Disabled plugins are security holes – rumor or reality?

A plugin that has security holes is a problem, whether or not it is activated. So here are some reasons why it is often recommended to remove plugins that you aren’t using.

  1. If you have plugins that you aren’t using, you often don’t care about keeping them updated. As a result, they won’t get any security updates, and that will be a vulnerability on your site. People often think that a plugin that is not running can’t negatively affect your site, but in the case of security, an attacker can exploit a security hole in a plugin that is installed, even if it is not activated.

  2. Think about why the plugin is not running in the first place. If it is a plugin that you use regularly, and you just turn on and off as needed, that is fine. However, it could be a plugin that didn’t work right, or is no longer being maintained. This second category of plugins are especially a problem for security, as they are often the source of security holes.

If your deactivated plugins are actively maintained and are kept updated, they aren’t a problem. But if you have plugins installed that aren’t being used and aren’t being updated, it is best to remove them.

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  3. Are WordPress Plugins essential?
  4. What are the common security flaws I need to look for? [closed]
  5. Disabled plugins are they security holes – rumor or reality?
  6. How Can I Securely Implement a Password-less Login Feature?
  7. Security and .htaccess
  8. Why “Contact Form 7” doesn’t update PHPmailer library?
  9. Are there procedures to prevent malicious plugin updates?
  10. Secure WordPress paid plugin
  11. How to make media upload private? [duplicate]
  12. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  13. What does a security risk in a plugin look like?
  14. WordPress Capabilities: edit_user vs edit_users
  15. How to check plugins for malicious code?
  16. How to properly secure my WordPress installation?
  17. Where should my plugin POST to?
  18. Security error WP 4.0 + WP phpBB Bridge [closed]
  19. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  20. Prevent Brute Force Attack
  21. Why users disable the WordPress update?
  22. How many security plugins are too many? [closed]
  23. Will WordPress username displayed somewhere in the site?
  24. Is revealing just the AUTH_KEY a security issue?
  25. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  26. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  27. How to expire all wordpress user passwords instantly?
  28. How to limit WordPress pages during updates?
  29. rms_unique_wp_mu_pl_fl_nm.php
  30. Weird problems after recovery from security breach
  31. How can we deal with unmaintained plugins with vulnerabilities?
  32. Security checking in meta_box save is reluctant?
  33. Should you escape hardcoded URLs?
  34. Preventing BFA in WordPress without using a plugin
  35. How can I make uploaded images in the editor load with HTTPS?
  36. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  37. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  38. WordPress filter that hook after each action/filter hook
  39. How to delete Passwrd Protected posts cookies when a user logged out from the site
  40. wp_create_nonce function doesn’t work inside a plugin?
  41. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  42. Headers Content-Security-Policy CSP Major Issue
  43. How to block plugin activations with no known user or coming from unknown IP address range?
  44. Nonce failing on form submission
  45. Check for security updates
  46. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  47. Malicious File Upload [closed]
  48. Stop Plugin Enumeration [closed]
  49. Malware installation during plugin update?
  50. I should enable automatic updates?
  51. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  52. Security and Must Use Plugins
  53. Prevent direct access to WordPress plugin assets?
  54. Is it safe to use admin-ajax.php in the frontend?
  55. How to protect WordPress from security scanner [closed]
  56. Too many login attempts
  57. Website show Google Ads when we have no Google Ads linked to our website
  58. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  59. Custom API plugin to execute 3rd party API to retrieve data
  60. how do I secure my WP website from hackers? [closed]
  61. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  62. Webservice credential storage [duplicate]
  63. Regarding plugin security
  64. How do I determine if the user who registered is not spam?
  65. Is this plugin safe to run?
  66. Is the Block Bad Queries Plugin Still Relevant?
  67. 404 errors when updating options in admin dashboard
  68. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  69. Hide plugins and theme from public
  70. WordPress search shows protected content
  71. Security of a WordPress Plugin
  72. Can I disable xml-rpc by setting it to false?
  73. How can I disable new plugin and theme install, but allow updates?
  74. Help to Create a Simple Plugin to make a post
  75. Validating ajax search
  76. WordPress disable direct access of files in WordPress installation path
  77. Asking help regarding potential malware
  78. prevent anonymous access to WordPress site (non-admin site)
  79. Bing/msn bots is heavily requesting random of my website
  80. “Fire Secure” menu item
  81. Securing a plugin pop-up window
  82. Redux framework somehow added to my site, can’t locate in plugins
  83. Being hacked. Is there a list of WordPress security holes I can check against?
  84. wp_verify_nonce fails always
  85. How can i see/log all requests coming from a registration form (not from the UI)?
  86. Write mysql credentials in plugin
  87. Site is continuously accessing by several IPs
  88. Validating values using Settings API?
  89. SWF in wordpress post
  90. Unwanted Links and Spam WordPress Pages and Posts
  91. Problem with permissions in wp-content/plugins
  92. File permissions for wp-minify plugin
  93. What is the recommended way to be notified of security updates to my plugins? [closed]
  94. My WP site and password was hacked, what to do? [closed]
  95. How to resolve these findings from security audit
  96. How I can hide my wp folders from Inspect Element (Developer Tools)
  97. How to Find WordPress site has backdoor login Codes
  98. Stop the user if login from the cookies
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes

Leave a Comment

tech