practice applies. Choose one from a well-known theme builder like Theme Forest and consider a paid option over a free one.


Our Best Advice – Hire A Website Developer.

If you still want to build it yourself, do your research. Test your site. Maintain it.  If you are not willing or able to do this, hire a developer.

Once you make the decision to hire someone to build your website, do your homework. Do not focus on price alone. A low price may be a great deal, but it could also mean that whoever you choose will still rely on less expensive themes or free / vulnerable plugins.

Ask questions. Know in advance what theme will be used. Know how many and which plugins will be used. Find out if they will be writing code to limit security concerns.


Build It Right From The Start

Working from the ground up, you are not a part of the masses using products that have known vulnerabilities that even beginner attackers are able to exploit.

When we build a site, we create custom code to give you the same functionality as plugins you download. These are custom written specifically for your site with nothing to download and completely tailored to your needs. This eliminates the loading of unnecessary services degrading performance and creating vulnerabilities. Our sites are built from the ground up and limit the use of mainstream plugins for design and functionality.

In the end, a well-built website, created by a quality developer will provide a secure website with great performance. It will limit your vulnerability and provide a solid foundation to build on as your needs change without the requirement to start over. It will provide the core for solid SEO.


Mike Whitlatch is the owner and lead designer at Inbound Designs

My agency does amazing designs and websites. Anything from business cards to logos; simple websites to enterprise ecommerce. We believe in a solid foundation and incredible design.