
August 4, 2025 · 4 min read

How to evaluate a plugin or theme before installing it


Most of the compromised or slowed-down WordPress sites we end up fixing have a common point of origin: a plugin or theme installed without evaluating it. Every extension you add is someone else's code running on your site, with the same permissions as everything else. Evaluating a plugin or theme before installing it takes ten minutes; removing the consequences of a bad choice can take weeks.

The signals to check before installing

Before even looking at the features, look at the vitality of the project. On the plugin's page in the official repository, or on the marketplace for paid products, you'll find almost everything you need:

  • date of the last update: an extension that hasn't moved in a long time is a risk, because vulnerabilities discovered in the meantime stay open;
  • declared compatibility with the WordPress and PHP versions you use;
  • active installations: not a guarantee of quality, but a broad user base means problems surface and get reported quickly;
  • recent reviews, not just the historical average: a plugin that was excellent for years can deteriorate after a change of ownership;
  • who develops it: a company with multiple products and a well-kept site inspires more confidence than a profile with no history.

None of these signals is enough on its own. It's the combination that tells you whether there's a maintained project behind it or abandoned work.

The changelog says more than the sales page

The presentation page is marketing; the changelog is the project's true history. Reading the notes of the latest versions tells you how often a release comes out, whether security fixes are disclosed and handled seriously, and whether development is active or limited to cosmetic touch-ups.

Be wary of empty or generic changelogs. A healthy project documents what changes, because it knows its users update sites in production. This counts double for themes: a theme that hasn't published updates in a while is probably accumulating incompatibilities with plugins and with new versions of WordPress.

Support and documentation

Sooner or later something will go wrong, and at that moment what matters is who's on the other side. Two quick checks:

  • open the support forum or ticket system and look at recent requests: do they reply? How fast? Do they resolve or deflect?
  • look for the documentation: if the only thing available to configure the product is a promotional video, every future customization will be a gamble.

For paid products, also verify what the license covers: how many sites, how long you receive updates, what happens if you don't renew. A plugin that stops updating when the license expires is a security deadline written into the contract.

A look at the code (or have someone who can read it do it)

You don't need to be a developer to catch the most glaring signals, but if you run a site that generates revenue, a technical check before installing important components is money well spent. The things we verify when evaluating an extension for a client:

  • how it handles incoming data, because most vulnerabilities stem from unvalidated input;
  • what it loads on the frontend: stylesheets and scripts on every page, even where they're not needed, are the most common way a site becomes slow;
  • what it writes to the database and whether it cleans up after itself on uninstall;
  • whether it requests permissions or external service keys out of proportion to what it does.

A theme deserves extra attention: unlike a plugin, it touches the whole site. Huge multipurpose themes, with dozens of demos and built-in builders, carry the weight of all the features you'll never use.
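The first three items of that review (input handling, frontend assets, uninstall cleanup) can be triaged with a quick static pass before a human reads the code. The scanner below is an added example, not the agency's tooling or a WordPress project: it runs line-oriented heuristics over a constructed, hypothetical plugin source, flagging superglobal reads with no sanitizing call on the same line, assets enqueued with no conditional tag nearby, and the absence of an uninstall hook. The heuristics are assumptions meant to surface candidates for review, not proof of a defect; the permissions and external-keys item stays a manual check.

```python
"""Added example: heuristic triage of a WordPress plugin's PHP source.

These regex checks are assumptions for a first pass; they point a reviewer
at lines worth reading and cannot replace the reading itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a hypothetical plugin, not real code from any project.
SAMPLE_PHP = """\
<?php
/* Plugin Name: Example Widget (constructed sample) */
add_action('wp_enqueue_scripts', 'exw_assets');
function exw_assets() {
    wp_enqueue_style('exw-style', plugins_url('style.css', __FILE__));
    if (is_page('contact')) {
        wp_enqueue_script('exw-form', plugins_url('form.js', __FILE__));
    }
}
function exw_save() {
    $name = $_POST['name'];
    $email = sanitize_email(wp_unslash($_POST['email']));
    update_option('exw_name', $name);
}
"""

# Reads of request data.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Calls that validate, sanitize, unslash or check a nonce on the same line.
SANITIZERS = re.compile(
    r"\b(sanitize_\w+|esc_\w+|absint|intval|wp_unslash|wp_verify_nonce"
    r"|check_admin_referer|check_ajax_referer|filter_input|filter_var)\s*\("
)
# Asset registration and the conditional tags that should usually guard it.
ENQUEUE = re.compile(r"\bwp_enqueue_(script|style)\s*\(")
CONDITIONAL = re.compile(
    r"\b(is_page|is_singular|is_single|is_front_page|is_home|is_admin"
    r"|has_shortcode|is_post_type_archive)\s*\("
)


@dataclass
class Finding:
    line: int        # 1-based source line, 0 for file-level findings
    check: str       # "input", "frontend" or "uninstall"
    detail: str


def scan_php(source: str, lookback: int = 3) -> list[Finding]:
    """Return findings in source order, then file-level findings."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines, start=1):
        if SUPERGLOBAL.search(line) and not SANITIZERS.search(line):
            findings.append(Finding(idx, "input",
                                    "superglobal read with no sanitizer on the same line"))
        if ENQUEUE.search(line):
            # Look at the preceding lines for a conditional tag guarding the enqueue.
            window = "\n".join(lines[max(0, idx - 1 - lookback): idx - 1])
            if not CONDITIONAL.search(window):
                findings.append(Finding(idx, "frontend",
                                        "asset enqueued with no conditional tag nearby"))
    if "register_uninstall_hook" not in source:
        findings.append(Finding(0, "uninstall",
                                "no register_uninstall_hook found; check for uninstall.php too"))
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        where = f"line {f.line}" if f.line else "file"
        print(f"[{f.check}] {where}: {f.detail}")
```

On the sample this reports the unconditional stylesheet, the raw `$_POST['name']` read, and the missing uninstall hook, while the guarded script and the sanitized email pass. A sanitizer on a different line, or a conditional further away than the lookback window, will produce a false positive or a miss; that is acceptable for triage, because the point is to decide which files deserve a careful read before the plugin reaches staging.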

Test everything in staging, decide with numbers

The final word belongs to a trial on a copy of the site, never on the production site. Install in staging and verify three things: that the promised feature works with your real content, that the main pages haven't gotten heavier (a speed test before and after installation removes all doubt), and that there are no conflicts with the plugins already in place, especially caching and security.

One last good habit: every six months, review the list of installed extensions and deactivate what you no longer use. Every plugin removed is less attack surface and one less update to keep track of.

This selection process is one of the reasons the websites and eCommerce sites we deliver run few extensions, each chosen with these criteria: maintenance over the years costs less, and the surprises can be counted on one hand.

Want an opinion before installing?

If you're about to add an important plugin to your site, or if the site is already full of extensions and you no longer know which ones you need, we can take stock together. We build and maintain websites and eCommerce with a selected, documented plugin stack. Book a free call and bring us your list: we'll tell you what we'd keep and what we wouldn't.
