Plugin - WordPress Glossary

A plugin is a piece of software you install on your WordPress site to add functionality that doesn’t exist out of the box. Contact forms, SEO tools, ecommerce storefronts, backup systems — all plugins. Think of WordPress as the foundation of a house, and plugins as the appliances and fixtures you install to make it livable.

WordPress ships intentionally minimal. The core handles content management, user accounts, and basic publishing. Everything else is meant to come from plugins. That’s not a limitation — it’s the architecture working as designed.

How It Works

A plugin is a PHP file (or collection of files) stored in the wp-content/plugins/ directory. At minimum, a plugin needs a single PHP file with a header comment that tells WordPress what it is:

<?php
/**
 * Plugin Name: My Custom Plugin
 * Description: Adds a custom greeting shortcode.
 * Version: 1.0
 * Author: Elena Rodriguez
 */

function wpschool_greeting_shortcode( $atts ) {
 $atts = shortcode_atts( array(
 'name' => 'friend',
 ), $atts );

 return '<p>Hey there, '. Esc_html( $atts['name'] ). '!</p>';
}
add_shortcode( 'greeting', 'wpschool_greeting_shortcode' );

Drop that file into wp-content/plugins/my-custom-plugin.php, activate it from Plugins > Installed Plugins in your dashboard, and you’ve got a working [greeting name="Reader"] shortcode.

WordPress loads active plugins on every page request. The add_shortcode, add_action, and add_filter functions are how plugins hook into WordPress without touching core files. This hook system is the backbone of the entire plugin ecosystem.

You install most plugins through Plugins > Add New in your dashboard, which pulls from the WordPress.org plugin directory — currently home to over 60,000 free plugins. Premium plugins from third-party vendors are uploaded as .zip files through the same screen.

Common Use Cases

Contact forms. Nearly every business site needs one. WPForms is the go-to for most WPSchool readers — drag-and-drop builder, spam protection built in, and templates that save you from starting blank. Install the plugin, drop a shortcode or block into a page, done.

SEO optimization. WordPress handles basic SEO, but plugins like Rank Math add meta tag control, XML sitemaps, schema markup, and content analysis. The kind of stuff that moves you from page three to page one.

Ecommerce. WooCommerce turns a standard WordPress install into a full online store with product listings, cart, checkout, payment processing, and shipping. It’s a single plugin that spawns an entire ecosystem of its own extensions.

Security hardening. Plugins like Sucuri or MalCare add firewalls, malware scanning, login protection, and activity logging. WordPress core security is solid, but these plugins handle the threats that target the wider ecosystem — vulnerable themes, brute-force attacks, and outdated software.

Why It Matters

Plugins are the reason WordPress powers over 40% of the web. They let a small business owner add features that would otherwise require a developer and a five-figure budget. A $49 form plugin replaces a custom-coded solution. A free caching plugin cuts your page load time in half.

But here’s the part most guides skip: every plugin you install is code running on your server. Bad plugins cause slow sites, security holes, and mysterious crashes. The right way to handle this is to keep your plugin count intentional. Install what you need, audit what you have quarterly, and delete anything that’s deactivated.

Before installing any plugin, check three things: when it was last updated, how many active installations it has, and what the recent reviews say. A plugin that hasn’t been updated in two years is a liability, not a feature. Stick with well-maintained plugins from reputable developers, and your WordPress site stays fast, secure, and stable.

How It Works

Common Use Cases

Why It Matters

Related reading