Winning with Best-in-Class WordPress Plugins. Discover how to Choose High-Quality Plugins that Drive Growth
- Why You Need to Know Who Creates WordPress Plugins
- The Importance of Testing New WordPress Plugins
- How to Audit a WordPress Plugin for Your Website
- WordPress Plugins: The Advanced Stats That Matter
- WordPress Plugin Ratings and Support Tickets
- How to Check for WordPress Plugin Vulnerabilities
- Inactive Plugins and Website Performance
- Can You Have Too Many WordPress Plugins?
Jason: Hi, and welcome to another SEMrush webinar with David. The last webinar we did was absolutely brilliant, and I've seen the slide deck for this one, all about plugins, full of stuff I didn't really know. You're a fan of plugins or you're not a fan of plugins? Or you need plugins to be used correctly?
David: I think I'm definitely a fan. I mean, we use them at WP Engine all the time. I partner with plugin providers quite often to help our customers get things done faster and better. We have Jonathan, is it Jetter or Yetter?
Jason: Jeter. I got it wrong.
Jonathan: It's okay. I run the development department in an ad agency. We're based out of Dallas, Texas. We do work for all kinds of clients, large and small. My team is specifically around digital, so we do everything from online ads, to websites, to mobile applications, to emerging technology, all that kind.
We use plugins all the time. We partner with WP Engine as well for a lot of the web work we do. This week, as a matter of fact, we were vetting some new plugins for a site we're building for a client.
Jason: Okay. You actually write them, you don't just use them, so you're a real expert.
Jonathan: I don't personally write them, but people on my team have written plugins. We write custom plugins for sites, so we do when we don't find a public plugin available for that purpose. For the most part, we try to rely on publicly available plugins, so that we don't have to support them.
Jason: Lovely to meet you, Thomas, as well. I don't know very much about you. You were the co-founder of OptinMonster and you work for Awesome Motive. What's Awesome Motive?
Thomas: Yeah. Yeah. I'm the co-founder of OptinMonster. I'm a partner at Awesome Motive. You've probably heard of Awesome Motive before with one of our brands, our plugins. We run a site called WP Beginner, which is the largest free WordPress resource site, and we have many popular plugins in the WordPress repository. In fact, our plugins are found on over 10 million websites across the globe.
We are not only experts in plugins and using them, but we actually built many of them that people use, so a contact form plugin called WP Forms just passed three million active installs recently.
MonsterInsights for Google Analytics and of course OptinMonster as well, over a million active installs of that too. So, we know quite a lot about WordPress plugins. We build some of the best, if not the best out there, and so we're able to know how you can best use ones for your website.
Jason: David, you've got a presentation for us... You're from WP Engine, which is an astonishingly impressive WordPress hosting platform I've used and have been incredibly impressed by.
David: We take a lot of pride in doing right by our customers and trying to build a platform they can rely on. I'll show you a little bit in the presentation, but helping customers choose plugins is part of what we do.
I'm going to give you a little peek behind the curtain of how we might look at a plugin, either to recommend or to choose to use for ourselves.
Really what we're going to talk about today is winning with best-in-class WordPress plugins. As Jonathan pointed out, choosing a plugin can be a great way to get your idea to market faster, but if you choose the wrong plugin, that could cause some problems for your business.
Picking good plugins is actually part of my job. One of my teams at WP Engine puts together what we call the WP Engine Solution Center, which is a collection of plugins, themes, and SaaS services that are in service at WordPress.
In order to make those recommendations, we go through a process, which I'm going to unpack a little bit today, but it involves making sure the company or people behind the plugin have a solid foundation, that the technology is sound and that they're maintaining the plugin in proper ways. We have some pretty handy plugins and solutions that we list there.
Why You Need to Know Who Creates WordPress Plugins
First thing I wanted to cover was really who creates plugins and why. There can be, of course, many types of individuals and organizations, but I generally think of them in three buckets: brands or companies who might make a plugin to integrate with their software. The company or brand may make the plugin to integrate with it.
