WordPress will pester you about pretty much everything. A new core version is available. Your theme has an update. Three plugins want your attention. Your dashboard turns into a Christmas tree of notification bubbles, and you click through them or ignore them depending on the day.
Here’s what WordPress will not tell you: when a plugin you installed three years ago has quietly stopped getting updates entirely.
Plugins that need updating get loud. Plugins that have been abandoned by their developer go silent. They keep working, more or less, but the code stops getting patched. Security flaws stop getting fixed. Compatibility with newer PHP versions and newer WordPress versions stops getting tested. Because nothing in your dashboard signals there’s a problem, you don’t go looking.
This is one of the more common security gaps we find on client sites. Here’s how to check if a WordPress plugin is abandoned on yours, in about ten minutes.
What “abandoned” actually means
WordPress.org’s working definition is a plugin that hasn’t received an update in two years. The reasoning is straightforward. Software needs maintenance. WordPress itself releases major versions multiple times a year. PHP gets new versions. New vulnerability research keeps surfacing issues in older code. A plugin that hasn’t been touched in two years has missed all of that and is almost certainly drifting into incompatibility, security risk, or both.
Two years is a threshold, not a cliff. A plugin updated 18 months ago isn’t great. A plugin updated 12 months ago deserves attention. A plugin updated six months ago that has a silent support forum and no public roadmap is worth keeping an eye on. The longer the silence, the higher the risk.
The reason this matters is the same reason any unpatched software matters. In 2023, roughly 97% of new WordPress security vulnerabilities came from plugins, not from the core platform. The platform is well maintained. Its enormous third-party ecosystem is uneven. When a plugin developer walks away, every site running that code is left holding the bag.
Two ways to check if a WordPress plugin is abandoned
The manual method works and costs nothing. Log into your WordPress admin, open the Plugins page, and for each plugin, click “View details.” A modal opens with a “Last Updated” date. If it’s been more than a year, flag it for review; if it’s been more than two years, start moving toward replacement or removal.
The faster method is to let a security plugin do the work. The free version of Wordfence (installable from the WordPress plugin directory like anything else) runs a scan that flags abandoned plugins automatically. It tells you which plugins have been silent too long, and if any of them have known unpatched vulnerabilities, it bumps the severity from medium to critical. That’s the alert you really care about: a plugin that is both abandoned and already known to be exploitable.
Run the scan. Read the results. Don’t panic at the medium warnings, but take them seriously.
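The manual “Last Updated” check can be scripted against the same data the plugin directory shows in that modal. The script below is an added example, not code from this post or from E11: it queries the public wordpress.org plugin information API (the `action=plugin_information` endpoint, which returns a `last_updated` field), applies the thresholds from this post (flag past one year, replace or remove past two years), and treats any plugin the directory does not know about as the premium-or-custom case that needs a vendor check. The sample records and the fixed “today” date are constructed so it runs offline; the assumed `last_updated` format is `YYYY-MM-DD h:mmam GMT`, of which only the calendar day is used.

```python
"""Age-check WordPress plugins against the wordpress.org plugin directory (added example)."""
import json
import urllib.request
from datetime import date, datetime
from urllib.parse import urlencode

PLUGIN_INFO_API = "https://api.wordpress.org/plugins/info/1.2/"

REVIEW_DAYS = 365      # past one year: flag for review
ABANDONED_DAYS = 730   # past two years: wordpress.org's working definition of abandoned


def fetch_plugin_info(slug: str) -> dict:
    """Live lookup of one plugin record (network call; the offline sample below stands in for it)."""
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{PLUGIN_INFO_API}?{query}", timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value: str) -> date:
    """Assumed format '2021-03-04 2:15pm GMT'; only the calendar day matters for ageing."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def classify(info: dict, today: date) -> dict:
    """Turn one directory record into a status plus the action the post recommends."""
    slug = info.get("slug", "?")
    if "last_updated" not in info:
        # Not in the public directory: premium or custom plugin, outside this check's reach.
        return {"slug": slug, "days_since_update": None, "status": "unknown",
                "action": "not in wordpress.org directory; confirm maintenance with the vendor"}
    age = (today - parse_last_updated(info["last_updated"])).days
    if age > ABANDONED_DAYS:
        status, action = "abandoned", "replace with an actively maintained alternative, or delete if unneeded"
    elif age > REVIEW_DAYS:
        status, action = "review", "flag for review; watch for a silent support forum"
    else:
        status, action = "current", "none"
    return {"slug": slug, "days_since_update": age, "status": status, "action": action}


def audit(records, today: date) -> list:
    """Classify a batch of records and list the worst cases first."""
    order = {"abandoned": 0, "unknown": 1, "review": 2, "current": 3}
    return sorted((classify(r, today) for r in records), key=lambda r: order[r["status"]])


# Constructed sample records in the shape the API returns (not real plugins).
SAMPLE_RECORDS = [
    {"slug": "example-forms", "last_updated": "2021-03-04 2:15pm GMT"},
    {"slug": "example-gallery", "last_updated": "2023-11-20 9:02am GMT"},
    {"slug": "example-seo", "last_updated": "2024-12-02 4:40pm GMT"},
    {"slug": "premium-booking", "error": "Plugin not found."},   # constructed "not in directory" reply
]
SAMPLE_TODAY = date(2025, 1, 15)   # fixed so the example is reproducible


if __name__ == "__main__":
    # For a live run, replace SAMPLE_RECORDS with [fetch_plugin_info(s) for s in your_slugs]
    # and SAMPLE_TODAY with date.today().
    for row in audit(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(f"{row['status']:<9} {row['slug']:<16} {row['days_since_update']!s:>5}d  {row['action']}")
```

Plugin slugs are the directory names under `wp-content/plugins/`, so a list of installed slugs is easy to get from the server. Anything reported as `unknown` is exactly the premium-plugin blind spot described further down: it is not evidence of maintenance, only evidence that this check cannot see it.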
What to do when you find one
There are basically two paths.
If the plugin isn’t doing anything important, disable and delete it. A lot of WordPress sites carry plugins that were installed years ago for a one-time purpose, a feature that’s no longer used, or a developer’s experiment that nobody cleaned up. If you can’t articulate what a plugin is doing for your business right now, that’s your answer.
If the plugin is doing something important, you need to replace it. Search the WordPress repository for active alternatives. Look for plugins with recent updates, a healthy install base, and a responsive support forum. Install the replacement, configure it, test it on a staging copy of your site if you have one, then swap the old plugin out. Don’t leave both running in parallel longer than you have to.
One thing to watch for: premium plugins bought outside the WordPress.org repository often update through their own systems and won’t show up in Wordfence’s abandonment check. If you paid for a plugin three years ago and haven’t heard from the vendor since, that’s also abandoned. The fact that it once cost money doesn’t make it safer.
If your site is hosted with E11, this is already handled
We don’t make our clients check whether their WordPress plugins are abandoned. We run a custom notification system across every site we host that flags them the moment they cross the line, and the alerts route straight to our developers. They deal with it (sometimes before you ever know there was a problem to deal with). It’s part of the reason hosting with us is hosting, not just a server with your name on it.
Why this is worth your morning
If your business runs on your website, your site is part of how customers find you, contact you, and decide whether to trust you. A breach doesn’t just mean a cleanup bill. It means downtime, search ranking damage, and the awkward email to your customer list explaining what happened. The cost of preventing the problem is a coffee’s worth of time. The cost of cleaning up after it is significantly more.
Ten minutes. A free scan. A short list of plugins to deal with. That’s the whole project.