How & when to do a plugin audit


When a client has been hacked or their site is running slower than they’d like, one of the first things we do is run a plugin audit to check for an abundance of plugins on their WordPress dashboard.

It’s not unusual to find clients with dozens of plugins installed. And it makes sense, right? After all, if there’s something you want to do on your site, chances are there’s a plugin for that. And who can resist the ease of installing a plugin that helps you change the design of your site, adds important functionality, or just makes your life easier?

The problem, of course, is that plugins use server resources. And poorly designed plugins use even more of those precious resources. Plugins also present all kinds of security challenges. You can think of each one as a potential “back door” into your site, and savvy hackers are pros at finding any vulnerabilities.

Are we saying you shouldn’t use plugins? No, of course not. In fact, there are several we recommend for Agathon clients. So how do we balance the usefulness of plugins with these inherent concerns?

Introducing: the plugin audit

A plugin audit is a great way to step back and evaluate all of the plugins on your site. It’s an opportunity to decide which are worth the potential cost (in performance and security) and which should go.

You should be auditing your plugins (along with other WordPress maintenance) on a regular basis. If you haven’t done a plugin audit before—or it’s been a while—we recommend setting aside some time to ask some hard questions, make some tough decisions, and give yourself a fresh start.

Some of you are wondering if you really need to take time out of your busy schedule for a plugin audit. After all, things are working okay right now, so why mess with something that’s not broken? But now is actually the best time to do an audit because you can evaluate and make decisions without the panic of something being wrong on your site!

In addition to the security and speed concerns I mentioned above, the plugins, themes, WordPress core, and PHP on your server all interact. That means each additional plugin also presents a potential incompatibility as other pieces are updated.

How to do a plugin audit

Okay, hopefully I’ve convinced you this process is worth your time. What now? How exactly do you perform a plugin audit in a way that doesn’t waste your time, break your site, or leave you trying to retrace your steps later on?

Here’s an easy process to follow:

NOTE: Always, always start by backing up your site. You can’t always anticipate when something might go sideways, and a fresh backup makes it easy to restore your site if something goes wrong.

Start with the inactive plugins

If you have already deactivated a plugin, it’s probably safe for you to delete it altogether. And it’s important to do so because even an inactive plugin can create a backdoor into your site for hackers.

Review each inactive plugin to confirm you can delete it. Then click the Remove link to delete it from your site. We recommend making a list of these inactive plugins before you delete them. If something does go wrong, this list can help you retrace your steps.

What happens to my data when I delete a plugin?

In most cases, when you delete a plugin, you’re also deleting all of its data. This includes settings, history, etc. You may be tempted to leave the plugins installed and deactivated for this reason. But it’s much better to fully delete them. If you’re concerned about the impact this might have on your site, screenshot any settings and leave the plugin deactivated for a week or two before deleting it completely.

Make a list of your active plugins

Your next step is to make a list of your active plugins. You might be tempted to skip this step. But if something does go wrong, this list can help you fix the issue without needing to revert back to an older version of your site or start the process over again.

Once you’ve made your list, ask yourself these questions:

What functionality does each one offer? Are there any duplicates?

It’s not uncommon for us to see sites running multiple plugins that overlap or provide the exact same features. One example of this is WP Rocket and Autoptimize. We do recommend clients use Autoptimize alongside a caching plugin like WP Super Cache or server-level caching. However, in addition to caching, WP Rocket also includes the same minification functionality as Autoptimize, so Autoptimize is not necessary when running that plugin.

This can also be true for sites that have switched from one plugin (social sharing, for example) to another but haven’t yet deleted the first one.

Are there any plugins you used at one time but don’t need anymore?

Maybe you used a plugin like WWSGD or Click to Tweet during their heyday and have left it active even though you’re no longer using it. If so, it’s a good candidate for deleting.

NOTE: If the plugin you’re getting rid of uses shortcodes within the body of your blog posts (like Click to Tweet), you’ll want to remove those. You can do this manually if it only impacts a handful of posts, or you can use a search and replace tool. Agathon clients can email support if you need help with that process!

Are any of the plugins you’re using outdated or unmaintained?

Finally, even if all of the plugins you’re using feel necessary, it’s important to make sure they’re being updated regularly. This part will take some detective work. First, go to the Plugins page. Next, click on the View Details link on each plugin’s description. You want to check the following fields:

  • Last Updated—hopefully within the last 6 months
  • Compatible Up To—should be the most recent version of WordPress
  • Active Installations—more is always better, but at least 1,000 is reassuring
  • Average Rating—4 stars or more is ideal

It’s worth noting these are guidelines and there will be exceptions. For example, we are still recommending the Stop XML-RPC Attack plugin even though the plugin author has essentially abandoned it. This, however, is an exception to the rule. This plugin’s code is extremely simple and lightweight, and our developers have reviewed it themselves. While exceptions do exist, they should remain exceptions. Don’t use the exception to justify other plugins that pose a potential risk to your site!
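If you have more than a handful of plugins, applying the four checks above by hand gets tedious. The following script is an added example (not code from this post or from Agathon) that applies the post’s thresholds to plugin metadata and labels each plugin keep or replace, with a list of reviewed exceptions like the one described above. The record shape mirrors the fields of the wordpress.org plugin information API (last_updated, tested, active_installs, rating), but the sample records are constructed and the dates are assumed to be normalized to YYYY-MM-DD.

```python
from datetime import datetime, timedelta

# Thresholds taken from the checklist in this post.
MAX_AGE_DAYS = 183          # "within the last 6 months"
MIN_ACTIVE_INSTALLS = 1000  # "at least 1,000 is reassuring"
MIN_RATING_PERCENT = 80     # 4 of 5 stars; the API reports ratings on a 0-100 scale


def version_tuple(version):
    """Turn '6.4.1' into (6, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_plugin(name, info, current_wp, today, reviewed_exceptions=()):
    """Return (label, reasons) for one plugin: 'keep' if every check passes,
    otherwise 'replace' with the failing checks listed."""
    if name in reviewed_exceptions:
        return "keep", ["kept as a reviewed exception despite its metadata"]
    reasons = []
    last_updated = datetime.strptime(info["last_updated"], "%Y-%m-%d")
    if today - last_updated > timedelta(days=MAX_AGE_DAYS):
        reasons.append("not updated in over 6 months")
    if version_tuple(info["tested"]) < version_tuple(current_wp):
        reasons.append(f"only tested up to WordPress {info['tested']}")
    if info["active_installs"] < MIN_ACTIVE_INSTALLS:
        reasons.append("fewer than 1,000 active installations")
    if info["rating"] < MIN_RATING_PERCENT:
        reasons.append("average rating below 4 stars")
    return ("keep" if not reasons else "replace"), reasons


def audit_all(plugins, current_wp, today, reviewed_exceptions=()):
    """Map every plugin name to its (label, reasons) pair."""
    return {name: audit_plugin(name, info, current_wp, today, reviewed_exceptions)
            for name, info in plugins.items()}


# Constructed sample records (hypothetical plugin slugs) in the API's field layout.
SAMPLE_PLUGINS = {
    "solid-cache":    {"last_updated": "2024-05-01", "tested": "6.5",   "active_installs": 200000, "rating": 92},
    "stale-widget":   {"last_updated": "2022-01-15", "tested": "5.9",   "active_installs": 400,    "rating": 70},
    "lagging-tested": {"last_updated": "2024-04-20", "tested": "6.4.3", "active_installs": 5000,   "rating": 88},
    "tiny-reviewed":  {"last_updated": "2021-03-01", "tested": "5.7",   "active_installs": 900,    "rating": 85},
}


def run_sample():
    """Audit the sample set as of 2024-06-01 against WordPress 6.5 (assumed current)."""
    return audit_all(SAMPLE_PLUGINS, "6.5", datetime(2024, 6, 1), reviewed_exceptions={"tiny-reviewed"})


if __name__ == "__main__":
    for name, (label, reasons) in run_sample().items():
        print(f"{name}: {label}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The reasons list is what you would copy into the "replace" column of your audit list; a plugin that fails only the "Compatible Up To" check is usually the least urgent of the four.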

Give each plugin a rating

As you ask yourself the questions above, label each plugin on your list with one of four labels: keep, delete, replace, investigate.

Keep: These are plugins that are important to the functionality of your site and have solid reputations.

Delete: Whether it’s Hello Dolly or an Instagram feed plugin you used before your designer hardcoded the feed into your theme for you, make a list of any plugins that can now be deleted.

Replace: Maybe you adore the functionality one of your plugins offers but the plugin info is looking a bit sketchy. In that case, tag the plugin with “replace” so you can do that sooner rather than later.

Investigate: Finally, you may find there are plugins you rely on that might not be necessary. As long as the plugin is being updated and maintained, you don’t need to make an immediate change. However, you do want to mark these for investigation so you can start reaching out to other bloggers and WordPress professionals to get their recommendations for a replacement.

Before you delete a plugin

It’s worth saying one more time: before you do anything, be sure to run a backup of your site. That way, if something goes sideways, you can restore the backup without losing any of your hard work.

Next, once you’ve identified the plugins you think you can live without, start by deactivating them one by one. After each change, spend some time clicking around your site to make sure everything looks like it’s working properly. You may want to wait a few days before you delete the plugins altogether just to be sure you haven’t overlooked a breaking change.

Remember: inactive plugins still create possible security vulnerabilities. You’ll want to revisit the list after a few days to finish the process of deleting those altogether.

What do I do if a plugin is outdated and I need the functionality?

The unfortunate reality is at some point you’ll probably come across an outdated or unsafe plugin your site relies on. What now?

First, start by looking for another plugin that provides the same functionality. There are SO MANY plugins available, so chances are you’ll be able to find one.

If not, you can always hire a designer/developer to hardcode the change for you. Yes, this involves investing some money upfront, but trust us when we say protecting your site is worth the cost!

I have a lot of plugins… and I like them all

Your ultimate goal doesn’t need to be to eliminate all plugins. In fact, many successful sites use lots of plugins. The goal is to eliminate unnecessary, redundant, vulnerable, or heavy plugins so your site can perform its best.

If you’re a professional WordPress blogger who relies on your site for income, you may want to invest money in having a designer or developer create some of that functionality without the use of a plugin. As I mentioned before, each plugin can impact your site’s speed, security, and stability, so this investment can be good for your business in the long run.
