Plugins came to WordPress a long time ago to make everyday life easier for the millions of users who need functionality on their website that is outside the core of the CMS. It is no accident that there are more than 53,000 plugins available in the official WordPress.org Plugin Directory alone. That is a lot!
This leads many to “experiment” by installing plugins left and right without analyzing why they need them or whether they really are necessary to meet the needs of their website.
At this point I want to tell you about WordPress plugins that are heavy, abandoned or duplicate functionality, and that you should not install, especially alongside others with which they may end up conflicting.
What do the statistics say?
If we start analyzing data, the picture deserves attention. Look at the following graph, which I have prepared from a few figures obtained from studies carried out by Sucuri and other reliable sources on the Internet.
The figures have quite possibly grown, because I did not obtain data from mid-2017 until the end of the year, so some of them will have changed significantly. Taken as a whole, though, they are worth taking into account: installing abandoned, outdated or vulnerable plugins is like putting a time bomb on your website.
Ah! And these figures do not include the more than 29,000 WordPress plugins that are not listed on WordPress.org and that usually come from commercial sources or third parties that distribute them independently.
Being lax about analysis before installing leaves millions of installations vulnerable, mainly because they use plugins that are badly programmed or simply abandoned by their developers.
There are egregious cases of plugins still active in the WordPress.org Directory that have gone more than 13 years without an update and are still there, at the mercy of any unwary user who risks installing them on their website simply for not paying attention to the details.
Plugins add new functionality to WordPress quickly and easily, but overusing them can turn a fast site into a problematic one in no time.
If you don’t need it, don’t install it!
This maxim should sit on a post-it on the side of your monitor, clearly visible, to remind you, if you are quick to click “Install” and “Activate”, that a plugin binge ends in an intense hangover in the form of a malware infection or a 500 error when you least expect it.
Situations like these are when a good backup policy for your WordPress proves its worth, letting you return in a few minutes to the moment before the announced disaster.
But I had better focus on the plugins, and especially on reminding you of some that you should not even think about installing on your website if you really value it and want it to stay online for a long time, collecting leads and visits and improving its positioning.
Should we install everything they recommend?
Use common sense: “if you don’t need it, don’t install it”. Above all, apply the security maxim of the Minimum Exposure Point (MPE): delete everything that is not necessary or performs no function on your website, since merely deactivating it is not enough.
Surely you are one of those who read daily, here and there on authoritative and well-positioned blogs, that you have to install plugin “so-and-so” because it does such-and-such and is the bee's knees that will shake your website out of its torpor and send it “to infinity and beyond”. Wrong! Think again about common sense, or read the previous paragraph again.
That influencers or high-profile bloggers recommend it does not make it the absolute truth, since what is good for others will not necessarily work the same way for you.
Each WordPress installation is different, no two are the same, and the combination of themes, plugins and other elements largely determines the circumstances under which some plugins end up conflicting, something that will not necessarily happen in all installations.
Experiment, test and evaluate before deciding to add this or that plugin to your website, and above all do it in a sandbox first, so you avoid the odd scare.
Evaluate before installing
Many plugins, well known or not, receive updates more or less constantly, although this depends exclusively on their developers.
For this reason it is important to understand who is behind a particular plugin before installing it. Look at the number of downloads the plugin currently has, and do not ignore the reputation users give it through ratings and comments.
Here are some steps you can take to evaluate whether or not you should use a plugin:
- Verify that it is available from a trusted site. (No warez, etc.)
- Make sure it is compatible with your current version of WordPress.
- Evaluate its rating (official WordPress.org plugin directory).
- Check when it was last updated and read the changelog.
- Check how many active installations the plugin has (1).
(1) Some trustworthy and well-programmed plugins have a low number of installations, but that does not mean that they are worse or less efficient than others with many installations.
If, for example, a plugin has fewer than 1,000 active installations, it may not be stably maintained by its author or may have been abandoned, hence the importance of analyzing other factors such as the update date.
It can also happen that a plugin has not been updated for more than 1 year but does not appear in the lists of sites that collect plugin vulnerabilities, which could indicate that the plugin is stable even though it has not been maintained for a long time.
This could be the case of WordPress Importer. It is developed by WordPress.org and has gone a little over 1 year without receiving updates, but that does not place it among the problematic plugins, since it has not been affected by vulnerabilities since its last update.
It is always important to evaluate the comments of other users, or to stop by the plugin's support forum to see when the last incidents were reported and resolved.
When you open the WordPress.org Plugin Directory and a certain plugin has not been updated by its author for some time, you will find a yellow notice warning about it at the top of that plugin's page.
That notice is more than enough reason not to use the plugin, don’t you think?
To the right of each plugin's page in the WordPress.org Directory you have important and very useful information that acts as an indicator of the plugin’s health and compatibility. Take this information very seriously when deciding whether to add it to the list of active plugins in your web project.
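The checklist above can be applied mechanically to plugin metadata before anything is installed. The following is an added example, not code from the original article: the records are constructed, their field names are modeled on the WordPress.org plugin information API (an assumption to verify against a live response), and the rating cut-off is an arbitrary choice.

```python
from datetime import date

# Thresholds from the checklist above; the rating cut-off is an assumption.
MAX_AGE_DAYS = 365
MIN_ACTIVE_INSTALLS = 1000
MIN_RATING, MIN_VOTES = 60, 10

# Constructed sample records (hypothetical slugs and values).
SAMPLE = [
    {"slug": "example-stale-plugin", "last_updated": "2012-03-01 9:10am GMT",
     "tested": "3.3", "active_installs": 800, "rating": 52, "num_ratings": 25},
    {"slug": "example-maintained-plugin", "last_updated": "2018-01-10 4:02pm GMT",
     "tested": "4.9.1", "active_installs": 200000, "rating": 94, "num_ratings": 1200},
]


def major_minor(version):
    """Return (major, minor) of a version string such as '4.9.1'."""
    parts = [int(p) for p in version.split(".")[:2] if p.isdigit()]
    return tuple(parts + [0] * (2 - len(parts)))


def evaluate_plugin(meta, site_wp_version, today):
    """Return the checklist warnings raised by one metadata record."""
    warnings = []
    # Only the leading YYYY-MM-DD part of the timestamp is needed.
    updated = date.fromisoformat(meta["last_updated"].split()[0])
    age_days = (today - updated).days
    if age_days > MAX_AGE_DAYS:
        warnings.append(f"not updated for {age_days} days")
    if major_minor(meta["tested"]) < major_minor(site_wp_version):
        warnings.append(f"tested only up to WordPress {meta['tested']}")
    if meta["active_installs"] < MIN_ACTIVE_INSTALLS:
        warnings.append("fewer than 1,000 active installations")
    # A rating built on a handful of votes says little, so require some votes.
    if meta["num_ratings"] >= MIN_VOTES and meta["rating"] < MIN_RATING:
        warnings.append(f"low rating ({meta['rating']}/100)")
    return warnings


if __name__ == "__main__":
    for record in SAMPLE:
        found = evaluate_plugin(record, "4.9.2", date(2018, 2, 1))
        print(record["slug"], "->", found or "no warnings")
```

A warning is a prompt to look closer, not a verdict: as the WordPress Importer case shows, an old update date alone does not make a plugin problematic.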
Some “abandoned” plugins you shouldn’t install
Most plugins are really good: they have good code because they are well programmed, they are long-running, with many downloads, hundreds of positive reviews and a growing community of users who trust them.
But among them there are also others that take advantage of the gaps that supply and demand constantly leave in the market to establish themselves. When they are not based on firm projects with a consistent team of serious developers behind them, they end up abandoned and possibly loaded with vulnerabilities, waiting for lax or unwary users to install them.
- P3 (Plugin Performance Profiler) – https://es.wordpress.org/plugins/p3-profiler/ – More than 3 years without updating.
- WP PHP widget – https://wordpress.org/plugins/wp-php-widget/ – 7 years without updating.
- Starbox Voting – https://wordpress.org/plugins/starbox-voting/ – 9 years without updating.
- Limit Login Attempts – https://wordpress.org/plugins/limit-login-attempts/ – 6 years without updating.
- Jason’s User Comments – https://wordpress.org/plugins/jasons-user-comments/ – 13 years without updating.
- PS Auto Sitemap – https://wordpress.org/plugins/ps-auto-sitemap/ – 3 years without receiving updates.
- flickrRSS – https://wordpress.org/plugins/flickr-rss/ – A little over 3 years without updating.
Also bear in mind that many of these plugins are inherently vulnerable. You just have to query any of them in the WPScan Vulnerability Database and you will see that they have been affected by security flaws, possibly not yet corrected.
Plugins with EXEC functions
These are plugins that use exec() functions, which not all hosting providers allow for security reasons.
These plugins are not necessarily outdated, abandoned or affected by security issues, but their code calls PHP functions that run external programs.
Those functions are usually disabled to avoid security problems on servers where they could be used to execute arbitrary commands.
Some of the best known of these plugins are:
- EWWW Image Optimizer – https://wordpress.org/plugins/ewww-image-optimizer/
- ezPHP for WordPress – https://wordpress.org/plugins/ezphp/
- Inspector Plugin – https://wordpress.org/plugins/plugin-inspector/
- BackUpWordPress – https://wordpress.org/plugins/backupwordpress/
- WPTerm – https://wordpress.org/plugins/wpterm/
This is just a brushstroke of the many in the official plugin directory. If you have doubts, check with your hosting provider whether the plugins you want to use will work on the hosting plan you have contracted.
I would like to make a point about this type of plugin, which many specialized blogs talk about, but which sometimes ends up becoming a bottleneck or duplicating functionality that your hosting provider may already implement.
Installing plugins to improve the security of your website is not in itself a solution. If you need many plugins to protect the weak points of your website, perhaps the question you should ask yourself is: am I hosted with the appropriate hosting provider for my web project?
The secret lies more in having a coherent and balanced mix of security measures, whether through .htaccess or even plugins, but good hosting makes the difference in this regard.
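To see in advance whether a plugin depends on functions your host may have disabled, its PHP source can be searched for bare calls to the functions that run external programs. The following is an added example, not code from the original article or from any of the plugins listed: the function list and the sample PHP are assumptions constructed for illustration, and the matching is a heuristic that flags candidates for manual review.

```python
import re
from pathlib import Path

# PHP functions that run external programs; hosts often block them via disable_functions.
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "proc_open", "popen")

# Strings and comments are blanked first (heuristic: heredocs and inline HTML are not handled).
SKIP_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
# Bare calls only: no methods (->exec, ::exec), longer names (curl_exec), $exec or definitions.
CALL_RE = re.compile(
    r"(?<![\w$>:])(?<!function )(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I)

# Constructed sample, not taken from any real plugin.
SAMPLE_PHP = """<?php
// exec('ls') inside a comment is ignored
$out = shell_exec($cmd);
curl_exec($ch);
$pdo->exec($sql);
echo "call system(1) here";
exec( $bin . ' -v', $lines );
"""


def blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_exec_calls(php_source):
    """Return (line_number, function_name) pairs for bare exec-family calls."""
    code = SKIP_RE.sub(blank, php_source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).lower())
            for m in CALL_RE.finditer(code)]


def scan_plugins(plugins_dir):
    """Map each PHP file under plugins_dir to the calls found in it."""
    report = {}
    for path in sorted(Path(plugins_dir).rglob("*.php")):
        hits = find_exec_calls(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(plugins_dir).as_posix()] = hits
    return report


if __name__ == "__main__":
    print(find_exec_calls(SAMPLE_PHP))
```

Because string literals are blanked, indirect calls such as a function name passed as a string are not reported, so an empty result does not prove that a plugin never runs external programs.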
- iThemes Security
- Sucuri Security
- All In One WP Security & Firewall
- Wordfence Security
- Bulletproof Security
- Security Ninja
- WP Antivirus Site Protection
The list could be longer, since plenty of plugins exist to secure WordPress, but their use should be aimed at mitigating real threats and not those you think could be carried out against your website. It is very likely that many of the gaps you try to cover with these plugins are already closed by your hosting provider and its security measures.
Builders and frameworks
This short list is not about showing deficiencies or programming errors in commonly used plugins, but about pointing out that spaghetti code or over-programming risks producing scripts (which is what plugins are) with a complex, hard-to-follow flow structure that makes them natural colliders with other plugins.
In this other list I would put, almost by default, most of the usual builder plugins, since many of them generate a brutal dependency (lock-in effect) that makes them true parasites of the theme and of the content generated with these builders.
- Divi Builder (ElegantThemes)
- Page Builder (SiteOrigin)
- Visual Composer
- Fusion Builder (Avada · Theme Fusion)
- Theme4Press Evolve Builder
The list does not mean that you should stop using them. It is just a warning to reconsider whether your project needs a builder and which of the existing and most popular ones to use, and there are quite a few, as I already told you in previous articles.
It is true that many modern WordPress themes already come with these builders pre-installed, or necessarily recommend their use, which certainly conditions their use, possibly for commercial reasons. But there are builders such as Elementor, to name one, that are not even a quarter as intrusive as those mentioned, do their job very well and can usually be used with well-known themes from the theme market.
Then there are the frameworks, which are good tools in themselves: specific pseudo-builders for certain themes, or rather, for themes based on those frameworks.
You should not stop using frameworks if your theme requires them, but it is important to read up in case they conflict with plugins that you are using on your website or plan to incorporate into your project.
This article is especially dedicated to all those who spend hours trying to explain why the use of many, or of certain, plugins can be counterproductive for a WordPress installation, or why Pingdom and other tools insist on recording exaggerated load times when undesirable plugin combinations are in use.
There is no concrete formula for determining when a web installation is abusing plugins, and it is not necessarily a matter of quantity, since sometimes a single one is enough to ruin the site or its load times. But a detailed analysis of what you install and why should serve as an indicator of when to stop or change plugins.
Listen more to your server, where your website is hosted, and to the load time measurement tools available on the Internet; champion the principle of the Minimum Exposure Point; always make backup copies before installing “another plugin”; and remember that if you are not going to use it, what are you installing it for?
In a future article I will tell you how to detect bottlenecks in your WordPress installation so that you can tell what adds, what is surplus and what hinders your installation.
A small preview in the form of a screenshot …
… no, it is not P3 Performance Profiler. Patience!
Remember the maxim that says “Less is always more” and apply it.