WordPress Proposal to Improve Plugin Security and Performance

WordPress has announced a proposal to take a more proactive approach to third-party plugins to improve site security and performance.

What is being discussed is a plugin checker that will make sure plugins follow best practices.

Third-party plugins are a major source of security vulnerabilities and website performance bottlenecks. The proposal outlines three ways to approach a plugin checker and invites feedback on the idea.

The WordPress proposal defined the problem:

“While there are fewer infrastructure requirements for plugins than for themes, there are definitely some requirements worth checking out, and in any case, checking security best practices and performance in plugins would be just as essential as in themes.

However, to date there is no corresponding plugin checker.

WordPress vulnerabilities and poor performance

The WordPress publishing platform has a reputation for being vulnerable to hackers and slow.

So it may come as a surprise to learn that WordPress core itself is a highly secure platform.

The majority of vulnerabilities affecting the WordPress platform are due to third-party plugins.

Even though WordPress itself is reasonably safe, third-party plugins have made WordPress virtually synonymous with hacked sites.

There is also a similar issue when it comes to WordPress site performance. A WordPress performance team is actively working on improving the performance of the WordPress core itself.

But this effort can be compromised by third-party plugins that load JavaScript and CSS on pages where they are not needed or fail to load images lazily, which ultimately slows down website performance.

Plugin Checker

WordPress already produces a theme checker that allows theme developers to check their work for best practices and security. The same theme checker is also used on the official WordPress theme repository.

So now they want to explore the same for plugins.

This is how the purpose of the proposed plugin checker was defined:

“There should be a WordPress plugin checker tool that analyzes a given WordPress plugin and flags any violations of plugin development best practices with errors or warnings, with a particular focus on security and performance.”

The proposal lists three possible approaches:

  • A. Static analysis
    This is how themes are verified, but there are limitations, such as not being able to run the code.
  • B. Server-side analysis
    This method allows the plugin code to run and static analysis can also be performed.
  • C. Client-side analysis
    This loads a headless browser (essentially a bot that emulates a browser) and then tests the plugin for issues that can’t necessarily be caught with a server-side solution. The paper notes some challenges to this approach, but also lists ways around them.

The proposal has a graph with columns for approaches A, B, and C and rows corresponding to the ratings given to each approach for security and performance issues.

The assessment concludes that server-side analysis may be the optimal approach.

Best Practices for Plugins

The WordPress Performance Team is not committed to creating a plugin checker, it’s just a proposal. This is just the starting point.

Nonetheless, checking third-party plugins for security and performance best practices is a good idea as it will benefit both WordPress users and site visitors.


Summary of performance team meeting with link to proposal

WordPress Performance Team Meeting Summary

Read the plugin checker proposal

Proposal: WordPress Plugin Checker (Google Docs)

Featured Image: Mr.Exen/Shutterstock

Comments are closed.