There might be other third party plugin providers who might make a plugin that adds functionality to WordPress, and their goal fundamentally is to earn revenue from doing that in a variety of ways. Of course, OptinMonster, the company that Thomas co-founded, is one of these.
Fundamentally the kinds of questions I ended up asking myself when I'm thinking about choosing a plugin is, "Do they have the organization that stands behind it?" This is the notion you want to be doing when you think about the plugin that you're going to choose. Of course, there are individuals who will contribute plugins just for the betterment of the WordPress community.
Bill Erickson, who was on the last SEMrush webinar that we did around page performance, is one of these individuals. Bill has many plugins that are free, he doesn't monetize in any way, and he exclusively releases them for the benefit of WordPress.
If the individual doesn't maintain that plugin, then even that helpful act of contributing that code, if you use that code in your WordPress site, if that author doesn't maintain it...then that might be something that could cause you problems later on.
This is roughly how I think about the different types of entities or people that might be creating plugins. It's important, I think, to do that business interview to make sure they're committed to the products that they build.
The Importance of Testing New WordPress Plugins
Jason: Sorry; Terry Bung has asked a question; what's the best way to ensure that you don't have issues with plugins that are conflicting with each other, that they will actually integrate together?
Obviously, they all work straight off with WordPress or they tend to work very well with WordPress straight off, but when you start integrating plugins, there's that conflict. How do you best ensure that you don't get that?
David: Yeah, that's a great question. What I do recommend is that you have basically a suite of tests that can be automated or manual depending on your level of complexity.
When you introduce a new plugin into your site, you want to run all of your standard tests to see if it does introduce a conflict. Now, many times you won't have a problem, but sometimes you will. Then the important thing is to test your entire suite of tests, not just test the plugin that you're installing to check for conflicts.
I'm curious, Jonathan, have you ever had a plugin that might not have been maintained well or might've had problems that actually caused you problems on the sites you were maintaining or operating?
Jonathan: Yeah, I think a good example of that was just with the latest release that went well, WordPress with Gutenberg. There were a lot of plugins that hadn't planned for that or they hadn't tested against it.
There were various ones that we had to decide like, "Do we do the upgrade to this plugin or do we not? Do we use Gutenberg, do we not?" Those were the questions we had to ask. As core WordPress updates come out, you also have to not just worry about, do the plugins work with each other, but do they work with the ongoing updates that go with WordPress itself?
David: Exactly. Picking the wrong plugin can actually have serious implications. In addition to the author not updating it, not keeping features for us that are relevant for what the plugin does, poor maintenance practices can actually lead to security problems.
It is important to note that a plugin that's not maintained, one of the areas to worry about can be security. I think it's important to keep your plugins updated and if there's a security patch to update it ASAP, depending on the severity of that vulnerability.
How to Audit a WordPress Plugin for Your Website
I want to talk a little bit about, how do I actually audit a plugin? How do I know that it's good or not good? Each person will have their own method for this.
This is generally how I might look at a plugin. It's important to note that this is around WordPress plugins that are listed on wordpress.org. This should provide a general guide how you might think of evaluating a plugin. The first plugin we're going to evaluate is one I think you're all somewhat familiar with, a plugin called Akismet.
Akismet is a plugin that basically helps with spam control in your comments. It's actually quite good at it. The first thing I do, and we mentioned this earlier, is I want to do a business interview. Is the company that makes this plugin going to stand behind it?
The first clue I have, or the first piece of information I have to dig in, is the author credit underneath the plugin. You can see it under my mouse there, “by Automattic”.
Now, if you click on that word, by “Automattic”, what it'll do is, it'll pull up the author's website and then that will give you more information about them as a company. How well done is the website? Is it abandoned?
You can also, of course, gain information about maybe their social profiles, their LinkedIn profile. Basically, do an interview because, again when you choose a plugin, you're choosing a partner for your business, so you want to make sure the company behind it is sound and is investing in their products. Jonathan, do you ever go to that level when you're reviewing products?
