WPCandy published a great post on plugins and the numbers of plugins to be used per website. Recently more and more developers do complain about the number of plugins that a client is running. But nobody asks the real question: how many of these plugins are actually of _high quality_?
From what I’ve encountered through the years is that when my installation starts to become unstable at some degree, it is always a result of one or two plugins coded the wrong way. I could remove them two and add 15 more, it doesn’t matter if they are okay. So the number of plugins is not to be discussed (disregarding the long term where a developer might stop supporting it – but it could also happen with 3 plugins as well as with 30).
I am specifically concerned of the quality of the plugins being released. As I commented on the WPCandy post:
The worst problem here is the WPORG repo control. While themes pass through a “Theme Reviewer” control, plugins are like: “Please reserve me some space at your hosting, I’ll upload something in SVN and it would be up and running in 15mins”. The community needs a reviewing policy for plugins. Many plugins use hardcoded table prefixes (by default it is wp_* but have you noticed that could be changed before installation?) or other default values that are freely modifiable (not to say recommended for security reasons). Some of them grab external data via some feeds or remote services that are suspiciously reliable.
If you go through the listings of WordPress vulnerabilities last 2 years, half of the problems (if not the majority) are the vulnerable insecure plugins. It’s not the plugins to blame that – it certainly is – but they just have the option to contribute and this contribution is malicious sometimes.
I have reported few plugins being dangerous and one of them led to hacking an installation of a client of mine because of insecure streaming of some 3rd party data.
How many of you are aware of the Theme Check plugin? It’s one of the tools used during the theme reviewing process in WPORG. It does a great work by iterating through theme files and verifies for: depricated functions, obsolete calls, incorrect multilingual statements and many, many more regarding the codex of the themes to be submitted to the repository. What if the same concept is transferred to the Plugin repo – let’s say a “Plugin Judge” plugin that verifies all plugins for static references, third party sites data gathering and so on and reporting with different levels of importance, this could help a lot to the community and the overall quality. I know it is hard to maintain a team that does review of the plugins so that could be the automated way – better plugin coding policy (this one is good too, just few more details) and a tool that verifies what is going on actually.