Slow WordPress Plugins Can Hurt Your Site!
You'll find me talking on the blog and in my email blasts about WordPress plugin security, but one area I haven't covered is how plugins can slow your website down.
Did you know that even if a WordPress plugin is disabled it can still affect your site's load time?
Yes, it's true! Every time someone opens your site, the database is checked to see which plugins need to be loaded, including the disabled ones. Your WordPress installation queries the database to see which plugins are active and which ones load on the post/page that your visitor has clicked on. It may only take a nano-second, but it does affect load time for each and every plugin you have.
For more help with plugins slowing down your site, be sure to check out Kimberly Castleberry's blog post: “How To Find Out Which WordPress Plugins Are Making Your Site Slow.”
Of course, I have to mention WordPress Plugin Security too!
Did you know that even if a plugin is disabled/deactivated it can pose a security risk on your site?
Even if a plugin is not active, it can still be reached in a browser.
Bottom feeders (malicious hackers) can have a 15-course meal off of any vulnerabilities they've found.
For example: Hackers can search Google for inurl:wp-content/plugins/PLUGINNAME and try to attack every site using it.
Or let's say they know of a plugin they can break into (active or deactivated). They can visit your site and try to open http://yourdomainname.com/wp-content/plugins/yourvulnerableplugin/yourvulnerableplugin.php. If it's there, it's dinner time!
Just so you understand, when you deactivate a plugin you're telling WordPress not to load said plugin. But it still exists on your hosting server and is accessible.
The moral of the story is, if you're not using a plugin delete it to help speed up your site and remove the security risk. And always remember to keep the plugins up to date.
P.S. When you look at your list of plugins, please don't say, “Well, I want to leave it there in case I want to use it later.” If you want to use it in the future then install it when you're ready to activate it!
Need help? Click here for WordPress Security and Maintenance Services or click here for quick jobs. You may want to consider our monthly maintenance and support options, which can save you time and aggravation in the long run!
LEAVE YOUR FEEDBACK
Would love to hear how many plugins you “deleted” after reading this post. Please leave your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Follow me on Twitter
Follow WPSecurityLock on Twitter
Become a Facebook Fan
Just an update. I deactivated and removed the Related Posts plugin and it made a huge difference on my load time.
Thanks Regina, I deleted unused 5 plugins from host.
Hi Hakan,
Good job! That’s 5 potential security risks you got rid of. I just installed the P3 (Plugin Performance Profile) plugin recommended by Kim to see which of my active plugins are making my site load slow.
Thank you again for suggesting this great plugin. Will be very helpful in providing balance between functionality and speed of the plugins.
I may just dump Pretty Link Pro after reading Kim’s post. I have been using a great redirect script instead of the plugin, so it is probably just dead weight for me.
As for deleting non-activated plugins, yes – I have been doing that since you’re great NAMS presentation webinar last fall!
All the best – Richard
Hi Richard,
Dang, Prettylink Pro eats some resources. If you don’t mind me asking, which redirect script do you like?
Glad your keeping up with deleting your deactivated plugins. 😉
I just create subdomains and pop the link into the “manage redirects”. I have found scripts and plugin to occasionally not work.
Hi Kathy,
Thanks for the tip. I really like the tracking features of PrettyLink Pro being at my fingertips. But it does use alot of resources.
Also helpful in reducing load time is the smushit plug-in available to wordpress.org
Hey Robert, thanks for bringing that up. I use WP Smush.it as well. Works great.
Good post I will check my plugin tomorow and will also take a look at P3.
Awesome great I really like your post coz i was searching how to secure WP thanks
I am very guilty of leaving unused plugins inactive, going to use them later. Trying to break my hoarding habit. Some cookies or something keep adding too many open connections back to my website when viewing it. Thought it was a DOS attack, but, I’m not really sure what it is, but, it’s probably from a plugin, driving me nuts 🙂
Hi Joey,
I think we all fall in to the hoarding plugins trap at one time or another. You might want to check out the link that Kim recommended at http://tools.pingdom.com to see what’s loading on your site. Note: Be sure to click on the little link “Settings” and uncheck to make your results public before clicking “Test Now.”
“
Yoast is recommending using Use Google Libraries plugin to load jQuery and other libraries from Google instead of your own site.
Hi Christine,
Thanks for the tip. Do you have a link from Yoast about it?
Here’s a webinar he did with SEO Brain Trust http://yoast.com/wordpress-seo-webinar-seo-braintrust/
Thanks Chris. I’ll check it out.
Thank you for the valuable information about plugin security for wp.
I tried to do a search on Google for my wordpress site following the URL path as given below:
http://mydomainname.com/wp-content/plugins/yourvulnerableplugin/yourvulnerableplugin.php
But I got a HTTP 500 error message.
The brownser simply couldn’t display the details of my plugin page. Why?
Is that also mean bottom feeders (hackers) can not find the plugin details too?
Cheers!
Thanks for your question.
Try doing a Google search on inurl:mydomainname.com/wp-content/plugins/ < making sure you change mydomainname.com to your own domain and see if you find any results. If you don't find any then your plugins are not showing up on Google. By not having your plugins indexed on Google means you're a little safer from them finding what plugins you have installed. For extra protection, be sure to delete any unused (deactivated) plugins.
