Book a consultation
Free plugin safety check

Is that plugin safe to install?

Drop in any WordPress.org plugin and we'll score it live across five signals: update recency, version compatibility, installs, ratings and support. You get a clear Low, Moderate or High risk verdict. No sign-up to see results.

No sign-up to see results Live WordPress.org data Takes about 3 seconds
Try:
Enter a plugin above to see its live risk score
How the score works

Five signals, one honest verdict.

Every check pulls live data from the WordPress.org Plugin API. Each of the five factors below is graded green, amber or red, worth 3, 2 or 1 points. We total them, divide by the maximum and turn it into a percentage. 75% or above is Low Risk, 50 to 74% is Moderate, anything below 50% is High Risk.

Last Updated

How long it's been since the developer last shipped a release to WordPress.org.

Plugins that go quiet for a year or more typically aren't getting security patches. Three years without an update is effectively abandoned.

  • Under 6 months
  • 6 to 14 months
  • Over 14 months (3+ years counts double)

WordPress Compatibility

How recent a version of WordPress the developer has explicitly tested the plugin against.

WordPress ships major releases roughly every four months. A plugin that hasn't been tested against the current branch may break, conflict with core changes, or quietly fail on newer PHP versions.

  • Within 1 version of current
  • 2 to 3 versions behind
  • 4 or more versions behind

Active Installs

How many live WordPress sites are running this plugin right now.

A large install base means real-world testing across thousands of stacks, and a higher chance someone has already reported any nasty edge case. Tiny plugins can be brilliant, but they get less scrutiny.

  • 10,000+ active installs
  • 1,000 to 9,999
  • Under 1,000

User Rating

The average WordPress.org user rating, weighted by how many ratings the plugin has received.

Ratings expose what the changelog won't: frequent breakage, dark patterns, support that ghosts you. A handful of five-star reviews from a brand-new plugin isn't meaningful, so we flag low sample sizes amber regardless of the score.

  • 4.0+ stars with 10+ ratings
  • 3.0 to 3.9 stars, or fewer than 10 ratings
  • Below 3.0 stars

Support Resolution

The percentage of support threads in the plugin's WordPress.org forum that the developer has marked resolved.

It's the cleanest available signal that someone is actually behind the wheel. A plugin with a healthy install base but a dead support forum is a plugin you'll be debugging alone.

  • 80% or more resolved
  • 50 to 79% resolved
  • Under 50% resolved

One nuance worth flagging: the Last Updated check counts double when a plugin is more than three years old. Abandonment is the single strongest risk signal, so we weight it accordingly rather than letting a healthy install base mask a long-dead codebase.

What to do next

A score is only useful if it leads to a decision.

Here's how we'd act on each verdict, based on a decade of cleaning up WordPress sites that didn't.

Low Risk

You're probably fine. A few habits keep it that way.

  • Set a reminder to re-check the score every six months. Healthy plugins drift, and today's green can be tomorrow's amber.
  • Follow the developer's changelog or WordPress.org profile so you hear about major rewrites before they land on your live site.
  • Whatever you install, install on staging first. Even a perfectly maintained plugin can collide with your specific stack.
Moderate Risk

Worth a closer look before you commit to it.

  • Open the support forum and read the most recent ten threads. Are users being answered, or talking to themselves? Tone tells you a lot in two minutes.
  • Check the changelog. A long quiet period followed by a single small commit is often a developer doing the bare minimum to look maintained.
  • Search for alternatives. If two plugins solve the same problem and one is Low Risk, that's usually the call, even if the Moderate one has a feature you like.
  • If you already run it, make sure you have a recent off-site backup and that you would notice if it broke something quietly, like analytics, forms or payments.
High Risk

Treat this as a real exposure and plan a way out.

  • Audit where the plugin runs and what it touches: admin pages, the database, payment flows, user data. The blast radius determines how urgently you act.
  • Look for an actively maintained alternative or a fork. For popular abandoned plugins the community usually publishes a replacement, so check WordPress.org and GitHub first.
  • If there is no replacement and you cannot remove it yet, lock down what you can. Restrict admin access, disable unused features, and put it behind a Web Application Firewall if you have one.
  • Set a deadline to remove or replace it. Abandoned plugins don't get safer with time.
Questions

Good to know.

How is the risk score calculated?

Each plugin is graded on five live signals from WordPress.org: how recently it was updated, the WordPress version it is tested up to, active installs, user ratings, and support-thread resolution. Each factor scores green, amber or red, worth 3, 2 or 1 points. The total becomes a Low, Moderate or High risk verdict.

Where does the data come from?

Every figure is pulled live from the official WordPress.org Plugin API at the moment you check. It is the same public data the plugin directory shows, scored consistently.

Does it work for premium or off-directory plugins?

No. It scores plugins listed in the WordPress.org directory. Premium plugins sold only on a vendor site are not in that API, so they cannot be scored here.

Running a site you'd rather not vet plugins on yourself? Prystine looks after WordPress sites: updates, security and the boring-but-critical stuff, so you don't have to.