Snapize

ven the smallest and simplest of WordPress websites needs plugins. Akismet is a must if the site has a blog. A security plugin like Defenderis non-negotiable. And a solid contact form is needed if you intend on collecting leads.

For the most part, though, we know that these commonly used and referenced WordPress plugins are safe. They come with millions of downloads, high ratings, and plugin developers who’ve worked hard to build a positive reputation in the community by creating error-free plugins and providing top-notch support.

But what about everything else? How do you know if that seemingly popular WordPress plugin (that would really do wonders for your site) is safe to use? With plugins, unfortunately, being responsible for a high percentage of security breaches (Wordfence last put that number at 55.9%), it’s kind of scary to think that any decision you make to use one is a dangerous gamble.

What I’d like to do now is talk about how you can tell if a WordPress plugin is safe. Specifically, I’m going to share the 15 warning signs you should pay attention to that will let you know when it’s best to skip downloading one.

15 Warning Signs That a WordPress Plugin Is Unsafe

I always feel bad having to put this advisory out there about WordPress plugins because, really, they’re great. When they’re coded well and properly managed, they can do wonderful things inside of WordPress. But that’s sadly not always the case.

Sometimes you get a plugin that was made by a newbie developer just hoping to make some money, but who didn’t put the right amount of time into coding it. There are also times when you run into a plugin that is coded well, but an errant line of code conflicts with another plugin and tears your whole site down in an instant. And, of course, there’s always the risk of a hacker or fake WordPress developer getting their hands on it.

So, this means you need to be extra vigilant about which ones you let inside–even if the original developer’s intentions were good.

In order to be diligent, you should know how to spot the warning signs of a bad WordPress plugin. First, start by using a system of checks to make sure the plugin is the right one for your site. Then, you can start digging deeper to see if you can spot any of the warning signs.

1. The Plugin Repository Looks Odd

Let’s start with where you’re hunting down these WordPress plugins. For instance, say you were interested in finding a plugin that adds a feature that’s not too commonplace. You do a Google search for the feature (like “gender reveal plugin”) and the top results point you to a number of independent WordPress developer websites that claim to sell a plugin that does just that.

Some warning bells should be going off in your head, in that case. While it doesn’t mean that the source of the plugin can’t be trusted if you get to the site and it looks like it was built in the early ‘00s and there’s no way to contact the developer except through an email address at AOL… well, that’s a huge red flag.

In general, always look for WordPress plugins that come from reputable sources. Start with:

• The WordPress plugins repository
• Plugin marketplaces like CodeCanyon
• WordPress plugin developer sites like WPMU DEV

If you start there, you’ll greatly reduce the chances of running into a bad apple on your travels.

2. A Tarnished Developer Reputation

Next, look at the plugin developer’s reputation. You don’t necessarily need to know who the person is, where they live, what their educational background is, or anything like that (unless you’re curious). What you’re looking for here are red flags that tip you off to something not being right.

Here are some of the warning signs:

• They are a brand new owner of the plugin and have no prior history as a developer, which might mean they purchased a somewhat popular plugin to use it as a vehicle to inject malicious code into websites.
• A Google search of their name doesn’t pull up any results. Not even their own WordPress website.
• Or, a Google search of their name does yield results, but you see things like, “Don’t trust [developer name]” or “[Developer name] is a fraud.”
• Clicking on their name in the WordPress repository or CodeCanyon marketplace pulls up a website that is seriously outdated and throwing up red flags of its own.

The nice thing about the CodeCanyon marketplace is that it provides statuses and awards for plugin authors based on sales, achievements, and ratings. So, if you’re really worried about who the person or team is behind the plugin, you can look there for validation.

3. The Plugin Is Deemed Unsafe

Of course, you also should look into the reputation of the WordPress plugin itself. Like I said earlier, sometimes the developer didn’t even mean to introduce bad code into the plugin or they were just too new to know any better. So, even if they have a squeaky-clean image, the plugin might not.

There are a number of elements you can check that will help you verify the safety of a WordPress plugin, but for this one, I want to focus on explicit mentions that a plugin is not safe for use. This means going to Google and searching for words like “unsafe,” “hacked,” and “compromised” in conjunction with the name of the plugin. If you see any results that provide proof of safety concerns, walk away.

4. The Code Looks Suspicious

This one might not be the easiest to verify since not everyone knows how to write code for a plugin. However, if you’re familiar enough with what the file structure and directives look like, you can at least check to make sure all the essentials are in place.

