Plugin inspection:

WP Smush plugin

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


At over 15,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess. The plugin is focused on backend admin functionality, which helps avoid front-end issues. The front-end ‘lazy loading’ option will defer to native WordPress lazy loading if enabled (for WordPress > 5.5).

Possible concerns include:

Privacy: “Smush sends images to the WPMU DEV servers to optimize them for web use”.  There are also options to use Smush/Stackpath Content Delivery Network (CDN) or Amazon S3 storage. These may raise privacy concerns as images would be stored or transferred externally.

Impact on server configuration: During installation, the plugin attempts to set or prompts for required server configurations, notably for WebP image functionality. This should be done by suitable person, moderating the settings for suitability. It is recommended to first install and test on a testing/development site. The ‘Directory smushing’ feature allows image processing outside standard WordPress folders. This is likely not generally required, but does requires custom tables, which again may need server admin assistance, depending on the WordPress configuration.

Feature limitations: Note that it supports images with size up to 32Mb (Pro)- this should be sufficient for most requirements.

No major issues have been identified with the plugin from this inspection. The concerns are provided for information for potential users.

Reason for the 'Use with caution' result

The plugin has been given this recommendation at the tester's discretion:

There are no major issues identified with the plugin. The rating reflects that there are potential privacy impacts and installation considerations that the potential user may want to assess.

Failure criteria

  • Very large codebase

Read more about our failure criteria.