Many developers are used to starting with an out-of-the-box plugin and tailoring it to fit their needs, because standard plugins don’t always have the necessary functionality.
You can control an amazing number of functions with a custom WordPress plugin. You’re only limited by your imagination! However, the most obvious way to customize a plugin – making direct edits to its code – can potentially bring on security vulnerabilities and a host of maintenance issues.
In this post, I’ll discuss why you might want to customize a plugin, some problems to avoid, and how to customize a plugin safely.
Why You Might Want to Customize a Plugin
Most plugin developers aim to satisfy the needs of a general user. However, a user may want custom functionality that isn’t part of the plugin and doesn’t necessarily belong in a theme.
According to developer Justin Tadlock, in terms of plugin customization, you might want to:
- Add new functionality – perhaps to an existing SEO or comments plugin.
- Change or remove functionality – say for an out-of-the-box post type plugin.
- Filter out certain functionalities – leaving others, perhaps, in a taxonomy plugin.
Common Problems with “Forked” Plugins
Your first thought may be to dive right in and start hacking or forking the plugin. After all, the plugin is free and open source, and the ability to customize open-source software is one of its biggest assets.
However, your modifications could have unintended consequences. You could introduce security vulnerabilities to your site. This even happens to professional plugins.
In order not to lose your changes, you might forgo regular developer updates, which could include patches to known security issues, not to mention new features and functionalities.
Beyond security issues, you’ll have more maintenance issues with a forked plugin. The developer’s updates will overwrite your customization, so you won’t be able to update without adding your custom code back into the updated file.
If you’re forking a plugin for use in a client site, maintenance could become quite laborious. Clients could even break the functionality of their site by choosing to install a recommended plugin update.
However, the issues that come up with forked plugins don’t necessarily take away from your need for added site functionality.
Options for Safely and Securely Customizing a Plugin
A better idea is to leave as much of the plugin alone as possible, and use other methods to control the plugin in the way you desire. As Jeff Chandler points out, this approach extends the developer mantra – never edit core WordPress files – to plugin files.
Instead of adding your functionality directly to the plugin, you could:
- Contact the developer about your requested features.
- Create a new plugin that works alongside the out-of-the-box plugin.
- Rely on hooks and callbacks to get the functionality you need.
Web developer Ian Dunn gives an overview of all these possibilities in a post about doing customization the right way. In the rest of this post, I’ll talk about the benefits, drawbacks, and best use cases for each.
Your first step should be to contact the plugin’s developer. This could be less work for you if he or she agrees to build your requested changes into the next update. It could be that the developer is already mulling over your changes for a future update; your request could be the confirmation they need to hear in order to make it a priority.
On the other hand, the developer may be less enthusiastic. He or she could see a different direction for the development of the plugin that conflicts with your changes. Another thing to consider: if you’re asking the plugin creator for custom work, it could cost you.
If you prefer to skip this conversation, you could always offer to write the changes yourself for inclusion in the core plugin. Dunn points out this is often a win/win for you and other plugin users.
The benefit: the biggest plus to this approach, of course, is the future support your functionality will enjoy. Future updates will include your changes, meaning your work will become part of the canonical plugin’s core.
The drawbacks: you could end up paying the developer for your changes. There’s also the chance of hearing a “no” to collaborating on your modifications from the developer.
Creating Your Own Custom WordPress Plugin
If you just need to add functionality, one of the easiest methods can be to create your own custom WordPress plugin. This is the best solution if you don’t need to alter or remove any functionality from the out-of-the-box plugin, but just add to it. Your plugin will run alongside the out-of-the-box plugin, extending its functionality without altering it.
The benefit: with this approach, the developer’s plugin can still be updated with security patches and new features without your changes being lost or open to vulnerabilities.
The drawback: this method can only be used for add-ons – it can’t modify or filter out functionality in the original plugin. With client users, there is also the risk of the client disabling your custom plugin, thus removing the functionality it added (although Justin Tadlock has found a smart way to prevent that scenario).
Using Custom Hooks
If you need to make changes to the functionality of the plugin or remove a particular function, Dunn points out that you can use custom hooks to do so (assuming the developer included custom hooks in their code). Using custom hooks will allow a new plugin, written by you, to customize the functionality of the out-of-the-box plugin.
The benefit: you still haven’t altered the original plugin, but you have gained significant control over its functionality. You’ll still be able to apply updates to the original plugin.
The drawbacks: you’ll still have to create a companion plugin that controls the functionality of the original. You also need the original plugin to include custom hooks so that the method will work, and not all do.
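A companion plugin built this way might look like the following. This is an added example, not code from the original post or from any real plugin: the "Acme Gallery" plugin, its hook names `acme_gallery_caption` and `acme_gallery_features`, and the `_agt_credit` meta key are all hypothetical.

```php
<?php
/**
 * Plugin Name: Acme Gallery Tweaks (companion plugin, added example)
 * Description: Customizes the hypothetical "Acme Gallery" plugin through its hooks only.
 */

// Refuse direct requests to this file outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// ASSUMPTION: the original plugin runs
//   $caption = apply_filters( 'acme_gallery_caption', $caption, $attachment_id );
// The hook name and its arguments are hypothetical.
add_filter( 'acme_gallery_caption', 'agt_append_credit', 10, 2 );

function agt_append_credit( $caption, $attachment_id ) {
	// '_agt_credit' is a hypothetical post meta key filled in by editors.
	$credit = get_post_meta( (int) $attachment_id, '_agt_credit', true );
	if ( ! is_string( $credit ) || '' === $credit ) {
		return $caption; // A filter must always return the value, changed or not.
	}
	// Escape what we add: post meta is user-supplied data.
	return $caption . ' <span class="agt-credit">' . esc_html( $credit ) . '</span>';
}

// ASSUMPTION: the original plugin passes its feature switches through a
// hypothetical 'acme_gallery_features' filter. Turning one off removes that
// functionality without editing the plugin's files.
add_filter( 'acme_gallery_features', 'agt_disable_lightbox' );

function agt_disable_lightbox( $features ) {
	if ( is_array( $features ) ) {
		$features['lightbox'] = false;
	}
	return $features;
}
```

Because the original plugin's files are untouched, its security updates install normally; if an update renames a hook, these callbacks simply stop firing.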
Dunn identifies one further way of customizing the original plugin without touching its code: overriding callbacks. The plugin’s callbacks are its built-in method to integrate with WordPress. In this approach, you remove the out-of-the-box callbacks and insert your own.
The benefits: with this approach you can take advantage of a ‘salad bar’ of functionality. You can also call individual functions you want and leave others untouched.
The drawback: not all plugins play nice with this approach. Some aren’t modular enough for you to be able to call functions you want, without having to also call other functions you don’t need. If you need to call a number of functions, this approach can become laborious.
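The callback swap described above, sketched as an added example (not from the original post or from a real plugin). The callback `acme_gallery_print_badge`, its `wp_footer` registration and the `ago_` names are hypothetical; `has_action()`, `remove_action()` and `add_action()` are the standard WordPress functions.

```php
<?php
/**
 * Plugin Name: Acme Gallery Callback Override (added example)
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// ASSUMPTION: the original plugin registers its own callback like this:
//   add_action( 'wp_footer', 'acme_gallery_print_badge', 20 );
// The function name, hook and priority are hypothetical.

// Run late on 'init' so the original plugin has already registered its callback.
add_action( 'init', 'ago_swap_footer_callback', 99 );

function ago_swap_footer_callback() {
	// has_action() returns the registered priority, or false if the callback is not hooked.
	$priority = has_action( 'wp_footer', 'acme_gallery_print_badge' );
	if ( false === $priority ) {
		return; // Plugin inactive or callback renamed by an update: change nothing.
	}
	// remove_action() only matches when the priority equals the one used at registration.
	if ( remove_action( 'wp_footer', 'acme_gallery_print_badge', $priority ) ) {
		add_action( 'wp_footer', 'ago_print_badge', $priority );
	}
}

function ago_print_badge() {
	// Replacement behaviour: show the badge to logged-out visitors only.
	if ( is_user_logged_in() ) {
		return;
	}
	printf(
		'<p class="ago-badge"><a href="%s">%s</a></p>',
		esc_url( home_url( '/gallery/' ) ),
		esc_html__( 'Browse the gallery', 'ago' )
	);
}
```

The replacement is registered only when the removal succeeds, so a plugin update that changes the callback leaves the original behaviour in place instead of producing duplicate output.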
Adding Custom Hooks
If the callbacks approach becomes too big a task, Dunn notes that you could try adding custom hooks to the out-of-the-box plugin. This isn’t ideal because you are in fact modifying the plugin, but the edits will be minimal.
Your changes will primarily go into your own custom-built plugin. Your edits to the out-of-the-box plugin will grant your plugin custom access to its functions through the added custom hooks.
The benefits: this approach lets you take advantage of that custom functionality without putting all your edits directly into the plugin. Adding custom hooks is a fairly standard edit and shouldn’t cause any new security issues.
The drawback: this method could take a little extra maintenance on your part. You’ll need to manually patch your custom hooks back into each new release. However, Dunn suggests sending your custom hooks to the developer to include in future releases. If the developer does this, you won’t have the extra maintenance.
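What such a minimal edit can look like, as an added example rather than code from the original post: the function below stands in for a hypothetical original plugin, and only the two lines marked ADDED are the patch. The hook names `acme_gallery_pre_save_caption` and `acme_gallery_caption_saved` are assumptions.

```php
<?php
// Constructed stand-in for a function inside the hypothetical original plugin.
// Only the lines marked ADDED are the custom-hook patch.

function acme_gallery_save_caption( $attachment_id, $raw_caption ) {
	// The plugin's existing permission check stays first and untouched.
	if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
		return false;
	}

	// ADDED: let a companion plugin adjust the caption before it is stored.
	$raw_caption = apply_filters( 'acme_gallery_pre_save_caption', $raw_caption, $attachment_id );

	// The hook sits before the plugin's own sanitization, so whatever a
	// callback returns is still cleaned by the original code path.
	$caption = sanitize_text_field( (string) $raw_caption );
	$saved   = update_post_meta( $attachment_id, '_acme_caption', $caption );

	// ADDED: notify companion plugins once the sanitized value is stored.
	do_action( 'acme_gallery_caption_saved', $attachment_id, $caption );

	return (bool) $saved;
}
```

Keeping the patch to single `apply_filters()` and `do_action()` lines placed after the capability check and before sanitization makes it easy to re-apply to each release and to submit upstream.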
An out-of-the-box plugin – even if it’s not perfect – can be a great jumping-off point to build the extra functionality you need.
However, you don’t want to create a maintenance hassle or security issue, so avoid altering the code of the out-of-the-box plugin as much as possible. Try collaborating with the plugin developer, create your own custom WordPress plugin, or use custom hooks and callbacks to gain your custom functionality.
With this article, the correct choice for you should be clear. However, if you have any questions or suggestions, please don’t hesitate to reach out via the comments section below!