Feel like being scared?
Then here’s something to consider: We all know a bad WordPress plugin can compromise a site, but did you know it can be exploited EVEN IF IT IS NOT ACTIVE?
Every PHP file on your site can be requested, and therefore executed, directly by URL. WordPress plugins as a rule live in fixed locations, so a visitor (or, more likely, a nasty webbot) can work out from your blog URL exactly where a plugin’s files sit and call them if they are present. Deactivating a plugin only stops WordPress from loading it; it does not stop the web server from serving its PHP files. It’s up to the plugin coder to make sure a direct call can’t do anything bad, but mistakes happen. Combine someone with malicious intent and an old plugin with a known problem in its code, and leaving it inactive may not be enough to protect your site.
What to do? At a minimum, review and clean up your plugin list regularly via the Plugins link:
- For every plugin you want to keep, make sure you have the latest version by updating; usually an update link appears directly below the plugin entry. Of course, make sure you have a backup of the current one in case there are any upgrade problems (you DO back up your website regularly, don’t you?).
- For every plugin you want gone, use the delete link under the entry to remove the files. Again, make sure you have a backup in case there’s a vital file or two you would like to retain (for example, settings you’d want if you ever reuse the plugin).
Don’t waste time – do it ASAP. And schedule a clean-up regularly; you reduce the risk of hijacked plugins and make your site a little more secure.
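A quick way to see the problem described above for yourself, and to fold into a scheduled clean-up, is to scan the plugins folder for PHP files that will run when fetched directly. Well-written WordPress plugin files check the `ABSPATH` constant (which only WordPress defines) and exit if it is missing, so a file with no such check executes its top-level code for anyone who requests it, active or not. The script below is an added example, not code from the original post or from any plugin; `find_unguarded_php`, `make_sample_plugins` and `count_unguarded_php` are hypothetical helper names, the sample plugin tree is constructed in a temp directory, and the `ABSPATH` text search is a heuristic (a file that merely mentions the constant in a comment would pass).

```shell
#!/bin/sh
# Added example: audit a WordPress plugins directory for PHP files that carry
# no ABSPATH guard and so run their top-level code when requested by URL.
# Helper names here are hypothetical; this is not the post's own code.

# Print every .php file under $1 that never references WordPress' ABSPATH
# constant. Such a file does not bail out when loaded outside WordPress.
find_unguarded_php() {
    dir=$1
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        if ! grep -q 'ABSPATH' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Count of unguarded files; a non-zero result is worth a look.
count_unguarded_php() {
    find_unguarded_php "$1" | wc -l | tr -d ' '
}

# Build a constructed sample plugin tree (two fake plugins) in a temp dir so
# the check can be demonstrated offline. Prints the directory path.
make_sample_plugins() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good-plugin" "$tmp/old-plugin"
    cat > "$tmp/good-plugin/good-plugin.php" <<'EOF'
<?php
// Guarded: exits unless WordPress itself loaded this file.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
add_action( 'init', 'good_plugin_init' );
EOF
    cat > "$tmp/old-plugin/helper.php" <<'EOF'
<?php
// Unguarded: this statement runs for any direct request to the file,
// whether or not the plugin is active in WordPress.
echo 'standalone code executed';
EOF
    printf '%s\n' "$tmp"
}

# Demo run against the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_plugins)
    echo "Unguarded PHP files under $d:"
    find_unguarded_php "$d"
    rm -rf "$d"
fi
```

To use it on a real site, source the file and run `find_unguarded_php /path/to/wp-content/plugins`; files it lists are candidates for updating or deleting as described above, and a plugin you no longer use should simply be deleted rather than left in place.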