8 Comments

  1. David Anderson

    As I commented on the “Site Health” article at wordpress.org – https://make.wordpress.org/core/2019/04/25/site-health-check-in-5-2/ – if that percentage score/graphic stays, then every site builder/plugin author/web host is going to need to brace themselves for the onslaught of site owners who believe that if they don’t score 100% then there’s a fault that needs fixing, and the resulting wasted man hours spent either applying fixes to non-problems or educating site owners in complex technicalities.


  2. Ashutosh Mishra

    Can someone please explain how an inactive plugin can be considered a security threat? I thought they cannot execute code and are perfectly safe to keep around. I will have to remove about half a dozen of those from my sites now!


    • toto

      Your plugin code could become a back door even if not activated:

      https://example.com/wp-content/plugins/inactiveplugin/somecode.php


    • Kyle Pott

      You should remove all unused plugins and themes for two reasons.

      1. Even if they are deactivated in wp-admin, the code is still directly accessible on your server. Here’s an example of an exploit that works even when the plugin is deactivated.

      https://technicalagain.com/2019/04/14/conwell-quotes-wordpress-plugin-with-a-backdoor/

      2. The themes and plugins may fall out of date if inactive and you stop updating them. The more they age, the more likely exploits will become known and published. WordPress has a very active community of security researchers and hackers that make exploits very easy to scan for and execute.

      Bottom line is deactivate and delete anything that is unneeded. Update as soon as practicable.


    • Clorith

      Inactive plugins can still run code if you access them directly and they do not have any checks preventing this built in.

      They are also less likely to be updated, think “I’m not using it, so it doesn’t need to be updated”.


    • Dan Feidt (hongpong)

      When it’s inactive, that just means that its hooks are not scanned and applied in the system. That is really all that it means, if I’m not mistaken.

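The point Kyle Pott and Clorith make above, that a deactivated plugin's PHP files are still served and executed on a direct request unless the file itself bails out, can be checked from the defender's side. The script below is an added example, not code from the commenters or from WordPress: it walks a plugins directory and lists .php files with no recognised direct-access guard near the top, run here against a constructed sample plugin (the guard idioms it looks for and the sample files are assumptions).

```python
# Added example: flag .php files under a WordPress plugins directory that have
# no direct-access guard, so requesting the file's URL runs it even when the
# plugin is deactivated. The sample plugin below is constructed, not real.
import os
import re
import tempfile

# Guard idioms authors put near the top of a file so that loading it outside
# WordPress bails out. Assumption: matching one is a heuristic, not a proof.
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"](ABSPATH|WPINC|WP_UNINSTALL_PLUGIN)['\"]\s*\)"
    r"|function_exists\s*\(\s*['\"]add_action['\"]\s*\)"
)

def has_direct_access_guard(php_source, head_lines=30):
    # Only the first head_lines lines count: a guard buried later is useless.
    head = "\n".join(php_source.splitlines()[:head_lines])
    return GUARD_RE.search(head) is not None

def unguarded_php_files(plugins_dir):
    # Return sorted, slash-separated relative paths of unguarded .php files.
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if not has_direct_access_guard(fh.read()):
                        rel = os.path.relpath(path, plugins_dir)
                        findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)

# Constructed sample: the main plugin file is guarded, a helper file is not.
SAMPLE_PLUGIN = {
    "inactiveplugin/inactiveplugin.php": "<?php\n/* Plugin Name: Sample */\n"
    "if ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'ip_init' );\n",
    "inactiveplugin/somecode.php": "<?php\n// no guard: runs on direct request\n"
    "echo 'hello';\n",
}

def build_sample_plugins_dir():
    # Write SAMPLE_PLUGIN into a fresh temp directory and return its path.
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, body in SAMPLE_PLUGIN.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    for rel in unguarded_php_files(build_sample_plugins_dir()):
        print("no direct-access guard:", rel)
```

Point it at a real wp-content/plugins directory to get a list of files to review; a hit means the file should be deleted with the unused plugin or served with a guard, not that it is necessarily exploitable.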

  3. Steve Pheriche

    If deactivated plugins are marked as insecure because they might have a vulnerability then do these same plugins become more secure if I re-activate them? Nope. So why are deactivated plugins scored any differently from active ones? They have the same objective level of vulnerability. The only difference is an assumption that they are not being watched by the site admin, but does that really have any bearing on the threat level?

    There are certain dev utility plugins which I keep deactivated on client sites and only activate them when I am doing maintenance. I deactivate them just in case they are hooking in and using 1% of resources in wp-admin, or for a number of other reasons. For example: many plugins clutter the sidebar, or a client may have admin rights and I don’t want them seeing Query Monitor, or doing a search and replace!

    I’ll now have to remove those plugins and reinstall them every time I need them.

