How Plugin Risk Score works

Plugin Risk Score gives any WordPress.org plugin an instant Low, Moderate, or High risk verdict. There's no black box — the score comes from five public signals, each pulled live from the WordPress.org Plugin API every time you run a check. Here's exactly how it's calculated.

How we score plugins

Every check pulls live data from the WordPress.org Plugin API. Each of the five factors below is graded green, amber, or red — worth 3, 2, or 1 points. We total them, divide by the maximum, and turn it into a percentage. 75%+ is Low Risk, 50–74% is Moderate, anything below 50% is High Risk.

Last Updated

How long it's been since the developer last shipped a release to WordPress.org.

Plugins that go quiet for a year or more typically aren't getting security patches. Three years without an update is effectively abandoned.

  • Under 6 months
  • 6–14 months
  • Over 14 months (3+ years counts double)

WordPress Compatibility

How recent a version of WordPress the developer has explicitly tested the plugin against.

WordPress ships major releases roughly every four months. A plugin that hasn't been tested against the current branch may break, conflict with core changes, or quietly fail on newer PHP versions.

  • Within 1 version of current
  • 2–3 versions behind
  • 4 or more versions behind

Active Installs

How many live WordPress sites are running this plugin right now.

A large install base means real-world testing across thousands of stacks, and a higher chance someone has already reported any nasty edge case. Tiny plugins can be brilliant, but they get less scrutiny.

  • 10,000+ active installs
  • 1,000–9,999
  • Under 1,000

User Rating

The average WordPress.org user rating, weighted by how many ratings the plugin has received.

Ratings expose what the changelog won't — frequent breakage, dark patterns, support that ghosts you. A handful of five-star reviews from a brand-new plugin isn't meaningful, so we flag low sample sizes amber regardless of the score.

  • 4.0+ stars with 10+ ratings
  • 3.0–3.9 stars, or fewer than 10 ratings
  • Below 3.0 stars

Support Resolution

The percentage of support threads in the plugin's WordPress.org forum that the developer has marked resolved.

It's the cleanest available signal that someone is actually behind the wheel. A plugin with a healthy install base but a dead support forum is a plugin you'll be debugging alone.

  • 80% or more resolved
  • 50–79% resolved
  • Under 50% resolved

One nuance worth flagging: the Last Updated check counts double when a plugin is more than three years old. Abandonment is the single strongest risk signal, so we weight it accordingly rather than letting a healthy install base mask a long-dead codebase.

What to do with your result

A score is only useful if it leads to a decision. Here's how we'd act on each verdict, based on a decade of cleaning up WordPress sites that didn't.

Low Risk

You're probably fine. A few habits to keep it that way.

  • Set a reminder to re-check the score every six months. Healthy plugins drift; today's green can be tomorrow's amber.
  • Subscribe to the developer's changelog or follow them on the WordPress.org profile so you hear about major rewrites before they land on your live site.
  • Whatever you install, install on staging first. Even a perfectly maintained plugin can collide with your specific stack.
Moderate Risk

Worth a closer look before — or instead of — installing.

  • Open the support forum and read the most recent ten threads. Are users being answered, or talking to themselves? Tone tells you a lot in two minutes.
  • Check the changelog. A long quiet period followed by a single small commit is often a developer doing the bare minimum to look maintained.
  • Search for alternatives. If two plugins solve the same problem and one is Low Risk, that's usually the call — even if the Moderate one has a feature you like.
  • If you already run it, make sure you have a recent off-site backup and that you'd notice if the plugin broke something quietly (analytics, forms, payments).
High Risk

Treat this as a real exposure and plan a way out.

  • Audit where the plugin runs on your site and what it touches — admin pages, the database, payment flows, user data. The blast radius determines how urgently you act.
  • Look for an actively-maintained alternative or a fork. For popular abandoned plugins, the community usually publishes a replacement; check WordPress.org and GitHub before assuming there isn't one.
  • If there's no replacement and you can't remove it yet, lock down what you can — restrict admin access, disable any unused features, and put it behind a Web Application Firewall if you have one.
  • Set a deadline on your calendar to remove or replace it. Abandoned plugins don't get safer with time.

Try it on a plugin

Paste in any plugin and you'll see all five factors scored in seconds. Free, no account.

Score a plugin →