WordPress plugins - good versus bad


HD Moderator
Staff member
The good side of plugins is that they enhance the functionality of websites, but the bad side is that with increased plugins come increased risks – not only from potential incompatibility with the current version of WordPress, but from potential threats like ransomware and malware.

Add to that, some plugins are resource hogs and will detrimentally slow down your site’s performance, leading to shopping cart abandonment and increased bounce rates.

Every plugin you use adds resource consumption to your site, but how much is too much? Your thoughts?


HD Community Advisor
Staff member
> Every plugin you use adds resource consumption to your site, but how much is too much? Your thoughts?

We generally build our websites with just 4 or 5 plugins... Elementor, Elementor Pro, Astra Pro, Rank Math & Wordfence WAF Security.

Depending on the host, we add in either the in-house optimizer plugin or a caching plugin of some sort.

Now that's for a general site. Once we get into eCommerce, things can spin out of control fast. We currently manage a VERY optimized site that has nearly 50 plugins - but not all plugins are created equal. 11 of those plugins are ones that we created, and to call them a plugin is very ambitious. Essentially, instead of having all custom code in a functions.php file, we split them into their own "mu-plugin" plugins - so the code is easier to read. It also means we can disable one of our sections of functions and not affect the rest of the site.

How many is too much? I access some sites and see 8 plugins and it's overkill for what they actually need (image squasher, copyright editor, footer editor, login screen customizer)... the image optimization should be done before uploading images, and the other edits can all be done in a functions.php file, or creating a new footer file in a child theme.

At the end of the day, plugins go out of date. Windows and Mac, cell phones and apps - they all have updates on a regular basis. The difference is that people actually DO those updates, and there's a development team around them. With WordPress, developers can suddenly disappear and abandon the plugin with a potential exploit that never gets resolved.

Thankfully, WordPress has become more vigilant when it comes to out-of-date plugins and removing them from their repository. The plugins still exist on users' sites, but at least no NEW users would be affected.

Lack of updates is the #1 cause of a website being hacked or defaced. We have some clients that refuse to update plugins - there's not much we can do in those cases.
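
Added example, not part of the posts above: one way to audit a site for the two problems the last reply describes, pending updates and plugins that have gone stale or been removed from the repository. The plugin names, the repository metadata layout (`last_updated`, `closed`) and the 730-day threshold are assumptions made for illustration; the installed list is constructed in the shape that `wp plugin list --format=json` prints.

```python
import json
from datetime import date

# Constructed sample, shaped like the JSON printed by
# `wp plugin list --fields=name,status,update,version --format=json`.
INSTALLED = json.loads("""[
 {"name": "example-seo",     "status": "active",   "update": "none",      "version": "2.1.0"},
 {"name": "example-gallery", "status": "active",   "update": "available", "version": "1.4.2"},
 {"name": "example-footer",  "status": "inactive", "update": "none",      "version": "0.9"},
 {"name": "example-login",   "status": "active",   "update": "none",      "version": "3.0"},
 {"name": "site-checkout-tweaks", "status": "must-use", "update": "none", "version": ""}
]""")

# Constructed repository metadata (assumed layout): last release date, and
# closed=True when the plugin has been pulled from the repository.
REPO = {
    "example-seo":     {"last_updated": "2024-05-01", "closed": False},
    "example-gallery": {"last_updated": "2024-03-10", "closed": False},
    "example-footer":  {"last_updated": "2019-02-11", "closed": False},
    "example-login":   {"last_updated": "2021-07-30", "closed": True},
}

def audit(installed, repo, today, stale_days=730):
    """Return {slug: [reasons]} for plugins that need attention."""
    findings = {}
    for plugin in installed:
        slug, reasons = plugin["name"], []
        if plugin["status"] == "must-use":
            continue  # site-owned mu-plugin code, not tracked by the repository
        if plugin["update"] == "available":
            reasons.append("update pending")
        meta = repo.get(slug)
        if meta is None:
            reasons.append("not found in repository metadata")
        else:
            if meta["closed"]:
                reasons.append("removed from repository")
            age = (today - date.fromisoformat(meta["last_updated"])).days
            if age > stale_days:
                reasons.append(f"no release for {age} days")
        if reasons:
            findings[slug] = reasons
    return findings

if __name__ == "__main__":
    for slug, reasons in audit(INSTALLED, REPO, date(2024, 6, 1)).items():
        print(f"{slug}: {'; '.join(reasons)}")
```

Inactive plugins are checked as well, because their files remain on the server until the plugin is deleted.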