Wordpress - Are Wordpress Plugins essential?

## Plugin Necessity

What the necessity of plugins really boils down to is the question, "Am I satisfied that WordPress's core functionality is all that I need?"

If all you want is a simple blog with some categories and a number of static pages, you're set. But if you want to start integrating interactive maps, calendars with events, maybe a 3rd-party REST API, force users to use strong passwords, or even turn the site into a social network, then you need plugins. Grant Palin's answer provides more insight into why one might desire plugins. Dan Gayle's answer points out that many themes provide all sorts of plugin functionality without explicitly using WordPress plugins.



## Core Security

The WordPress core itself is considerably secure, and the core developer community does a respectable job isolating and patching security vulnerabilities as soon as they are identified - one of the benefits of having hundreds of millions of users and an average of around 200 core contributors per release. And the risk that used to be present for the duration between the identification of a vulnerability and the release of its fix is quickly being eliminated with the addition of Automatic Core Updates.

[Image: excerpt from a Pagely WordPress security infographic (fair amount of solid info)]

Yes, WordPress has inherent security vulnerabilities. But so do Drupal, CakePHP, Ruby on Rails, Symfony, Zend, etc. There is no platform or system that I would use without implementing additional security precautions in addition to those already provided by the platform. I think it is simply a bad idea to rely on the CMS or framework alone for the front-line security of any website, especially any framework with notable adoption rates.



## Plugin Security

Plugins are not definitively insecure. The problem is that plugins are not vetted to ensure that their authors followed good security practices. WordPress has set forth a number of standards that authors should follow, but many plugins are authored by novices or others who ignore the standards. But as with all code-bases in existence, the more code you add to a system, the greater the likelihood of introducing bugs and vulnerabilities. The more plugins you add to your installation, the greater the risk you tend to take. By the same means, know that WordPress themes present an equally malicious threat - particularly the slews of "free themes" available from obscure theme-sites, many of which attempt to directly exploit your site rather than innocently exposing security vulnerabilities through ignorance or accident. Only obtain themes and plugins from trusted sources and credible authors.

A rule of thumb is to not install plugins from widely unknown authors or plugins that are relatively new on the scene. If you can, take the time to establish the author's credibility. Ideally, learn the factors that go into a well-secured plugin (numbers-used-once [a.k.a. "nonces"] for request and URL authentication, input sanitization, output escaping, prevention of direct access to plugin files, proper access of the database through WordPress methods and functions, the absence of errors and deprecation notices when debugging is enabled [refrain from enabling it in production environments], etc.) and vet every plugin you install yourself. There is no substitute for understanding what goes into a secure plugin script, nor any better defense from crappy plugins.

If the thought of insecure plugins and themes frightens you or you are not familiar with or seeking to become familiar with PHP, you may find the services of WordPress.com to be more your cup of tea as they assume responsibility for vetting plugins and themes and only allow those determined to be secure to be installed on users' sites. You may still use a custom domain with WordPress.com if desired.



## Back it Up

Some hosts provide such services, others don't. Just as I don't trust the security of any platform to stand on its own, I don't trust any host to take care of my backups. Rather, I prefer to have my backups pile up in my Dropbox and sync to different servers so that I can be confident that I always have direct access to my backups, with copies on several different systems. If my host goes down or is bought out by a larger company or some other hosting misfortune occurs, my sites are a few clicks away without even the risk of having to deal with my host's support.



## Final Notes

You should read the codex entry on Hardening WordPress for more security advice. If you don't think that you should need many plugins or any obscure plugins in the future, it may well be wiser to have WordPress.com or an alternate managed WordPress hosting provider such as Pagely host your blog.

Regardless of the new "Automatic Core Updates" feature of WordPress, you should still strive to manually ensure that your installation and all of your plugins and themes are up to date. Some might think it excessive, but I like to enable debugging after an update and ensure that no plugins or themes have lost compatibility (a stream of errors and deprecation notices is a strong symptom of this). If they have, I disable them until their authors update them, or make the necessary changes myself to hold me over until they release an official update. Note that you should either take your website offline or run an offline development copy of your website before you enable debugging to troubleshoot anything.

I am not sure as to the prevalence of the AdSense click-bombing practice, but a WordPress plugin offering to mitigate the effects of such click-bombs is offering you an additional layer of security in addition to whatever precautions Google has in place. Websites not running WordPress face the exact same threat regarding click-bombing, and either must implement protection by other means or survive without it.


## Additional Resources

  • Codex: Writing a Plugin

A functionally-focused introduction to plugin authoring with a few security tips intermixed. In particular, pay attention to the Plugin Development Suggestions section near the bottom of the page.

  • Codex: Validating Sanitizing and Escaping User Data

A brief introduction to these concepts and why they matter.

  • Codex: Security FAQ

  • Handbook: PHP Coding Standards

A syntactically-focused standard for PHP code in WordPress with a few security tips intermixed.

  • Handbook: PHP Inline Documentation Standards

I would absolutely love to tell you to never install a plugin that neglects in-line documentation, but in reality even good developers don't always do this. Nonetheless, hearty in-line documentation complete with PHPDoc tags is a good indication that the author has some idea of what they're doing.

  • WPSE: "What Are Security Best Practices for WordPress Plugins and Themes?"

The answers to this question provide a few additional points that aren't listed in other resources. Note that this question is locked and will not be updated to reflect new developments.

  • WPSE: "In Which Contexts are Plugins Responsible for Data Validation/Sanitization?"

In a nutshell, "When do I need to secure my data and when do the core functions handle it for me?"

  • WPSE: "Who are the most trusted plugin developers?"

A small list of some of the most trusted and renowned names in WordPress plugin development. Certainly not exhaustive by any means, but a good starting place for a few quick "sure bets." Note that this question is locked and will not be updated to reflect new developments.

  • WPSE: "How can I establish the credibility of a theme/plugin author?"

Authored based on this very question regarding the necessity of plugins, hopefully this question will yield a general process for selecting trustworthy theme/plugin authors.

  • "The Dangers of WordPress Plugins Ignorance (And What To Do About It)" - Tom Ewer

A solid non-technical overview regarding the dangers of plugins.

  • "Developing for WordPress? Keep your shit secure" - Mike Jolley

An excellent brief technical overview of best-practices for secure plugin development. Note that the infographic from wptemplate.com linked in the article contains some additional good tips for WordPress security as a whole, but is compiled rather poorly and authored in broken English.

  • "7 Simple Rules: WordPress Plugin Development Best Practices" - WP Tuts+

The articles on Tuts+ are typically accurate and of considerable quality.

  • "WordPress Security – Cutting Through The BS" - Tony Perez

An excellent technical overview of WordPress security vulnerabilities and precautions based on Perez's Chicago 2012 WordCamp presentation.
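As an added illustration of the checklist from the Plugin Security section above (direct-access guard, nonce verification, capability check, input sanitization, output escaping, and database access through WordPress's own API), here is a minimal plugin file. It is not code from this answer or from any published plugin; the `sne_` prefix and the `sne_notes` table are assumed.

```php
<?php
// Illustrative plugin file (sne_ prefix is assumed); not a published plugin.

// Stop direct requests to this file; only WordPress itself may load it.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Form output: wp_nonce_field() embeds a nonce so the handler can tell
// a deliberate submission from a forged cross-site request.
function sne_render_form() {
	$out  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	$out .= wp_nonce_field( 'sne_save_note', 'sne_nonce', true, false );
	$out .= '<input type="hidden" name="action" value="sne_save_note">';
	$out .= '<input type="text" name="sne_note"><button type="submit">Save</button></form>';
	return $out;
}
add_shortcode( 'sne_note_form', 'sne_render_form' );

// POST handler: verify the nonce, check the capability, sanitize the input,
// and write through $wpdb->insert() so WordPress escapes the values, not hand-built SQL.
function sne_handle_save() {
	global $wpdb;
	if ( ! isset( $_POST['sne_nonce'] ) || ! wp_verify_nonce( $_POST['sne_nonce'], 'sne_save_note' ) ) {
		wp_die( 'Invalid request.' );
	}
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	$note = sanitize_text_field( wp_unslash( $_POST['sne_note'] ?? '' ) );
	// Assumed table {$wpdb->prefix}sne_notes(id, user_id, note), created on activation.
	$wpdb->insert(
		$wpdb->prefix . 'sne_notes',
		array( 'user_id' => get_current_user_id(), 'note' => $note ),
		array( '%d', '%s' )
	);
	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
	exit;
}
add_action( 'admin_post_sne_save_note', 'sne_handle_save' );

// Output: escape at render time even though the value was sanitized on the way in;
// reads go through $wpdb->prepare() with a placeholder rather than string concatenation.
function sne_show_last_note() {
	global $wpdb;
	$sql  = "SELECT note FROM {$wpdb->prefix}sne_notes WHERE user_id = %d ORDER BY id DESC LIMIT 1";
	$last = $wpdb->get_var( $wpdb->prepare( $sql, get_current_user_id() ) );
	return '<p>' . esc_html( (string) $last ) . '</p>';
}
add_shortcode( 'sne_last_note', 'sne_show_last_note' );
```

With WP_DEBUG enabled on a development copy, a file like this should produce no notices; a stream of them from a third-party plugin is the symptom the Final Notes section describes.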


Simply put - WordPress does what it does out of the box, without plugins required.

However! Different people have different ideas about what else should it do. Some of those ideas are sound. Some are completely bonkers.

Specifically on your examples:

  • WP (or more precisely the current stable version of it for the moment) is secure; many security plugins focus on auditing (things like other plugins' code) and proactive monitoring (nothing is really absolutely secure).

  • many people (me included) don't trust a third party to handle backups. There are many horror stories around how trusting hosts with backups led to rather sad results, and unless you can personally monitor, access, and verify backups that the host is [supposedly] taking, it's safer to treat them like they don't exist.


WordPress is quite functional on its own. If your needs are straightforward, or you know how to add custom functionality, there's generally no need for plugins. However, there are advantages to the plugin model, some of which I'll enumerate:

  • modular, plug and play (mostly) functionality
  • encapsulate specialized functionality
  • avoid reinventing the wheel
  • benefit from experienced plugin authors' work

Referring to the second-to-last point, if there's certain functionality you want to add, odds are good that it has been implemented in plugin form already. It's not wrong to benefit from work that has already been done.

Per the final point, numerous plugins available are the result of developers' hours and experience. Such plugins tend to be well-built and well-supported, and have the reputation to go with it. Look at Pippin Williamson, Scott Kingsley Clark, and Alex King, to name only a few. They not only have technical skills, they have credibility. This is a tremendous benefit of certain third-party plugins.

In the case of backups, I'd be reluctant to trust web hosts with something so important, especially if backups are kept on the same server or within the same network. A third-party plugin or DIY approach provides you more control, as well as usually storing backups in a very separate location from the website.

Security plugins are not strictly necessary, if one has the know-how to handle security arrangements themselves. Some such plugins, such as Better WP Security, simplify the handling of file permissions, .htaccess directives, and the like. Others such as WordFence provide monitoring services, while Limit Login Attempts provides some protection for the site backend.

If you're worried about plugin quality, it can be a hit or miss affair. Those on the WordPress plugin repo I think undergo at least some vetting by the people behind WordPress, but quality or value is quite variable - and heavily depends on your needs and abilities. If a plugin is well-reviewed, has active support, and comes from a well-known author or team, you are likely in good hands.