Jonathan: We don't just go to the website, we look for reviews on the company as well and obviously the plugin. We definitely are very adamant about checking who builds the plugin so we know how it's going to be supported.
David: Excellent. The other area on the wordpress.org plugin listing that you can get information about who made the plugin, is the contributors and developers section.
In the plugin’s main page, we're getting into the data now and want to talk a little bit about how I interpret that data. The view you're looking at in the middle, the orange box around is again displayed on the plugin’s main page on wordpress.org.
The first thing I look at is the version number. Is this version 1.0? In other words, is this the first iteration of the plugin? Is it a mature plugin at least as reflected by the version numbers? This might be a clue to me whether it's early days or not.
I still may consider that as a strong influence or not, depending on the rest of the information. I can see here in Akismet's case, they're on version four, seems to be updated and be a mature version of the software. Again, it doesn't mean you shouldn't use it if it's a 1.0, but just illustrative of the maturity of the product.
Last updated date; this is a really big one for me. If this thing says two years ago, that's a big warning sign for me. Generally speaking, you want to see it updated not less than around every six months.
It doesn't necessarily mean the plugin has to be updated. The plugin could work just fine and never be updated, but this is a good sign that the maintainer is either updating the plugin or not, which could have security implications and compatibility implications.
Thomas, I'm curious. I know you're updating plugins based on your roadmap, based on need, but what do you think a good rule of thumb is to look for here on the last updated date?
Thomas: I think a good rule of thumb is anything six months or earlier, particularly if it's a very niche solution. It may be something very specific to your need and not as many people are using it, and in that case it may be six months before it's updated again, but that might just be because it's very specific and it solves a need very well. Then ones that are more ubiquitous, I would look to see them updated a little more frequently.
David: Good tips there. Of course, you can also look at active installations of the plugin. If there was just one active installation, that might be a clue. It's a little early maybe for you to get involved with using it. Whether or not you want to be the second user of that plugin or not, that might work into your considerations.
WordPress version 4.0 or higher. There's not a ton of reasons from my view to keep running a site on an older version of WordPress for a length of time. There are security implications to that. However, the WordPress core team will patch older versions with known vulnerabilities, so it doesn't necessarily mean that you will absolutely be insecure if you're on an older version.
Jonathan, I'm curious from your perspective. I'm sure from time to time you have clients that need to stay on an older version of WordPress, but does that come up a lot or are you able to keep people on the current branch?
Jonathan: I mean, there's not really a good reason to stay on an older version. The Gutenberg update was the biggest one recently that we've had where we had to keep people on a certain version for a bit. Then we had a security update that came out pretty soon after that. We had to make the changes that we had to make on the sites in order to be able to upgrade the core to the most recent version.
David: Yeah. Unless you want to keep up with patches on these older versions...but depending on your platform and your level of sophistication, it's probably not worth the extra effort to try to stay anchored on those older versions.
Speaking of versions, this is another one; “tested up to”. In this case, we see that Akismet was tested up to version 5.3 of WordPress. Again, this is a clue whether the author is maintaining their plugin or not. As people see this, if it's not the most current version of WordPress, they start to wonder if the plugin author's paying attention. That can have implications to the functionality of the plugin and again, potentially the security.
Now, if you don't know what the current version of WordPress is, if you go to wordpress.org/download/releases, it will tell you what the current version of WordPress is.
Jason: Terry Bung once again, he was actually asking how long you should wait for a plugin to be mature and you've answered that by saying if it's very niche, it can be pretty quick with a small number of installations, with relatively few updates. He makes a point where he installed a plugin from Google and it was horrible and points out that even credible companies can make bad plugins.
David: Yeah, that's a really good point. I think as far as, when is it early days? If you're seeing a small number of active installations, I think the first thing I would ask myself is, "Who made it?" The company behind it, the size of the company can be a clue as to whether or not it might be quality, but it is not a guarantee. You're still going to have to test. You're still going to have to ask yourself and run some of these other checks I'll show you in a minute.
