John Andrews is a Competitive Webmaster and Search Engine Optimization Consultant in Seattle, Washington. This is John Andrews' blog on issues of interest to the SEO community and competitive webmasters.


Trusting WordPress Plugins and “SEO for WordPress”

Over here in John Andrews Land we fight the status quo. WordPress is great, and the plug-in architecture is great, but we don’t build businesses on free, open source code unless we trust it. And we don’t trust free, open source code unless we have checked it. And we don’t rely upon free, open source WordPress plugins unless we know we have taken appropriate risk-management steps, addressing what we consider to be typical concerns when dealing with software, but which the modern world seems to think are optional:

  • does the code conform to programming best practices? At least a little?
  • does the code include obvious or less-than-obvious security flaws?
  • does the plugin follow the rules that keep the upgrade path intact? Will WordPress break at the next upgrade?
  • does the plugin warrant being a plugin at all? Maybe it doesn’t do enough to be worth the risk?
  • is the WordPress plugin “phoning home”, sending business intelligence to the plugin owner, or otherwise exposing us to unexpected consequences of use, such as hidden links or cloaking?

It sure costs more to do things right, but it sure costs a lot to fix problems in real time, too. Which is your preference?

We can’t check all of WordPress. We rely on that large community of eyeballs looking at it for months prior to release, and the even larger community of eyeballs looking at it during the months after release, to help make sure it is worthy. That’s how Open Source works. But that is NOT the case for plugins. A plugin author may never share his code until publication time. Many plug-ins see very few installs compared to large open source projects. Even 1,000 users will not lead to good code if that is 1,000 non-programmer users (common with WordPress plugins). We look at plugin code very carefully.

This morning I reviewed another plugin from a well-respected SEO plugin author, and there in the code are all sorts of “potential problems”. All around the web you read “you should have this plugin for SEO”, and yet a quick review by my far-less-than-professional PHP coding eyes shows divide-by-zero gotchas, opportunities for injection by hackers, and risky reliance on server variables that are not as trustworthy as the PHP manual might suggest. This isn’t rocket science, but it is web programming, and we’re talking about the basics of web application programming in PHP here. I don’t need to send this one to a PHP security expert. I know it’s dead just by looking at the code myself.
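The three defect classes named above, shown as an added example (not code from this post or from any plugin it reviews): each risky form a reviewer would flag, beside a hardened form. It assumes the WordPress `$wpdb` global and `get_option()`; the function names are hypothetical.

```php
<?php
// Added example, not code from the post or from any plugin it reviews:
// the three defect classes the post says a quick read can catch, each as
// the risky form a reviewer flags beside a hardened form. Assumes the
// WordPress $wpdb global and get_option(); function names are hypothetical.

// 1. Divide by zero: a stats helper that trusts its counts.
function seo_avg_words_risky($total_words, $post_count) {
    return $total_words / $post_count;      // PHP warning and a bogus value for 0 posts
}
function seo_avg_words($total_words, $post_count) {
    if ($post_count <= 0) {
        return 0;                           // nothing to average yet
    }
    return $total_words / $post_count;
}

// 2. Trusting a "system variable": $_SERVER['HTTP_HOST'] is copied from the
//    request's Host header, so on many servers the client chooses its value.
function seo_canonical_risky($path) {
    return 'http://' . $_SERVER['HTTP_HOST'] . $path;
}
function seo_canonical($path) {
    $home = rtrim(get_option('home'), '/');  // configured by the site owner, not the request
    if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $path)) {
        $path = '/';                        // reject anything that is not a plain path
    }
    return $home . $path;
}

// 3. Injection: SQL glued together from a value a settings form or URL can
//    change, versus letting the database layer quote it.
function seo_post_by_slug_risky($slug) {
    global $wpdb;
    return $wpdb->get_row("SELECT ID, post_title FROM $wpdb->posts WHERE post_name = '$slug'");
}
function seo_post_by_slug($slug) {
    global $wpdb;
    $sql = $wpdb->prepare("SELECT ID, post_title FROM $wpdb->posts WHERE post_name = %s", $slug);
    return $wpdb->get_row($sql);
}
```

Reading a plugin for these three patterns takes minutes; each `_risky` form above is the kind of line that ends the audit early.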

What is the cost of a bad plugin? Well, you may not care if one day your visitors see a PHP error on the screen. You may even have error reporting turned off completely. You can get problems fixed in a day or so anyway, so no harm done, eh? Well, when was the last time you looked at what is in your WordPress database? I mean looked at the content in the database… using some database tool. Time and again I find volumes of bad data filling WordPress databases, which are hidden from the blogger because WordPress is smart enough to skip over them at display time. But they are still there… and with every upgrade, they carry forward. And one day the database tables break. Or some injected code gets run. What. A. Mess. Or WAM v2.0

A good SEO consultant charges in excess of $200 per hour for routine technical work, as does a good PHP security consultant. That reflects the cost of maintaining the ability to perform as a knowledgeable consultant. It takes time to audit code, but not a lot of time, especially when compared to what it takes to rebuild a database that has been corrupted with invalid characters or mussed-up attempted code injections. Unless your risk management plan includes “just start over”, it seems wise to spend a little money and get your site checked out before there are problems.

Not every “SEO plug in for WordPress” is a must-have, and some are not even worthy of the time it takes to download them. How do you know?


23 Responses to “Trusting WordPress Plugins and “SEO for WordPress””

  1. Google Search Sucks Says:

    Lately I have been getting really frustrated with people peddling pure garbage and calling it SEO plugin. I realized the best thing is to take the time and change the code yourself, and believe me I am FAR from a php expert. For example switching my title tag to call on the blog post title first before the blog name doubled my traffic in just one month.

  2. Alan Says:

    We need some plugins, so it would be good to know if they were solid, but you’re right, many are badly coded and should be avoided.

  3. anonymous Says:

    sometimes the wp devs assume too much. they like to see some things as plugin, but no one can write them as well as the wp dev people.

  4. mike Says:

    Ok, to a non-technical person like myself who uses WordPress blog software…

    It would be nice if you could identify potential plugins that are flawed.

    @mike: that would be a disaster, as #1 I can’t propose proper solutions at the same time, and #2 the negativity would be highlighted by others to my detriment. That is the catch-22 of no-cost software… there is little accountability. The good part is the code is available, so you can pay a professional to review the code for you and advise you on its suitability. Open Source is a wonderful thing, but it is not zero cost.

  5. Matt McGee Says:

    So, are you gonna tell us which plugin is risky? :-)

    @matt: I’ll simply suggest everyone be careful what they trust, and be aware that they can have their code audited if they need to manage risk. Perhaps the WordPress community can find a way to rate or review plugins in the future.

  6. Lea de Groot Says:

    Yeah, and it’s not just plugins – I picked up a pretty theme the other day, and ran a basic eye over the code and *hello* the functions package was phoning home, with all sorts of info.
    A few comment marks and that was no longer happening, but honestly – the nerve of some people! I double checked the rest of that little package.

    @Lea: A while back I pulled apart an encoded front end that was cloaking Google with hidden links. A casual code review would have simply suggested something was being hidden with encryption, which is often used to lock software to a particular domain or to phone-home installation details. I actually had to use an encryption cracker to see the code, and when I saw it was cloaking I was shocked. Everyone should cloak their own referrer and look at their sites when they are trusting such software. It is possible to IP cloak the search engines, but not very common given the complexity.

  7. Robbert Says:

    I’m not a php-expert, I only know how to change the themes in WordPress. I never check whether a plugin is worth trusting, because I can’t tell. Now that I’ve read this post, I will be more careful. Thanks!

  8. Joost de Valk Says:

    As an author of quite a few WordPress SEO plugins, I hope that, in the case this affects one of my plugins, you’ll drop me an email? :)

    @Joost: If a plug-in author includes a feedback request etc. I am quick to suggest improvements when the code is otherwise good. I see you do ask for feedback, but many simply state “it’s free so don’t ask for support”. I think if you use free WordPress plugins to your benefit, you owe the community the effort it takes to provide such feedback.

    On the flip side, I also think those who benefit from providing plugins for free to the community should work hard to make sure they really are good, and safe, and worthy of adoption. Otherwise they are just “snake oil” like so much else in the sales industry. If I see that, then no, I won’t offer advice on improvement because that is consulting for free, not contributing to an honorable open source effort. I hope that answers the question, because I’m not naming names here (for or against).

  9. Miriam Says:

    I’m not a PHP professional, but my gut always tells me it’s better to hard code whatever is possible than to rely on plugins. I figured that plugins put too much of a strain on the system, but what you describe above is way more serious than just extra stress. Thanks for this useful post!

    @Miriam: the plugin architecture is designed to preserve the upgrade path for WordPress, so it is usually wise to use a plugin vs. hacking the core code. That way you can upgrade WordPress without it breaking. Of course hands-on management of a small number of core hacks is fine, provided you are responsible for maintaining them. I agree however, that stacking a collection of third-party plugins together is not a great idea. I recommend you use a select set of plugins, which you check if possible, and hesitate to add new ones until you have some sense of their quality. We have to take risks as this is the Internet frontier, but we shouldn’t be foolish.

  10. Joost de Valk Says:

    @john: understand your feelings… I’ve seen too many plugins that do stupid stuff too, some even with options in the backend “include hidden link to theme author” (yes, that’s REALLY what it said)

    Anyways, I’m not making any money off of my free plugins, and am open to any form of critique on them, I hope others will help me make them better.

    @joost: That option is the disclaimer. Set ON by default, the user is now responsible for being aware, and turning it off if they don’t like it. That is better than others, and closer to where everyone needs to go. It’s sad, really, because there are examples of properly done embedded backlinks that continue to earn support… in the millions of backlinks range, without appearing scammy in the least.

  11. Karl Says:

    You should simply not trust any code unless the originating source is worthy of trust.

    Furthermore, PHP itself has a particularly bad security record. Certain PHP functions are unsafe, for example allow_url_fopen and allow_url_include. You should always make sure the PHP-settings and your server configuration meet your security requirements. These settings in your web servers config file may help:

    php_admin_value allow_url_fopen 0
    php_admin_value magic_quotes_gpc 1 [* No? See editor’s comment, below – Ed]
    The safe_mode directive can prevent some attacks, but then you can not install themes and plugins from within your browser.

    If you are on a shared host, security simply isn’t going to be as strong as when on a dedicated host. On a shared host, you are also most often exposing the session data.

    John replies:

    @Karl: I think it is not so simple, and I disagree that PHP has a “bad security record”. PHP is a language, and while it is popular for web coding it is also a full command line scripting language. It would be inappropriate to remove functions just because they might be less safe on the public web. The responsibility lies with programmers to properly use PHP, as is the case with any language. Remember PHP was adopted very quickly because it was so simple to understand and powerful on the web, and continued to advance as the web advanced. There is no excuse for professional programmers using PHP irresponsibly. There is plenty of reason for non-professional programmers to code the web… that’s how innovation happens. The risk management lies with the business owner or web site publisher, and should be addressed in the economic transactions of web development just like everything else.

    As for your suggestion to turn on Magic Quotes, I disagree completely. MagicQuotes was once a good idea to help protect databases, but is now a bad idea and we have much better practices to protect databases without the mess that comes out of Magic Quotes and addslashes (use the database’s native functions instead of addslashes, for better portability and because they will protect against newlines and other things addslashes permits).

    This is a good example of how PHP coding practices matter. MagicQuotes was under hot debate for years, and targeted for deprecation a long time ago (meaning it was scheduled for removal from the language). It is officially deprecated for PHP 6 (it takes that long to allow existing code to get updated). You can read about it here.
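The mess described in the two comments above, as an added example (not code from this post or from any plugin): what a PHP 5 era plugin had to do when it could not know whether magic_quotes_gpc was on, and why the driver’s escape function rather than addslashes() is the right tool. It assumes the old mysql extension and an open connection handle `$db`; the posted value and the function names are constructed.

```php
<?php
// Added example, not from the post or any plugin: the mess Magic Quotes makes
// for a plugin, and the PHP 5 era way around it. Assumes the mysql extension
// and an open connection handle $db; the posted value below is constructed.

// With magic_quotes_gpc=1, PHP runs addslashes() on every GET/POST/COOKIE value
// before the plugin sees it. A plugin that escapes again stores doubled
// backslashes; one that assumes it and skips escaping is open on hosts where
// the setting is 0. Step one is to undo it so the code behaves the same everywhere.
function plugin_raw_input($value) {
    if (!get_magic_quotes_gpc()) {
        return $value;
    }
    return is_array($value) ? array_map('plugin_raw_input', $value) : stripslashes($value);
}

// Step two: quote with the driver's function, not addslashes(). addslashes()
// leaves newline, carriage return and the MySQL EOF byte (0x1a) alone, and
// knows nothing about the connection's character set; the driver handles both.
function plugin_sql_string($db, $value) {
    return "'" . mysql_real_escape_string(plugin_raw_input($value), $db) . "'";
}

// Constructed settings-form input carrying a quote and a newline, as $_POST
// would deliver it before any slashes are added.
$posted_title = "O'Reilly\nNews";
$sql = "UPDATE wp_options SET option_value = " . plugin_sql_string($db, $posted_title)
     . " WHERE option_name = 'seo_site_title'";
```

A plugin that leaves out step one writes `O\'Reilly` into the database on a magic-quotes host, which is exactly the kind of quietly accumulating bad data the post describes.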

  12. Reynder Says:

    Isn’t this the problem with every WordPress plugin? Why now all the fuss about SEO plugins? People should always be aware of free stuff.

  13. Santaluz Says:

    If you are a newbie, how do you know? Are there developers that I can have check plugins? What about support for plugins when WP upgrades?

    @Santaluz: Exactly. Like any other IT project, WordPress is only as good as it is: when you deploy it, you assume responsibility for responsible use. Plug-ins often break when WordPress upgrades, and even when they don’t they may need significant revision in order to “catch up” with security fixes or improvements or advances. I can’t expect plug-in authors to keep up 100%, but I do want the authors of plug-ins I use to be one release behind at most, and hopefully even just 6 months behind. As for checking plug-ins, any security audit will include plug-ins. We are really young in this corner of the industry, so maybe the first step is awareness.

  14. Taylor Says:

    I couldn’t agree more with you. I’m running into this predicament myself now that it’s time for me to choose some plugins to help facilitate some simple features to boost search engine friendliness. However, this problem extends far beyond WordPress – and is inherent in most CMSs that allow for plugin support and boast heightened SEO presence (especially Drupal). I think a lot of the functions the SEO plugins provide can be achieved with mod_rewrite, robots.txt, and a little TLC. But what about other things like titles and meta tags? You’ve inspired me to research this topic myself, and I’ll be blogging about any solutions I find shortly.

  15. Geld lenen Says:

    Maybe a plugin certificate is an idea? A lot of plugins already marked “deadly” ;-)!

  16. Lening Says:

    It’s open source software, a certificate sounds commercial…

  17. One Year Millionaire Says:

    SEO plugins aren’t what they are hyped up to be… but if you aren’t knowledgeable about seo at all then it can help

  18. Lenen zonder toetsing BKR Says:

    Free SEO plugins are not a problem in itself, a problem is they don’t always work on every template and in every situation with widgets etc.

    It would be nice if there was a big directory with approved and extensively tested plugins so people know they are trustworthy. (or is it already there?)

  19. Wordpress SEO Plugin Says:

    WordPress is a great blogging platform and getting it search engine optimized really isn’t a hard task. Using proper permalinks and robots.txt file to prevent duplicate content and a few other methods can really make a difference. The All in One SEO plugin is really the best bet

    @civics: there is sooo much more to it than that. In the SEO world almost every detail can “really make a difference”, especially if you start with a poorly implemented site. Making an improvement is not enough to claim SEO success. The All In One plugin is one way to get started, but if you do start there you have to deal with the limitations that plugin brings. I don’t consider it a “best bet” myself, and I have a lot of experience in SEO and WordPress.

  20. Hypotheek berekenen Says:

    You’ve made a really good point here. But as mentioned above you need to put a lot of time into testing and sometimes rewriting (SEO) plugins for WP. To get the maximum out of WP you need at least 4 to 5 SEO plugins.

  21. kunst kopen Says:

    Yes indeed, I use I think 5 plugins and it all works fine!

  22. Seotips Says:

    Hm, never thought it was a serious problem with WordPress, but from what you are saying it sounds like it may be. I would consider paying a PHP security consultant only if I suspect there are problems with the plugin or if I detected new HTML errors after installing it.

    But thanks for making us aware of the potential risks.

    Tony

  23. Hal Says:

    Excellent post. However, it raises more questions than it answers. I understand, we don’t want to name names. As I search for the fundamental question, should I even use an SEO plugin vs. adding my own keywords etc., I’m not finding a lot of ‘expert’ opinion.

    I’ve been trying to decide whether I should disable the All In One SEO plugin, or not. From what I see so far, particularly with the theme I use (Thesis) it appears to duplicate or simply take words from my content for keywords. This seems to fly in the face of what I’ve read about SEO.

    Thanks for the risk awareness factor. I hadn’t thought much about that.