You can use the WordPress Codex guide to Writing a Plugin to do this. Remove the required code from the file and focus just on what remains. If anything looks suspicious, get out of there and find a new plugin.

5. Not Enough Downloads

In WordPress, you will be able to see the number of active installations:

This is great since you’re not just seeing how many people may have downloaded and later removed the plugin. It’s the number of websites that currently have it installed, which is a good indicator of trustworthiness.

Plugin marketplaces include numbers like total sales, which are good too, though you’ll have to rely on other data to confirm that they really mean anything:

In general, I would suggest avoiding WordPress plugins with less than 1,000 downloads. Really, you should want a higher number than that (probably more like 5,000), but sometimes that’s not possible if it’s a brand new feature that hasn’t caught on yet or a plugin that handles something not commonly used.

6. Incompatible with the Latest WordPress Version

When scoping out WordPress plugins in the repository, there are two statistics you will want to look at as it pertains to the WordPress version:

The “Requires WordPress Version” will let you know how far back your WordPress version can go in order to work properly with the plugin. That said, you really should never be letting your site run on an old version of WordPress.

“Tested up to” is the other field to look at here. This one will tell you if it’s compatible with the latest and greatest core update. If it’s not, but the last WordPress update recently went out in the last couple of days, give it a couple more. If the plugin hasn’t updated to the latest version by then, skip it.

And, if you see this message, run:

7. Not Updated Recently or Frequently Enough

It’s not just important that a WordPress plugin has been updated recently. It also needs to be updated frequently.

In both WordPress and plugin marketplaces, you can find out how long it’s been since the last update. Anything older than three months really shouldn’t be used. That said, there are some plugins that are highly simplistic in nature and may not need much change with each new core release. So, three months is ideal, but one year should be the breaking point.

8. The Ratings Aren’t Great

Ratings and reviews are really important in this day and age. Think of websites like Yelp or TripAdvisor that can instantly turn you off to a restaurant simply by showing you anything less than a four-star rating. The same happens with WordPress plugins and rightfully so:

You can’t tell me that this abysmal plugin rating doesn’t make you instantly want to hit the back button. Even if poor ratings came from a time when the plugin was new and still in progress, that’s still not a very good reflection on the developer or the tool.

However, let’s say you see the poor ratings, but you just can’t believe that they’re a valid warning sign since you’ve heard so many people talk positively about the plugin. That’s when you need to turn to the reviews people left alongside the ratings.

What you’re looking for here, specifically, are the dates that the bad ratings were left (as well as what was said). If you should find that all bad ratings occurred prior to 2015 and it looks as though everyone is really impressed with the latest iteration, the plugin may be worth installing. It may also be that the developer found a bunch of people to plant positive reviews, too. So watch out for a lot of entries that just say “Good” or “Great plugin”. The WordPress community is usually more descriptive in their feedback.

One other thing to consider here is how the plugin owner responds to negative reviews. WordPress is slow to remove negative comments because they believe “the way you react to those poor experiences [comments] is going to impact your reputation, and that of your plugin, a heck of a lot more than that review.”  That’s why it’s important to not only check what a reviewer says, but also the authors response. Did they offer to investigate and fix a fringe issue? Were they willing/able to provide a patch? Was the bad review actually the result of misuse, user error or a conflict out of the authors control?

Of course, if you see any reviews or comments that mention security concerns, walk away. That is non-negotiable.

9. Support Is Non-Existent

Even though you are a WordPress developer and have a good handle on troubleshooting within the CMS, you shouldn’t have to figure out why your plugin won’t install, doesn’t work as promised, or has caused the white screen of death. When security is a primary concern, support needs to be there.

So, it’s really nice that we have this information easily at our disposal to peruse in WordPress. There are three things I would look for with this:

1. Look at the percentage rate at which they actually respond to support requests.
2. Read through some of the developer’s responses to make sure they’re actually helpful.
3. Scan through the response dates. If the developer hasn’t provided any support responses (or even comment responses) in the last three months, that’s not a good sign.

If support matters to you, don’t let this one go unnoticed.

10. There’s No Documentation

For some WordPress plugins, it might not make sense to write up a bunch of documentation on how to install or configure it. Screenshots might not be needed either if it’s a set-it-and-forget-it kind of plugin (like Akismet).