Jason: Yeah. Sorry, there's another question also from Terry Bung, who's asking a lot of questions. It's obviously important to investigate these things. Is there any third party that can help you with that?
David: Many hosts will provide a list of plugins that they have vetted and recommend. In WP Engine's case, they have the WP Engine Solution Center. Automattic has a host called WordPress VIP and they also have their own version of vetted plugins. These are areas where people will have gone to great lengths to vet these solutions and you can generally trust those opinions.
Then, of course, there's top 10 lists and things like that which tend, depending on the author, to just be, "I like this plugin or I feel like it does a good job." You want to watch a little bit about how you might follow those recommendations.
WordPress Plugins: The Advanced Stats That Matter
Let's talk about the advanced stats view...basically on the homepage of the plugin, if you click on that advanced view, you'll be taken to a screen that looks like this. There's some tricky ways to interpret this data.
The downloads per day is where a lot of people will focus. Like, "How popular is this plugin?" We can see these great big spikes and you might be thinking, "What happened to that plugin on that day?"
The plugin author released an update. The downloads data represents the amount of times the plugin is downloaded, which includes updates to the plugin. If you're looking at the downloads per day view as a way to gauge popularity, it's not really giving you that, at least when you start looking at the spikes.
Now, the data in between which in this particular graph is mushed down because of the scale, that would be more the normal run rate of people downloading the plugin for the first time. When you see these spikes, it doesn't mean they got really popular one day. It just means, generally, that they released a plugin update on that day.
Plugin stats on active versions is also kind of interesting. This shows you how many people are running the most recent version of a particular plugin. The reason why this might be interesting is because if most people are running old versions of the plugin, that could be a clue that updating to the current version might cause “breaking” changes, and you might have people anchored in older versions because of that reason. This data doesn't clearly tell you that, but it can be a clue that’s the case.
Jonathan, updating plugins is an important part of Click Here Labs' practice. How do y'all approach updating plugins?
Jonathan: We put our clients on a monthly schedule. A lot of times our clients are adding content to the site. We're not part of that process. We have to coordinate.
We're going to do code changes and plugin updates on a certain day every month. We'll, leading up to it, do all the testing, update all the plugins in a staging environment that's not the live environment to make sure that we do that testing to make sure everything ... no updates or breaking anything and everything's working well.
David: In your case, it's a month, but just generally try to keep those plugins up-to-date. The active versions can sometimes be a clue whether there might be breaking changes between one update or another. Then, of course, active install growth is a percentage of the number of active installs relative to the total, so again, take some of this data with a grain of salt. Just because it's going down, doesn't necessarily mean it's a horrible thing.
WordPress Plugin Ratings and Support Tickets
Let's talk about ratings and authenticity. I feel like a lot of people feel like they're pretty strong on figuring out if ratings are real or not. Of course, the first thing you look for is, are there only five-star reviews? Maybe you're the world's best plugin author, but to be real, of course, there's probably not a plugin out there that's worthy of only five-star reviews. Watch for that rating between, five, four, three, two, one.
Then of course, when you look, you can actually see the ratings people left, and so you can start to get a feel of, "What do the one-star ratings usually include? What are they complaining about? Is it something that I might need to worry about?"
Another one is support tickets. In the plugins listing of wordpress.org, you can click on the support tab. It's important to note that the author isn't necessarily obligated to answer the support tickets. They may choose that support is only available through some form of paid service. You can buy support or get a membership package or something that enables you to access support.
Just because they're not answering specific support questions doesn't necessarily mean they're a bad plugin author. What I typically do is look to see if they pay attention to these tickets and if they give some form of response. If someone is saying, "This plugin is materially broken," I'm probably going to want to see some response from the author.
In addition to seeing if they're responsive to those tickets or they're actively participating in their plugin's listing on .org, of course, you can also see if there are common issues. Does it have a conflict with another type of plugin, like WooCommerce or something like that? Do people have common setup issues? Those kinds of things.
Another area that I always go to is the changelog, and you can access that in the development tab on wordpress.org. This is telling me how frequently they're updating the plugin, what features they're adding to it over time. Is the plugin going to get better? This is where I'm trying to see how on top of improving their plugin they are.
The other thing I want to point out here is that security updates are a very good thing when you see them in the changelog. It is quite common when people discover that a plugin has had a vulnerability that they'll say, "I hate this plugin. I'm never going to use it again. I can't believe you had a vulnerability."
I want to do a wake-up call here: modern, widely distributed software will have security vulnerabilities. Your iPhone, your computer, every piece of software in your life, has multiple patches every year that patch vulnerabilities that are discovered.
If you see a vulnerability in a change log or just anywhere about a plugin and the author's patched it, that is a very, very good thing.
Thomas: Yeah. It's unfortunate because like you said, it's just a fact of life. People are building software and people aren't perfect, and there are going to be things that they miss. We hope that anybody that discovers those vulnerabilities disclose them responsibly.
Jonathan: I would say, too, that it may not even be the plugin's fault. Right? There's lots of layers, so the plugin is on top of WordPress, which is on top of PHP. There's so many layers. A vulnerability may be in PHP, it may be in something else, and the plugin is going to have to update it even though it wasn't even something that they did or in their code.
How to Check for WordPress Plugin Vulnerabilities
David: Speaking of plugin vulnerabilities, there's a big number of ways you can check for vulnerabilities in a plugin. The easiest way I found, at least for the point of this presentation, is to check out a site called wpvulndb.com. This is a site that basically chronicles known vulnerabilities in plugins. What you're really looking for here is a vulnerability that wasn't patched.
One cheat here is that if there is a plugin with an unpatched vulnerability in the wpvulndb.com and through other sources, the WordPress core plugin team will ban that plugin from the WordPress repo until they apply the patch. They'll actually disable the listing.
We actually use a variety of methods to try to discover public vulnerabilities. The reason why I keep using that word public is what happens is, a researcher will discover a vulnerability in a plugin and then will do what's called responsible disclosure, meaning that they privately let the author know about the vulnerability, and then the author will release a patch. By the time the world knows about it and bad actors could use that information, there's already a fix in place.
One of the questions asked earlier was, how can I check the quality of a plugin? Or is there a service or company or something that can help me do this? I think this presentation should arm you at least from editing or auditing the wordpress.org listing for the plugin. There is a tool. It's called a linting tool or the WordPress Coding Standards tool that will help you understand if the plugin is coded to WordPress Coding Standards.
You can access it via the GitHub repo that's linked here at the bottom. What this will do is see if the plugin was coded using WordPress Coding Standards. Just because you have a failure and basically an error message in the linting, doesn't mean the plugin is a bad plugin or that it doesn't work. It just means that it wasn't perfectly coded to WordPress Coding Standards.
How do I test a plugin once I picked it? Jonathan pointed out that you definitely want to do this in a staging copy of your site, so no cowboy coding. Don't go install that plugin in production. Do a staging copy.
Your host may have something that makes this easy. At WP Engine, we have all kinds of staging features and local development features, all kinds of ways to do that. The main thing is, don't do it in production.
Then as I mentioned earlier, in addition to testing the plugin itself, run all of your other tests. Check your forums, check your checkout, check any type of functionality or visual testing you might do in addition to testing of the plugin itself.
Then when everything works fine and hopefully you may even have automated tests if you have an advanced development group, but the main thing is, run through all those tests. When they all pass, then go ahead and push it to production. Jason, do we have some questions queued up?
Inactive Plugins and Website Performance
Jason: We do. First of all, I'd like to say that was absolutely brilliant. Thank you very much. Yeah, we did have some questions. One of them from Josh Jaspers, is do inactive plugins impact the site performance at all?
David: I prefer to delete them, but I haven't found that deactivated plugins have a huge performance. What about you, Thomas or Jonathan?
