The UBC CMS Support team reviews all plugins that are included as part of the WordPress installation. We do this to ensure that this platform remains a stable, secure and supportable product for the UBC community. The following are the initial criteria we use to evaluate a plugin.
- Are there any pending security bugs in the bug tracker? What are they and how long have they been there?
- Is it performing sql queries directly? If so, does the module escape user input?
- How does it handle user input? Is it being escaped? Is user input cleaned before printing it out in a page?
- Are permissions check in place? Are the checks manual or does the code rely on other core methods?
- Is the code well documented? Does it follow WordPress coding standards?
- Does it have readme, install and upgrade files?
- Does the plugin create or modify existing database tables?
- Is the license of the plugin GPL?
- Does this plugin write any file to the disk? if so where are the file stored and how does it handle file deletion in temporary or cache?
- Does the plugin prevent malware from inserting code inside the WordPress core?
- Does the plugin create any sort of remote connection to the developer's web server?
- Does the plugin use forms? Does it use nonces properly?
- How long has this plugin or 3rd party program been around?
- How many developers are working on it?
- Is there a roadmap? What does it look like? What is the release life cycle?
- What is the average turn around time for critical bugs?
- How active are the forums or mailing list discussions?
- Do other programs use or depend on this library?
- Is there user documentation? Is there documentation for developers?
- Is a documentation generation system like phpDocumentor used?
- How quickly do the developers respond to requests?
- Are newer and older versions of Wordpress supported?
- What is the learning curve like?
- Is the module usable through the Wordpress interface or does it require users to work with HTML, CSS, theme changes or other advanced techniques?
- Does the it conflict with other existing plugins or modules or other updates?
- Will the module work with Wordpress MU as is, or would some re-write be needed?
- How complex are patches to apply? (# of classes, files, and db tables affected)
- What % of our users would benefit from this new module or plugin?
- Is there a fee to purchase or use the plugin?
- Does the current setup already provide this service?
- Is this capability already planned for an upcoming WordPress release or update of a currently supported plugin?