How to install plugins in WordPress

How-to guides | Hostney (hostney.com) | May 18, 2026 | 12 min read

Short answer: there are three ways to install a WordPress plugin. From the WordPress plugin repository (Plugins > Add New Plugin > search > Install Now > Activate – works for any of the 60,000+ free plugins on wordpress.org). From a zip file (Plugins > Add New Plugin > Upload Plugin – works for premium plugins from Elementor Pro, WP Rocket, Yoast Premium, ThemeForest, etc.). Or by uploading the unzipped plugin folder directly into wp-content/plugins/ through your hosting control panel’s file manager or SFTP, and activating from the dashboard. The repository method covers most cases, the zip upload is for premium plugins you have purchased, and the file manager / SFTP method is the fallback when a zip upload fails because the file is too large for your server’s upload limit. Whichever method you use, the only safe sources are wordpress.org and the original developer’s website – never nulled plugins from forums or “free download” sites.

Installing a plugin is one of the first things most people do after setting up WordPress. The mechanics are simple – the dashboard guides you through it – but two parts trip people up: knowing which method to use when, and knowing which plugins are safe to install in the first place. This article covers both.

How to install a WordPress plugin: methods at a glance

| Method | Best for | Time | What it needs |
| --- | --- | --- | --- |
| WordPress plugin repository | Free plugins listed on wordpress.org | Under 1 minute | Admin access only |
| Zip file upload | Premium plugins you have purchased | 1-2 minutes | The plugin zip file |
| File manager or SFTP | Plugins too large to upload through the dashboard, or when the dashboard upload fails | 3-5 minutes | Hosting control panel file manager or SFTP/FTPS credentials |
| WP-CLI | Bulk installs, scripted deployments, developer workflows | Under 1 minute per plugin | SSH access + WP-CLI |

The first two cover most cases. The dashboard handles both. The file manager / SFTP method exists for the edge case where a zip upload fails on shared hosting because the PHP upload limit is set lower than the plugin file size. The WP-CLI method is for anyone managing multiple sites or scripting deployments.

Method 1: Install a plugin from the WordPress plugin repository

The WordPress plugin repository hosts roughly 60,000 free plugins, all reviewed against basic coding standards before they are listed. This is the most common way people install plugins because it is built into the dashboard.

  1. Go to Plugins > Add New Plugin in your WordPress admin.
  2. Search by plugin name, feature, or keyword in the search box at the top right.
  3. Find the plugin you want and click Install Now.
  4. After the install finishes, the button changes to Activate. Click it to make the plugin active.

You can also browse by Featured / Popular / Recommended / Favorites tabs at the top of the same page. Each plugin tile shows the active install count, the average rating, the last-updated date, and the tested-with-WordPress version – all useful signals for whether a plugin is worth installing (covered below).

The repository listing is searchable from inside WordPress and from the public wordpress.org/plugins/ website. Both pull from the same database.

Method 2: Upload a plugin from a zip file

Premium plugins like Elementor Pro, WP Rocket, Yoast Premium, Advanced Custom Fields Pro, and most plugins from ThemeForest or commercial vendors are distributed as zip files. So are private plugins you or a developer have built for your own site.

  1. After purchasing or building the plugin, download the zip file to your computer. Do not unzip it.
  2. Go to Plugins > Add New Plugin in your WordPress admin.
  3. Click Upload Plugin at the top.
  4. Click Choose File, pick the zip file, and click Install Now.
  5. After the install finishes, click Activate Plugin.

If the upload fails with an error about the file being too large, your server’s upload limit is lower than the plugin file size. This is the same 413 Request Entity Too Large error that happens with any oversized upload. The fix is either to raise the upload limit or to install the plugin through the hosting file manager or SFTP (Method 3 below).

The Upload Plugin button is also where you re-install a plugin after a manual update – some premium plugins distribute updates as new zip files rather than through automatic update channels.

Method 3: Install a plugin via the file manager or SFTP

When the dashboard zip upload fails – usually because the plugin is too large for your server’s upload limit, or because the dashboard is throwing a timeout – you can install the plugin by placing the unzipped folder directly into the plugins directory. The fastest way is your hosting control panel file manager (no external client required); SFTP or FTPS works too if you prefer a dedicated client.

  1. Unzip the plugin file on your computer. You should get a folder named after the plugin (e.g. elementor-pro/ or advanced-custom-fields-pro/) containing PHP, CSS, and template files.
  2. Open the hosting control panel file manager or connect to your site via SFTP or FTPS.
  3. Navigate to wp-content/plugins/ in your WordPress installation.
  4. Upload the entire unzipped plugin folder into wp-content/plugins/. Many control panel file managers also let you upload the original zip and extract it in place, which skips the local unzip step.
  5. Once the upload finishes, go to Plugins > Installed Plugins in your WordPress admin. The new plugin will appear in the list – click Activate.

The wp-content/plugins/ directory is where all installed plugins live on disk, whether active or not. For a deeper look at what this directory contains and why inactive plugins are still a security concern, see what is wp-content and what goes in it.
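Because the file manager / SFTP route bypasses the dashboard installer, the folder lands in wp-content/plugins/ exactly as it is in the archive. The script below is an added example (not Hostney's code and not part of WordPress) of the checks worth running on the zip before it goes in by hand: that every entry stays inside one top-level plugin folder (no absolute paths or `..` components that would escape wp-content/plugins/ on extraction), that a PHP file in that folder carries the `Plugin Name:` header WordPress uses to recognise a plugin, and, as a crude heuristic, that no PHP file wraps decoded or inflated data in `eval()`, a pattern often found in tampered copies. `build_sample_zip()` constructs a made-up plugin archive in memory so the check runs offline.

```python
"""Pre-install check for a plugin zip before it is unzipped into
wp-content/plugins/ by hand (Method 3). Added example, not Hostney's code.
build_sample_zip() produces a constructed sample archive, not a real plugin."""
import io
import re
import zipfile
from posixpath import normpath

HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(.+?)\s*$", re.MULTILINE)
# Crude heuristic: eval() fed directly from a decoder/inflater call.
SUSPICIOUS_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE
)


def inspect_plugin_zip(data: bytes) -> dict:
    """Return a report: ok flag, plugin folder, declared name/version, problems."""
    problems, folder, name, version = [], None, None, None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = info.filename
            # Zip-slip guard: reject anything that could land outside the plugin folder.
            if path.startswith("/") or "\\" in path or ".." in path.split("/"):
                problems.append(f"unsafe entry path: {path}")
                continue
            rel = normpath(path)
            top = rel.split("/")[0]
            if top in ("", "."):
                problems.append(f"entry not inside a plugin folder: {path}")
                continue
            if folder is None:
                folder = top
            elif top != folder:
                problems.append(f"second top-level folder {top!r} (expected only {folder!r})")
            if info.is_dir() or not rel.lower().endswith(".php"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if SUSPICIOUS_RE.search(text):
                problems.append(f"obfuscated eval() pattern in {rel}")
            # Only a file directly inside the plugin folder can carry the plugin header.
            if name is None and rel.count("/") == 1:
                m = HEADER_RE.search(text)
                if m:
                    name = m.group(1)
                    v = VERSION_RE.search(text)
                    version = v.group(1) if v else None
    if folder is None:
        problems.append("archive contains no plugin folder")
    elif name is None:
        problems.append(f"no PHP file in {folder}/ declares 'Plugin Name:'")
    return {"ok": not problems, "folder": folder, "name": name,
            "version": version, "problems": problems}


def build_sample_zip(tampered: bool = False) -> bytes:
    """Constructed sample plugin archive for the demonstration (not a real plugin)."""
    main_php = ("<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 1.4.2\n */\n"
                "add_action('init', function () {});\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", main_php)
        zf.writestr("example-plugin/readme.txt", "=== Example Plugin ===\n")
        zf.writestr("example-plugin/includes/helpers.php", "<?php\nfunction ep_helper() {}\n")
        if tampered:
            # Two defects a tampered copy might carry: an obfuscated loader and an
            # entry whose path escapes the plugin folder on extraction.
            zf.writestr("example-plugin/includes/loader.php",
                        "<?php\neval(base64_decode('Zm9v'));\n")
            zf.writestr("../wp-config.php", "<?php\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "tampered"):
        print(label, inspect_plugin_zip(build_sample_zip(tampered=(label == "tampered"))))
```

Run it against a real download with `inspect_plugin_zip(open("plugin.zip", "rb").read())`; a clean archive reports the folder name you should expect to see under wp-content/plugins/ and the plugin name and version from the header, which is also a quick way to confirm the zip you bought is the one the developer published. The `eval()` heuristic only catches the most naive obfuscation and is no substitute for sourcing the file from the developer in the first place.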

Method 4: Install a plugin via WP-CLI

If your hosting provides SSH access and WP-CLI is installed, you can install and activate plugins from the command line. This is the fastest method when you are setting up a new site or managing multiple sites:

```bash
# List currently installed plugins
wp plugin list

# Install a plugin from the wordpress.org repository
wp plugin install wordfence

# Install and activate in one step
wp plugin install wordfence --activate

# Install a specific version
wp plugin install wordfence --version=7.11.0

# Install from a zip URL
wp plugin install https://example.com/premium-plugin.zip --activate

# Install from a local zip file
wp plugin install /path/to/plugin.zip --activate

# Activate an already-installed plugin
wp plugin activate wordfence

# Deactivate a plugin
wp plugin deactivate wordfence

# Delete a plugin's files (deactivate it first; WP-CLI does not do that for you)
wp plugin delete wordfence
```

The WP-CLI install command works with the same wordpress.org repository the dashboard uses, plus arbitrary zip URLs and local zip files. The activate / deactivate / delete commands let you manage plugins without ever opening the dashboard.

Where to source plugins safely

This is the part that matters more than the install method. WordPress plugins run with full PHP privileges on your server. A malicious plugin can read your database, exfiltrate user data, install backdoors, or rewrite your site. Picking a safe source is the difference between adding a feature and handing your site to an attacker.

Safe sources:

  1. The WordPress.org plugin repository (wordpress.org/plugins/). Every plugin here has passed a review for basic security and coding standards. The review is a quality filter, not a security guarantee – vulnerabilities still slip through and get patched later – but it is dramatically better than no review at all.
  2. The original developer’s website. For premium plugins, buy directly from the developer (elementor.com, wp-rocket.me, yoast.com, advancedcustomfields.com, etc.). You get the genuine file, the license that entitles you to updates, and the developer’s support.
  3. Reputable commercial marketplaces. Envato’s CodeCanyon, AppSumo, and similar platforms have a track record of selling legitimate plugins. The review process is lighter than wordpress.org’s, so apply more scrutiny to the active install count and review history before buying.
  4. Your own developer or agency. Custom plugins built for your site by a developer you trust are fine as long as the developer’s security practices are sound.

Sources to avoid entirely:

  1. Nulled plugins. A “nulled” plugin is a paid plugin made available for free by removing its license check. Forums, “GPL club” websites, and torrent sites distribute these. Most of them have been modified to include a backdoor that gives the distributor admin access to every site that installs the plugin. Nulled plugins are the single most common cause of compromised WordPress sites we see in incident response – more common than brute force, more common than outdated software. The “savings” are an illusion. You are paying with the entire site. My WordPress site was hacked: what to do right now covers what to do if you have already installed one and need to clean up.
  2. Random “free download” sites. Any site offering paid plugins for free is almost certainly distributing nulled copies. The exception is the official WordPress.org repository, which is the only legitimate source of free plugins.
  3. Plugins from anonymous GitHub repos or pastebins. The plugin code may be fine, or it may be a backdoor someone built last week. Without a track record, an identifiable maintainer, and active install metrics, you have no way to tell.

The bigger picture – why plugin sourcing is the single most important security decision in WordPress – is covered in why WordPress plugin vulnerabilities are out of control.

What to check before installing any plugin

Even from a safe source, not every plugin is worth installing. The plugin tile in the dashboard repository and the plugin page on wordpress.org both show the metadata you need:

| Signal | What “good” looks like | What “skip this” looks like |
| --- | --- | --- |
| Active installations | 1,000+ for a niche tool, 10,000+ for general-purpose, millions for big-name plugins | Under 100, or no count shown |
| Last updated | Within the last 3-6 months | Over a year ago, or “Untested with WordPress X.X” warning |
| Tested up to | Current WordPress major version (e.g. 6.5+) | Two major versions behind |
| Average rating | 4 stars or higher with multiple reviews | Below 3 stars, or one suspiciously high rating from a single review |
| Support forum activity | Active developer responses in the last month | No developer responses for months, or forum closed |
| Reviews | A mix of stars with developer responses to negative ones | Only 5-star reviews (often fake) or only complaints |

A plugin with 5,000 installs and a developer who replies in the support forum every week is a safer bet than a plugin with 50,000 installs that has not been updated in 18 months. Active maintenance matters more than install count, because an abandoned plugin is one disclosed vulnerability away from being unsafe to keep running.
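The same signals are available as JSON from the public plugin information API, so the table can be applied mechanically when you vet plugins for several sites. The script below is an added example, not Hostney's code and not an official WordPress tool; the field names it reads (`active_installs`, `last_updated`, `tested`, `rating`, `num_ratings`, `support_threads`, `support_threads_resolved`) follow the response of api.wordpress.org/plugins/info/1.2/ as I understand it and should be treated as an assumption to confirm against a live response. The API exposes no "developer responded in the last month" figure, so the share of resolved support threads stands in as a proxy. The two records in `SAMPLES` are constructed to mirror the comparison in the paragraph above, not real listings.

```python
"""Score a plugin's wordpress.org listing metadata against the table above.
Added example, not Hostney's code. Field names are an assumption based on the
public plugin information API; SAMPLES holds constructed, not real, listings."""
from datetime import date, datetime

CURRENT_WP = (6, 5)  # assumption: set to the WordPress release you run


def _major(version: str) -> tuple:
    """WordPress counts X.Y as a major release, so '6.5.2' -> (6, 5)."""
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def evaluate_plugin(info: dict, today: date, niche: bool = False) -> dict:
    """Return {"verdict": "good" | "caution" | "skip", "reasons": [...]}."""
    skip, caution = [], []

    # Active installations: the bar is lower for a niche tool.
    installs = info.get("active_installs") or 0
    floor = 1_000 if niche else 10_000
    if installs < 100:
        skip.append(f"only {installs} active installs")
    elif installs < floor:
        caution.append(f"{installs} active installs, below the {floor} comfort level")

    # Last updated: within 3-6 months is healthy; over a year is the skip signal.
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    age = (today - updated).days
    if age > 365:
        skip.append(f"last updated {age} days ago")
    elif age > 180:
        caution.append(f"last updated {age} days ago")

    # Tested up to: the current major is good, two or more behind is a skip.
    # (Approximation: a lower first number, e.g. 5.9 vs 6.x, counts as two behind.)
    tested = _major(info.get("tested") or "0.0")
    if tested >= CURRENT_WP:
        pass
    elif tested[0] < CURRENT_WP[0] or CURRENT_WP[1] - tested[1] >= 2:
        skip.append(f"tested up to {info.get('tested')}, site runs {CURRENT_WP[0]}.{CURRENT_WP[1]}")
    else:
        caution.append(f"tested up to {info.get('tested')}, one release behind")

    # Rating: the API reports 0-100, i.e. 20 points per star.
    stars = (info.get("rating") or 0) / 20
    reviews = info.get("num_ratings") or 0
    if stars < 3:
        skip.append(f"{stars:.1f}-star average")
    elif reviews < 2:
        skip.append(f"{stars:.1f} stars resting on fewer than two reviews")
    elif stars < 4:
        caution.append(f"{stars:.1f}-star average")

    # Support forum activity: only thread counts are exposed, so the share of
    # resolved threads stands in for developer responsiveness (a proxy).
    threads = info.get("support_threads") or 0
    resolved = info.get("support_threads_resolved") or 0
    if threads and resolved / threads < 0.25:
        caution.append(f"only {resolved} of {threads} recent support threads resolved")

    if skip:
        return {"verdict": "skip", "reasons": skip + caution}
    if caution:
        return {"verdict": "caution", "reasons": caution}
    return {"verdict": "good", "reasons": []}


# Constructed sample listings mirroring the two cases in the paragraph above.
SAMPLES = {
    "maintained-tool": {"active_installs": 5000, "last_updated": "2024-04-20 9:02am GMT",
                        "tested": "6.5.2", "rating": 92, "num_ratings": 140,
                        "support_threads": 20, "support_threads_resolved": 17},
    "abandoned-tool": {"active_installs": 50000, "last_updated": "2022-10-03 4:15pm GMT",
                       "tested": "6.0", "rating": 88, "num_ratings": 300,
                       "support_threads": 12, "support_threads_resolved": 1},
}
TODAY = date(2024, 5, 18)  # constructed reference date consistent with CURRENT_WP

if __name__ == "__main__":
    for slug, info in SAMPLES.items():
        print(slug, evaluate_plugin(info, TODAY, niche=True))
```

With `niche=True` the 5,000-install plugin that is updated and answered comes out as "good", while the 50,000-install plugin last updated 19 months ago is a "skip" on both age and tested-up-to, which is the point the paragraph makes: maintenance outranks install count.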

For plugins that are themselves about security – which are easy to pick badly because the marketing is heavy – best WordPress security plugins (free and paid) compares the six most-installed options on what each one actually does well.

After installing: activate, configure, and review

Installing a plugin does not turn it on. After installation, you have to Activate it from the Plugins > Installed Plugins page. Most plugins then need configuring: they add a settings page under Settings or Tools, or under their own top-level menu in the sidebar.

A few things to do right after activation:

  • Check the plugin’s settings page. Most plugins ship with defaults that are not optimal for your site. The settings page is where you tell the plugin what to do.
  • Confirm the site still works. Click around the dashboard and the front end. If something is broken, the new plugin is the likely cause – deactivate it and investigate.
  • Review the plugin’s data collection. Some plugins phone home with usage data by default. The privacy policy or settings page usually has an opt-out.
  • Check for capability changes. Some plugins add new user roles or capabilities. Review Users > All Users to see if any new roles appeared, and decide whether they should exist on your site.

Updating plugins safely

A plugin you install today will need updating later – sometimes within days for a security patch, sometimes months for a feature release. The dashboard shows update notifications under Dashboard > Updates, and the Plugins page shows a yellow notice on each plugin row when an update is available.

Two safety steps before updating:

  1. Back up first. The plugin update mechanism overwrites the old files. If the update breaks the site, you need to restore from before.
  2. Test on staging if the update is major. For a minor patch (1.2.3 -> 1.2.4) on a popular plugin, just update. For a major version (1.0 -> 2.0) on a plugin central to your site (page builder, WooCommerce, security plugin), test on a staging site first.
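For sites managed over WP-CLI (Method 4), the two steps above can be turned into a plan: back up, apply patch and minor bumps straight away, and hold a major version bump on a plugin central to the site for staging. The script below is an added example, not Hostney's tooling and not part of WP-CLI. Its assumptions: the input is the JSON printed by `wp plugin list --format=json --fields=name,status,version,update_version` (field names as I know them from WP-CLI; verify on your version), an empty `update_version` means no update is pending, a change in the first version component counts as "major", and `CENTRAL` lists the plugins you treat as central. `SAMPLE_LIST` is a constructed sample, not a real site.

```python
"""Plan pending plugin updates from WP-CLI's JSON output using the two steps
above. Added example, not Hostney's code. Field names are an assumption based
on `wp plugin list --format=json`; SAMPLE_LIST is constructed data."""
import json
import re

CENTRAL = {"elementor-pro", "woocommerce", "wordfence"}  # assumption: site-specific

# Constructed sample of `wp plugin list --format=json --fields=name,status,version,update_version`.
SAMPLE_LIST = json.dumps([
    {"name": "elementor-pro", "status": "active", "version": "3.21.0", "update_version": "4.0.0"},
    {"name": "wordfence", "status": "active", "version": "7.11.0", "update_version": "7.11.1"},
    {"name": "classic-editor", "status": "inactive", "version": "1.6.3", "update_version": ""},
    {"name": "woocommerce", "status": "active", "version": "8.9.1", "update_version": "8.9.2"},
])


def parse_version(v: str) -> tuple:
    """'7.11.1' -> (7, 11, 1); a suffix such as '-beta1' is dropped from its part."""
    parts = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def classify(installed: str, available: str, central: bool) -> str:
    """'up to date', 'update' (after a backup) or 'staging' (test first)."""
    cur, new = parse_version(installed), parse_version(available)
    if new <= cur:
        return "up to date"
    if new[0] != cur[0] and central:
        return "staging"   # major bump on a central plugin: test on staging first
    return "update"        # patch/minor bump, or a non-central plugin: update after backup


def plan_updates(list_json: str, central=CENTRAL) -> dict:
    """Return the decision per plugin, the plugins to stage, and the commands to run now."""
    decisions, to_update = {}, []
    for row in json.loads(list_json):
        available = row.get("update_version") or ""
        if not available:
            decisions[row["name"]] = "up to date"
            continue
        decision = classify(row["version"], available, row["name"] in central)
        decisions[row["name"]] = decision
        if decision == "update":
            to_update.append(row["name"])
    commands = []
    if to_update:
        commands.append("wp db export pre-update.sql")  # step 1: back up before anything is overwritten
        commands += [f"wp plugin update {name}" for name in to_update]
    return {"decisions": decisions, "commands": commands,
            "staging": [n for n, d in decisions.items() if d == "staging"]}


if __name__ == "__main__":
    for line in plan_updates(SAMPLE_LIST)["commands"]:
        print(line)
```

`wp db export` covers only the database; because a plugin update overwrites files, take a file-level backup (or a copy of wp-content/plugins/) alongside it before running the printed `wp plugin update` commands. For the sample, wordfence and WooCommerce get patch updates immediately, while the 3.x to 4.0 jump on elementor-pro is held back for staging.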

The deeper picture – including how Hostney handles auto-updates and what severity actually means – is in the WordPress plugin vulnerability classification system.

How Hostney handles plugin installation

Hostney’s WordPress hosting gives you all four install methods. The control panel’s built-in file manager is the recommended path when the dashboard zip upload fails or is not an option – it runs in the browser, supports drag-and-drop upload, a built-in code editor, archive extract-in-place (so you can upload a plugin zip and extract it without unzipping locally first), rename, delete, chmod, and search. For most people the file manager is faster than installing a desktop client. SFTP and FTPS are also available per account when a dedicated client fits your workflow better. SSH and WP-CLI are available on every WordPress site by default, so the command-line workflow above works out of the box without an upgrade.

Hostney auto-updates plugins (and themes and core) by default with configurable per-installation delays – typically 2 days for plugins and themes, 1 day for minor core releases, 5 days for major core releases. The Vulnerabilities page in the control panel lists any installed plugin with a known CVE, and a one-click override applies the patched version immediately if you do not want to wait for the auto-update delay. See is WordPress safe and secure for the broader picture of how installation, sourcing, and update discipline tie together.

Quick reference

  • Three main methods: WordPress repository (free), zip upload (premium), file manager or SFTP (fallback for large files or upload failures). WP-CLI is the fourth, scripted method.
  • The repository method is the fastest. The zip upload is for premium plugins. The file manager / SFTP method is the fallback.
  • Only install from wordpress.org or the original developer. Never install nulled plugins – they are the leading cause of compromised WordPress sites.
  • Before installing, check active installs, last-updated date, tested-up-to version, average rating, and support forum activity.
  • After installing, click Activate, configure the settings page, confirm the site still works, and review any new user roles the plugin added.
  • Update plugins promptly. Critical security updates within 24 hours, regular updates within a week.
  • Hostney auto-updates plugins by default with configurable delays; the Vulnerabilities page bypasses the delay for urgent CVEs.