Free · No account required

WordPress Plugin Risk Score

Check if a WordPress plugin is safe to install — know the risks before you hit 'install'.

Used by WordPress developers, agencies, and site owners.

Last Updated
How recently the plugin was maintained
WP Compatibility
Tested against the current WordPress version
Active Installs
Size and trust of the user base
User Rating
Community reception across verified reviews
Support Resolution
How well the developer handles issues
Data · WordPress.org Plugin API

About Plugin Risk Score

Plugin Risk Score pulls live data from the WordPress.org Plugin API and scores each plugin across five factors — recency of updates, WordPress version compatibility, install base, user ratings, and developer support responsiveness — giving you an instant Low, Moderate, or High risk verdict before you hand a third-party plugin the keys to your site.

How we score plugins

Every check pulls live data from the WordPress.org Plugin API. Each of the five factors below is graded green, amber, or red — worth 3, 2, or 1 points. We total them, divide by the maximum, and turn it into a percentage. 75%+ is Low Risk, 50–74% is Moderate, anything below 50% is High Risk.

Last Updated

How long it's been since the developer last shipped a release to WordPress.org.

Plugins that go quiet for a year or more typically aren't getting security patches. Three years without an update is effectively abandoned.

  • Under 6 months
  • 6–14 months
  • Over 14 months (3+ years counts double)

WordPress Compatibility

How recent a version of WordPress the developer has explicitly tested the plugin against.

WordPress ships major releases roughly every four months. A plugin that hasn't been tested against the current branch may break, conflict with core changes, or quietly fail on newer PHP versions.

  • Within 1 version of current
  • 2–3 versions behind
  • 4 or more versions behind

Active Installs

How many live WordPress sites are running this plugin right now.

A large install base means real-world testing across thousands of stacks, and a higher chance someone has already reported any nasty edge case. Tiny plugins can be brilliant, but they get less scrutiny.

  • 10,000+ active installs
  • 1,000–9,999
  • Under 1,000

User Rating

The average WordPress.org user rating, weighted by how many ratings the plugin has received.

Ratings expose what the changelog won't — frequent breakage, dark patterns, support that ghosts you. A handful of five-star reviews from a brand-new plugin isn't meaningful, so we flag low sample sizes amber regardless of the score.

  • 4.0+ stars with 10+ ratings
  • 3.0–3.9 stars, or fewer than 10 ratings
  • Below 3.0 stars

Support Resolution

The percentage of support threads in the plugin's WordPress.org forum that the developer has marked resolved.

It's the cleanest available signal that someone is actually behind the wheel. A plugin with a healthy install base but a dead support forum is a plugin you'll be debugging alone.

  • 80% or more resolved
  • 50–79% resolved
  • Under 50% resolved

One nuance worth flagging: the Last Updated check counts double when a plugin is more than three years old. Abandonment is the single strongest risk signal, so we weight it accordingly rather than letting a healthy install base mask a long-dead codebase.

What to do with your result

A score is only useful if it leads to a decision. Here's how we'd act on each verdict, based on a decade of cleaning up WordPress sites that didn't.

Low Risk

You're probably fine. A few habits to keep it that way.

  • Set a reminder to re-check the score every six months. Healthy plugins drift; today's green can be tomorrow's amber.
  • Subscribe to the developer's changelog or follow them on the WordPress.org profile so you hear about major rewrites before they land on your live site.
  • Whatever you install, install on staging first. Even a perfectly maintained plugin can collide with your specific stack.
Moderate Risk

Worth a closer look before — or instead of — installing.

  • Open the support forum and read the most recent ten threads. Are users being answered, or talking to themselves? Tone tells you a lot in two minutes.
  • Check the changelog. A long quiet period followed by a single small commit is often a developer doing the bare minimum to look maintained.
  • Search for alternatives. If two plugins solve the same problem and one is Low Risk, that's usually the call — even if the Moderate one has a feature you like.
  • If you already run it, make sure you have a recent off-site backup and that you'd notice if the plugin broke something quietly (analytics, forms, payments).
High Risk

Treat this as a real exposure and plan a way out.

