WordPress is loved by the masses because it is free, easy to use, and has 1000s of plugins that add tremendous functionality to the usability of a site. While all this is true and I myself use and love WordPress, a site owner should also remember that installing WordPress plugins is the equivalent of installing a new application and brings with it increased risk and additional support requirements that must be met to keep a site secure and functioning properly.
Risk #1 – Availability of your site
How extensive has the testing been for the plugin or plugin update you are installing? I have already discussed a recent plugin upgrade incident I experienced while installing a WordPress plugin update that rendered my admin panel inaccessible. Fortunately for me I had backups and was able to restore the admin panel quickly but it is an eye opening experience for any site owner the first time this type of event occurs. A WordPress plugin is only as good as the support and testing that goes into it otherwise it poses a big security risk to the availability of your site.
Risk #2 – Plugin compatibility issues
WordPress plugin developers are a creative bunch but are often limited financially in their ability to test plugin compatibility with different versions of WordPress and different combinations of plugins. This leaves you as the equivalent of a beta tester if you are an early adopter of a new plugin or a plugin update. This can lead to site performance issues and cause other more important parts of your site to stop functioning correctly.
Risk #3 – Security vulnerabilities that can lead to the compromise of your site
Every plugin installed is additional code installed on your site that increases the complexity of your site and opens additional potential vulnerability sources. This is not meant to scare you as it is important to balance the risk vs. reward of any type of business activity but is only meant to give you additional awareness into the risks.
Risk #4 – Increased administrative burden
Installing a new wordpress plugin should be looked at as both an opportunity and a commitment to stay current with that plugins security vulnerabilities and plugin patches. This leads to an increased administrative overhead and while it is relatively easy to apply a patch most of the overhead comes due to support complexities caused during the 1 time out of 50 when something goes very wrong.
Tips to manage the risks of using WordPress Plugins:
#1 – Check the plugin support box to make sure your intended WordPress plugin is compatible with the version of WordPress you are running. Avoid installing any plugins that are not supported with your WordPress version unless you are very technically savvy and have a backup/recovery plan.
#2 – Run the latest version of WordPress to minimize your chances of compatibility issues when new plugin updates are released.
#3 – Wait about two weeks to install a new WordPress plugin update unless there has been a critical security exploit that is actively compromising sites. Being on the bleeding edge put you at an increased risk of suffering an outage or causing additional technical troubleshooting that take away from your other site activities.
#4 – Implement a strategy of regular backups and test your backups to ensure your site can be recovered as expected. Failing to test your backups could lead to undesired surprises and unneeded stress during an already stressful time.
#5 - Only install WordPress plugins that you intend to use and remove plugins that you tested but no longer want. It is better to limit your installed plugins to those you need for the operation of your site to minimize additional potential vulnerabilities and plugin updates.
Some security professionals would say you should review all of the lines of plugin code prior to installing a plugin but I believe that is impractical for the average site owner and overkill. This step may be necessary if your site is bringing in the bulk of your business revenue but otherwise follow the security tips outlined above to minimize your chances of having WordPress plugin related problems.