Plugin Evaluation Criteria

The UBC CMS Support team reviews all plugins that are included as part of the WordPress installation. We do this to ensure that this platform remains a stable, secure and supportable product for the UBC community. The following are the initial criteria we use to evaluate a plugin.

Code Review

  • Are there any pending security bugs in the bug tracker? What are they and how long have they been there?
  • Is it performing sql queries directly? If so, does the module escape user input?
  • How does it handle user input? Is it being escaped? Is user input cleaned before printing it out in a page?
  • Are permissions check in place? Are the checks manual or does the code rely on other core methods?
  • Is the code well documented? Does it follow WordPress coding standards?
  • Is the javascript code and css well structured? Does it follow follow a standard?
  • Does it have readme, install and upgrade files?
  • Does the plugin create or modify existing database tables?
  • Is the license of the plugin GPL?


  • Does this plugin write any file to the disk? if so where are the file stored and how does it handle file deletion in temporary or cache?
  • Does the plugin prevent malware from inserting code inside the WordPress core?
  • Does the plugin create any sort of remote connection to the developer's web server?
  • Does the plugin use forms? Does it use nonces properly?


  • How long has this plugin or 3rd party program been around?
  • How many developers are working on it?
  • Is there a roadmap? What does it look like? What is the release life cycle?
  • What is the average turn around time for critical bugs?
  • How active are the forums or mailing list discussions?
  • Do other programs use or depend on this library?


  • Is there user documentation? Is there documentation for developers?
  • Is a documentation generation system like phpDocumentor used?
  • How quickly do the developers respond to requests?
  • Are newer and older versions of Wordpress supported?
  • What is the learning curve like?
  • Is the module usable through the Wordpress interface or does it require users to work with HTML, CSS, theme changes or other advanced techniques?


  • Does the it conflict with other existing plugins or modules or other updates?


  • Will the module work with Wordpress MU as is, or would some re-write be needed?
  • How complex are patches to apply? (# of classes, files, and db tables affected)
  • What % of our users would benefit from this new module or plugin?
  • Is there a fee to purchase or use the plugin?


  • Does the current setup already provide this service?
  • Is this capability already planned for an upcoming WordPress release or update of a currently supported plugin?

Leave a Reply

You must be logged in to post a comment.