Plugins are a great feature, but all too often, those plugins are so powerful that users are able to craft pages that bring the server to its knees.
Ideally, there should be controls in the plugin for a server administrator to manage that restrict users from being able to bring down the server. However, it seems that most plugins do not have these controls.
It would be extremely useful if Confluence itself had a configurable timeout for all calls out to a plugin. That way, the server admin could tweak this setting to a value that protects the server while still being useful.