Inactive plugins that keep on updating

Hi everyone.
I have a question here. Can someone explain to me why the inactive plugins keep on updating though they are not in use?
I have the notion that it would be more normal for the plugins to get updated when they are used, or better say it upon their activation whenever I need to use them and not every other day simply because I have them installed in my website.
Can someone explain to me why they get updated though they are inactive?

I think it’s for security reason. A plugin, even if not active, is in the filesystem and can be called.
So it must stay up-to-date.
Try this link on my website :stuck_out_tongue_winking_eye:. The plugin is inactive.


As @Simone said, inactive outdated plugins may be used by hackers to hack your site. When a plugin (active or not) is not up-to-date it may have security issues. More often than not plugin/theme updates consist in security patches.

You learn something new every day :astonished:

Hi Simone ha ha !!
I see … though I still don’t understand what sort of security risk might be the maintenance mode plugin that I have it permanently deactivated and I turn it on once in a blue moon that I want to fix something in my website. What I mean is that some plugins are completely unrelated with the theme or with any wordpress functions.
I have installed and inactive for instance the plugin that I used to switch posts into pages. And another one that rebuilds the thumbnails of the photographs when I run it, something that is needed from time to time on websites that have a lot of photographs. But I bother to do so once a year.

That is the reason I asked. :slight_smile: I’m clueless about some things on wordpress.

Most plugins are not a security risk just sitting there. But some could be if they take input from arguments passed in the URL or don’t sanitize what they use. Because you can go to any URL, and it’s open source (you can read the code to figure out how to hack it), you can invoke a file out of context (without loading the whole CMS).


Hm… But how do we know that those who maintain the plugins they do it right? Who is checking out the updates before they come out?

Likely no one.

LOL… so what sort of security updates are these? If no one is checking out the code for errors or in purpose created vulnerabilities then I can’t see where is the security…

Any plugin that is installed on your site will be checked for updates. This is an important distinction. When you deactivate a plugin, it’s still installed…it’s just not run. This is why you will see update notices even for plugins that are deactivated. The updates are not automatically applied, you still have to click to perform the update. And, note that those aren’t even necessarily security updates – any time a new version of the plugin is released, it will nag you to update…whether the update was for security, a basic patch, more features…or whatever.

1 Like

Anyway you can use “Block Specific Plugin Updates” plugin to block a specific plugin to be updated.

They are not updated automatically but if you don’t get the updates then you keep on seeing notifications in the dashboard that some of them might be more important than others. You might miss something important if you ignore for a while the updates as these pile up in time.

I think that it would be more convenient to have a default blocking option for the inactive plugins without using yet another plugin that will need updates too.

Generally speaking I prefer to keep my plugins as minimal as possible and that because I don’t know how to merge the cms and make them load faster. So by the time that whatever plugins I run on my website load individually and by doing this delay the speed that my website loads, I use only the nesessary ones and I disable those that I need to use occassionally or I’m bored to install and uninstall whenever I need them.
I keep them installed to have them handy and not for any other particular reason. I have 9 active permanently and 6 inactive ( almost permanently).:slight_smile:

And now that I’m thinking about it I think that some of the functions that the major plugins offer ought to be offered along with the cms. Not as features of the individual themes but as part of the cms.
I use for instance a plugin for the lightbox, a plugin for disabling the right click on images ( who doesn’t disable the copy paste of images? ) another one to block pinterest, a plugin to block unwanted ips etc.
These features should exist as part of the cms by the time that the majority of users need these features and get them with the plugins. These are very basic things.

The solution is simple: if you (fully) uninstall those plugins, 1) they won’t show you update notices, and 2) you won’t open your site to getting hacked by leaving unpatched security holes that may arise from time to time.

This doesn’t actually secure your images in any way. Your images can be saved in a number of other ways that are equally fast and easy. Or the visitor can just disable your scripts. If you want to protect your images, watermark them – that will make them less likely to be lifted and used elsewhere.



My images are already watermarked or better say I have embedded on them the url of my website. The problem is not after all that some people copy the images of my paintings. It is that they don’t bother to mention where they got them. That is the reason why I blocked completely pinterest after all ( that is an awful website. It steals people’s images by transferring the responsibility to its users and it messes up search engines’ image results. I have blocked it on the searches too).

I can disable completely the right click on my website but I prefer not to do it because there are people who are interested to my tutorials and perhaps they want to print or copy them.
By disabling completely the right click it makes the blog unusable.

But whatever is the case, blocking some things could have been a default feature of CP.

As it is now it differentiates from WP only on whatever has to do with the text editor but not that much else as all extra functions have to be done with plugins which plugins, depending on how they are written or maintained, can be vulnerable to attacks or malware.

I see your point.
What CP is aimed at is arriving there. To offer a core lean and fast equipped with a bunch of “main plugins” that are part of core and that you may enable/disable according to your needs.
What I think is that differentiation takes time, working on all those features means collecting competent devs around the project and plan every step with dedication and care.
Thanks to inputs like yours @Marialena.S the community and the project gain scope and shape. The revolution had to start somewhere, gb was the occasion to start this new “trip to the unknown and beyond, where no human has ever been”. For sure, people in the long run aren’t going to buy in just for the absence of GB, but the fact people are actively thinking about solutions and implementing new ideas while discussing the bigger picture it’s winning people who are willing to help CP grow. That is IMHO the point.

I explain it better in the last posts of this discussion.

Blocking some things is going to be a feature of ClassicPress. That’s part of the point of the concept of core plugins. But it will never be possible for ClassicPress to stop someone copying your images unless someone changes how the web works. I know Sir Tim Berners-Lee would like to do so …

1 Like

Core plugins is the best idea ever. But start with the basics in order to get rid off some plugins for a start.

I have solved the image stealing matter long time ago.This is not something that bothers me anymore.

The truly correct answer to this is to read and understand the code for any plugin you install on your site, and verify proper security practices (inputs validated/sanitized correctly, appropriate error handling, query parameters and output escaped properly, etc.)

Often this is not realistic, so we have to rely on trust and on the “many eyes effect” of open-source software in order to find most vulnerabilities.

Here is a plugin I’ve started using recently that notifies about known vulnerabilities for any other plugins installed on the site:

1 Like