Join Jeff Starr for an in-depth discussion in this video, Remove unused plugins and themes, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we go through the different parts of a WordPress installation and look at how to clean things up, which files and plugins are safe to remove from the server, where to look, and so on. Running a tight ship is a key part of good security, and removing unused files and plugins eliminates potential attack vectors and helps keep your site clean and organized. There are three main areas where we want to clean things up: unused files and folders, unused and outdated plugins, and unused and outdated themes.
It's all about limiting your site's liability. Less code on the server means less code that could potentially be exploited should a vulnerability exist. Depending on the circumstances, even inactive themes and plugins may put your site at risk. Here in the WordPress Admin area, the first thing to check is the plugins page. We want to take a good look at our installed plugins to see if there are any that we don't need, are no longer supported, or are outdated or otherwise obsolete.
For example, here is the ubiquitous Hello Dolly plugin. Here on this demo site, this plugin is inactive and never used so we can remove it to keep things clean and focused. Just click the Delete button and then click Yes to confirm. Repeat this process for any unused or inactive plugins that may be lurking on your site. We also want to check our installed themes. Even if themes are inactive, any vulnerabilities may be exploited on the server. Here on the Themes page, we can check for any unused themes.
Now it's perfectly okay to keep inactive themes installed; technically it doesn't hurt anything, but whenever possible, removing unnecessary code helps to minimize the overall liability to your site. For example, the Skulls theme here was used in a previous screencast and is no longer needed, so we can go ahead and delete it. You click on Theme Details and then, in the corner here, click on Delete. We can always reinstall the theme later, if needed. After cleaning things up in the Admin area, we can also visit our site's files on the server and remove anything that's not needed.
There are a few default files included with WordPress that may be safely removed: the sample configuration file, the readme.html file, and the license.txt file. In addition to these three files, we want to check for any non-WordPress directories, files, scripts, images, and so forth that aren't required. Here is a list of some common development assets and other loose files that you may find lurking on the server: backup files, log files, version control files, and temporary/test files.
As you go through your files, you may want to archive any removed content. For each of my sites, I like to keep an offline folder where I store development files, unused code snippets, notes, and so forth. That keeps rogue files and other junk off the server but readily available if needed. Or, instead of deleting loose files, you can simply protect them from any external access. For example, this slice of code may be copied from the Exercise Files and placed into the .htaccess file that's located in the root directory of our site.
Just paste the code before any existing WordPress rules and then save the file and upload it to the server. With this code in place, many types of loose files will be safe and secure. In fact, that code snippet is protecting the following file types: Files beginning and ending with a #, files that end with a ~, various readme files, common development files, the WordPress sample configuration file, and files with the following extensions.
We can verify this by returning to the browser and trying to access the site's readme.html file on the server. Before adding the .htaccess code, the readme file was readily accessible, as seen here. But now, with our code in place, any request for the file returns a 403 Forbidden response. This shows us that our .htaccess snippet is working to keep prying eyes away from our readme.html and other loose files.
In this video, we've cleaned up our plugins, themes, and core files for better organization and easier-to-manage site security. Of course, good housekeeping and running a clean machine helps to minimize your site's liability and is an important part of any comprehensive WordPress security strategy.
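The server-side clean-up and the .htaccess protection described in the narration, as an added example that is not the course's Exercise Files snippet and not Jeff Starr's code: a POSIX shell script that lists loose files under a WordPress document root (the default readme.html, license.txt and wp-config-sample.php, plus editor, backup, log, archive and version-control leftovers), moves them into an offline archive folder while keeping their relative paths, and prints Apache rules that return 403 for any such file still on disk. The function names, the file patterns and the Apache regex are my own choices, not the course's list, and the sample site tree used to exercise it is constructed in the test.

```shell
#!/bin/sh
# Added example (not from the course): tidy a WordPress docroot and deny web
# access to whatever loose files remain. Patterns are assumptions; adjust them.

# List loose files under the docroot ($1), one absolute path per line, sorted.
# Version-control directories are reported as a whole and not descended into.
# Plugin and theme readme.txt files are deliberately not matched here; they are
# expected in those directories and are better handled by the .htaccess rules.
find_loose_files() {
    root=$(cd "$1" && pwd) || return 1
    find "$root" \
        \( -type d \( -name .git -o -name .svn -o -name .hg \) \) -prune -print -o \
        -type f \( \
            -name readme.html -o -name license.txt -o -name wp-config-sample.php \
            -o -name '#*#' -o -name '*~' -o -name '*.swp' -o -name '*.tmp' \
            -o -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*.rej' \
            -o -name '*.log' -o -name '*.sql' -o -name '*.zip' -o -name '*.tar' \
            -o -name '*.gz' -o -name '*.tgz' -o -name .env -o -name .gitignore \
            -o -name .DS_Store -o -name Thumbs.db \
        \) -print | sort
}

# Move every loose file out of the docroot ($1) into an offline archive
# directory ($2), keeping relative paths so the tree can be restored later.
# Refuses an archive directory inside the docroot: that would just create
# a new pile of loose files (and re-archive itself on the next run).
archive_loose_files() {
    root=$(cd "$1" && pwd) || return 1
    mkdir -p "$2" && dest=$(cd "$2" && pwd) || return 1
    case "$dest" in
        "$root"|"$root"/*) echo "archive dir must be outside the docroot" >&2; return 1 ;;
    esac
    # sort in find_loose_files means find finishes before the first mv runs
    find_loose_files "$root" | while IFS= read -r path; do
        rel=${path#"$root"/}
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$path" "$dest/$rel"
    done
}

# Print .htaccess rules (Apache 2.4, with a 2.2 fallback) that return 403 for
# loose files still on disk. FilesMatch sees only the basename of a request,
# so a separate RedirectMatch covers requests into version-control directories.
loose_file_rules() {
    # Matched against the basename; (?i) makes the match case-insensitive.
    pat='(?i)(^#.*#$|~$|\.(bak|old|orig|rej|save|swp|tmp|dist|log|sql|ini|sh|env)$|^\.(git|svn|hg|env|ds_store)|^(readme|license|changelog)(\.[a-z]+)?$|^wp-config-sample\.php$)'
    cat <<EOF
# Deny web access to development, backup and default WordPress files
RedirectMatch 404 "/\.(git|svn|hg)(/|\$)"
<IfModule mod_authz_core.c>
    <FilesMatch "$pat">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "$pat">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
EOF
}

# Stand-alone use: sh wp-cleanup.sh /var/www/html [/path/to/offline-archive]
# With one argument it only reports; with two it archives. Rules are printed
# either way so they can be pasted above the WordPress block in .htaccess.
if [ $# -ge 1 ]; then
    if [ $# -ge 2 ]; then archive_loose_files "$1" "$2"; else find_loose_files "$1"; fi
    echo
    loose_file_rules
fi
```

Two caveats that the narration leaves implicit. The rules only take effect if Apache's `AllowOverride` for the docroot permits them (`AuthConfig` for `Require`, `FileInfo` for `RedirectMatch`, or simply `All`); nginx never reads .htaccess at all, so check with `curl -I https://your-site/readme.html` and expect a 403 rather than assuming. And a 403 only stops browsers: a file that is still on disk can be read by any compromised plugin or account on the server, which is why archiving off the server is the stronger of the two options.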