However, for plugins that require some work to get them moving or that tackle a highly technical function or feature, there need to be screenshots at the very least as well as documentation in case you have questions about it. If none are available, verify that it’s not tucked away somewhere on the website. And if you’re still at a loss, don’t download it. It’s the same as getting no support from the developer.

10. It’s Too Big

Performance is incredibly important in WordPress, so you should make conscious decisions about what you put inside of it that could adversely affect its speed and, consequently, security. Slow WordPress plugins are a problem, but sometimes it’s just because of how bloated they are in size.

When dealing in free WordPress plugins, I’d advise you to download them to your desktop (rather than directly into your WordPress). Take a look at the file size. Can your server reasonably hold this with everything else that’s already on there? If not, find something else.

11. It Doesn’t Play Well with Others

WordPress plugin conflicts can occur for a variety of reasons. Sometimes they conflict with other plugins and sometimes it’s a theme or the WordPress core itself they just don’t play well with.

Again, do your research before you install the plugin to your site. See if the user comments say anything about known conflicts in WordPress. Google should be able to tell you the same.

If you’re feeling confident enough that the plugin won’t cause your site harm, I’d still recommend installing it on a testing sub-site. Just to be on the safe side. Having to deal with bringing your site back up online or fixing a broken feature on the site just isn’t worth your time if you can verify the safety of the plugin that way.

12. The WPScan Website Says It’s a Problem

The WPScan Vulnerability Database keeps a log of all known vulnerabilities (with corresponding dates) of WordPress plugins.

You can use the search function to locate the specific plugin you’re interested in using on your site. This will instantly clear its name of any wrongdoing. I would also recommend signing up for email alerts. That way, if it (or any of your other plugins) should show up on the vulnerability list, you won’t have to actively dig around for that information.

13. Your Web Host Says It’s Disallowed

Did you know that web hosting companies will sometimes keep a list of disallowed or banned plugins? Usually, these have to do with plugins that overlap with the functionality they provide to users (like caching plugins), but that’s not always the case. Sometimes they will outright ban a plugin with known security issues.

Here are some examples of disallowed plugin lists:

• FlyWheel
• GoDaddy
• Kinsta
• Pagely
• WPEngine

14. Your Favorite Blog Says They’re No Good

Actually, with this one, it doesn’t even need to be that your favorite WordPress security blog says that the WordPress plugin is unsafe or no good. If the blog flat-out never mentions them as a trusted or secure plugin, then why bother using it? You trust these guys enough to read their articles on a regular basis, so you should have faith they’ll steer you in the right direction.

15. Your Checkup Tool Indicates There Are Problems

Finally, look at what your checkup tool says (if you’re not using WP Checkupyet… what’s going on?) Yes, this will require you to actually install the plugin on your site. However, it will let you know if there’s anything suspicious going on with it.

Just remember to run the checker before installation so you have a baseline to compare it against. If the tool throws any new security warnings after installation, you know what caused the problem. Delete the plugin and all its files immediately. And never look back.

Wrapping Up

A WordPress plugin can go sour in so many different ways, so you need to do your due diligence before you entrust any of them to your site. Then, you must keep on reviewing them to make sure they don’t go off the rails while you’re not looking. If you spot any of these 15 warning signs, skip downloading that new plugin.

General best practices for web design are all over the web, but applying those rules to real WordPress sites you’re building is something else entirely. That’s why I tend to write about how to design WordPress sites for different audiences–like designing for global versus local customers, or designing for users based on age. The one-size-fits-all approach doesn’t work in web design.

Of course, best practices are established as the “best” for a reason, so I’m not saying we should stop adhering to them. Instead, I think that, with best practices laid down as a baseline, we should then customize our web design approach based on the audience. One way to do this is by industry segmentation. Another is to break it down by business-to-business (B2B) or business-to-consumer (B2C) sales and marketing.

In the following roundup, I’ve compiled a number of comparisons between B2B and B2C websites and established the key factors that influence those differences. Even if you choose not to specialize in designing for one or the other, this guide will be helpful in defining rules you can abide by when building sites for any buyer type.

