Spring Clean WordPress to Make It Secure and Faster

Written: 18.2.2020 Updated: 19.2.2020

Over time, even well-maintained WordPress sites tend to accumulate some cruft: excess files, unused plugins, unnecessary database contents, and logs that are lying around. They might not be directly affecting the site but are potentially causing a risk for how well the website works in the future.

First of all, think about the environment. The storage of all files consumes some resources. The less there is excess data, the less hardware and electricity will be required.

Secondly, think about security. A site owner committed to following GDPR should make sure there are no excess backups around that are accidentally stored forever, potentially violating data removal requests. Having data in a temporary backup for some time (e.g., 30 days) is acceptable, but having a permanent copy of data that should have been deleted can constitute a violation of the GDPR.

Excess files can also be a direct security risk. Quite often, we come across sites that have a database dump exposed in some location where an outsider could potentially download it and leverage it for criminal purposes.

Installed but inactive plugins are also a security risk since an attacker could potentially try to access the PHP files directly. The less code a site has, the smaller the attack surface. Also, an inactive plugin will still need to be updated and maintained, and if the update fails, it can affect the whole site. There is no good reason to keep around inactive plugins. If they are ever needed, one can always reinstall them fresh with just a few clicks. The same applies to inactive themes.

Remove inactive plugins and themes

Since WordPress 5.2, there has been a new section under Tools called Site Health. This tool tells you about potential problems in your server environment or WordPress installation. One of the things it (rightfully) complains about is if you have themes or plugins installed that are inactive.

Please follow its recommendation and remove all inactive plugins and themes.

WordPress Site Health complains about inactive plugins – go ahead and remove them!

For the active plugins, please review the list and consider removing the ones you don’t need on your site permanently, for example, debugging plugins.

Remove other cruft files

Customers at Seravo have a few extra tools available in their WordPress, for instance the Security page under Tools. It has many functions, one of which is finding potential cruft files.

The security page under Tools on sites at Seravo suggests removing any cruft files found.

Please review the list of cruft files and consider removing them. Note that the heuristics are not always entirely accurate, and thus we don’t delete anything automatically, only with the confirmation from a human.

Remove old logs

Browsing the site with an SFTP client or on the command line with SSH is the best way to review all files in the installation. One typical file that should not be there is wp-content/debug.log, which may appear if the debug configuration in wp-config.php is sloppy. We recommend removing files like these and making sure your wp-config.php states define('WP_DEBUG_LOG', '/data/log/php-error.log'); so all future debug logs (if written) end up in the correct location.

All logs for sites in Seravo’s upkeep should be written at /data/log/. This is a special directory that automatically applies log rotation and cleanup of old logs, so one does not need to worry about any manual cleanup at any point.
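To check what a given wp-config.php actually does with the debug log, the following added example (not part of Seravo's tooling) classifies the WP_DEBUG_LOG setting. The function names debug_log_setting and debug_log_ok are hypothetical, and the script assumes each define() sits on a single line.

```shell
#!/bin/sh
# Added example: report where a wp-config.php sends the WordPress debug log.
# Function names are hypothetical; assumes each define() is on one line.

# Prints one of: unset | disabled | default-location | path:<file> | unknown:<value>
debug_log_setting() {
    cfg=$1
    # PHP keeps the first define() of a constant, so read the first active one.
    line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]WP_DEBUG_LOG['\"]" "$cfg" | head -n 1)
    [ -n "$line" ] || { echo unset; return 0; }
    # Keep only the second argument of define().
    value=$(printf '%s\n' "$line" |
        sed -E 's/^[^,]*,[[:space:]]*//; s/[[:space:]]*\)[[:space:]]*;.*$//')
    case $value in
        true|TRUE|1)   echo default-location ;;  # log goes to wp-content/debug.log
        false|FALSE|0) echo disabled ;;
        \'*\'|\"*\")   v=${value#?}; echo "path:${v%?}" ;;
        *)             echo "unknown:$value" ;;
    esac
}

# Succeeds only when the log goes to an absolute path outside the directory
# that holds wp-config.php.
debug_log_ok() {
    cfg=$1
    root=$(cd "$(dirname "$cfg")" && pwd)
    case $(debug_log_setting "$cfg") in
        path:"$root"/*) return 1 ;;
        path:/*)        return 0 ;;
        *)              return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    debug_log_setting "$1"
fi
```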

Trim down the database

Cleaning up the database is maybe the hardest part, and unfortunately most often the place that collects most cruft due to misbehaving plugins. A quick overview of the database status can be seen via the Seravo Plugin view under Tools > Database.

View at Tools > Database for sites in Seravo’s upkeep

To actually clean up the database one needs to access the site with SSH and utilize our tools wp-db-size, wp-db-info and wp-db-cleanup. The first one will list the size of the tables (just like the graphical tool above). The database info command will show how much the WordPress autoload will fetch from the database on every page load, what are the most common database rows, keys, and contents and other information that helps website developers figure out where there might potentially be wasteful database contents. This information can be used to manually clean up the database, either via command line SQL or graphically with Adminer.

The command wp-db-cleanup contains some common database cleanup commands that remove things like old post revisions and transients, which on misbehaving sites might pollute the database.

Happy cleaning!

Cleaning up a site does not take long, especially with the help of the tools that Seravo provides. So what are you waiting for? Go to your website and spend a couple of minutes checking it out – and then you can permanently enjoy the added security and speed-up the cleanup might provide. And also, the environment thanks you.

Otto Kekäläinen

CEO
