Disabled plugins are security holes – rumor or reality?

I’ve read many WordPress Security blog articles where the Security Experts are recommending some special steps to take when somebody is concerned about their WordPress site’s security. One of them is:

WordPress Security Tips:
Remove unnecessary plugins, that are not in use.


A plugin that has security holes, whether by code, structure or db connections, can be fatal for a site even if it’s activated on a site. On the other hand, a well structured, well coded, and securely db-connected plugin may not have a security hole even when it’s deactivated. So where’s the issue exactly?

I have a site where there are some plugins I use occasionally. I actually don’t want to delete them but when they are not needed I just deactivate them from the site. Do I need to delete them to secure my site and if so, why?


3 comments

  1. A plugin that has security holes is a problem, whether or not it is activated. So here are some reasons why it is often recommended to remove plugins that you aren’t using.

    1. If you have plugins that you aren’t using, you often don’t care about keeping them updated. As a result, they won’t get any security updates, and that will be a vulnerability on your site. People often think that a plugin that is not running can’t negatively affect your site, but in the case of security, an attacker can exploit a security hole in a plugin that is installed, even if it is not activated.

    2. Think about why the plugin is not running in the first place. If it is a plugin that you use regularly, and you just turn on and off as needed, that is fine. However, it could be a plugin that didn’t work right, or is no longer being maintained. This second category of plugins is especially a problem for security, as they are often the source of security holes.

    If your deactivated plugins are actively maintained and are kept updated, they aren’t a problem. But if you have plugins installed that aren’t being used and aren’t being updated, it is best to remove them.
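    The first comment’s point is that "installed" and "active" are two different lists, and only the second one is visible in the admin UI. As an added illustration (not code from the question or from any commenter), the following Python script reconstructs both lists the way WordPress stores them: the `active_plugins` option is a PHP-serialized array of `slug/main-file.php` strings, and every installed plugin is identified by a `Plugin Name:` header comment in its main PHP file. The sample option value and header texts are constructed; `scan_plugins_dir` is an assumed helper for reading a real `wp-content/plugins` directory and is not used by the demo.

```python
import os
import re

# Constructed sample: the raw `active_plugins` option value as WordPress
# serializes it (a PHP array of "slug/main-file.php" strings).
SAMPLE_ACTIVE_PLUGINS = 'a:1:{i:0;s:19:"akismet/akismet.php";}'

# Constructed sample of installed plugin main files and their header comments.
SAMPLE_INSTALLED = {
    "akismet/akismet.php": "/*\nPlugin Name: Akismet\nVersion: 5.0\n*/",
    "old-gallery/old-gallery.php": "/*\nPlugin Name: Old Gallery\nVersion: 1.2\n*/",
    "hello.php": "/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/",
}

_PHP_STRING = re.compile(rb's:(\d+):"')
_HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_php_string_array(serialized):
    """Return the string members of a PHP-serialized array.

    The declared byte length after `s:` is trusted instead of searching for a
    closing quote, so values containing quotes or semicolons are read correctly,
    and a length that does not line up with the `";` terminator is rejected.
    """
    data = serialized.encode("utf-8")
    values = []
    pos = 0
    while True:
        m = _PHP_STRING.search(data, pos)
        if not m:
            return values
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if data[end:end + 2] != b'";':
            raise ValueError("malformed serialized string at offset %d" % m.start())
        values.append(data[start:end].decode("utf-8"))
        pos = end + 2


def read_plugin_header(source):
    """Pick the `Plugin Name` and `Version` fields out of a plugin header comment."""
    fields = {}
    for key, value in _HEADER.findall(source):
        fields.setdefault(key, value)
    return fields


def scan_plugins_dir(plugins_dir):
    """Assumed helper: map `slug/file.php` (or `file.php`) to the header text of
    every PHP file under a real wp-content/plugins directory that carries a
    `Plugin Name:` header. Not exercised by the demo below."""
    installed = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        candidates = [entry] if entry.endswith(".php") else [
            os.path.join(entry, f) for f in os.listdir(full) if f.endswith(".php")
        ] if os.path.isdir(full) else []
        for rel in candidates:
            with open(os.path.join(plugins_dir, rel), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # WordPress itself only reads the first 8 KiB
            if "Plugin Name:" in head:
                installed[rel] = head
    return installed


def audit_plugins(installed, active_serialized):
    """Cross installed plugins with the active list; inactive ones are the
    candidates the first comment says to either keep updated or remove."""
    active = set(parse_php_string_array(active_serialized))
    report = []
    for plugin_file, source in sorted(installed.items()):
        header = read_plugin_header(source)
        report.append({
            "file": plugin_file,
            "name": header.get("Plugin Name", plugin_file),
            "version": header.get("Version", "unknown"),
            "active": plugin_file in active,
        })
    return report


def inactive_plugins(installed, active_serialized):
    return [r["file"] for r in audit_plugins(installed, active_serialized) if not r["active"]]


if __name__ == "__main__":
    for row in audit_plugins(SAMPLE_INSTALLED, SAMPLE_ACTIVE_PLUGINS):
        state = "active" if row["active"] else "INACTIVE (update or remove)"
        print("%-30s %-12s %s" % (row["file"], row["version"], state))
```

    On a live site the two inputs come from `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'` and from `scan_plugins_dir('/path/to/wp-content/plugins')`; the report then gives you the installed-but-inactive list that the admin screen does not call out, together with the version you would check against vulnerability notices.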

  2. I’ve seen some pretty crappy plugins; some can include stand-alone scripts that can be attack vectors, and not updating or removing those can leave you open to attack.

    Disabled plugins from 3rd-party repositories won’t receive update notifications because they need to be activated for their update check code to run. Thus, if a vulnerability is discovered in a plugin that is disabled, no update notification will be given — but hackers will know to test for it.

    I’ve seen a site that had been attacked multiple times through an SQL injection attack performed through a gallery template plugin that had been removed from wordpress.org. Because there was no newer version in the repository, it didn’t generate any warnings that the plugin was “out of date” / vulnerable to attack.

    Best to only keep plugins that are active and kept updated. Also a good idea to keep track of vulnerability notices, and a matrix of plugins that are installed on which sites so that you can react to a threat before it becomes a problem. I watch this RSS feed for WP-related vulnerabilities:

    http://rss.packetstormsecurity.com/search/files/?q=wordpress

  3. If you check your error logs you will see machines scanning your site for plugins with security holes – so it doesn’t matter if plugins are activated or not, as they’ll go straight to the problem files, and not try and access them via your WP install per se.
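  The third comment says the scanners show up in your logs and go straight for plugin files regardless of activation state, and the first comment says those files answer even when the plugin is off. As an added example (not code posted by any commenter), this Python script runs both checks over web-server access log lines: it flags clients that touch many different plugin directories (typically collecting 404s as they enumerate slugs that are not installed), and it lists successful hits on plugins you know to be deactivated, which is the direct evidence that deactivation does not take the files off the web. The log lines, IP addresses and plugin slugs are constructed for the demo; the threshold `min_slugs` is an assumed tuning value.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache and nginx: client IP, timestamp,
# request line and status code are the fields this script uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_PATH_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)")

# Constructed sample log (documentation IP ranges, made-up plugin slugs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/old-gallery/readme.txt HTTP/1.1" 200 812 "-" "scanner/1.0"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 3412 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def plugin_requests(text):
    """Yield (client_ip, plugin_slug, status) for requests under /wp-content/plugins/."""
    for req in parse_log(text):
        pm = PLUGIN_PATH_RE.match(req["path"])
        if pm:
            yield req["ip"], pm.group("slug"), int(req["status"])


def find_plugin_scanners(text, min_slugs=3):
    """Clients that probe at least `min_slugs` distinct plugin directories.

    A normal visitor loads assets from the few plugins a page actually uses;
    enumerating many slugs, most of them answered with 404, is scanner behaviour.
    """
    slugs = defaultdict(set)
    misses = defaultdict(int)
    for ip, slug, status in plugin_requests(text):
        slugs[ip].add(slug)
        if status == 404:
            misses[ip] += 1
    return {
        ip: {"slugs": sorted(seen), "not_found": misses[ip]}
        for ip, seen in slugs.items()
        if len(seen) >= min_slugs
    }


def inactive_plugin_hits(text, inactive_slugs):
    """Successful (2xx) requests for files of plugins that are installed but
    deactivated: proof that the files are still served."""
    return [
        (ip, slug)
        for ip, slug, status in plugin_requests(text)
        if slug in inactive_slugs and 200 <= status < 300
    ]


if __name__ == "__main__":
    for ip, info in find_plugin_scanners(SAMPLE_LOG).items():
        print("scanner %s probed %d plugin dirs (%d not found): %s"
              % (ip, len(info["slugs"]), info["not_found"], ", ".join(info["slugs"])))
    for ip, slug in inactive_plugin_hits(SAMPLE_LOG, {"old-gallery"}):
        print("deactivated plugin %r still served a file to %s" % (slug, ip))
```

  Feed it your real access log (`find_plugin_scanners(open("/var/log/apache2/access.log").read())`) and the slugs of whatever you have deactivated; a non-empty result from `inactive_plugin_hits` is the concrete answer to the question in the title.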