7 Key Differences Between B2B and B2C Websites

Before we dig into the differences between B2B and B2C websites, let’s first acknowledge what the two have in common:

• Responsive design
• Clear language
• Intuitive and simplified navigation
• Performance optimization
• Web security

Obviously, your process isn’t going to differ too much in terms of project phases, milestones, wireframing and prototyping, QA, and so on. The framework of your process shouldn’t need to change. The differences then are more in how you approach designing various elements for a B2B or B2C website. So, if you’re nervous that this was going to call for a total revamp of your workflow, don’t be. We’re more talking about mindset and design application than anything else.

With that, let’s get down to it: the 7 key differences between B2B and B2C websites.

1. The Buyer

These are the people responsible for both the decision-making and the purchase.

B2B
With B2B websites, you’ll most likely have to wait on a number of individuals to assess the product or service and come to a decision. Studies done by the Nielsen Norman Group break these decision makers down into two types, which, as you might expect, greatly complicates things.

As NNG explains:

“Our studies revealed that there was typically a lot of dialogue and discussion between decision makers (known as ‘choosers’) and key staff that actually use the products (‘users’) during the purchase process. Frequently, a potential ‘user’ would become the main researcher, and would later present options to decision makers. Once this ‘user’ decided on a favorite product, he often became a proxy or surrogate for that product, seeking ways to justify it to his boss (the ‘chooser’).”

Make note of the word “researcher” in that description. Their decision-making process can realistically take days, weeks, or even months to come to fruition. As a result, B2B websites typically aren’t superficial hubs that quickly sell merchandise or services. Instead, they need to be robust portals full of descriptions, specifications, and research to help the buyer come to a decision.

B2C
There’s a huge difference between the CEO mulling the decision to purchase a new and very expensive CRM for a team of 20 and a mom-of-four looking for a quick replacement for an appliance that broke in her home. One is going to have an entire team behind them that needs to weigh in and, the other… well, they are going to pull the trigger on their own (most of the time).

B2C buyers will still want to research the product or service, but the turnaround is significantly quicker. They’re probably on your website because they have an urgent need to fill and want an instant solution, so, when designing these websites, there’s really no time to waste.

2. Purpose

Understanding the motive behind the purchase will help you craft a website that appeals to those needs or goals:

B2B
B2B websites aim to solve real (and usually costly) problems for businesses. In order to sell decision-makers on the validity of the solution and the promise of an ROI, these websites need to thoroughly explain:

• What the solution is
• How exactly it works
• What it does in respect to the buyer’s pain

There’s no point in trying to rush anyone into making a gut decision either. Focus on the benefits and drill it home from every angle possible.

Zoom, for instance, doesn’t just say, “We make business communications better!”

Instead, it focuses on the practical applications of its video and web conferencing platform. Each part of its solution also receives a dedicated page and informational video that explains what businesses stand to gain from it.

B2C
Consumers are much easier to appeal to in terms of emotions. Because many of them have arrived at this decision in order to fulfill an urgent need or to find a great deal, emotional branding is much more effective.

This is why you’ll see more done to increase the sense of urgency and appeal to a need to fill a void on these websites.

Here’s an example from Travelzoo:

As you can see, super attractive images are used to appeal to consumers’ senses. There is also a strong focus on the need to get away and to do so now while there are great rates on it.

3. Design

Design is a pretty broad term, but, for the purposes of this point, I’m using it to explain the general aesthetic and vibe of a website.

B2B
As a WordPress writer, most of the B2B companies I engage with are SaaS companies with solutions that help me run my business better. I’m going to guess your experience is similar. As such, we’re well aware of the style used to design these kinds of websites:

• Minimal design
• Safe choices when it comes to typography and imagery
• Bold swatches of color, though usually color choice isn’t too outlandish

Overall, B2B websites present a mostly buttoned-up image. And you can often tell what kinds of businesses they target based on the design. For example, look at a web hosting company like GreenGeeks.

Its website is, for the most part, conservatively designed. However, the top banner with the black background and use of bright green text stands out. They’re clearly trying to attract a very specific type of eco-conscious (and perhaps intense?) buyer.

B2C
There will be cases where a conservative brand appeals to a consumer audience and will design its website much like a B2B company would. But I’d say, in general, B2C websites tend to have a lot more fun with design, so long as it aligns with the brand’s overall look.

• Large, eye-catching imagery is almost always present (with minimal text laid atop or around it).
• Typography, spacing, and layout can break rules so long as readability isn’t compromised.
• Color and movement play a huge role in directing visitors to where they should go (that whole sense of urgency thing again).

One of my favorite examples of this is the YOTEL website.

