Albert Zaharovits discusses best practices for developing plugins to work alongside the X-Pack Security Plugin for Elasticsearch, emphasizing the importance of adhering to established authentication and authorization frameworks. As there is no stable plugin API in Elasticsearch, developers should consider the necessity of custom plugins, especially since many features are now part of the core Elastic Stack. The Security plugin provides various features such as inter-node secure communication, HTTPS, and auditing, but it does not automatically detect invalid access patterns by other plugins. Authors should focus on implementing TransportAction for custom requests, using a distinct naming convention for actions to ensure they align with privileges, and delegating execution properly. It is crucial not to splice authentication onto actions or manage users and roles, as these are handled by the Security plugin. Developers should use ThreadContext and TransportService to maintain thread safety and rely on NodeClient for executing actions, ensuring that all actions are named hierarchically to facilitate authorization through predefined role privileges.
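An added example, not taken from the talk or from Elasticsearch's own code: a simplified Java model of how a hierarchically named action falls under a predefined role privilege, and how a name outside the hierarchy matches none. The privilege-to-pattern table is an assumed subset of the built-in privileges, the `myplugin` action names are constructed, and the matcher handles only a trailing `*`.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified illustration of matching action names against privilege patterns.
// This is not Elasticsearch or Security plugin code.
public class ActionNameCheck {

    // Assumed subset of built-in privileges and an action-name pattern each grants.
    static final Map<String, String> PRIVILEGES = new LinkedHashMap<>();
    static {
        PRIVILEGES.put("index privilege 'read'", "indices:data/read/*");
        PRIVILEGES.put("index privilege 'write'", "indices:data/write/*");
        PRIVILEGES.put("cluster privilege 'monitor'", "cluster:monitor/*");
    }

    // Supports exact names and a single trailing '*' wildcard only.
    static boolean matches(String pattern, String action) {
        if (pattern.endsWith("*")) {
            return action.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(action);
    }

    // Returns the first listed privilege that grants the action, or null if none does.
    static String grantedBy(String action) {
        for (Map.Entry<String, String> e : PRIVILEGES.entrySet()) {
            if (matches(e.getValue(), action)) return e.getKey();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed action names for a hypothetical plugin called "myplugin".
        List<String> actions = List.of(
            "indices:data/read/myplugin/search",
            "indices:data/write/myplugin/annotate",
            "cluster:monitor/myplugin/stats",
            "myplugin/search",              // no hierarchy prefix
            "indices:myplugin/data/read");  // segments in the wrong order
        for (String a : actions) {
            String p = grantedBy(a);
            System.out.printf("%-40s %s%n", a,
                p != null ? "granted by " + p : "matches no listed privilege");
        }
    }
}
```

A check like this can run as a unit test over the names a plugin registers, so an action that no existing privilege would cover is caught before deployment.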