February 22, 2019 by Paul G. | Blog

Abandoned WordPress plugins and the risk they pose to your sites

Abandoned Plugins

A few years ago, WordPress.org got a more proactive in its management of plugins on their repository.

They started flagging plugins in a few different ways. This included indicating that the plugin hadn’t been updated in a few years, or hadn’t been updated for the most recent few WP core versions.

This is great when you’re installing a plugin and checking its status, but after while, time moves on, and we’re not as diligent in checking that a plugin is still being maintained throughout the life of the site.

Not a lot of us will do that. We should, but then there’s no shortage of things should be doing.

In this article, we’ll outline what abandoned plugins are, problems they might represent for you, and how you can check your plugins.

Watch The Article Summary of WordPress Abandoned Plugins

Abandoned doesn’t mean “security vulnerability”

When we refer to abandoned plugins, we’re not talking about security vulnerabilities.

Are there abandoned plugins with security vulnerabilities? For sure.

Are there abandoned plugins with no known security vulnerabilities? No doubt!

The purpose of this article is to provide some background, not to scare you into trawling through your site to remove abandoned plugins because “you’re at risk”.

We want to commicate a potential risk that every admin should be aware of. Half the battle of reducing our exposure is having the necessary data to make informed decisions and knowing the state of our plugins is part of this.

For a plugin to be considered abandoned, for our purposes, we’re going to make the cut-off point a generous 2 years. That means, if a plugin author hasn’t released an update to the plugin code for 2 years or more, we’ll consider it abandoned.

What are the potential risks associated with abandoned plugins?

To get an sense of just how many abandoned plugins there are, take a look this brilliant article by Isabel Castillo.

She’s gone through the entire WordPress repository and queried the latest update status of each plugin. Some date back as far as 2009 and have 100,000+ installations!

There’s no shortage of abandoned plugins, and there’s a high chance that you’re running one of them.

An abandoned plugin, as we said earlier, is one where the plugin author hasn’t updated any of the release code for over 2 years.

This means that in at least 2 years:

  • there have been no bug fixes
  • there has been no adjustment to the code to account for changes in the WordPress core
  • there have been no code enhancements
  • if vulnerabilities were discovered, then they haven’t been patched

I don’t know about you, but I’m not comfortable running that sort of code on a production website.

Sure, there may be no vulnerabilities in there, but how do I know?

Taking our Shield Security plugin as an example, we’re enhancing and improving that code all the time, if not fixing bugs and adding new features. Shield 7.0 was a major refactor in many ways, where we completely rewrote large sections, so that we could take advantage of better code structure.

Software development never really ends, and once a project has been abandoned, it’s only a matter of time until it becomes a problematic.

Running your site using WordPress plugins that have been abandoned is an unnecessary risk. There are nearly always alternatives or workarounds through newer plugins.

How can you check for abandoned plugins on your site?

Now that we know that abandoned plugins exist, and they may be on our websites, what can we do to find out if we have one?

The first thing you can do to a simple plugin review. You’ll need to take each plugin in-turn and fire up its WordPress.org plugin page.

When you do this, you’ll find a few bits of information that will be immediately useful for you.

This example is a screenshot of an abandoned plugin that hadn’t been updated for at least 4 years. But there’s nothing stopping you from installing it on your site from WordPress.org.

Of course, not being updated for 4 years doesn’t mean that there’s anything wrong with the code. It just means that in all likelihood, you’re going to run into trouble at some point. Perhaps this is when you upgrade your PHP version, or WordPress upgrades to an incompatible version, or some other random catastrophe.

It’s always better to mitigate risk when there isn’t a disaster happening right now.

You have a choice to make:

  1. Fix and replace problematic, outdated code while the site is fully functional and stable; or
  2. Wait for the site to crash, an while it’s offline and spewing errors to your customers:
    1. Try to isolate the actual problematic code within your plugins
    2. Determine what’s breaking
    3. Find a replacement
    4. Test the replacement
    5. Install and setup the replacement

These sorts of risks are better fixed long before a site crashes while everything’s working and we’re not stressed out with a disaster.

A New Shield Scan to notify you of abandoned plugins

With Shield Security 7.2+ you’ll have a scanner that notifies you when your site has plugins installed that are considered abandoned.

You can of course ignore these notices and so Shield wont tell you about them again, or you can take the opportunity to get proactive. You can either replace the plugin if you need the functionality, or remove it altogether.

Shield 7.2 is due for release in early March, so watch this space.

Comments and Suggestions

As always we welcome comments and suggestions about our articles and the Shield Security plugin. If you’d like to make a feature suggestion, please drop-in and either vote up an exciting suggestion, or add one that you’d like.

You can always leave us a comment below and we’ll get right back to you. Thanks!

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials
@alkairaouan's Gravatar @alkairaouan

So far so good.

Wished the shield small box at the bottom was more unobtrusive…

@silencio55's Gravatar @silencio55

Replaced 3-4 Plugins with this Plugin

I feel so confident in this plugin that I removed 3-4 plugins including Akisment, Sucuri, Login Lockdown and Wordfence. Support is excellent. Be Sure to check this plugin out. After reading a recent article on Sucuri about how important it is to have a notification when someone logs into admin…

@roof55-no's Gravatar @roof55-no

What all you needed for security when using WP

Get all needed setup for best security solution!

@infogurushop's Gravatar @infogurushop

Shield Security is 100% PRO

Shield Security os 100% PRO for professional. They have the best product and support with TOP SECURITY I have seen on the web/Internet for any website in 10 years. 1. YOU WON’T GET HUNDREDS OF INBOX EMAILS SAYING INVALID ADMIN LOGIN – FILLING UP YOUR EMAIL ACCOUNT LIKE OTHER TOP…

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese