WordPress Proposal To Improve Security & Performance of Plugins

WordPress announced a proposal to take a more proactive approach toward third-party plugins to improve security and site performance.

What is being discussed is a plugin checker that will ensure that plugins are following best practices.

Third-party plugins are a major source of security vulnerabilities and website performance bottlenecks. The proposal outlines three ways to deal with the plugin checker and solicit feedback on the idea.

The WordPress proposal defined the problem:

“While there are fewer infrastructure requirements for plugins than for themes, there are certainly some requirements that are verifiable, and in any case, checking against security and performance best practices in plugins will be as essential as is in the theme.

However, as of today, there is no related plugin checker. ,

WordPress vulnerabilities and poor performance

The WordPress publishing platform has got a reputation for being vulnerable to hackers and for being slow.

So it may come as a surprise to learn that WordPress core itself is a highly secure platform.

Most of the vulnerabilities affecting the WordPress platform are caused by third party plugins.

Even though WordPress itself is quite secure, third party plugins have made WordPress synonymous with hacked sites.

There is a similar problem regarding the performance of the WordPress site. A WordPress performance team actively works on improving the performance of WordPress core.

But that effort could be undermined by third-party plugins that load JavaScript and CSS on pages where they are not needed or lazy-load images, which slows down website performance.

plugin checker

WordPress already comes with a theme checker that allows theme developers to check their work for best practices and security. The same theme checker is also used on the official WordPress theme repository.

So now they want to do the same thing for plugins.

This is how the target of the proposed plugin checker was defined:

“A must-have WordPress plugin checker tool that analyzes a given WordPress plugin and violates plugin development best practices with errors or warnings, with a particular focus on security and performance.”

The proposal lists three possible approaches:

  • A. Static Analysis
    Subjects are checked this way, but there are some limitations, such as not being able to run the code.
  • B. Server-Side Analysis
    This method allows the plugin code to run and a static analysis can also be completed.
  • C. Client-Side Analysis
    It loads a headless browser (essentially a bot that emulates a browser) and then tests the plugin for issues that can’t necessarily be detected with a server-side solution. The document notes some challenges to this approach but also lists ways around them.

The proposal features a graph with columns for approaches A, B and C and rows corresponding to ratings assigned to each approach for safety and performance issues.

The evaluation suggests that server-side analysis may be the optimal approach.

Best practices for plugins

The WordPress Performance Team is not committed to making Plugin Checker, it’s just an offer. This is just the starting point.

Nevertheless, it is a good idea to check third party plugins for security and performance best practices as it will benefit WordPress users and site visitors.


Performance team meeting summary with link to proposal

WordPress Performance Team Meeting Summary

Read the Plugin Tester Proposal

Offer: WordPress Plugin Checker (Google Docs)

Featured Image: Mr/Shutterstock

Source link

Leave a Comment