| Plugin | Status | Details |
|---|
🚪 Why old plugins are the real risk
Most WordPress compromises do not come from clever attacks. They come from a plugin with a known, published vulnerability that nobody got around to updating, because nobody remembered it was installed. Two situations deserve immediate attention:
- Removed from the directory. When WordPress.org pulls a plugin, it is often because of an unresolved security issue. The plugin keeps running on your site, but it stops receiving updates and quietly disappears from search, so you may never learn there was a problem. This tool flags any plugin the directory no longer lists.
- Abandoned. A plugin with no update in years is a bet that no vulnerability will ever be found in it, and that bet gets worse every month. WordPress itself warns you about plugins untouched for two or more years.
🚦 What the verdicts mean
| Verdict | Meaning |
|---|---|
| GONE | WordPress.org has no such plugin. Possibly removed from the directory (treat as urgent), or a premium or custom plugin the directory never listed. |
| ABANDONED | No update in roughly two years or more. Find a maintained alternative. |
| CHECK | Stale (about a year since the last update), only tested against an old WordPress version, or very few installs. Usually fine, worth confirming. |
| HEALTHY | Recently updated and tested with current WordPress. This is about maintenance, not a security guarantee. |
📋 Where to find your plugin list
Any of these formats works, mixed freely, one per line:
- Plain slugs, the last part of a plugin's directory URL:
woocommerce - Folder or file paths as WordPress stores them:
woocommerce/woocommerce.php - Directory URLs:
https://wordpress.org/plugins/woocommerce/
To get the full list from a live site: in the dashboard, open Plugins and copy the names, or with WP-CLI run wp plugin list --field=name. Over SFTP, the folder names inside wp-content/plugins/ are the slugs.
💬 Questions people ask
Does GONE always mean the plugin is dangerous?
No. Premium plugins (many page builders, form tools, and commercial extensions) are sold outside the directory and will always show as GONE here, which is expected. The verdict means only that the public directory does not list it. What matters is whether you recognize the plugin and trust where it came from. An unfamiliar plugin showing GONE is the one to investigate.
Is my site connected or scanned?
No. You paste a list of names; the tool looks each name up in the public WordPress.org plugin API from your browser. It never touches your site, needs no login, and sends nothing except the plugin slugs it has to look up.
A healthy plugin still had a vulnerability once. Does this catch that?
This checks maintenance status: is the plugin alive, current, and tested. It is not a vulnerability database. A well-maintained plugin can still have had a bug, the difference is that a maintained plugin ships a fix and an abandoned one never does. For specific known vulnerabilities, a dedicated vulnerability feed is the right tool, and keeping everything updated is what turns most of them harmless.
Can I use the engine in my own project?
Yes. docs/checkup.js is a dependency-free ES module: parseSlugs, apiUrl, and verdict. MIT licensed.