Number of plugins on a site

I don’t think that there is any kind of dilemma in this case. You can remove the vulnerable plugin and replace it with another less vulnerable.
I wouldn’t compromise the stability of my website for a plugin BUT my motto also is that less is more.
If you run too many plugins on your website you end up no being able to control what is going on there and not being able to fix something if any or many of these plugins start to crash or misbehaving ( in purpose or because they are incompatible either with the platform or with each other).

I think that the reason that I was able to switch easily my website to CP was that I run on my website rather few and not that complicated plugins.

How many plugins are “too many”? I have run sites with 80+ plugins and the few conflicts I experienced were easy to resolve.

In any event, some plugins are huge, whereas others contain just a few lines. Some work on the front-end; some on the back-end. Some are active all the time; some become active only when triggered by a specific event. You can’t treat them all as equivalent.

What matters is not the number of plugins but the quality of the code in those plugins.


The epitome of maximalism in other words! :smiley:

How would you ever be able to check the quality of the code of 80+ plugins? Or who is going to check the code out of all these plugins for you?
And what’s wrong with simplicity?

I bet that many of these 80+ plugins overlap the use of some others.

1 Like

If you are the maintainer of their website it is your responsibility to protect this website from back door hacking. Your customers pay you after all in order not to have to bother themselves with these issues.

It doesn’t sound that right to pass the responsibility to your customers, who at the end of the day might not have the knowledge to figure out if the code of the one or the other plugin contains malware and then claim that it is not your fault but the plugin’s maker fault?

If you know at the end of the day that a plugin is vulnerable you can always replace it with something that does the same or similar job. There are literally hundreds of plugins for each and every imaginable customization, that many that it is difficult to choose which is better to use.

I would happily take that bet, because you’d lose!

Currently, those same sites run 47 plugins. But that doesn’t mean that I have cut stuff out. Quite the contrary!

I learned how to code by working with those plugins. After a while, I found that I wanted to tweak many of them to do something specific that the original code wouldn’t do. So I wrote my own code instead to replace those plugins. In some cases, I created my own plugin; in others, I inserted the code as single files in the mu-plugins folder; and sometimes I added code to the theme’s functions.php file. So it looks like the number of plugins has gone down.

But that exemplifies my point about the number of plugins being irrelevant. Although the number of plugins has apparently dropped, the functionality deployed on these sites has actually gone up. I could literally break out all the functionality into well over a hundred plugins if I so chose!

How would you ever be able to check the quality of the code of 80+ plugins?

As I said, I taught myself by reading the code. In time, of course, I found that I could code some of the functionality much better myself (especially if it involved JavaScript or anything to do with accessibility). But there are plenty of tools to help. The plugin, Query Monitor, is fantastic for this purpose.

And what’s wrong with simplicity?

Nothing, so long as it suits the purpose of the site. But everything, if the site doesn’t then accomplish what is required.

In any event, I am not sure that you have entirely understood my point above about plugins doing different things. Not every plugin is about what happens on the front-end. So, for example, I have a plugin that logs activity on the site and any changes made; another that logs all emails; another that logs all REST API activity, etc. If you want to debug something (whether in order to respond to a support ticket or when testing new functionality) it is essential to have proper records.

In fact, I have one site that has just 18 plugins active, and only one of them does anything on the front-end.

Oh, and if you’re thinking any of these sites will be slow, you’d be wrong. Pingdom measures all these sites as loading in less than a second. And, unlike so many membership sites, they don’t get any slower for logged-in users.

1 Like

Would you mind to give me a link towards one of these sites to see what is all about? :slight_smile:

Well, the “maximalist” ones, as you call them, are all membership sites, locked down from the public. But I can give you a link to the parent site that explains in more detail what they are all about:

Thank you. :slight_smile:

Warn the users about the vulnerability and prompt them to take action.
Personally speaking I wouldn’t allow anyone to access my website. I would change cms immediately if I suspected that someone used the cms to access my website’s setup and I would sue the company who did so.
Warning the users about the/any vulnerabilities on the plugins, if you know it of course, is more than enough by the side of the cms maintainers/developers.

But I think that you over thinking the matter. WP doesn’t even bother to do that. The average users usually choose plugins almost in blind based on reviews from other users. Who told you that all people are able to check out the code of a plugin after all?

The cms maintainers are not responsible for the actions of those who write the plugins and they can’t check out the universe. It is on the final users’ discretion and choices to keep their websites secure.