  • Audit where the plugin runs on your site and what it touches — admin pages, the database, payment flows, user data. The blast radius determines how urgently you act.
  • Look for an actively-maintained alternative or a fork. For popular abandoned plugins, the community usually publishes a replacement; check WordPress.org and GitHub before assuming there isn't one.
  • If there's no replacement and you can't remove it yet, lock down what you can — restrict admin access, disable any unused features, and put it behind a Web Application Firewall if you have one.
  • Set a deadline on your calendar to remove or replace it. Abandoned plugins don't get safer with time.

Frequently Asked Questions

How is the Plugin Risk Score calculated?

The score is calculated across five factors pulled live from the WordPress.org Plugin API: how recently the plugin was updated, whether it has been tested against the current version of WordPress, its active install count, user ratings, and how well the developer responds to support threads. Each factor is rated green (3 pts), amber (2 pts), or red (1 pt). The total is expressed as a percentage — 75%+ is Low Risk, 50–74% is Moderate Risk, and below 50% is High Risk.

What do Low, Moderate, and High Risk mean?

Low Risk (75%+) means the plugin scores well across all five criteria and is generally safe to install. Moderate Risk (50–74%) means some factors warrant attention — the plugin may be slightly out of date or have limited rating data. High Risk (below 50%) indicates significant issues such as abandonment, incompatibility with the current WordPress version, or poor developer support.

How up to date is the data?

All data is fetched live from the WordPress.org Plugin API each time you run a check, so it always reflects the current state of the plugin at that moment.

Can I check premium or paid plugins?

Plugin Risk Score only works with plugins listed in the free WordPress.org plugin repository. Premium plugins sold exclusively through third-party marketplaces or a developer's own website are not available via the WordPress.org API and cannot be checked.

Is Plugin Risk Score free to use?

Yes, completely free. No account required, no limits, no paywalls.

Latest guides

All guides →

Practical, no-jargon advice on vetting WordPress plugins.

How to read WordPress plugin reviews and spot misleading ratings

A high star average on a WordPress plugin means less than you think. Here's how to read reviews properly and spot the patterns that mislead most site owners.

How many active installs make a WordPress plugin safe enough?

Active installs signal how battle-tested a plugin is — but the number is widely misread. Here's what the thresholds actually mean, and when they matter most.

What "tested up to" really means for WordPress plugin compatibility

The "tested up to" badge on every WordPress plugin page is widely misread. Here's what it actually tells you — and what to do when it lags behind.

More from Prystine

Expert WordPress Support

Need someone to manage your plugins?

Prystine handles WordPress maintenance, plugin management, and security for businesses who'd rather not worry about it.

Speak with Prystine →

Free plugin safety checklist

A one-page checklist for vetting any WordPress plugin before you install it — straight to your inbox.

More tools from Prystine

We build small, focused tools for the people who run websites. If Plugin Risk Score is useful to you, you might like these too.

Client Reporting SendTidings Beautiful automated monthly reports for your clients — no manual work. Visit SendTidings → Lead Qualification Quotify Interactive quote and estimate forms that qualify leads on autopilot. Visit Quotify →

The Tools We Recommend

Having worked with WordPress since 2016, we've tried a lot of tools to help us build and maintain sites safely and efficiently. These are the ones we trust and recommend to other site owners, all of which we have used ourselves and some on a daily basis.

Performance WP Rocket The benchmark WordPress caching plugin — speed up your site in minutes. Speed Up Your Site → Forms Fluent Forms The fastest drag-and-drop form builder for WordPress. Try for Free → Bookings Fluent Booking Appointment booking that lives inside your WordPress dashboard. Get the Deal → Themes Blocksy A lightning-fast, highly customisable theme built for Gutenberg. Get Blocksy → Legal Termageddon Auto-updating privacy policies and legal pages that stay compliant. Get Protected →

Read all our WordPress plugin and tool reviews on Prystine.

Please note these are sponsored links, we may receive a commission when you click through and make a purchase. We only recommend products we trust and use ourselves, but please always do your own research before purchasing.