There are three ways of installing WordPress plugins: two from within the WordPress Admin pages and one using file transfer such as FTP, SFTP or SCP. None of them is much harder than the others, but we'll cover how to install WordPress plugins step by step using each of the methods listed.
The easiest and most popular way to install WordPress plugins is through the WordPress Admin plugins page.
The advantage of this method is that you can search for plugins by function, like "security", "firewall", "facebook", etc. and then browse through the search results, right from within the WordPress Admin plugin page, choosing a plugin after you've had a chance to scan through several other competing plugins. If you already know the name of the plugin, then this isn't much of an advantage, but is worth mentioning nonetheless.
Rather than doing a search and browse approach to finding the ideal plugin to install, the upload method relies on you having the plugin ZIP file that you'd like to install. This is particularly useful when you've got plugins from somewhere other than the wordpress.org plugin repository, which is what Method A relies on.
If you've bought a plugin from a developer or large repository site like codecanyon.net, then Method B will give you the flexibility to upload the zip file and install it directly without needing to conduct a wordpress.org search first.
As you can see, the steps are remarkably similar to those from Method A. The only difference is that you're uploading a local ZIP file rather than locating the plugin on wordpress.org.
Occasionally you'll hit some hurdle that gets in the way of installing a plugin using Method B. You've got a ZIP file, but aren't able to use the upload function on the Add New screen of the WordPress Admin Plugins page. Or perhaps you've got a standard list of 10 or 20 plugins to add and you'd like to speed up the process. In that case, uploading the ZIP files in batch will give you a chance to handle half of the plugin install process in one fell swoop.
Method C relies on you having installed and configured a file transfer client to move files between your local machine and your WordPress hosting filesystem. You could use cPanel File Manager, but it's slower and requires you to log in to cPanel first.
In Method C, we're assuming that you're using FTP, SFTP, SCP, FXP or some other file transfer software that's already installed and configured.
This method does bypass some of the checks that would otherwise prevent you from installing malicious code in your WordPress site, so use it with caution, making sure that the plugin you're installing is indeed the one intended and that you trust the source fully.
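One way to check a plugin ZIP on your own machine before uploading it with Method B or Method C (an added example, not part of the original article): it compares the file's SHA-256 with a value you obtained from the source you trust, flags archive entries that would extract outside the plugin folder, and reads the "Plugin Name:" header so you can confirm it is the plugin you intended. The function name, the one-top-level-folder layout and the sample archives are assumptions made for illustration.

```python
import hashlib
import io
import re
import zipfile

# WordPress identifies a plugin by a "Plugin Name:" header comment,
# which it looks for in the first 8 KB of the plugin's main PHP file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.MULTILINE)

def inspect_plugin_zip(data, expected_sha256=None):
    """Return (plugin_name, problems) for the raw bytes of a plugin ZIP."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 and digest != expected_sha256.lower():
        problems.append("sha256 mismatch: got " + digest)
    name, top_dirs = None, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = info.filename.replace("\\", "/")
            parts = path.split("/")
            # Absolute paths, ".." segments and drive letters escape the folder
            if path.startswith("/") or ".." in parts or ":" in parts[0]:
                problems.append("unsafe path: " + info.filename)
                continue
            top_dirs.add(parts[0])
            # Assumption: the main plugin file sits directly in the plugin folder
            if len(parts) == 2 and path.lower().endswith(".php") and name is None:
                m = HEADER.search(zf.read(info)[:8192])
                if m:
                    name = m.group(1).decode("utf-8", "replace").strip()
    if len(top_dirs) != 1:
        problems.append("expected one top-level folder, found %d" % len(top_dirs))
    if name is None:
        problems.append("no 'Plugin Name:' header found")
    return name, problems

def _build_zip(files):
    """Build a small ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()

PLUGIN_PHP = "<?php\n/*\n * Plugin Name: My Plugin\n */\n"  # constructed
GOOD = _build_zip({"my-plugin/my-plugin.php": PLUGIN_PHP,
                   "my-plugin/readme.txt": "constructed sample"})
BAD = _build_zip({"my-plugin/my-plugin.php": PLUGIN_PHP,
                  "../wp-config.php": "<?php // constructed sample"})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_plugin_zip(blob))
```

An empty problems list only means the archive is well-formed and matches the checksum you supplied; it says nothing about what the plugin's code does, so the rules below still apply.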
The problem with installing WordPress plugins is that you don't always know beforehand if they are actually safe to install and use. There is no giant flashing warning light saying, "Don't Install Me - I'm Harmful!".
There are a few sanity checks that you can perform, before installing a plugin, to help you decide whether or not it's going to be safe to install.
Rule 1 - Consider the Source
Is the plugin from a known reputable source like wordpress.org, codecanyon.net or wpmudev.org? Or is it from a site you've never heard of - a site that may look dodgy or offer dodgy content (like plugins for spying, hacking, keylogging, eavesdropping or other extremely questionable purposes)?
Rule 2 - Read the Reviews
Don't just look at plugin ratings. Sometimes old plugins die and are taken over by those with evil intent. You might see 4.8 out of 5.0 stars and think it's awesome, then take a look at the reviews and realize it was 5.0 out of 5.0 up until a year ago at which point it's got a string of 1.0 reviews because it's now some type of malware, suspected information stealer or just plain insecure. Have you checked the reviews before installing?
Rule 3 - Visit the Developer Site
Plugins are created by developers, many of whom rely on income from premium versions in order to pay the bills. Checking out the developer site means more than just visiting; it means doing a few minutes of investigating.
Search for the developer site and plugin name in Google and try adding words like "hacked", "compromised" and "unsafe". Search for the developer site on Google and see if Google gives a warning about the site being unsafe or malware-related. If you're using an anti-virus application or have a plugin that checks a site reputation, do any warnings go off before you visit or when you try to click and visit?
Installing plugins is more than just clicking Install and Activate. You, as a responsible site owner, have a duty to protect yourself (and others) by casting a critical eye upon software you're about to install, particularly when other people will be interacting with it and when your livelihood is on the line.
Take the time to look, think, look, then ask, whenever you come into contact with plugins, extensions, themes or anything that you're going to install to your web hosting account. You'll be glad you did!