January 23, 2008

WordPress Plugins should be Regulated

As someone who maintains hundreds of WordPress blogs for myself, friends, and clients, the number 1 problem that I’ve always encountered, and that has given me tons of headaches and sleepless nights, is WP plugins.

Hundreds of plugins, dozens of WP versions and varying webhost/server environments can give you thousands of possible ways to screw up your blog and your web host. Add to that the fact that these WP plugins are always in development, with newer bug fixes or compatibility updates being released constantly, and one can only imagine how much of a headache this is.

Here are a few of the weird things and problems I’ve encountered:

  • Poor coding and half-baked plugins can strain the server, especially if a plugin makes multiple MySQL requests for every page load.
  • Plugins requiring you to make files/folders writable — prone to hacks!
  • Plugins that modify or extend default WP tables — you’re likely to screw a new WP upgrade that modifies these tables.
  • Plugins that eat a ton of database space — I’ve seen the WP-Shortstats plugin raking in 500MB of DB space.
  • Plugins that are not compatible or don’t work well with other plugins.
  • Plugins with similar names that are actually developed by different developers.
  • Plugins that have not been updated for a long time and no longer work well with newer versions of WP.
  • Plugins that are created by malicious people trying to get backdoor access to your account/blog.
  • The number of installed plugins just grows and grows, to the point that running all of them could be like running 100 plugin-free blogs.

Just look at the official WP forums and all you’ll read about are problems related to plugins. It’s nice though that the recent version of WP has that nice “plugin update alert” for latest versions.

Installing a plugin on a WordPress blog is so easy that anybody who knows FTP can install anything they like. However, that also leaves a lot of doors wide open to tragedy.

First, most bloggers don’t really know the inner workings of WP, much less PHP or MySQL. They’re not familiar with phpMyAdmin, which comes with their control panel. Half the time, problems are caused by bloated DB tables.

Second, there’s an activate/deactivate option inside WP Admin, but the deactivate option does not actually uninstall the plugin. Deactivating a plugin does not really excuse it from being the culprit. Plugins should have uninstall options. Some are really hard to uninstall manually, like WP Cache and its variants.

Lastly, there’s no quality control. If Matt was kind enough to weed out sponsored themes from their Themes DB, I guess he can do the same with plugins.

What I meant by regulating the plugins is adding a stamp of approval for “quality-coded” plugins. At least, bloggers will know what they’re getting into when they install their next plugin.

P.S. You can Digg this post to get more attention from the WP development community and Automattic.


12 Responses to “WordPress Plugins should be Regulated”

  1. sylv3rblade says:

    Hmm.. adapting Expression Engine’s attitude on addons/plugins would be nice.

  2. LiNTEK says:

    Hmmnnn…. WP should be the QA for these plugins, review bugs, check for vulnerabilities and have them fixed. Once tested and certified OK, only then should users like us download the plugins and use them for our blogs.

    :D

  3. rod says:

    some of them are not even protecting their plugins folder

  4. deuts says:

    Yeah and before Automattic certifies the plugin, it should be a must that it should indicate at which WP version it is compatible, or better yet provide different plugin versions for different WP versions. :D

  5. Christian says:

    Exactly, I once built a site based on a plugin that eventually became obsolete once a new WP version came out. Lesson learned, don’t build a site based on a plugin unless it’s “big” & supported like PodPress.

  6. Jaypee says:

    I was also thinking of writing something like this but I’m glad you did it. You’re right about this. WP should do something like Firefox does to its extensions or addons. When you install a Firefox extension you get that message telling if the extension is certified by Mozilla or not. I really think this should be done to eliminate plugins with malicious code and to prevent further or future problems. Good post Abe! :)

  7. I’m not familiar with Expression Engine but I guess they should check out what the Drupal community is doing. Even the code of submitted Drupal plugins is audited to make sure that it follows secure coding guidelines and it won’t break Drupal.

  8. jhay says:

    This is a good start of something definitely positive in the WP community. Perhaps we should all blog about this as well. Like a campaign or something similar to the call for adhering to web standards.

    Oh wait, there goes an idea for a niche blog! :P

  9. Ian says:

    Isn’t being hosted in wordpress.org/extend already a form of imprimatur that, yes, WordPress recommends this plugin?

    Looking at the conditions for being hosted there — it has to be GPL, it must not do anything “naughty” — WordPress core developers could probably raise the bar (yes, something akin to Mozilla QA sounds nice).

    But in the end, since it’s open source, why not let the community decide (you know, lots of eyeballs on the code)?

  10. yuga says:

    @ Ian, it’s a start but it looks like the review is community driven and I don’t think the community is looking at it on the code-level but on the functionality level. So a plugin may get a 5-star rating because from the onset it works as intended, even if it’s poorly coded.

  11. That’s what we get for free.

  12. Excellent post Abe. When it’s free, you don’t get it all in one package.
