• I think a lot of people suffer from too many plugins. I know I do. I’m building a new site from scratch and I’m up to almost 20 plugins and I’m doing my darndest to keep them to a minimum (but that’s not the topic of this thread) lol

    I also think a lot of people underestimate the importance of keeping plugins up to date as well as removing unused plugins (ie not just deactivating).

    A disabled plugin is still a security risk as the raw file is still accessible and any exploited security hole in the plugin is almost certainly available to a hacker (correct me if I’m wrong, but place a file in any directory and try accessing it from outside; plugin or not, activated or not, certain vulnerabilities are still exploitable.)

    People will keep deactivated plugins around for various reasons: they don’t want to lose the settings; they don’t want to search through the myriad of plugins available if ever they want that feature again; they’ve bought the plugin; they want to keep it up to date… the list goes on.

    To my point: I have long thought about “why not move deactivated plugins out of the plugin directory?”

    I see the primary reason for not doing it would be the fact that those plugins would no longer receive updates.

    Is there a need for the development for a plugin manager that can move deactivated plugins away into another directory and keep tabs on them for the purposes of updates and keeping them up to date?

    On an aside: is it worthwhile just moving the plugin directory? Is that enough to stop some hacks (probably just the lazy ones)? Is there a way for a hacker to detect the current plugin directory? Since WordPress knows about it anyway, is there a way to extract that information from a hacker’s perspective? (Even if there is, I don’t want to know about it and I would suggest not posting it here :P)
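The question above (are the files of a deactivated plugin still reachable, and what is there to keep track of) can be answered from the defender's side with a small inventory script. The example below is added here and is not code from the thread or from WordPress itself. It walks a plugins directory, reads each plugin's header (name and version, from the first 8 KiB of the main file, as WordPress does), marks which plugins are inactive by comparing against the list stored in the `active_plugins` option (assumed to be supplied as a list of `slug/main-file.php` strings, for instance from `wp option get active_plugins`), and lists PHP files that lack the conventional `defined('ABSPATH')` guard and would therefore execute on a direct request whether the plugin is active or not. The sample plugin tree it builds is constructed for the demo.

```python
"""Inventory a WordPress plugins directory and flag inactive plugins.

Added example, not from the forum thread or from WordPress. Assumes:
  * plugins_dir points at wp-content/plugins (or wherever WP_PLUGIN_DIR is).
  * active is the list of "slug/main-file.php" entries WordPress keeps in the
    active_plugins option (single-file plugins appear as just "file.php").
"""
import re
import tempfile
from pathlib import Path

# Plugin headers live in a comment block at the top of the main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# Conventional guard that makes a plugin file bail out when it is requested
# directly instead of being loaded by WordPress.
GUARD_RE = re.compile(r"defined\(\s*['\"]ABSPATH['\"]\s*\)")


def read_header(php_file: Path) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} parsed from the file header."""
    head = php_file.read_text(errors="replace")[:8192]  # WordPress reads 8 KiB too
    return dict(HEADER_RE.findall(head))


def main_file_of(plugin_dir: Path):
    """The top-level .php file whose header carries a Plugin Name, if any."""
    for php in sorted(plugin_dir.glob("*.php")):
        if "Plugin Name" in read_header(php):
            return php
    return None


def unguarded_files(plugin_dir: Path) -> list:
    """PHP files with no ABSPATH guard: they run standalone on a direct request."""
    return sorted(
        p.relative_to(plugin_dir).as_posix()
        for p in plugin_dir.rglob("*.php")
        if not GUARD_RE.search(p.read_text(errors="replace"))
    )


def audit_plugins(plugins_dir, active) -> list:
    """One record per installed plugin: slug, name, version, active?, unguarded files."""
    plugins_dir = Path(plugins_dir)
    active_slugs = {entry.split("/")[0] for entry in active}
    report = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir():
            main = main_file_of(entry)
            header = read_header(main) if main else {}
            unguarded = unguarded_files(entry)
        elif entry.suffix == ".php":  # single-file plugin sitting in the top level
            header = read_header(entry)
            unguarded = [] if GUARD_RE.search(entry.read_text(errors="replace")) else [entry.name]
        else:
            continue
        report.append({
            "slug": entry.name,
            "name": header.get("Plugin Name", "?"),
            "version": header.get("Version", "?"),
            "active": entry.name in active_slugs,
            "unguarded": unguarded,
        })
    return report


def inactive_plugins(report: list) -> list:
    """Inactive plugins are still on disk, so they still need updating or deleting."""
    return [r for r in report if not r["active"]]


def build_sample_tree(root: Path) -> None:
    """Constructed sample plugins for the demo; not real plugins."""
    samples = {
        "alpha-forms/alpha-forms.php":
            "<?php\n/*\nPlugin Name: Alpha Forms\nVersion: 2.1.0\n*/\n"
            "if ( ! defined( 'ABSPATH' ) ) { exit; }\n",
        "beta-gallery/beta-gallery.php":
            "<?php\n/**\n * Plugin Name: Beta Gallery\n * Version: 1.4.2\n */\n"
            "defined( 'ABSPATH' ) || exit;\n",
        "beta-gallery/includes/upload.php":
            "<?php\n// no guard: executes on a direct request even while the plugin is inactive\n",
        "gamma-notice.php":
            "<?php\n/*\nPlugin Name: Gamma Notice\nVersion: 0.3\n*/\n",
    }
    for rel, body in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def run_demo() -> list:
    """Build the constructed tree in a temp dir and audit it with one active plugin."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return audit_plugins(root, ["alpha-forms/alpha-forms.php"])


if __name__ == "__main__":
    for rec in run_demo():
        state = "active" if rec["active"] else "INACTIVE"
        print(f"{rec['slug']:18} {rec['name']:14} {rec['version']:7} {state:9} unguarded={rec['unguarded']}")
```

Running it against a real install (`audit_plugins("/var/www/html/wp-content/plugins", active_list)`) gives the list of inactive plugins that either need to be kept updated or deleted, and the unguarded-file column shows why "deactivated" is not the same as "unreachable": nothing in the report depends on whether WordPress loads the plugin.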

Viewing 5 replies - 1 through 5 (of 5 total)
  • I have 31 plugins activated at my site and 15 more standing ready for whenever I might need one to do an occasional task. As far as site function is concerned, the challenge with plugins is only that they all play nicely together and not overload the server. Keeping them all updated does require some vigilance, however, and I have been thinking about possibly using automatic updates for doing that.

    A disabled plugin is still a security risk…

    Reducing the number of plugins does not make a site more secure, it only reduces the number of potentially-exploitable files at a given site. So, the issue is security and not one of how many things need to be secured.

    I have long thought about “why not move deactivated plugins out of the plugin directory?”

    Because obscurity and security are not synonymous.

    Something I try to help people see is that updates reducing exploitable vulnerabilities do not inherently increase security. For example: You can add a trigger lock to a gun, but that does not help to block an intruder from ever reaching the gun. So, I place my first focus on actual security and then take care of updates whenever they come along.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to How-To and Troubleshooting as this is not what Hacks is for.

    Having any number of deactivated plugins on your site is not a security risk, regardless of if you have 1 or 150. It’s not the volume that matters, it’s the one plugin that may be exploitable.

    Reducing the number of deactivated plugins doesn’t do anything for that risk because you need to keep your code updated regardless if it’s activated or not.

    That all said, it is a good administrative practice to only keep that code that you actually use. If you do not use a plugin then delete it from your installation. Same with themes (though don’t touch the Twenty Fifteen theme, it’s used for troubleshooting). The reason I say that is because I do not like scrolling through unused plugins and themes and asking myself “Why do I have that again?”

    *Drinks more coffee*

    But again, that’s just good administration practices. I’m not more secure for doing that. It’s the keeping up the code that makes me safe.

    I do not like scrolling through unused plugins and themes and asking myself “Why do I have that again?”

    Agreed…and then is when I typically delete it if I cannot recall an answer within just a few seconds!

    Thread Starter madivad

    (@madivad)

    G’day guys, thanks for your replies.

    Because obscurity and security are not synonymous

    I agree with that whole-heartedly, but given that I want these plugins for whatever reason (finding them again to reinstall can be painful) and want to keep potential risks minimal, the thought of moving them out of existing paths could be beneficial. (Discussed further below.)

    Having any number of deactivated plugins on your site is not a security risk, regardless of if you have 1 or 150. It’s not the volume that matters, it’s the one plugin that may be exploitable.

    I’m not sure if we’re on the same point here: my intent is that a quantity of plugins (activated or not) are a POTENTIAL security risk, ie, those plugins where vulnerabilities have been discovered by the hackers and NOT by the authors/users. My point specifically is that deactivated plugins are (in as far as I can tell) STILL exploitable. If I want to keep a plugin around, I’d prefer to keep those potential risks at a minimum.

    Reducing the number of deactivated plugins doesn’t do anything for that risk because you need to keep your code updated regardless if it’s activated or not.

    Agreed, and my hope is that everyone DOES keep their plugins up to date. As mentioned above, it’s more about the quantity of POTENTIAL risks which is all plugins, not just activated vs deactivated.

    I think my sentiment here is that 20 active and 30 inactive (up to date) plugins are more of a risk than 20 active (and again up to date) plugins.

    I suppose the only surefire way to reduce those risks is to remove (ie delete) the plugin and reinstall as necessary, but that could introduce other problems such as retaining unnecessary database entries/configurations if not used again, or losing them if they are required (depending on the deactivation process).

    I haven’t yet automated my updates, although I am pretty much on top of them as needed these days. I like to handle them manually, especially for those that might not play nicely with others. Plus, for those days away from WordPress (they do exist lol) I get my email which tells/reminds me that plugins are required to be updated.

    On a slightly side note: do people ever incorporate simple plugins into their own functions.php file, thereby negating the need for the plugin? I wrote a plugin for myself some years ago that allowed me to have a functions.php file outside of the theme. Well, technically it wasn’t a functions.php file, it was in fact a plugin, and I could chop and change it as necessary without changing themes being an issue. (Yes, these are theme-independent changes.) I ended up adopting an actively updated plugin that checks my code. I liked the idea of removing these simple plugins, but realise that generally these would provide less of a risk than other plugins anyway, ie just by nature of their changes such as one-line hooks/filters etc.

    Coffees and beers all round

    do people ever incorporate simple plugins into their own functions.php file, thereby negating the need for the plugin?

    Yes, I have done that, and now more recently I have pulled most of those from there to here:
    https://www.ads-software.com/plugins/search.php?q=Code+Snippets

    Some are theme-specific and others are about site function.

  • The topic ‘disabled plugins, security risks and alternatives’ is closed to new replies.