WordPress has announced a proposal to take a more proactive approach to third-party plugins to improve security and site performance.
What’s being discussed is a plugin checker that will ensure plugins follow best practices.
Third-party plugins are a major source of security breaches and website performance bottlenecks. The proposal outlines three ways to approach the plugin checker and solicits feedback on the idea.
The WordPress proposal defines the problem:
“While plugins have fewer infrastructure requirements than themes, there are definitely some requirements worth verifying, and in any case, checking for security and performance best practices in plugins is just as important as in themes.
However, as of today, there is no corresponding plugin checker.”
WordPress bugs and poor performance
The WordPress publishing platform has a reputation for being slow and vulnerable to hacking.
So it might be surprising to learn that WordPress core itself is a highly secure platform.
Most vulnerabilities affecting the WordPress platform are caused by third-party plugins.
Although WordPress itself is fairly secure, third-party plugins have caused WordPress to become virtually synonymous with hacked websites.
Similar issues exist with WordPress site performance. The WordPress performance team is actively working on improving the performance of the WordPress core itself.
But this effort can be undermined by third-party plugins that load JavaScript and CSS on pages that don’t need them, or that fail to lazy-load images, ultimately slowing down site performance.
Plugin Checker
WordPress has created a theme checker that allows theme developers to check their work for best practices and security. The official WordPress theme repository also uses the same theme checker.
So now they want to explore doing the same for plugins.
This is how the proposed plugin checker goal is defined:
“There should be a WordPress plugin checking tool that analyzes a given WordPress plugin and flags any violations of plugin development best practices with errors or warnings, with a special focus on security and performance.”
The proposal lists three possible approaches:
- A. Static Analysis
This is how themes are checked, but it has some limitations, such as not being able to run code.
- B. Server-Side Analysis
This method allows plugin code to run and also performs static analysis.
- C. Client Analysis
This loads a headless browser (essentially a bot that emulates a browser) and then tests the plugin for issues that a server-side solution might not necessarily detect. The document identifies some challenges with this approach, but also lists ways to address them.
The proposal has a chart with columns for methods A, B, and C, and rows corresponding to the ratings assigned to each method for security and performance issues.
The evaluation found that server-side analysis may be the best approach.
Best Practices for Plugins
The WordPress performance team is not working on creating a plugin checker; this is only a suggestion and a starting point.
Still, it’s a good idea to check third-party plugins for security and performance best practices, as it will benefit WordPress users and website visitors.
Citation
Summary of performance team meeting with link to proposal
WordPress Performance Team Meeting Summary
Read the plugin checker proposal
Recommendation: WordPress Plugin Checker (Google Docs)
Featured image: Mr. Exen/Shutterstock



