A client site suddenly went all catatonic on me when I was trying to log in. I could key in username and password and click the login button, but nothing would happen.
The post request wasn’t sent. No error message came back. Nothing. I thought maybe security. My email address had been in a list of pwned emails so I thought maybe the security plugin suite was blocking my address.
But the client couldn’t log in either.
So I did the usual process of elimination ritual. I disabled all the plugins. I was able to log in.
I started adding the plugins back one at a time. The problem plugin was Awesome Flickr Gallery plugin. Apparently it was condemned in March 2020 for some guideline violation. But it’s been effectively orphaned for years.
“No worries,” the client said. “I’ve got a lot of other Flickr plugins I can use.”
“What? Why?”
“I try them all out and settle on the one that works best. Only I forget to uninstall the ones I don’t use. Is that bad?”
“Yes.”
It’s most assuredly bad to leave them activated. They can compete for the same variable names, API access etc., and drag each other — or even the whole site — down.
Worse still they can become windows of vulnerability for bots or hackers seeking unauthorized access to your site. And if you’re unwilling to take the trouble to deactivate and delete unused plugins, you’re almost certainly unwilling to keep up to date on which plugins have vulnerabilities that hackers are exploiting.
But even if you deactivate them, they can still cause you problems. The plugin’s files and directories are still present and could bring you unwanted attention.
By deactivating them, you tell WordPress not to run them. But through the magic such as cross-site scripting and other lovely tricks, hackers can run them for you, so to speak. And there is no way of knowing what path that sort of attack might take. But it won’t end well for you.
The update nag notices will still clutter your admin screen. You’ll become inured to them and ignore them so habitually that you won’t notice when something comes up that matters.
Please prune your plugins. By that I mean:
- deactivate the ones you can’t think of a use for;
- run a series of tests to see if your site behaves as expected (create a post, upload an image, attach a document, buy a product etc etc)
- if it does delete the plugin
- lather, rinse, repeat for every plugin until you’re left with activated plugins whose function you understand and require.
This cautionary tale is about a WordPress site and uses that platform’s lingo but the same logic applies to all other freely-available content management systems including Drupal and Joomla.