Improving Security & Performance of Plugins
WordPress Looks at Improving Security & Performance of Plugins.
WordPress announced a proposal to take a more proactive approach toward third party plugins in order to improve security and site performance. The online blog, Search Engine Journal, has described what is being discussed is a plugin checker that will make sure that plugins are following best practices.
Third-party plugins are a major source of security vulnerabilities and website performance bottlenecks. The proposal outlines three ways to tackle a plugin checker and solicits feedback on the idea.
The WordPress proposal defined the problem:
“While there are fewer infrastructure requirements for plugins than there are for themes, there are certainly some requirements that are worth verifying, and in any case, checking against security and performance best practices in plugins would be just as essential as it is in themes. However as of today, there is no corresponding plugin checker.”
WordPress Vulnerabilities And Poor Performance
The WordPress publishing platform has received a reputation for being vulnerable to hackers and for being slow. So it may be surprising to learn that the WordPress core itself is a highly secure platform.
The majority of the vulnerabilities affecting the WordPress platform are due to third party plugins. Even though WordPress itself is reasonably safe, third party plugins have caused WordPress to virutally become synonymous with hacked sites.
There is a similar issue with regard to WordPress site performance, too. A WordPress Performance Team actively works on improving the performance of the WordPress core itself. But that effort can be undermined by third party plugins that load JavaScript and CSS on pages where they’re not required or don’t lazy load images, which ends up slowing down website performance.
Plugin Checker
WordPress already produces a theme checker that allows theme developers to check their work for best practices and security. The same theme checker is used on the official WordPress theme repository, too.
So now they want to explore doing the same thing for plugins. This is how the goal of the proposed plugin checker was defined:
“There should be a WordPress plugin checker tool that analyzes a given WordPress plugin and flags any violations of plugin development best practices with errors or warnings, with a special focus on security and performance.”
The proposal lists three possible approaches:
A. Static analysis
This is how themes are checked but there are limitations, such as not being able to run the code.
B. Server-side analysis
This method allows the plugin code to run plus a static analysis could also be accomplished.
C. Client-side analysis
This loads a headless browser (essentially a bot that emulates a browser) and then tests the plugin for issues that can’t necessarily be detected with a server-side solution. The document notes some challenges to this approach but also lists ways around them.
The proposal features a graph with columns for approaches A, B, and C and rows that correspond to ratings assigned to each approach for security and performance issues.
The evaluation finds that the Server-side analysis may be the optimal approach.
The WordPress performance team is not committed to creating a plugin checker, this is just a proposal. This is just the starting point. Nevertheless, checking third party plugins for security and performance best practices is a good idea because it will benefit WordPress users and site visitors.