Abandoned WordPress Plugins Can Cause Serious Security Problems

One of the most compelling parts of the WordPress ecosystem is the huge number of high-quality plugins. If you want to add a feature to your WordPress site, there’s almost certainly a plugin that will do the job. Plugins allow WordPress to be flexible without becoming bloated and they allow the WordPress ecosystem to advance more quickly than a centralized development model ever could.

But plugins are software, and as with any software, WordPress hosting clients should be aware of potential security risks. The majority of plugin security issues can be avoided by updating plugins regularly. Updates bring fixes to security vulnerabilities; plugins that aren’t updated are quite likely to be vulnerable. Updating plugins is easy: all WordPress users need to do is press a button in the WordPress dashboard when they’re notified that a new version of a plugin is ready.

The update system works perfectly most of the time, but what happens when a developer never releases a new version of a plugin? The update system relies on developers to fix security vulnerabilities in their plugins. Sometimes that doesn’t happen. Developers may decide they no longer want to work on a plugin. Outwardly, there’s no obvious way for a site owner to tell if a developer has abandoned a plugin without investigating — the plugin is just never updated.

In some cases, a plugin is removed from the repository because it is discovered to contain a particularly bad security vulnerability, but that happens rarely. There are tens of thousands of plugins and the WordPress project doesn’t have the resources to check every one. The onus is on site owners to check that plugins are regularly updated and to investigate if they suspect a plugin might have been abandoned.

• If a plugin hasn’t been updated for six months, investigate to see if it’s still being actively developed.
• Investigate if a plugin isn’t promptly updated to make it compatible with the most recent version of WordPress.

In many cases the plugin won’t be abandoned and there’s no reason to stop using it. But I’m more than willing to spend the time checking — most of the information I need is available in the “more details” section of the “Plugins” pane of the WordPress dashboard.

Manually checking for abandoned plugins is workable if you have a small number of plugins on one site. But if you manage lots of sites or install a lot of plugins, you might want to think about an automated solution. WordFence recently added the ability to check for abandoned and removed plugins to their well-regarded WordPress security plugin. WordFence will let you know when a plugin may have been abandoned and any outstanding security issues.