Thanks so much for this article Regina. I deleted many, many plugins. Being here also prompted me to look at your resources and found your 25% discount for BackupBuddy! My subscription had expired and the discount was just what I needed to move forward. Thanks!
Hi Laura,
Glad you got your plugins cleaned up. What perfect timing for the coupon code. 🙂
Thanks for all the info Regina, this post in particular has given me a lot of action steps to follow. I wish I had one of those set-ups where you can manage all your blogs from one dashboard!
Thanks for this too “The moral of the story is, if you’re not using a plugin delete it to help speed up your site and remove the security risk. And always remember to keep the plugins up to date.” I had always wondered about deactivated plugins.
Alex
Thanks Alex. Glad I could help.
Interesting! I knew that some plugins were holding old Versions of jQuery and are hackable, but I did not know that this even works if the plugin is deactivated. And the linked post which tells about the P3 plugin is great too! I did not know this plugin! Really good thing to find “bad” plugins which slow down the wordpress site.
Thanks! Jens
It is no surprise at the popularity of this post, Regina! Keep up the great work that you do on a daily basis!
If this is off-topic or too techie to discuss in comments, just say so.
When you install a plugin, not only are files added to your hosting account, but there are entries in your WordPress database that are also added. In most cases, these entries do NOT get deleted. The plugin, CleanOption, can be used to identify these bits of information that have had their plugins deleted.
Any comments on this plugin?
Thanks.
Paul.
Dear Regina
Your post is awesome. I’ve found my Nextgen Gallery plugin being deactivated,although it was showing in Google search. I have deleted it and now it is fine. Many thanks.
I came to this site because I’m searching the solution for my website which suddenly become inaccessible after I installed 11 SEO related plugins for wordpress.
I wonder maybe this is because of the plugins. In that case, do you suggest I should remove all SEO plugins and move to manual SEO procedure?
Thanks in advance
Hey Goen!
Firstly, I would not recommend that many SEO plugins. All-in-one-SEO should do the trick for you, anything else that it doesn’t do can most likely be done manually.
If after installing those plugins the site broke, I would recommend deactivating all of them and checking to see if that fixes the issue. If so, you can individually activate them until it breaks again – then you’ll know which plugin was causing the issue. Delete that plugin and all should be well.
Remember that the more plugins your site has, the more likely it is to become vulnerable in just a matter of weeks or months – and it will also be more susceptible to slower speeds.
Great advice Michael.
I personally like SEO for WordPress by Yoast. Does all kinds of cool SEO stuff.
Goen, if your site is still broken and you need help be sure to let us know.
I’ve got to say, Regina, reading your posts are a double-edged sword for me sometimes. Take this one in particular for example. I have a whole bunch of plugins that I don’t use that are merely disabled on my WP blog – I had no idea that they could still be affecting the speed of my website (which is something we’re always trying to tighten up!) So, on one hand your posts give me great advice.
On the other hand, however, whenever I read one of them I’m blown away by yet another method hackers and malicious people are utilizing to harm, infect and disrupt the average internet user. I can’t believe that people can actually search for ALL blogs using a particular plugin. I suppose information like this, while worrying, also goes a long way to keep our blogs and personal information safe…
PS. I love SEO by Yoast also – I think it’s easily the most user-friendly SEO plugin you can install!
Had to delete SEO by Yoast after it was bogging down my site. My host told me to delete it as they’d had other sites with speed issues because of it. Deleted it and site sped right up.
As for the Google Libraries plugin supposed to increase your site speed — same thing. Killing all the sites I had it on. Deleted it and all my sites are back to their normal speed.
I’ve been reading about EWWW Image Optimizer, as an alternative to Smush’t. Seems to do the compression on your own server but I’m using it on shared hosting and all seems well for now.
Hi Carl,
I haven’t tried that one. Thanks for the advice.
I can really push EWWW Image Optimizer over Smush It. I stopped using Smush It when it kept having issues of timing out (that has since been resolved), but EWWW doesn’t have an image size cap that Smush It does (1 MB and over not allowed).
When I compared load times, EWWW definitely won easily over Smush It, but it also doesn’t slow your site down when it optimizes as you upload images. That’s a big help if you have a very image heavy site. It even works beautifully with NextGen Gallery when you upload a huge batch of images at once without any slow down.
That P3 plugin is a huge help to figure out what’s slowing you down and if can surprise you. I couldn’t believe that Gravity Forms was such a resource hog, and sadly after paying for it and mentioning it to the developers, they are very aware of it, but told me that wasn’t a concern of theirs. I was sadded that Pretty Link Pro was such a resource hog too after paying for it and realizing that a free redirect plugin like Thirsty Affiliates barely made a blip on the P3 radar.
Sometimes free plugins can work much more efficiently than those ones we pay for.
Regina, I came across this comment string at the perfect time. I have been trying reduce my page load and never realized that inactive plugins made a difference. Have you, or do you use Parallelize?
Hi Cheryl,
I have never tried Parallelize. Be sure to let us know what you think of it.