Are Your WordPress Plugins Making Your Site Slow And Vulnerable?

Malicious Hackers Can Hack Disabled Plugins

Slow WordPress Plugins Can Hurt Your Site!

You’ll find me talking on the blog and in my email blasts about WordPress plugin security, but one area I haven’t covered is how plugins can slow your website down.

Did you know that even if a WordPress plugin is disabled it can still affect your site’s load time?

Yes, it’s true! Every time someone opens your site, the database is checked to see which plugins need to be loaded, including the disabled ones. Your WordPress installation queries the database to see which plugins are active and which ones load on the post/page that your visitor has clicked on. It may only take a nanosecond, but it does affect load time for each and every plugin you have.

For more help with plugins slowing down your site, be sure to check out Kimberly Castleberry’s blog post: “How To Find Out Which WordPress Plugins Are Making Your Site Slow.”

Of course, I have to mention WordPress Plugin Security too!

Did you know that even if a plugin is disabled/deactivated it can pose a security risk on your site?

Even if a plugin is not active, it can still be reached in a browser.

Bottom feeders (malicious hackers) can have a 15-course meal off of any vulnerabilities they’ve found.

For example: Hackers can search Google for inurl:wp-content/plugins/PLUGINNAME and try to attack every site using it.

Or let’s say they know of a plugin they can break into (active or deactivated). They can visit your site and try to open http://yourdomainname.com/wp-content/plugins/yourvulnerableplugin/yourvulnerableplugin.php. If it’s there, it’s dinner time!

Just so you understand, when you deactivate a plugin you’re telling WordPress not to load said plugin. But it still exists on your hosting server and is accessible.

The moral of the story is, if you’re not using a plugin, delete it to help speed up your site and remove the security risk. And always remember to keep the plugins up to date.
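One way to find the plugins that are deactivated but still sitting on the server, as an added example that is not from the original post: the script compares the folders under wp-content/plugins with the `active_plugins` value that WordPress stores (PHP-serialized) in its options table. The function names and sample data are made up for illustration, and it assumes a single-site install where you have copied that option value out of the database.

```python
import re
import tempfile
from pathlib import Path

# Matches each string element of a PHP-serialized array: s:<len>:"<value>";
_PHP_STR = re.compile(r's:(\d+):"(.*?)";')

def parse_active_plugins(serialized: str) -> set[str]:
    """Return plugin entry files from a PHP-serialized active_plugins value."""
    entries = set()
    for length, value in _PHP_STR.findall(serialized):
        # Length is in bytes; a mismatch means the value was truncated or edited.
        if len(value.encode("utf-8")) != int(length):
            raise ValueError(f"length mismatch for {value!r}")
        entries.add(value)
    return entries

def installed_plugins(plugins_dir: Path) -> set[str]:
    """Top-level names under wp-content/plugins (folders and single-file plugins)."""
    names = set()
    for item in plugins_dir.iterdir():
        if item.is_dir() or item.suffix == ".php":
            if item.name != "index.php":  # WordPress ships a blank index.php here
                names.add(item.name)
    return names

def inactive_on_disk(plugins_dir: Path, serialized: str) -> list[str]:
    """Plugins still present (and web-reachable) on disk but not active."""
    # "akismet/akismet.php" -> "akismet"; "hello.php" stays "hello.php"
    active = {entry.split("/", 1)[0] for entry in parse_active_plugins(serialized)}
    return sorted(installed_plugins(plugins_dir) - active)

def demo() -> list[str]:
    # Constructed sample: three plugins on disk, only one listed as active.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder in ("akismet", "old-gallery", "unused-seo"):
            (root / folder).mkdir()
            (root / folder / f"{folder}.php").write_text("<?php // stub\n")
        (root / "index.php").write_text("<?php // Silence is golden.\n")
        option_value = 'a:1:{i:0;s:19:"akismet/akismet.php";}'
        return inactive_on_disk(root, option_value)

if __name__ == "__main__":
    for name in demo():
        print("inactive, still on disk:", name)
```

Everything the script reports is a candidate for deletion rather than deactivation.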

P.S. When you look at your list of plugins, please don’t say, “Well, I want to leave it there in case I want to use it later.” If you want to use it in the future then install it when you’re ready to activate it!


LEAVE YOUR FEEDBACK

Would love to hear how many plugins you “deleted” after reading this post. Please leave your comment below.

Securely yours,

Regina Smola

WordPress Security Expert

Comments

  1. says

    I may just dump Pretty Link Pro after reading Kim’s post. I have been using a great redirect script instead of the plugin, so it is probably just dead weight for me.

    As for deleting non-activated plugins, yes – I have been doing that since your great NAMS presentation webinar last fall!

    All the best – Richard

  2. says

    I am very guilty of leaving unused plugins inactive, going to use them later. Trying to break my hoarding habit. Some cookies or something keep adding too many open connections back to my website when viewing it. Thought it was a DOS attack, but, I’m not really sure what it is, but, it’s probably from a plugin, driving me nuts :)

    • says

      Hi Joey,

      I think we all fall into the hoarding plugins trap at one time or another. You might want to check out the link that Kim recommended at http://tools.pingdom.com to see what’s loading on your site. Note: Be sure to click on the little link “Settings” and uncheck to make your results public before clicking “Test Now.”

    • says

      Thanks for your question.

      Try doing a Google search on inurl:mydomainname.com/wp-content/plugins/ (making sure you change mydomainname.com to your own domain) and see if you find any results. If you don’t find any, then your plugins are not showing up on Google. Not having your plugins indexed on Google means you’re a little safer from them finding what plugins you have installed.

      For extra protection, be sure to delete any unused (deactivated) plugins.

  3. says

    Thanks so much for this article Regina. I deleted many, many plugins. Being here also prompted me to look at your resources and found your 25% discount for BackupBuddy! My subscription had expired and the discount was just what I needed to move forward. Thanks!

  4. says

    Thanks for all the info Regina, this post in particular has given me a lot of action steps to follow. I wish I had one of those set-ups where you can manage all your blogs from one dashboard!

    Thanks for this too “The moral of the story is, if you’re not using a plugin delete it to help speed up your site and remove the security risk. And always remember to keep the plugins up to date.” I had always wondered about deactivated plugins.

    Alex

  5. Jens says

    Interesting! I knew that some plugins were holding old versions of jQuery and are hackable, but I did not know that this even works if the plugin is deactivated. And the linked post which tells about the P3 plugin is great too! I did not know this plugin! Really good thing to find “bad” plugins which slow down the WordPress site.
    Thanks! Jens

  6. says

    It is no surprise at the popularity of this post, Regina! Keep up the great work that you do on a daily basis!

    If this is off-topic or too techie to discuss in comments, just say so.

    When you install a plugin, not only are files added to your hosting account, but there are entries in your WordPress database that are also added. In most cases, these entries do NOT get deleted. The plugin, CleanOption, can be used to identify these bits of information that have had their plugins deleted.

    Any comments on this plugin?

    Thanks.
    Paul.

  7. Evita says

    Dear Regina
    Your post is awesome. I’ve found my Nextgen Gallery plugin being deactivated, although it was showing in Google search. I have deleted it and now it is fine. Many thanks.

  8. Goen says

    I came to this site because I’m searching for the solution for my website, which suddenly became inaccessible after I installed 11 SEO-related plugins for WordPress.

    I wonder maybe this is because of the plugins. In that case, do you suggest I should remove all SEO plugins and move to manual SEO procedure?

    Thanks in advance

    • says

      Hey Goen!

      Firstly, I would not recommend that many SEO plugins. All-in-one-SEO should do the trick for you, anything else that it doesn’t do can most likely be done manually.

      If after installing those plugins the site broke, I would recommend deactivating all of them and checking to see if that fixes the issue. If so, you can individually activate them until it breaks again – then you’ll know which plugin was causing the issue. Delete that plugin and all should be well.

      Remember that the more plugins your site has, the more likely it is to become vulnerable in just a matter of weeks or months – and it will also be more susceptible to slower speeds.

      • says

        Great advice Michael.

        I personally like SEO for WordPress by Yoast. Does all kinds of cool SEO stuff.

        Goen, if your site is still broken and you need help be sure to let us know.

  9. says

    I’ve got to say, Regina, reading your posts is a double-edged sword for me sometimes. Take this one in particular for example. I have a whole bunch of plugins that I don’t use that are merely disabled on my WP blog – I had no idea that they could still be affecting the speed of my website (which is something we’re always trying to tighten up!) So, on one hand your posts give me great advice.

    On the other hand, however, whenever I read one of them I’m blown away by yet another method hackers and malicious people are utilizing to harm, infect and disrupt the average internet user. I can’t believe that people can actually search for ALL blogs using a particular plugin. I suppose information like this, while worrying, also goes a long way to keep our blogs and personal information safe…

    PS. I love SEO by Yoast also – I think it’s easily the most user-friendly SEO plugin you can install!

  10. says

    Had to delete SEO by Yoast after it was bogging down my site. My host told me to delete it as they’d had other sites with speed issues because of it. Deleted it and site sped right up.

    As for the Google Libraries plugin supposed to increase your site speed — same thing. Killing all the sites I had it on. Deleted it and all my sites are back to their normal speed.

  11. says

    I’ve been reading about EWWW Image Optimizer, as an alternative to Smush’t. Seems to do the compression on your own server but I’m using it on shared hosting and all seems well for now.

  12. says

    I can really push EWWW Image Optimizer over Smush It. I stopped using Smush It when it kept having issues of timing out (that has since been resolved), but EWWW doesn’t have an image size cap that Smush It does (1 MB and over not allowed).

    When I compared load times, EWWW definitely won easily over Smush It, but it also doesn’t slow your site down when it optimizes as you upload images. That’s a big help if you have a very image heavy site. It even works beautifully with NextGen Gallery when you upload a huge batch of images at once without any slow down.

    That P3 plugin is a huge help to figure out what’s slowing you down and it can surprise you. I couldn’t believe that Gravity Forms was such a resource hog, and sadly after paying for it and mentioning it to the developers, they are very aware of it, but told me that wasn’t a concern of theirs. I was saddened that Pretty Link Pro was such a resource hog too after paying for it and realizing that a free redirect plugin like Thirsty Affiliates barely made a blip on the P3 radar.

    Sometimes free plugins can work much more efficiently than those ones we pay for.
