WP Plugin Checkup

The plugins you forgot about are the ones that get you hacked.

A WordPress site collects plugins over the years, and the risky ones are rarely the ones you use daily. They are the abandoned helper you installed once, or the plugin quietly pulled from the directory for a security problem you never heard about. Paste your plugin list and check every one against WordPress.org in seconds.

🔒 Plugin names go to WordPress.org to look up their status. Nothing else is collected.

🚪 Why old plugins are the real risk

Most WordPress compromises do not come from clever attacks. They come from a plugin with a known, published vulnerability that nobody got around to updating, because nobody remembered it was installed. Two situations deserve immediate attention:

🚦 What the verdicts mean

VerdictMeaning
GONEWordPress.org has no such plugin. Possibly removed from the directory (treat as urgent), or a premium or custom plugin the directory never listed.
ABANDONEDNo update in roughly two years or more. Find a maintained alternative.
CHECKStale (about a year since the last update), only tested against an old WordPress version, or very few installs. Usually fine, worth confirming.
HEALTHYRecently updated and tested with current WordPress. This is about maintenance, not a security guarantee.

📋 Where to find your plugin list

Any of these formats works, mixed freely, one per line:

To get the full list from a live site: in the dashboard, open Plugins and copy the names, or with WP-CLI run wp plugin list --field=name. Over SFTP, the folder names inside wp-content/plugins/ are the slugs.

💬 Questions people ask

Does GONE always mean the plugin is dangerous?

No. Premium plugins (many page builders, form tools, and commercial extensions) are sold outside the directory and will always show as GONE here, which is expected. The verdict means only that the public directory does not list it. What matters is whether you recognize the plugin and trust where it came from. An unfamiliar plugin showing GONE is the one to investigate.

Is my site connected or scanned?

No. You paste a list of names; the tool looks each name up in the public WordPress.org plugin API from your browser. It never touches your site, needs no login, and sends nothing except the plugin slugs it has to look up.

A healthy plugin still had a vulnerability once. Does this catch that?

This checks maintenance status: is the plugin alive, current, and tested. It is not a vulnerability database. A well-maintained plugin can still have had a bug, the difference is that a maintained plugin ships a fix and an abandoned one never does. For specific known vulnerabilities, a dedicated vulnerability feed is the right tool, and keeping everything updated is what turns most of them harmless.

Can I use the engine in my own project?

Yes. docs/checkup.js is a dependency-free ES module: parseSlugs, apiUrl, and verdict. MIT licensed.