Modern content management systems make it almost too easy to install new features. WordPress in particular has a plugin and theme ecosystem that encourages experimentation. Tens of thousands of developers contribute plugins to the WordPress ecosystem, and browsing through the plugin repository presents enticements at every turn. The temptation is to install plugins on a whim — after all, they’re free, so why not?
I’ve come across WordPress sites with dozens of plugins installed. The administrator installs a plugin, tries it out, and then neglects to uninstall it. Or they load their site with as many features as possible, and install a plugin for each shiny new gewgaw.
While there’s nothing wrong with trying out new features on your site, there are downsides to leaving lots of plugins permanently installed.
More Complexity, More Bugs
Content management systems are complex pieces of software, and their plugin ecosystems multiply that complexity. Given the limitations of human beings when it comes to understanding and building complex systems, increases in complexity lead to increases in the number of mistakes and incompatibilities. Software bugs can cause all sorts of unpredictable effects, which is why it’s sensible to limit complexity wherever possible. If you aren’t using a plugin in your content management system, uninstall it, just in case.
More Bugs, Less Security
The most serious bugs lead to vulnerabilities that can be used by attackers to compromise a site. We often hear about vulnerabilities in WordPress, but the majority of those reports are actually about vulnerabilities in plugins, which are sometimes not as well coded as the CMS itself.
Leaving unused plugins installed and activated, or installing every vaguely interesting plugin, increases the likelihood that your site will have critical vulnerabilities that can be exploited to take it over and steal private data.
It’s not always true that plugins cause performance problems, but it’s true often enough that it makes sense to remove unused plugins. Some plugins do cause performance problems — if your site is slower than you’d expect it to be, it’s probably worth selectively disabling plugins in an attempt to identify the culprit.
A Note On Themes That Include Plugins
Many of the most complex, feature-rich themes have plugins embedded within them. Themes with sliders are an obvious example. While this isn’t a problem in itself, it can turn into a problem if the theme’s developer doesn’t update the included plugin in a timely fashion. Plugins bundled with themes can’t be updated with the usual update mechanism, which means site owners have to rely on the theme’s developers.
Over the last few years, there have been several reported instances of attacks that succeeded because theme developers failed to update the plugins they included in a theme.
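Because bundled plugins never show up in the normal plugin list, it helps to inventory them yourself. The script below is an added example, not part of the original article: it walks a themes directory and reports any PHP file carrying a plugin header comment, so you know which embedded plugins and versions to check against their upstream releases. The sample theme and plugin names are constructed, and the header regex is an approximation of WordPress's own header lookup.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a header comment near the top of a PHP
# file ("Plugin Name:", "Version:"). This regex approximates that lookup.
HEADER = r"^[ \t/*#@]*{}:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$"


def read_header(php_file, field):
    """Return a header field from the first 8 KiB of a PHP file, or None."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    m = re.search(HEADER.format(re.escape(field)), head, re.I | re.M)
    return m.group(1) if m else None


def bundled_plugins(themes_dir):
    """Find plugin main files embedded inside theme directories."""
    found = []
    for php_file in sorted(Path(themes_dir).rglob("*.php")):
        name = read_header(php_file, "Plugin Name")
        if name:
            rel = php_file.relative_to(themes_dir)
            found.append({
                "theme": rel.parts[0],  # top-level theme folder
                "plugin": name,
                "version": read_header(php_file, "Version") or "unknown",
                "path": str(rel),
            })
    return found


def build_sample_tree(root):
    """Constructed sample data: one theme that bundles a slider plugin."""
    slider = Path(root) / "example-theme" / "inc" / "example-slider"
    slider.mkdir(parents=True)
    (slider / "example-slider.php").write_text(
        "<?php\n/*\n * Plugin Name: Example Slider\n * Version: 1.2.0\n */\n")
    (Path(root) / "example-theme" / "functions.php").write_text(
        "<?php\n// Theme functions, no plugin header here.\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in bundled_plugins(build_sample_tree(tmp)):
            print(hit)
```

On a real site, point `bundled_plugins()` at your `wp-content/themes` directory and compare each reported version with the plugin's current release.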
A vibrant plugin ecosystem is a key benefit of choosing a content management system like WordPress, but site owners should exercise some restraint to reduce the risk posed by security vulnerabilities and performance problems.