I believe WordPress plugins should be used very sparingly, for three reasons:
This is the Plugins page of my site’s WordPress backend:
It all fits on one page. The orange box contains all my plugins: four.
This is the Plugins page of a client’s WordPress backend after I have already uninstalled some:
The orange box doesn’t fit on one page. There are over 20 plugins. The red box at the top, absent on my site, contains distracting prompts from various plugin creators, requesting either reviews or investment for more features.
If any of these plugins break, part of the site’s functionality will be disrupted. Each additional plugin boosts the risk of this happening.
I consider each of the prompts to be disruptive to workflow, so the fewer of those the better.
But WordPress plugins can present serious security vulnerabilities too, especially when they’re not kept up to date. If a webmaster doesn’t update their plugins often, the site becomes more and more vulnerable.
The list of hacked, dangerous, and vulnerable WordPress plugins over at firstsiteguide lists five main vulnerabilities and exploits. Here they are with a brief intro:
As you can see, this is pretty severe. Your site can be hijacked, deleted, compromised, or disrupted in various other ways. Often these attacks are hard to reverse, as your admin access to the site will likely be deleted.
The longer a plugin has not been updated, the more likely it is that security vulnerabilities it may have had will have been found and utilised.
Each plugin multiplies the risk of this happening. The most vulnerable and most hacked WordPress plugins are listed in the guide I already linked to.
Hopefully by now you’re not asking yourself “should I update my WordPress plugins?” any more. The answer is yes.
Asking why is fair enough, though.
Think of it as a game of cat and mouse: a plugin developer releases their plugin into the world. Honest users download and install it. Over time, issues become apparent, users report them, and the developer fixes them.
Then they release an updated version with these fixes built in.
Anyone downloading after this point has the newest version which (hopefully) has all known bugs fixed. Diligent users who update their previous versions also have these fixes. Lazy users don’t, and they are still exposed to these bugs.
Not all bugs will be security vulnerabilities, but if they are and you don’t update, you’re still exposed to them. And the longer the bug has been around, the more likely there are bad eggs out there just waiting to exploit it.
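To make the update-cycle argument concrete, here is an added Python example (not from the original post) that reads the standard header comment WordPress itself parses from each plugin's main file, compares the installed version against a table of newest releases, and flags anything outdated, unversioned, or missing from the table. The sample plugin sources and the release table are constructed for illustration; a real check would pull the newest versions from the plugin directory's update API.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples of the header comment WordPress reads from the first
# 8 KB of each plugin's main file ("Field Name: value" lines).
SAMPLE_PLUGINS = {
    "contact-form-7/wp-contact-form-7.php": "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 5.9\n*/",
    "old-gallery/old-gallery.php": "<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 1.2.3\n */",
    "link-colour/link-colour.php": "<?php\n/* Plugin Name: Link Colour */",  # no Version line
}

# Constructed "newest release" table (hypothetical); in practice this would
# come from the plugin directory's update API rather than being hard-coded.
LATEST_VERSIONS = {"Contact Form 7": "5.9", "Old Gallery": "2.0"}

# Same shape as the pattern WordPress uses: optional comment decoration,
# then the field name, a colon, and the value up to end of line.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Return the Plugin Name / Version fields found in the header comment."""
    fields: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(source[:8192]):
        value = re.sub(r"\s*(?:\*/|\?>).*", "", value)  # drop a trailing '*/' or '?>'
        fields.setdefault(key, value.strip())           # first occurrence wins
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); trailing zeros dropped so '5.9' == '5.9.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit_plugins(plugins: Dict[str, str], latest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (plugin name, finding) for every plugin that needs attention."""
    findings = []
    for path, source in plugins.items():
        header = parse_plugin_header(source)
        name = header.get("Plugin Name", path)
        installed = header.get("Version")
        newest = latest.get(name)
        if installed is None:
            findings.append((name, "no Version header; cannot tell whether it is current"))
        elif newest is None:
            findings.append((name, "not in the release table; possibly abandoned or unlisted"))
        elif version_key(installed) < version_key(newest):
            findings.append((name, f"outdated: {installed} installed, {newest} available"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS):
        print(f"{name}: {finding}")
```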
I’ve seen a client site hacked and replaced with a parking page promoting ISIS, something along the lines of the below:
I’ve also seen tons of pornographic content tucked away on pages of the client site that weren’t linked to from the top nav, or anywhere else on site. Meaning they were effectively invisible.
This is my favourite reason.
A plugin is designed to do something for you, whether it’s something incredibly elaborate like creating a functional contact form and hooking it up via SMTP to your email account, or something ridiculously easy like changing the colour of your links.
Each time you install a plugin you deny yourself the opportunity to learn a new skill.
Fair enough if you’re a webmaster who just wants to get their site up and running.
BUT, if you advertise yourself as a web designer and you rely on plugins to achieve all of the functionality on the sites you build, I think this is dishonest.
There are obviously plugins that are fair game: WooCommerce for example. Or Contact Form 7. These are big name players who update often and offer functionality that is hard to replicate.
I fully welcome people to disagree with me and say either “hey, plugins are fine, leave me alone” or “WooCommerce? HA! Learn to code it yourself you lazy f*ck”.