How many active installs make a WordPress plugin safe enough?
By Josh Cox · 25 May 2026
Active installs signal how battle-tested a plugin is — but the number is widely misread. Here's what the thresholds actually mean, and when they matter most.
Every WordPress plugin page shows an active install count, and it’s one of the first things most people look at. The instinct is right — it’s a useful signal. But the conclusions people draw from it are often too simple in both directions: “1 million installs, must be safe” and “only 500 installs, probably dodgy.” Neither holds up reliably.
Here’s how to read install count the way it’s actually useful — and what it genuinely can’t tell you.
What “active installs” actually means
The number you see on a WordPress.org plugin page isn’t an exact headcount. WordPress.org rounds active install figures down to one significant digit, so you see buckets such as “1+ million,” “900,000+,” “500,000+,” “100,000+,” “10,000+,” “1,000+,” and so on, with “Fewer than 10” shown for brand-new plugins. The system counts WordPress sites that have the plugin installed and have recently checked in with WordPress.org’s update servers, which WordPress core does automatically as part of its scheduled update checks.
This means:
- The number is an approximation. “1+ million” could mean 1.1 million or 3 million; you can’t tell from the badge, and the plugin information API returns the same rounded figure, so scripting it doesn’t buy you more precision.
- It reflects the currently-installed base, not cumulative downloads. Installs drop when people remove a plugin.
- It lags slightly. Install counts update on a delay, so a plugin that just had a troubled release won’t show a drop immediately.
None of that makes the number useless. It’s still a meaningful proxy for one specific thing.
What install count actually predicts
A high active install count is best understood as a proxy for scrutiny — not for quality, security, or ongoing maintenance.
A plugin running on 800,000 sites has been exercised across an enormous variety of hosting environments, server configurations, WordPress versions, themes, and other plugin combinations. If it had a systematic functional problem, such as a conflict with a popular theme or a breaking change that crashed admin pages, someone would have hit it, written about it in the support forum, or raised it publicly. That collective pressure-testing is genuinely valuable: functional bugs that survive a million real-world installations tend to be the subtle kind. Security flaws are a little different. Ordinary users don’t send malicious input, so a large install base doesn’t find vulnerabilities by itself; what finds them is the attention that popularity attracts from security researchers and from attackers, both of whom prioritise plugins with many installs. The scrutiny is real, but it comes from people looking for flaws, not from the crowd using the plugin.
A plugin with 300 installs hasn’t had that pressure. It may be perfectly excellent — every plugin starts at zero — but the crowd hasn’t vetted it for you. You’re relying more heavily on your own judgement and the other signals.
What the thresholds look like in practice
Here’s a rough guide to what install counts typically indicate, read alongside everything else on the plugin page:
- 1 million+. Widely used, heavily scrutinised. Major security researchers, hosting companies, and WordPress security teams have had eyes on plugins at this level. High-profile vulnerabilities in million-install plugins tend to get patched fast because the stakes are so public. Still: a popular plugin can be abandoned, popularity makes it a higher-value target for attackers, and a fast patch only protects the sites that actually install it.
- 100,000+. A solid, established install base. Bugs and conflicts are likely to have surfaced by now. Support forums tend to be active. This is the range where a well-maintained plugin is a fairly comfortable choice.
- 10,000+. Meaningful but modest. The plugin has a real user community and has been used in production widely enough for the obvious problems to surface. More due diligence is still worthwhile on update recency and support responsiveness.
- 1,000+. Small. The plugin hasn’t been extensively pressure-tested across diverse environments. Niche tools often sit here and can still be trustworthy — but you should lean harder on the developer’s maintenance track record and the other signals.
- Fewer than a few hundred. The install count alone isn’t telling you much. This is where the other signals — how recently was it updated? is the developer active? are there real reviews? — do almost all of the work.
Why install count isn’t the whole story
The most important thing a high install count cannot tell you is whether the plugin is still actively maintained.
A plugin can accumulate hundreds of thousands of installs over years and then go quiet. The developer stops responding to support, stops shipping updates, stops watching for security disclosures — but the installs don’t vanish. The plugin keeps running on those sites, looking popular, while slowly drifting into risk. The install count reflects the past; the update date and support forum reflect the present.
It works the other way too. A brand-new plugin from a credible, experienced developer might have 800 installs today and be an excellent choice — because the developer is active, responsive, and shipping updates regularly. The low count reflects how new it is, not how trustworthy it is.
And popularity makes high-install plugins more attractive targets. When a vulnerability is found in a plugin running on two million sites, the window between disclosure and mass exploitation can be very short: attackers can fingerprint which sites run the plugin, and the install base is large enough that even a low hit rate pays off. Popular plugins tend to get patched quickly because there’s more pressure, but they’re also attacked more aggressively because there’s more to gain. This isn’t a reason to avoid them, but it underlines why keeping your plugins updated matters even more for the widely-used ones. WordPress lets you turn on automatic updates for individual plugins from the Plugins screen, which closes that window without relying on you noticing the release.
How to use install count properly
Use it as one input, not a verdict. The right mental model:
- High installs + recent update + active support. The crowd has vetted it and someone is still watching. Low risk.
- High installs + stale update + dead support. The plugin is riding its reputation while going unmaintained. Riskier than the number implies.
- Low installs + recent update + active developer. The crowd scrutiny hasn’t happened yet, so read the other signals carefully — but don’t write it off.
- Low installs + stale update + no support. Nothing is working in your favour here. Treat it as high risk.
For a full breakdown of how all five risk signals work together — install count, update recency, compatibility, ratings, and support — How to check if a WordPress plugin is safe walks through each one and how they interact.
If you’d rather not read every signal manually, Plugin Risk Score pulls all of them live from the WordPress.org API and returns an instant Low, Moderate, or High risk verdict with each factor broken out. It’s free and takes about five seconds per plugin.
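As an added example, not part of this article or of Plugin Risk Score, here is the four-way model from the list above implemented against records shaped like the WordPress.org plugin-information API (api.wordpress.org/plugins/info/1.2/, action=plugin_information). The two plugin records are constructed for the example, the install-count display rule is reconstructed from how the directory renders its badges, and the thresholds (100,000 installs, 365 days, half of support threads resolved) are this example's assumptions rather than figures from the article or the tool.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed records shaped like the WordPress.org plugin-information API
# response. The field names are the API's; every value is made up for this
# example and does not describe a real plugin.
SAMPLE_STALE_POPULAR = {
    "slug": "example-gallery",
    "active_installs": 300000,      # the API already returns a rounded figure
    "last_updated": "2023-11-07 1:40pm GMT",
    "support_threads": 24,
    "support_threads_resolved": 2,
}
SAMPLE_NEW_ACTIVE = {
    "slug": "example-audit-log",
    "active_installs": 800,
    "last_updated": "2026-05-10 9:05am GMT",
    "support_threads": 8,
    "support_threads_resolved": 6,
}

# Thresholds are this example's assumptions; the article sets no fixed numbers.
HIGH_INSTALLS = 100_000   # the "100,000+" bucket and above count as crowd-vetted
STALE_DAYS = 365          # more than a year without a release counts as stale
SUPPORT_OK_RATIO = 0.5    # at least half of recent threads resolved counts as active

# Fixed "now" so the example is reproducible: the article's publication date.
ARTICLE_DATE = datetime(2026, 5, 25, tzinfo=timezone.utc)


def display_bucket(active_installs: int) -> str:
    """Render a count the way the plugin directory badge shows it.

    Reconstructed from the directory's visible behaviour (an assumption of
    this example): below 10 shows "Fewer than 10", a million or more shows
    "1+ million", everything else is floored to one significant digit.
    """
    if active_installs < 10:
        return "Fewer than 10"
    if active_installs >= 1_000_000:
        return "1+ million"
    magnitude = 10 ** (len(str(active_installs)) - 1)
    return f"{active_installs // magnitude * magnitude:,}+"


def parse_last_updated(value: str) -> datetime:
    """Parse the API's 'YYYY-MM-DD H:MMam GMT' timestamp as an aware UTC datetime."""
    naive = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    return naive.replace(tzinfo=timezone.utc)


def days_since_update(plugin: dict, now: datetime) -> int:
    return (now - parse_last_updated(plugin["last_updated"])).days


def support_is_active(plugin: dict) -> bool:
    # Resolved-thread ratio is the proxy used here for "someone is still answering".
    threads = plugin.get("support_threads", 0)
    resolved = plugin.get("support_threads_resolved", 0)
    return threads > 0 and resolved / threads >= SUPPORT_OK_RATIO


def classify(plugin: dict, now: Optional[datetime] = None) -> dict:
    """Apply the four-way model: install count x update recency x support activity."""
    now = now or datetime.now(timezone.utc)
    high = plugin["active_installs"] >= HIGH_INSTALLS
    stale = days_since_update(plugin, now) > STALE_DAYS
    supported = support_is_active(plugin)
    alive = int(not stale) + int(supported)   # 0, 1 or 2 present-tense signals

    if high:
        # The crowd has vetted it; risk now depends on whether anyone still watches.
        verdict = {2: "Low", 1: "Moderate", 0: "High"}[alive]
    else:
        # No crowd scrutiny yet: both present-tense signals are needed just to reach Moderate.
        verdict = "Moderate" if alive == 2 else "High"

    return {
        "slug": plugin["slug"],
        "installs_shown": display_bucket(plugin["active_installs"]),
        "high_installs": high,
        "stale": stale,
        "support_active": supported,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for plugin in (SAMPLE_STALE_POPULAR, SAMPLE_NEW_ACTIVE):
        print(classify(plugin, ARTICLE_DATE))
```

Run as-is it classifies the two constructed records as of the article's date: the popular-but-abandoned one comes out High and the new-but-active one Moderate, matching the second and third rows of the list above. To point it at a real plugin, fetch the JSON for the slug from the API URL in the lead-in and pass the decoded object to classify(). display_bucket() also shows what the badge throws away: 1,100,000 and 3,000,000 both render as "1+ million".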
The bottom line
There’s no install count that makes a plugin automatically safe, and no count that makes it automatically unsafe. A million installs buys you evidence of battle-testing — not a maintenance guarantee. A few hundred installs means you’re doing more of the vetting yourself, not that the plugin is bad.
Read the number for what it is: a measure of how many eyes have been on the plugin, not how trustworthy the developer is today. Pair it with update recency and support activity, and you’ll have a much more reliable picture than any single number can give you.
Check any plugin’s install count alongside all its other risk factors — it takes seconds and shows you the whole picture at once.