One of the reasons WordPress is so popular among marketing teams is its extensibility using plugins.
Need to create a survey? Install a plugin.
Need to export form entries to Google Sheets? Install a plugin.
Need to show GDPR or CCPA notices? Install a plugin.
The concept of not having to rely on IT to be able to do your job is fascinating. No wonder the plugin directory on WordPress.org now has 55,000+ plugins.
While plugins provide the freedom to extend WordPress and the ability to move fast, they also introduce potential risks to a high traffic WordPress site.
Mandatory car analogy.
Imagine driving a VW Beetle. It’s a fun car that can be modified heavily without affecting the handling, performance, and safety. You can install a spoiler or a drag-wing kit without worrying about stability. Going mountain biking? You can install a bike rack on the roof without giving it a second thought.
Now imagine driving a Ferrari. If you add a bike rack to a Ferrari, it doesn’t go so well. Even replacing the tires with a different make heavily affects the handling and stability.
Your high traffic WordPress site is like the Ferrari. Any plugins you install on it create liability and affect site speed, security, and availability.
Plugins potentially introduce two significant risks to any site:
- Security risk: Plugins (even premium plugins) inadvertently let attackers bypass authentication from time to time. Some free plugins get bought by malicious companies that then inject code or links into your site.
- Performance overhead: Plugins that overuse admin-ajax functionality, create new sessions, override cache-control headers, or access the database inefficiently create performance overhead. Poorly coded plugins can even crash an otherwise fast site under heavy traffic.
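To make the two risks concrete, here is an added example (not code from the original post or from any real plugin): a hypothetical "regional notice" plugin written twice. Version A shows the patterns just listed, a hardcoded secret, a session started for every visitor, a site-wide cache-control override, and an anonymous admin-ajax handler that interpolates request input into SQL. Version B delivers the same feature without them. The table name `vn_notices`, the `vn/v1` REST namespace and the `VN_API_KEY` setting are assumptions made for this illustration.

```php
<?php
/*
 * Added example; not code from the original post or from any real plugin.
 * Version A: the patterns a reviewer should flag. Version B: same feature,
 * cache-friendly and injection-safe. Table vn_notices, namespace vn/v1 and
 * the VN_API_KEY setting are assumptions for this illustration.
 */

/* ---------- Version A: what a reviewer should flag ---------- */

// Hardcoded secret in the plugin file: ships to every install and every backup.
define( 'VN_API_KEY_BAD', 'sk_live_PLACEHOLDER' );

add_action( 'init', function () {
    // A PHP session for every visitor. Most page caches stop caching as soon
    // as a session cookie is present, so anonymous traffic hits PHP directly.
    if ( PHP_SESSION_NONE === session_status() ) {
        session_start();
    }
} );

add_action( 'send_headers', function () {
    // Overrides Cache-Control for every response, not just the ones that need
    // it, which disables the CDN/reverse-proxy cache site-wide.
    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
} );

// Anonymous admin-ajax endpoint: admin-ajax.php responses are never cached,
// and the request parameter is interpolated straight into SQL (injectable).
add_action( 'wp_ajax_nopriv_vn_notice', function () {
    global $wpdb;
    $region = $_GET['region'];
    $text   = $wpdb->get_var( "SELECT text FROM {$wpdb->prefix}vn_notices WHERE region = '$region'" );
    wp_send_json( array( 'text' => $text ) );
} );

/* ---------- Version B: same feature, cache-friendly and injection-safe ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'vn/v1', '/notice', array(
        'methods'             => 'GET',
        'callback'            => 'vn_notice_response',
        'permission_callback' => '__return_true', // public, read-only data
        'args'                => array(
            'region' => array(
                'default'           => 'default',
                'sanitize_callback' => 'sanitize_key', // input validated before use
            ),
        ),
    ) );
} );

function vn_notice_text( $region ) {
    global $wpdb;

    // One query per region per five minutes regardless of traffic: the transient
    // lives in the object cache (or the options table as a fallback).
    $cache_key = 'vn_notice_' . $region;
    $text      = get_transient( $cache_key );
    if ( false === $text ) {
        $text = (string) $wpdb->get_var(
            $wpdb->prepare(
                "SELECT text FROM {$wpdb->prefix}vn_notices WHERE region = %s",
                $region
            )
        );
        set_transient( $cache_key, $text, 5 * MINUTE_IN_SECONDS );
    }
    return $text;
}

function vn_notice_response( WP_REST_Request $request ) {
    // The secret for the (not shown) external service call is read from
    // wp-config.php or the environment, never written into the plugin file.
    $api_key = defined( 'VN_API_KEY' ) ? VN_API_KEY : (string) getenv( 'VN_API_KEY' );

    $response = new WP_REST_Response( array( 'text' => vn_notice_text( $request['region'] ) ) );
    // Cache headers only on this endpoint. No session is started anywhere, so
    // ordinary page views stay fully cacheable for non-logged-in users.
    $response->header( 'Cache-Control', 'public, max-age=300' );
    return $response;
}
```

The point of version B is that the expensive work (the database lookup) is done once per cache window, the only cache header it touches is its own, and the request parameter goes through `sanitize_key` and `$wpdb->prepare` before it reaches SQL. For anonymous requests the REST API does not add no-cache headers, so an edge cache can serve the endpoint.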
So should you avoid installing any plugins on your site?
Of course not! Plugins are one of the primary reasons to use WordPress.
Here’s what you should do when installing new plugins on your high traffic WordPress site:
- Stick to trusted sources when downloading a new plugin. Avoid plugins distributed through GPL clubs, Facebook groups, and forums.
- Check the vendor’s track record, support history, and notable clients. You can look up the plugin at wpvulndb.com for any security incidents, past or present.
- Check if the vendor supports Nginx. An alarming number of plugins are only tested on Apache httpd and need .htaccess support to function. These plugins either break completely on Nginx or reduce the cache hit rate even for non-logged-in users.
- If you have the resources, do a quick code overview before installing the plugin. Look for any hardcoded variables, static SQL queries, and session/header manipulation.
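The code overview in the last item can be started with a simple pattern scan. The script below is an added example (not from the original post and not an official WordPress tool): it walks a plugin's PHP and JS files looking for hardcoded secrets, SQL built by string interpolation, session and cache-header manipulation, admin-ajax usage, and .htaccess dependence. Run it as `php review.php /path/to/plugin`; with no argument it scans a constructed sample file so the output can be checked. Every pattern is a heuristic that tells the reviewer where to read more closely, not proof of a vulnerability, and the sample plugin content is invented for this illustration.

```php
<?php
/*
 * Added example; not from the original post and not an official WordPress tool.
 * First-pass review of a plugin directory for the checklist items: hardcoded
 * secrets, interpolated SQL, session/header manipulation, admin-ajax usage and
 * .htaccess dependence. Usage: php review.php /path/to/plugin
 * (no argument: scans a constructed sample file). Heuristics only.
 */

const REVIEW_CHECKS = array(
    'hardcoded secret'      => '/(api[_-]?key|secret|password|token)\w*[\'"]?\s*[=:,]\s*[\'"][^\'"]{8,}[\'"]/i',
    'interpolated SQL'      => '/\$wpdb->(query|get_var|get_row|get_results|get_col)\s*\(\s*["\'].*\$/',
    'session started'       => '/\bsession_start\s*\(/',
    'cache header override' => '/\bheader\s*\(\s*[\'"](Cache-Control|Expires|Pragma)/i',
    'nocache helper'        => '/\b(nocache_headers|send_nocache_headers)\s*\(/',
    'admin-ajax request'    => '/admin-ajax\.php/',
    '.htaccess dependence'  => '/\.htaccess|\binsert_with_markers\s*\(/',
);

/** Scan one file; returns a list of [line number, check name, trimmed source line]. */
function review_file( string $path ): array {
    $findings = array();
    foreach ( file( $path, FILE_IGNORE_NEW_LINES ) as $i => $line ) {
        foreach ( REVIEW_CHECKS as $name => $pattern ) {
            if ( preg_match( $pattern, $line ) ) {
                $findings[] = array( $i + 1, $name, trim( $line ) );
            }
        }
    }
    return $findings;
}

/** Scan every .php and .js file below $dir; returns [relative path => findings]. */
function review_dir( string $dir ): array {
    $dir    = rtrim( $dir, '/' );
    $report = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! in_array( $file->getExtension(), array( 'php', 'js' ), true ) ) {
            continue;
        }
        $findings = review_file( $file->getPathname() );
        if ( $findings ) {
            $report[ substr( $file->getPathname(), strlen( $dir ) + 1 ) ] = $findings;
        }
    }
    return $report;
}

// Constructed sample plugin file, used when no directory is given. The sixth
// line is a correctly prepared query and should produce no finding.
const SAMPLE_PLUGIN = <<<'PHP'
<?php
define( 'VN_API_KEY', 'sk_live_PLACEHOLDER_1234' );
add_action( 'init', function () { session_start(); } );
add_action( 'send_headers', function () { header( 'Cache-Control: no-store' ); } );
$rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}vn_notices WHERE region = '$region'" );
$safe = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}vn_notices WHERE region = %s", $region ) );
insert_with_markers( ABSPATH . '.htaccess', 'VN', array( 'RewriteRule ^notice/ index.php [L]' ) );
PHP;

$target = $argv[1] ?? null;
if ( null === $target ) {
    $target = sys_get_temp_dir() . '/vn-review-' . getmypid();
    mkdir( $target );
    file_put_contents( $target . '/vn-plugin.php', SAMPLE_PLUGIN );
}

foreach ( review_dir( $target ) as $file => $findings ) {
    echo $file, PHP_EOL;
    foreach ( $findings as [ $line, $check, $src ] ) {
        printf( "  line %3d  %-22s %s\n", $line, $check, $src );
    }
}
```

Each hit is a place to open the file and read the surrounding code: an interpolated query is only a problem if one of the variables is user-controlled, and a `header('Cache-Control: ...')` call is fine on a single uncacheable endpoint but not on a hook that fires for every page view. Treat a plugin that trips the .htaccess or session checks as a candidate for the Nginx and cache-hit-rate tests described above before it goes anywhere near production.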
Apart from these measures, standard deployment best practices like testing in staging first also help you stay on top of any potential issues.