But what I’ve said previously is still valid. If you run way too many plugins you involve way too many code writers in the equation. The more these are the higher is the risk to get a plugin that is either in purpose or by mistake harmful for your website.

1 Like

There is no such thing as too many plugins.

1 Like

There you go again. That’s just not true. If I install 20 plugins of 20 lines of code each, that makes for 400 lines of potentially problematic code. If I install just one membership or e-commerce plugin, it’s going to have many orders of magnitude more code than the other 20 plugins put together, and so carries by far the greater risk.

1 Like

On a general level I agree that people choose random plugins if they are building on their own, running in the risk of poor code and too many different devs and code styles.
Consider also the case we’re a dev codes himself the site for them developing special plugins with best practices in mind. Or selects plugins from a directory/repo keeping in mind certain parameters about safety. That way there’s no limit to the number of plugins/features.
So it’s not only how many, but their quality.
And we as a CMS can set rules&standard, but we also have to find a way people follow them because they want to (they “earn” something from being compliant) and not because we as a cms review the code to uniform it to rules. One day there will be thousands of themes&plugins and we simply can’t review every new one or every update release prior to making it available…

But the people who are building their own websites are also the majority of cms’s users and this is after all the reason why the cms platforms have to be simple and easy to use.
The developers of the/any cms have the obligation to maintain very few things.
To keep the interface easy to use in order to spare the end/average user from having to learn the universe in order to write and publish something and retain the platform’s structure in such a state that it would be difficult to be hacked or defaced in a matter of seconds.

Now what each and every plugin is able to do or undo ha ha, is not something that should concern the developers of the platform that this plugin is made for, and that because we are talking about open source projects where everyone can contribute on his own ( good or bad ) will.

The next better option - but also one that needs loads of work- would be to include the most popular functions that now are offered only as plugins- as defaults in the cms’s platform. Offering the cms with ready made options for gallery, lightbox, e commerce, statistics or whatever you think that is essential for running a website, that would be also 100% compatible with the cms. But not as plugins maintained by individuals.

1 Like


The best option is what we have now: a platform that allows us to extend it in any way we like, without having to carry the bloat that any other site owner thinks they need. Your comment points out the issue where you say, “…or whatever you think is essential for running a website”. The simple fact is: there is no single answer to that because some won’t have enough features while others will be stuck with bloat they don’t need.

1 Like

No source. The thousands upon thousands of artists who own and maintain their own websites on cms don’t register themselves in any lists, but they don’t have also the budget to pay web design companies to do this job for them. I don’t know a single one ( and I know many of them) who pays a company or an individual for the design and maintenance of his website. But all of them have one, All …
Same happens with the millions of bloggers all around the world, people with small personal businesses who retain small websites on free hosting platforms and they design them themselves etc.Just because the larger websites usually owned by corporations have higher visibility that doesn’t mean that they are the majority of websites existed .

The best option is what we have now: a platform that allows us to extend it in any way we like, without having to carry the bloat that any other site owner thinks they need. Your comment points out the issue where you say, “…or whatever you think is essential for running a website”. The simple fact is: there is no single answer to that because some won’t have enough features while others will be stuck with bloat they don’t need.

There is no need to have them activated in advance. Just as options of the style “this is the CP native lightbox. Try it and if you don’t like it remove it and go for a plugin that covers better your needs”

Without a source, it’s really just anecdotal evidence; nothing to act on. Indeed, if there’s no need to have a piece of functionality activated in advance, there’s no need for it to be in the core software. What you’re referring to is what I call bloatware. Consider how Hello Dolly and Akismet were included but not activated. Nobody liked it…except Automattic.

1 Like

Anyway, this topic is about disabling vulnerable plugins… I’m going to exit-stage-left here to avoid keeping it off-topic.

1 Like

I’m sorry to say this but it seems like you don’t understand that not all people who use internet are IT people. You don’t seem also to understand that not all individual categories of professionals that are unrelated with IT technologies, are registered in any lists or in any statistics.

Visual artists are everywhere. Do you really want me to give you a source that says that they are millions? Isn’t a single search enough to make you realize it? What sort of attitude is the one who says that if something isn’t listed somewhere it simply doesn’t exist?

Artists have to have websites for PR or publicity purposes but they are not web designers and they don’t have any particular preference on whatever regards the cms platform they use, they are usually struggling financially in order to be able to pay for the services of a professional webdesigner and they go whererever they are offered something that can work easy and for free.

Good day to you. :slight_smile:

1 Like

It is already night here. :slight_smile:
Good day to you, good night for me.

1 Like