Spring Clean WordPress to Make It Secure and Faster

Over time, even well-maintained WordPress sites tend to accumulate some cruft: excess files, unused plugins, unnecessary database contents, and logs that are lying around. They might not be directly affecting the site but are potentially causing a risk for how well the website works in the future.

First of all, think about the environment. The storage of all files consumes some resources. The less there is excess data, the less hardware and electricity will be required.

Secondly, think about security. A site owner committed to following GDPR should make sure there are no excess backups around that are accidentally stored forever, potentially violating data removal requests. Having data in a temporary backup for some time (e.g., 30 days) is acceptable, but having a permanent copy of data that should have been deleted can constitute a violation of the GDPR.

Excess files can also be a direct security risk. Quite often, we come across sites that have a database dump exposed in a location where an outsider could download it and use it for criminal purposes.

Installed but inactive plugins are also a security risk since an attacker could potentially try to access the PHP files directly. The less code a site has, the smaller the attack surface. Also, an inactive plugin will still need to be updated and maintained, and if the update fails, it can affect the whole site. There is no good reason to keep around inactive plugins. If they are ever needed, one can always reinstall them fresh with just a few clicks. The same applies to inactive themes.

Remove inactive plugins and themes

Since WordPress 5.2, there has been a section under Tools called Site Health. This tool tells you about potential problems in your server environment or WordPress installation. One of the things it (rightfully) complains about is if you have themes or plugins installed that are inactive.

Please follow its recommendation and remove all inactive plugins and themes.

WordPress Site Health complains about inactive plugins – go ahead and remove them!

For the active plugins, please review the list and consider removing the ones you don’t need on your site permanently, for example, debugging plugins.

Remove other cruft files

Customers at Seravo have a few extra tools available in their WordPress, for instance the Security page under Tools. It has many functions, and one of them is finding potential cruft files.

The security page under Tools on sites at Seravo suggests removing any cruft files found.

Please review the list of cruft files and consider removing them. Note that the heuristics are not always entirely accurate, and thus we don’t delete anything automatically, only with the confirmation from a human.
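
A report-only scan in the same spirit, as an added example (this is not Seravo's tool, and the file name patterns are assumptions chosen for illustration). It lists candidates for a human to review and deletes nothing:

```sh
#!/bin/sh
# Added example: report-only scan for likely cruft under a WordPress web root.
# The name patterns are assumptions for illustration, not Seravo's heuristics.

# find_cruft ROOT -> one path per line, relative to ROOT, sorted
find_cruft() (
    cd "${1:-.}" || exit 1
    find . -type f \( \
           -iname '*.sql'     -o -iname '*.sql.gz' -o -iname '*.sql.zip' \
        -o -iname '*.tar'     -o -iname '*.tar.gz' -o -iname '*.tgz' \
        -o -iname '*.bak'     -o -iname '*.old'    -o -iname '*.orig' \
        -o -iname '*.swp'     -o -name  '*~' \
        -o -iname 'debug.log' -o -iname 'error_log' \
        -o -iname 'wp-config.php.*' \
        \) -print | sed 's|^\./||' | LC_ALL=C sort
)

# Print the findings for a human to review; nothing is deleted.
if [ "$#" -gt 0 ]; then
    find_cruft "$1"
fi
```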

Remove old logs

Browsing the site with an SFTP client or on the command line over SSH is the best way to review all files in the installation. One typical file that should not be there is wp-content/debug.log, which may appear if the debug configuration in wp-config.php is sloppy. We recommend removing files like these and making sure your wp-config.php states define('WP_DEBUG_LOG', '/data/log/php-error.log'); so all future debug logs (if written) end up in the correct location.

All logs for sites in Seravo’s upkeep should be written to /data/log/. This is a special directory that automatically applies log rotation and cleanup of old logs, so one does not need to worry about any manual cleanup at any point.
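
One way to check the debug log setting described above from the command line, as an added example (not Seravo's tooling). It assumes the directory passed in holds both wp-config.php and wp-content/, and it only reads single-line, uncommented define() calls:

```sh
#!/bin/sh
# Added example: where will WordPress write its debug log?
# Assumption: SITE_ROOT holds both wp-config.php and wp-content/.

# debug_log_target WP_CONFIG -> "off", "default:wp-content/debug.log",
# "path:<file>" or "unknown:<expr>"
debug_log_target() (
    [ -r "$1" ] || { echo "missing"; exit 2; }
    # PHP keeps the first define() of a constant, so read the first match.
    val=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]WP_DEBUG_LOG['\"]" "$1" \
          | head -n 1 \
          | sed -E "s/^[^,]*,[[:space:]]*//; s/[[:space:]]*\)[[:space:]]*;.*$//")
    case "$val" in
        # true/1 (bare or quoted) selects the default file in wp-content
        true|TRUE|1|\'true\'|\'1\'|\"true\"|\"1\") echo "default:wp-content/debug.log" ;;
        \'*\'|\"*\")      p=${val#?}; echo "path:${p%?}" ;;
        ""|false|FALSE|0) echo "off" ;;
        *)                echo "unknown:$val" ;;
    esac
)

# check_debug_log SITE_ROOT -> prints findings; exit status 1 if any WARN
check_debug_log() (
    root=$1
    target=$(debug_log_target "$root/wp-config.php") || exit 2
    status=0
    case "$target" in
        default:*)      echo "WARN: log goes to wp-content/debug.log"; status=1 ;;
        path:"$root"/*) echo "WARN: log is inside the site: ${target#path:}"; status=1 ;;
        path:*)         echo "OK: log goes to ${target#path:}" ;;
        off)            echo "OK: WP_DEBUG_LOG is not enabled" ;;
        *)              echo "WARN: cannot interpret ${target#unknown:}"; status=1 ;;
    esac
    if [ -f "$root/wp-content/debug.log" ]; then
        echo "WARN: leftover log file $root/wp-content/debug.log"; status=1
    fi
    exit "$status"
)

if [ "$#" -gt 0 ]; then
    check_debug_log "$1"
fi
```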

Trim down the database

Cleaning up the database is maybe the hardest part, and unfortunately most often the place that collects most cruft due to misbehaving plugins. A quick overview of the database status can be seen via the Seravo Plugin view under Tools > Database.

View at Tools > Database for sites in Seravo’s upkeep

To actually clean up the database, one needs to access the site with SSH and use our tools wp-db-size, wp-db-info and wp-db-cleanup. The first one lists the size of the tables (just like the graphical tool above). The database info command shows how much the WordPress autoload fetches from the database on every page load, what the most common database rows, keys, and contents are, and other information that helps website developers figure out where there might be wasteful database contents. This information can be used to manually clean up the database, either via command-line SQL or graphically with Adminer.

The command wp-db-cleanup contains some common database cleanup commands that remove things like old post revisions and transients, which on misbehaving sites might pollute the database.

Happy cleaning!

Cleaning up a site does not take long, especially with the help of the tools that Seravo provides. So what are you waiting for? Go to your website and spend a couple of minutes checking it out – and then you can permanently enjoy the added security and speed-up the cleanup might provide. And also, the environment thanks you.


One response to “Spring Clean WordPress to Make It Secure and Faster”

  1. Darshan Thanki

    Great Article, Otto!

    Cleaning up WordPress is a very essential part of WordPress maintenance.

    Many business / website owners don’t even know how their website can perform well in search engines if it was 2 seconds less loading than it does currently. A fast website in turn brings more traffic and more business to them.

    Your list of items is great, here’s what other things I usually do:

    – Remove old media files
    – Reduce image sizes to fit in to the content width
    – Remove unused css
    – Use wp_is_mobile() function to remove desktop only blocks at PHP level!

    If you have any questions, tweet me @darshanthanki56 or DM me, happy to help!

    Thank you.