Saturday, May 18, 2024

WordPress Suggestion To Enhance Plugin Security & Performance

A proposal from WordPress aims to enhance the functionality and security of third-party plugins.

WordPress revealed plans to improve site performance and security by being more proactive with third-party plugins.

A plugin checker that verifies that plugins adhere to best practices is being discussed.

Website performance snags and security flaws are often caused by third-party plugins. The proposal asks for comments on the concept and presents three approaches to developing a plugin checker.

The issue was outlined in the WordPress proposal:

Although there aren’t as many infrastructure requirements for plugins as there are for themes, there are still some requirements that should be confirmed. In any case, it would be equally important to check for security and performance best practices in plugins as it is in themes.

But there isn’t a corresponding plugin checker as of yet.

WordPress Security Flaws and Subpar Operation

The WordPress publishing platform has a reputation for being sluggish and susceptible to hackers.

It might therefore come as a surprise to hear that the WordPress core is a very secure platform.

Third-party plugins are primarily to blame for the bulk of the vulnerabilities impacting the WordPress platform.

Despite the fact that WordPress is generally safe, third-party plugins have made WordPress practically synonymous with hacked websites.

Performance problems on WordPress websites follow a similar pattern. The performance of the WordPress core is actively being improved by a WordPress Performance Team.

However, third-party plugins that load CSS and JavaScript on pages where they are not needed or fail to lazy load images can undermine that effort and slow down the performance of websites.

Plugin Checker

A theme checker created by WordPress already enables theme developers to verify their creations for security and best practices. Additionally, the official WordPress theme repository makes use of the same theme checker.

They now wish to investigate doing the same for plugins.

The objective of the suggested plugin checker was stated as follows:

  A. Static analysis
    Themes are verified in this manner; however, there are restrictions, like the inability to execute the code.
  B. Server-side analysis
    This approach allows the plugin code to run and also permits a static analysis to be carried out.
  C. Client-side analysis
    This loads a headless browser, which is essentially a bot that simulates a browser, and then checks the plugin for bugs that a server-side solution might miss. The document identifies a few obstacles to this strategy but also provides solutions.

The proposal includes a graph with rows representing the ratings given to each approach for security and performance issues, and columns for approaches A, B, and C.

According to the evaluation, the server-side analysis might be the best course of action.
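A line-based static check in the spirit of approach A, as an added example (not code from the WordPress proposal or the theme checker). The sample plugin source is constructed, and the per-line regex heuristics are an assumption standing in for a real PHP parser; the check reports what is visible without executing the code and marks the asset enqueue as something only a run-time (server-side) analysis can settle.

```python
import re

# Constructed sample plugin source (not taken from any real plugin).
SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_enqueue_scripts', 'demo_assets' );
function demo_assets() {
    wp_enqueue_script( 'demo-slider', plugins_url( 'slider.js', __FILE__ ) );
}
function demo_banner() {
    echo '<p>' . $_GET['msg'] . '</p>';
    echo '<p>' . esc_html( $_GET['title'] ) . '</p>';
    echo '<img src="banner.png" alt="">';
    echo '<img src="footer.png" alt="" loading="lazy">';
}
'''

# Escaping/sanitising helpers accepted by this simplified check.
ESCAPERS = ("esc_html", "esc_attr", "esc_url", "wp_kses", "absint", "intval")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ENQUEUE = re.compile(r"\bwp_enqueue_(script|style)\s*\(")
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)

def check_plugin(source):
    """Return (line_no, category, message) tuples for one PHP file."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        compact = line.replace(" ", "")
        # Security: request data echoed with no escaping helper on the same line.
        if "echo" in line and SUPERGLOBAL.search(line):
            if not any(fn + "(" in compact for fn in ESCAPERS):
                findings.append((no, "security", "request data echoed without escaping"))
        # Performance: image markup that does not set a loading attribute.
        for tag in IMG_TAG.findall(line):
            if "loading=" not in tag.lower():
                findings.append((no, "performance", "image without loading attribute"))
        # Static limit: which pages the asset loads on is only known at run time.
        if ENQUEUE.search(line):
            findings.append((no, "needs-runtime", "asset enqueued; page scope unknown statically"))
    return findings

if __name__ == "__main__":
    for finding in check_plugin(SAMPLE_PLUGIN):
        print(finding)
```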

Plugin Best Practices

This is just a proposal; the WordPress performance team has not committed to developing a plugin checker. This is merely the beginning.

However, since it will help WordPress users and site visitors, it is a good idea to check third-party plugins for security and performance best practices.
