WordPress has announced a proposal to take a more proactive approach to third-party plugins in order to improve security and site performance.
Under discussion is a plugin checker that ensures plugins follow best practices.
Third-party plugins are a major source of security vulnerabilities and website performance bottlenecks. The proposal outlines three possible approaches to a plugin checker and solicits feedback on the ideas.
The WordPress proposal defined the problem as:
“Plugins have less infrastructure requirements than themes, but there are some requirements worth checking. Either way, checking security and performance best practices for plugins is just as important as for themes.
However, there is currently no corresponding plugin checker.”
WordPress vulnerabilities and slow performance
The WordPress publishing platform has a reputation for being vulnerable to hackers and slow.
So you might be surprised to learn that WordPress core itself is a very secure platform.
The majority of vulnerabilities affecting the WordPress platform are caused by third-party plugins.
WordPress itself is fairly secure, but third-party plugins have made the platform virtually synonymous with hacked sites.
There is a similar problem with the performance of WordPress sites. The WordPress Performance Team is actively working on improving the performance of WordPress core itself.
WordPress has already created a theme checker that allows theme developers to check the best practices and security of their work. The same theme checker is used in the official WordPress theme repository.
So they want to consider doing the same for plugins.
The goals of the proposed plugin checker were defined as follows:
“I need a WordPress plugin checker tool that analyzes specific WordPress plugins, focuses specifically on security and performance, and reports violations of plugin development best practices with errors or warnings.”
The proposal lists three possible approaches.
- A. Static analysis
This is how themes are checked, but it has limitations, such as not being able to execute code.
- B. Server-side analysis
This approach can run the plugin code as well as perform static analysis.
- C. Client-side analysis
This loads a headless browser (essentially a bot that emulates a browser) and tests the plugin for issues that server-side solutions can’t necessarily detect. The document points out some challenges with this approach, but also lists ways to address them.
The proposal includes a chart with columns for approaches A, B, and C and rows showing the rating assigned to each approach for security and performance issues.
The evaluation found that server-side analysis might be the best approach.
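Approach A in practice, as an added illustration rather than code from the proposal or from WordPress: a toy line-based static checker in Python that scans constructed PHP plugin sources for a handful of common best-practice violations and reports each as an error or a warning, mirroring the proposal's reporting style. The rule set, the sanitization and escaping function names it looks for, and both plugin sources are assumptions chosen for the demonstration.

```python
import re

# Constructed sample plugin sources (toy examples, not real plugins). BAD_PLUGIN
# deliberately violates several WordPress best practices; GOOD_PLUGIN is the
# corrected form and should pass with no findings.
BAD_PLUGIN = r'''<?php
/* Plugin Name: Demo Widget */
function demo_render() {
    $name = $_GET['name'];
    echo "<p>Hello " . $name . "</p>";
    $posts = query_posts('posts_per_page=-1');
    eval($_POST['code']);
}
'''
GOOD_PLUGIN = r'''<?php
/* Plugin Name: Demo Widget */
if ( ! defined( 'ABSPATH' ) ) { exit; }
function demo_render() {
    $name = isset( $_GET['name'] ) ? sanitize_text_field( $_GET['name'] ) : '';
    echo '<p>Hello ' . esc_html( $name ) . '</p>';
    $q = new WP_Query( array( 'posts_per_page' => 10 ) );
}
'''

# (rule id, severity, trigger pattern, exemption pattern, message). The rule
# set is illustrative; severities follow the proposal's error/warning split.
RULES = [
    ("eval", "error", re.compile(r"\beval\s*\("), None,
     "eval() executes arbitrary code"),
    ("raw-superglobal", "error", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\["),
     re.compile(r"\b(sanitize_\w+|absint|intval)\s*\("),
     "request input used without a sanitize_* function on the same line"),
    ("unescaped-echo", "warning", re.compile(r"\becho\b"),
     re.compile(r"\besc_(html|attr|url|js|textarea)\s*\("),
     "echo without an esc_* escaping function"),
    ("query_posts", "warning", re.compile(r"\bquery_posts\s*\("), None,
     "query_posts() clobbers the main query; use WP_Query (performance)"),
]

def check_plugin(source):
    """Line-based static scan. Returns (line, severity, rule_id, message) tuples."""
    findings = []
    if not re.search(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)", source):
        findings.append((1, "error", "no-abspath-guard",
                         "missing defined('ABSPATH') guard against direct access"))
    for n, line in enumerate(source.splitlines(), 1):
        for rule_id, severity, trigger, exempt, msg in RULES:
            if trigger.search(line) and not (exempt and exempt.search(line)):
                findings.append((n, severity, rule_id, msg))
    return findings

def count_by_severity(findings):
    """Return (errors, warnings) for a findings list."""
    errors = sum(1 for f in findings if f[1] == "error")
    return errors, len(findings) - errors
```

A production checker works on a parsed token stream rather than regexes over single lines, so this toy misses multi-line cases and can produce false positives; it only shows the shape of the error/warning reporting the proposal describes.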
Plugin best practices
The WordPress Performance Team has not committed to creating a plugin checker. It is only a proposal, and just a starting point.
Still, it’s a good idea to review security and performance best practices for third-party plugins as they benefit WordPress users and site visitors.
Read the Performance Team meeting summary, which links to the proposal:
WordPress Performance Team Meeting Recap
Read the plugin checker proposal:
Proposal: WordPress Plugin Checker (Google Docs)
Featured Image: Mr.Exen/Shutterstock