Third-party plugins

VIP recommends searching the WordPress plugin repository for a plugin with the desired feature set. After identifying plugin candidates that are potentially suitable, they should be reviewed by following the below methods.

• Thoroughly evaluate, scan, and test a plugin before using it on a production environment.
• VIP does not maintain a list of pre-approved third-party plugins.
• Third-party plugins are not eligible for manual code review.

Evaluating plugins

Before installing a plugin candidate, evaluate a variety of the plugin’s qualities, including how completely the plugin candidate addresses requirements and/or the problem needing to be solved.

Simplicity and usability

Some plugins are more complex and have a large number of built-in features to provide a wide variety of options. Increased complexity can lead to bloated code if not done well, and can potentially cause performance issues (e.g., several classes and data structures being loaded upon every page request).

If a plugin’s code seems bloated, an inspection of the (open) source code may reveal the few purely functional lines of code that can solve your problem. The rest of the plugin’s code may not be needed.

Performance and security

Older plugins—and plugins that are not actively maintained—can have uncorrected issues that affect security (such as poor output escaping), or performance (such as queries that do not scale). Scanning a plugin’s code with PHPCS can help to reveal some of these issues. Manually reviewing a plugin’s code may also be needed and beneficial.

PHPCS scanning

Code quality can be verified by downloading the plugin candidate and running a PHPCS scan to provide feedback on existing warnings and errors within the plugin’s code.

Feedback from the PHPCS scan should be reviewed, and decisions should be made on how to act on the feedback. This includes the possibility of seeking out a similar plugin with higher code quality.

The VIP Code Analysis Bot performs the same PHPCS scan using the WordPress-VIP-Go standard in all pull requests. For this reason, it is time efficient and beneficial to run PHPCS scans locally on all code and acting on feedback before creating a pull request.

Review the guide to working with feedback from the VIP Code Analysis Bot or PHPCS.

Testing on the VIP Platform

To assess a plugin’s performance and suitability, install it on a VIP non-production environment, sync production data to the selected non-production environment, and test various features, functions, and options. While testing, try to reproduce the production environment and conditions as closely as possible, including the same theme and collection of activated plugins.

Monitor the plugin over a reasonable amount of time and confirm that the plugin’s features continue to perform as expected.

Query Monitor and New Relic are available on VIP Platform environments and can be very useful during testing.

Plugins may use functions or perform actions that are incompatible with the VIP platform. The only way to accurately test for incompatibilities is to test all of a plugin’s features on a non-production VIP environment.

Many plugins make assumptions about the environment they run in. Unless a plugin has been built for an enterprise-level platform, it may expect to make local filesystem changes or expect the user to modify .htaccess rules to make it work. Some plugins make remote requests to download a pro version. Many of these actions will not work as expected on the VIP Platform.

---