The website is littered with shades of purple while all-capped headers tell visitors exactly what they need to know.

4. Content

The way the content is written for the website will greatly differ between B2B and B2C websites, too.

B2B
When writing content for a B2B website, you have to be careful as you’re speaking to a mixed audience. And it’s not just the differences between user and chooser either.

If the website caters to different industries, you need to write content that is generic enough and free of jargon that it could speak to any decision-maker (which is tough). Conversely, you could write content that speaks to users in different segments; however, this requires building out dedicated pages for each.

Rather than talk to all business owners about their communication pains and vaguely explain how G Suite can relieve them, it has anticipated who its audience is and created pages that explain the benefits for each.

B2C
On the other hand, B2C websites can make content be as simple as possible. Really, it depends on what the solution is and how easy it is to explain and sell to a customer.

With something as simple as Grammarly, there isn’t much to it:

In fact, the top header does a pretty good job explaining and showing how the tool works.

5. CTAs

Without the call-to-action button, it’ll be difficult to guide your visitors to conversion. But conversion looks different on these two kinds of websites.

B2B
Because the decision to buy doesn’t happen instantaneously with B2B customers, these kinds of websites should use a variety of CTAs. This way, you can reach prospects at different points in their journey, whether they’re first learning about the product, conducting deeper research, exploring pricing options, reaching out to schedule a demo, and so on.

B2B websites need to give a variety of options to educate and make contact, and you can do this by using a robust system of CTAs as Syscodoes:

Aside from the home page, it’s okay if CTAs are placed lower on the page. That is, so long as they appear directly after a relevant and educational section that helps educate the visitor.

B2C
On B2C websites, there’s no time to waste. Consumers know what they need, they’ve located it, they’ve confirmed that they can trust it, and they’re ready to buy. Don’t give them a maze of CTAs and pages to work their way through.

Let them take action immediately as premiere retailers like Zappos do:

Then, continue to use strongly-colored and above-the-fold-placed CTAs to direct the visitor through checkout and to the sale:

6. Contact Forms

On a related note, the way in which you design contact forms depends on how quickly the end user anticipates getting through the conversion process.

B2B
In general, there is a lot more information to collect in B2B communications. There are also different reasons why you would want to collect information, which means you need to build a variety of contact forms to fulfill those purposes.

Whereas the rule “only include fields you need” still applies, there is a lot more you have to ask from them. And you know what? These users will be okay with it. They want you to take the time to understand their needs and properly evaluate their queries.

Here is an example from Ironpaper.

Because their agency handles different kinds of marketing and design, it makes sense that they’d ask prospects to explain their needs and send over a link to their website for pre-assessment.

B2C
On B2C websites, there are different opportunities to collect information from visitors, but your goal should always be to ask the bare minimum as Ulta does here:

While it would be nice to ask what kinds of cosmetics or skincare the subscriber is interested in (for personalization purposes), now is not the time to pester them. Allow users to manage their own subscriber account, set their communication preferences, and choose how they want it personalized, so you can keep contact form intake quick.

7. Social Proof

There’s no doubt about it: social proof goes a long way in building trust and sealing the deal with conversions. It’s just handled differently between the two.

B2B
Because the lifecycle of the decision-making process is so much longer, a B2B website should include as much social proof as possible. For instance:

• Client testimonials (for services)
• Customer reviews and ratings (for products)
• High-profile company logos (of previous clients or current partners)
• Case studies
• Comparison tables pitting your product against the competition’s
• Awards and other recognition
• Blog and press
• White papers and other original research you’ve penned
• Social media links
• Pricing table callouts that indicate popularity of products or services

Dropbox Business uses logos from extremely well-known companies as proof of the power of its solution.

Find your unique and impressive social proof and capitalize on it.

B2C
With consumers, this is simple: include real customer ratings and reviews. Collect your own. Pull them in from Google. Allow another third-party (like ThemeForest or Amazon) to aggregate them. Do whatever you have to do to get real feedback from customers and let prospects use their words to sway them as See’s Candies does:

Not only that, they also include social share links, so current customers can share the love.

Wrapping Up

While you may encounter other ways in which B2B and B2C websites differ (like in how they deliver support or handle content marketing), those aren’t things to concern yourself with now. Get yourself into the B2B or B2C mindset and, then, focus on the essential elements influenced by the needs of your target audience so you can more effectively plan your WordPress website projects.