WordPress Plugin Abuse

Should you really use a WordPress plugin for that? See how 11 lines of code can replace 87,907, and why that's a major advantage.

Plugin abuse in WordPress is rampant, and really always has been. Hearing about a slow WordPress website is very common, particularly in the admin area. Overuse/misuse of plugins on professional business websites is the #1 cause, and it’s unfortunately very common.

Mid-to-large organizations using WordPress as a CMS usually have a custom WP theme that was built by a WordPress developer or WordPress consultancy/agency. Professional business websites using WordPress should have a few plugins in active use, depending on the functionality of the website. It’s a reasonable expectation to have for a professionally built custom theme.

Unfortunately, I continually see the opposite more and more. It’s common to see “custom” WordPress websites built by agencies and “developers” that rely on heavy, overweight plugins for simple functionality that could otherwise be handled with a few lines of code.

It seems many WP developers don’t know this, don’t care, or both. Installing more and more plugins to cut corners and maybe get things done faster in the short term can lead to major problems for a business down the road.

Common Plugin Abuse Example: SMTP Email Delivery

Most professional WordPress websites rely on email delivery for notifications. By default, WordPress sends email with PHP’s mail() function, directly from the web server. Mail sent this way is commonly caught by spam filters, especially those used by corporate or enterprise businesses.

To solve this issue we can switch to a more stable approach by using SMTP email delivery. With SMTP configured, WordPress will send emails from a real email inbox rather than the server, which allows encryption and verification such as DKIM and SPF to be put in place.

These technologies help prevent spoofing and spam by verifying that a sender is valid and not malicious, so they’re significantly less likely to be marked as spam. It’s very common for WordPress websites to switch over to using SMTP for this reason.

Plugin Approach

Using a plugin like WP Mail SMTP is by far the most common approach used to do this, and while it may not be an issue for business websites with smaller audiences, I wouldn’t recommend it for any serious business or website that needs next level performance and stability.

I realize that one of the largest benefits of WordPress is that it provides the ability for almost anyone to build a website without coding skills or knowledge. For that scenario I would 100% recommend using a plugin like this.

I’m specifically talking about business class, professional (often expensive) websites using WordPress as a CMS. Organizations pay a premium for quality, and they deserve a highly stable and efficient website as a result.

Disadvantages

Premium plugins are often used by businesses because they provide a feeling/sense of stability and quality. If you understand how these are built, you’ll realize that they have significant disadvantages:

  • 87907 lines of code, where custom code is just 11, is significantly more overhead. This makes it more difficult to track down and fix issues when they happen.
  • Much larger code footprint that uses significantly more processing power than is necessary for the features provided
  • License keys are verified by hitting third-party HTTP APIs that are slow
  • Analytics & usage tracking sends data to additional third-party HTTP APIs, further slowing down the WP admin
  • Numerous premium plugins do this on every WordPress admin pageview, which slows down the process of editing and updating content significantly
  • Plugins appeal to mass audiences, so they will always include excessive features and configuration options in order to cover as many use cases as possible. Businesses only need a small subset of these configuration options; the rest are superfluous and only serve to add unnecessary weight to a custom WordPress installation.
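
To check the third-party request points in this list against a specific site, the following added example (not from the original article) logs each outbound request made through the WordPress HTTP API during an admin pageview. It assumes it is loaded as a must-use plugin on a staging copy of the site; the `site_http_*` global names are hypothetical.

```php
<?php
// Added example: record which hosts wp-admin contacts, and how long each call takes.
// The $GLOBALS keys used here (site_http_started, site_http_log) are hypothetical names.

// Note the start time of each outbound request made through the WordPress HTTP API.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
  $GLOBALS['site_http_started'][ $url ] = microtime( true );
  return $preempt; // Returned unchanged, so the request proceeds normally.
}, 10, 3 );

// When a response (or error) comes back, store the host and the elapsed time.
add_action( 'http_api_debug', function ( $response, $context, $class, $args, $url ) {
  if ( ! is_admin() ) {
    return; // Only admin pageviews are of interest here.
  }
  $started = $GLOBALS['site_http_started'][ $url ] ?? microtime( true );
  $GLOBALS['site_http_log'][] = array(
    // Host only: query strings can carry license keys or tracking identifiers.
    'host'   => (string) parse_url( $url, PHP_URL_HOST ),
    'ms'     => (int) round( ( microtime( true ) - $started ) * 1000 ),
    'failed' => is_wp_error( $response ),
  );
}, 10, 5 );

// Write one log line per request at the end of the pageview.
add_action( 'shutdown', function () {
  foreach ( $GLOBALS['site_http_log'] ?? array() as $call ) {
    error_log( sprintf(
      'wp-admin outbound HTTP: host=%s time=%dms failed=%s',
      $call['host'],
      $call['ms'],
      $call['failed'] ? 'yes' : 'no'
    ) );
  }
} );
```

Grouping the resulting log lines by host shows which installed plugins contact external services on every admin pageview, and what data-egress destinations the site has picked up along with them.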

Using Custom Code

Sending email with SMTP is extremely simple to handle with custom code, without any plugin, and it can be done with 10–15 lines of code depending on the SMTP server credentials.

WordPress provides developers with built-in access to a tool called PHPMailer, a PHP class for modifying the configuration PHP uses for sending email. All a developer needs to do is tap into the “hooks” WordPress provides to set the configuration details for SMTP. When these are set, WordPress will replace PHP mail() with SMTP delivery.

These 11 lines of code can replace the need for any SMTP email delivery plugin. It can be added to an existing custom WordPress theme, or custom functionality plugin. Sure, some of these plugins have added

/**
 * SMTP Email Delivery
 */
add_action( 'phpmailer_init', function ( &$phpmailer ) {
  $phpmailer->isSMTP();
  $phpmailer->Host = 'smtp.sendgrid.net';
  $phpmailer->Port = 587;
  $phpmailer->SMTPAuth = true;
  $phpmailer->Username = '[email protected]';
  $phpmailer->Password = '{PASSWORD}';
  $phpmailer->SMTPSecure = 'tls';
  $phpmailer->From = '[email protected]';
  $phpmailer->FromName = 'Firstname Lastname';
}, 10, 1 );
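
A variant of the hook above that keeps the SMTP password out of the theme's files and repository, as an added example that is not code from the original article. It assumes the credentials are defined as constants in wp-config.php; the `SITE_SMTP_*` constant names and the `site_smtp_settings()` helper are hypothetical.

```php
<?php
/**
 * SMTP email delivery with credentials kept out of the theme (added example).
 *
 * Assumes these constants are defined in wp-config.php; the names are
 * hypothetical and chosen for this example:
 *   define( 'SITE_SMTP_HOST', 'smtp.sendgrid.net' );
 *   define( 'SITE_SMTP_USER', '...' );
 *   define( 'SITE_SMTP_PASS', '...' );
 *   define( 'SITE_SMTP_FROM', '...' );
 */

// Collect the SMTP settings, or return null when any required value is missing.
function site_smtp_settings() {
  $settings = array();
  foreach ( array( 'HOST', 'USER', 'PASS', 'FROM' ) as $key ) {
    $name = 'SITE_SMTP_' . $key;
    if ( ! defined( $name ) || '' === (string) constant( $name ) ) {
      return null;
    }
    $settings[ $key ] = (string) constant( $name );
  }
  return $settings;
}

add_action( 'phpmailer_init', function ( $phpmailer ) {
  $smtp = site_smtp_settings();
  if ( null === $smtp ) {
    // Leave the default mailer in place and record why, without logging secrets.
    error_log( 'SMTP not configured: a SITE_SMTP_* constant is missing.' );
    return;
  }
  $phpmailer->isSMTP();
  $phpmailer->Host       = $smtp['HOST'];
  $phpmailer->Port       = 587;
  $phpmailer->SMTPAuth   = true;
  $phpmailer->Username   = $smtp['USER'];
  $phpmailer->Password   = $smtp['PASS'];
  $phpmailer->SMTPSecure = 'tls'; // PHPMailer's value for STARTTLS, used on port 587.
  $phpmailer->From       = $smtp['FROM'];
} );

// Log delivery failures so a broken SMTP setup is visible instead of silent.
add_action( 'wp_mail_failed', function ( $error ) {
  error_log( 'wp_mail failed: ' . $error->get_error_message() );
} );
```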

Advantages

Using this approach has the following performance and stability advantages:

  • No additional plugins are loaded, so WordPress won’t need to routinely check for remote updates or monitor the activation/deactivation status.
  • A tiny amount of code will always be easier to understand, diagnose and fix
  • Significantly less processing power used for the same functionality
  • Avoids remote HTTP requests for analytics tracking and license verification. This is the #1 source of a slow WordPress admin.
  • Solves for the exact use case and nothing more, which is always an ideal approach for highly stable systems in the long-term

Building Minimal WordPress Systems

Sadly, this is an alternative approach that I rarely see. The advantages and disadvantages are strong when they’re fully understood, and for the right business use cases it can have a profound effect on the quality and stability of a WordPress website over the long-term when followed as a pattern.

I’ve used this minimal approach to build custom WordPress themes for large organizations, and they’ve proven to be extremely stable and reliable long-term. Less code means a faster admin, better security, and better publishing productivity. WordPress sites built like this don’t break when plugin and core updates happen, and changes and adjustments can be handled rapidly and with confidence because there is both less to change and less that is affected when changes do occur.

Custom themes built like this remain in use for much longer time periods because they are highly adaptable. They can support a complete redesign or rebrand without a major rebuild, because code can safely be removed and refactored without unanticipated changes.

TripAdvisor Blog: A 10 Year Custom Theme

In early 2015 I built a custom theme for TripAdvisor that followed this minimal approach to development. It was just fully retired in April 2024 because the site (tripadvisor.com/blog), 9 years later. This was done because it was actually competing with and outranking articles on TripAdvisor.com, which was ultimately a business conflict. I worked with their IT team to migrate everything in-house to use custom-built Java content management tools.

During the almost decade that this custom WordPress theme was in use it successfully powered 9 different localized TLDs, each with unique content specific to a country’s audience, using a single WP installation (no multisite). It successfully supported 3 rebrands, each in a matter of weeks, not months, and had zero recorded downtime resulting from WordPress, the custom theme, or any plugins. This was in large part due to the minimal approach taken.

Conclusion

WordPress is an extremely flexible system, providing thousands of ways to handle similar use cases. This is both a benefit and drawback, and it’s the primary reason behind developer and business owner complaints. But when you take a professional development approach that keeps systems specific and minimal, developing for specific use cases, you can create custom content managed WP sites that are highly stable, very secure, and easy to work with long-term. They’re fast on the frontend and within the admin, and result in more online revenue and success.

WordPress can be an incredible tool, but it can also be a terrible one. It comes down to the developer you work with and the mindset they take towards creating effective systems.

Meet the Author

Kevin Leary, WordPress Consultant

I'm a custom WordPress web developer and analytics consultant in Boston, MA with 16 years of experience building websites and applications.