Inherited WordPress sites often have years of plugin history. Before changing anything, get a quick but thorough inventory. An inherited site with 30+ plugins is not just a maintenance burden — every active and inactive plugin is part of the attack surface.

Step 1: Full plugin inventory

Start with the basics:

wp plugin list
wp plugin list --format=csv > plugin-audit.csv
wp plugin list --status=active --format=json | jq '.[] | {name, version, update}'
wp plugin list --status=inactive --format=json | jq '.[] | {name, version}'

Count them:

wp plugin list --status=active --format=count
wp plugin list --status=inactive --format=count

Sites with more than 40 active plugins need a review. Every plugin adds PHP execution time, database queries, and potential conflicts.

Step 2: Identify the problems

Plugins with no recent updates

wp plugin list --fields=name,version,update_version --format=csv

A plugin that reports no available update but whose installed version is more than 12 months old is a warning sign. This output does not include release dates, so cross-reference with WordPress.org to confirm abandonment rather than a versioning quirk.

Duplicate functionality

Common patterns to flag:

  • Multiple caching plugins — W3 Total Cache + WP Super Cache + a host-provided cache layer
  • Multiple security plugins — Wordfence + Solid Security + Sucuri
  • Multiple SMTP plugins — More than one mail-sending plugin active
  • Multiple page builders — Elementor + WPBakery + Gutenberg blocks all loaded
  • Multiple SEO plugins — Yoast + Rank Math + All In One SEO

Stale and abandoned plugins

Look for:

  • Inactive plugins that have been sitting unused for months
  • Plugins with no recent updates on WordPress.org
  • Plugins whose authors have archived the repository
  • Old builder add-ons for themes no longer installed
  • Premium plugins with expired licences that block updates

Suspicious plugins

Watch for:

  • Plugins installed from unknown sources
  • Nulled or cracked premium plugins
  • Plugins whose names do not match their purpose
  • Plugins whose update source is not WordPress.org

Check the source:

wp plugin list --fields=name,version,update,auto_update --format=table
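
The Step 2 checks can be applied mechanically to the JSON inventory. The script below is an added example, not part of the original article. It assumes WP-CLI's optional wporg_status and wporg_last_updated fields are available (confirm with `wp help plugin list`) and that the date is in YYYY-MM-DD form. The slug-to-category map and the sample rows are constructed for illustration.

```python
import json
from datetime import date

# Assumed slug-to-category map built from plugins the article names; extend as needed.
CATEGORIES = {
    "caching": {"w3-total-cache", "wp-super-cache"},
    "security": {"wordfence", "better-wp-security", "sucuri-scanner"},
    "seo": {"wordpress-seo", "seo-by-rank-math", "all-in-one-seo-pack"},
}
STALE_DAYS = 365  # the article's 12-month warning threshold


def triage(plugins, today):
    """Return sorted (plugin, finding) pairs for `wp plugin list --format=json` rows."""
    findings = []
    for p in plugins:
        name = p["name"]
        if p.get("status") == "inactive":
            findings.append((name, "inactive but still installed"))
        if p.get("update") == "available":
            findings.append((name, "update pending"))
        wporg = p.get("wporg_status")  # None when the field was not requested
        if wporg == "closed":
            findings.append((name, "closed on WordPress.org"))
        elif wporg == "":
            findings.append((name, "not on WordPress.org, verify source"))
        last = p.get("wporg_last_updated") or ""
        if last and (today - date.fromisoformat(last[:10])).days > STALE_DAYS:
            findings.append((name, "no release in over 12 months"))
    # Overlap is only counted among active plugins, matching the article's patterns.
    active = {p["name"] for p in plugins if p.get("status") == "active"}
    for category, slugs in CATEGORIES.items():
        overlap = sorted(active & slugs)
        if len(overlap) > 1:
            findings.append(("+".join(overlap), f"duplicate {category} plugins"))
    return sorted(findings)


# Constructed sample rows, not from a real site; old-slider and acme-addon are made-up slugs.
SAMPLE = json.loads("""[
 {"name": "wordfence", "status": "active", "update": "none", "wporg_status": "active", "wporg_last_updated": "2025-05-01"},
 {"name": "sucuri-scanner", "status": "active", "update": "available", "wporg_status": "active", "wporg_last_updated": "2025-03-15"},
 {"name": "old-slider", "status": "inactive", "update": "none", "wporg_status": "closed", "wporg_last_updated": "2021-02-03"},
 {"name": "acme-addon", "status": "active", "update": "none", "wporg_status": "", "wporg_last_updated": ""}
]""")

if __name__ == "__main__":
    for name, finding in triage(SAMPLE, date(2025, 6, 1)):
        print(f"{name}: {finding}")
```

To run it on a real site, replace SAMPLE with the parsed output of `wp plugin list --fields=name,status,update,wporg_status,wporg_last_updated --format=json`.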

Step 3: Check core and theme versions

wp core version
wp core check-update
wp theme list
wp theme list --update=available

An outdated WordPress core combined with updated plugins can create incompatibilities. Record the version gap.

Step 4: Database impact check

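Plugins leave tables, options, and transients. Check for orphaned data by listing every table that is not a default WordPress table (the filter assumes the default wp_ prefix and matches whole names, so a plugin table such as wp_posts_backup is not hidden):

wp db tables --all-tables | grep -vxE 'wp_(commentmeta|comments|links|options|postmeta|posts|termmeta|terms|term_relationships|term_taxonomy|usermeta|users)'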

Any table not in the default WordPress set is plugin-created. Cross-reference with installed plugins to identify abandoned tables. Then sample the options table for leftover widget settings and transients:

wp db query "SELECT option_name FROM wp_options WHERE option_name LIKE 'widget_%' OR option_name LIKE '%_transient_%' LIMIT 30;"

Step 5: Frontend impact analysis

Before deleting anything, check what each plugin does:

  • Does it provide shortcodes used in content?
  • Does it register post types or custom fields?
  • Does it handle redirects?
  • Does it manage forms, payments, or integrations?
  • Does a builder plugin leave behind content that breaks without it?

Test on a staging site first. Use Query Monitor to identify which plugins load on key pages.

Step 6: Safe removal process

  1. Take a full backup (files + database)
  2. Clone to staging if available
  3. Deactivate one plugin at a time
  4. Check the frontend and admin for breakage
  5. If stable for 24 hours, delete the plugin
  6. Run a database cleanup pass
  7. Repeat

Commands:

wp plugin deactivate plugin-slug
wp plugin delete plugin-slug
wp db optimize

Check for leftover files after deletion:

ls wp-content/plugins/

Step 7: Document the baseline

After the audit, record:

  • Which plugins were removed and why
  • Which remain and what they do
  • What risks were identified
  • When the next review should happen

A plugin audit is not a one-time task. Schedule it quarterly for actively maintained sites and immediately for any inherited site. The goal is a lean, intentional plugin list where every entry earns its place.