Thomas: The performance impact is immaterial. The only way that you would notice it is, there's an option in the database that determines what plugins are on your site. Then WordPress will loop through those and determine which one is actually active and which should fire load the plugin file. The only way that it does is, it just increases the size of the option. Again, it's immaterial, so to answer the question, no, it doesn't impact your site performance.
Jonathan: In our part, I agree completely with that, but I would say having a lot of inactive plugins in your list just designs to confusion. Right? We've gone into sites where we've gone, "Hey, repair this site or fix it for us." They'll have 12 plugins where they were deciding on one and they just made all the rest inactive. Then when you're going into the code or to the site, you can't figure out which one is actually doing what, so yeah, delete them.
Jason: Yeah. Isn't that a general comment we should be making about WordPress? Spring cleaning is a really good thing to do and we should all, not necessarily in the spring, but once a year or once every six months ...
What would be a good timing to actually go through and look at your site again and figure out what it is you should be getting rid of, what you should be cleaning up? Is it every year? Is it every six months?
Jonathan: Well, it depends on the site for us. If the plugin is doing its job and you have the right plugins installed, then the maintenance part is ongoing. The only time you need to change plugins or add plugins is if you're trying to do something different, you're removing functionality, if there's specific things you're doing on the site. That's when you go back and do this plugin review.
David: I typically will look at when the plugins are updating is a moment where I might do a little spring cleaning because I'm already doing some testing in there. Then certainly when WordPress updates again, you're going back through and making sure that the update to WordPress isn't going to cause issues with your site, which generally doesn't.
Can You Have Too Many WordPress Plugins?
Jason: Okay. That's totally sensible. Another question and this is ... I think the answer's going to be, "It depends." How many plugins is too many?
David: There isn't a number. It depends on what your site's doing, how efficient any particular plugin in your stack is. I don't actually have a magic number. If I see a website with a thousand plugins, I'm going to go ahead and assume that's too many, but I think it really just depends on what the plugins are doing, about whether that's a problem or not.
Thomas: If it's an excessive number, I would be concerned about that simply because it's many more files and potential for things to slow down. We've got sites that have 50, 60 plus plugins and they're fast, and we've got sites that have less than 10 and they're fast. It all depends on the quality of the plugin, how it's built.
The best way to determine how many is too many for you is, like using the WP Engine staging area, do some benchmark performance tests. Understand how fast things are going and then activate a plugin and see how it changes, and it'll be very quick for you to determine which ones are maybe not ideal from a speed perspective or maybe not ideal from a security perspective.
Jonathan: To that point, one bad plugin is one too many.
Jason: The thing about the bad plugin is, I think we all have problems with figuring out which one is causing performance issues. What everyone always tells me is, "Just switch them all off and switch them back on, one by one." Is that the only way to do it?
David: It's the most efficient way to do it in my view. You can also use a product called New Relic, which will give you backend performance relative to the plugins’ usage of server resources. The most efficient way is just to turn them off and on, one at a time and see how it might affect the performance of your site.
Thomas: Again, that's why it's so important to have a staging area where you can do this and you don't have to worry about your live site being impacted.
Jonathan: That's what you have to do when you're updating plugins too unless you're updating one at the time of doing the whole test. When you update plugins, if something goes wrong then you have to go back, un-update everything one by one. Do that to make sure that you figure out what the problem is.
I was going to say backup and restore is your best friend. Right? Make sure that before you start. That's the step you never skip. Even on your own site, anyone's site, you back it up first before you do that.
David: In the WordPress universe, it's open source. You make your own plugins, do whatever you want, choose plugins from the ecosystem. There's a lot of power in that. But of course, that's going to be coupled with some responsibility. There's going to be some responsibility there with making sure that the tools you choose work well in the type of site that you're trying to build.
Jason: We've come to the end of the hour. I thought that was actually brilliant and I think the audience is probably agreeing with me. We had some great questions, a great insight study. That was a brilliant presentation. Thank you very much.
David: Thank you. I really enjoyed chatting with you, Thomas and Jonathan.
Jonathan: Thank you.
David: Bye, everybody.
Thomas: Great. Thank you so much.