Abandoned WordPress plugins and the risk they pose to your sites


A few years ago, WordPress.org got more proactive in its management of plugins on their repository.

They started flagging plugins in a few different ways. This included indicating that the plugin hadn’t been updated in a few years, or hadn’t been updated for the most recent few WP core versions.

This is great when you’re installing a plugin and checking its status, but after a while, time moves on, and we’re not as diligent in checking that a plugin is still being maintained throughout the life of the site.

Not a lot of us will do that. We should, but then there’s no shortage of things we should be doing.

In this article, we’ll outline what abandoned plugins are, problems they might represent for you, and how you can check your plugins.


Abandoned doesn’t mean “security vulnerability”

When we refer to abandoned plugins, we’re not talking about security vulnerabilities.

Are there abandoned plugins with security vulnerabilities? For sure.

Are there abandoned plugins with no known security vulnerabilities? No doubt!

The purpose of this article is to provide some background, not to scare you into trawling through your site to remove abandoned plugins because “you’re at risk”.

We want to communicate a potential risk that every admin should be aware of. Half the battle of reducing our exposure is having the necessary data to make informed decisions, and knowing the state of our plugins is part of this.

For a plugin to be considered abandoned, for our purposes, we’re going to make the cut-off point a generous 2 years. That means, if a plugin author hasn’t released an update to the plugin code for 2 years or more, we’ll consider it abandoned.

What are the potential risks associated with abandoned plugins?

To get a sense of just how many abandoned plugins there are, take a look at this brilliant article by Isabel Castillo.

She’s gone through the entire WordPress repository and queried the latest update status of each plugin. Some date back as far as 2009 and have 100,000+ installations!

There’s no shortage of abandoned plugins, and there’s a high chance that you’re running one of them.

An abandoned plugin, as we said earlier, is one where the plugin author hasn’t updated any of the release code for over 2 years.

This means that in at least 2 years:

  • there have been no bug fixes
  • there has been no adjustment to the code to account for changes in the WordPress core
  • there have been no code enhancements
  • if vulnerabilities were discovered, then they haven’t been patched

I don’t know about you, but I’m not comfortable running that sort of code on a production website.

Sure, there may be no vulnerabilities in there, but how do I know?

Taking our Shield Security plugin as an example, we’re enhancing and improving that code all the time, when we’re not fixing bugs or adding new features. Shield 7.0 was a major refactor in many ways, where we completely rewrote large sections so that we could take advantage of a better code structure.

Software development never really ends, and once a project has been abandoned, it’s only a matter of time until it becomes problematic.

Running your site using WordPress plugins that have been abandoned is an unnecessary risk. There are nearly always alternatives or workarounds through newer plugins.

How can you check for abandoned plugins on your site?

Now that we know that abandoned plugins exist, and they may be on our websites, what can we do to find out if we have one?

The first thing you can do is a simple plugin review. You’ll need to take each plugin in turn and fire up its WordPress.org plugin page.

When you do this, you’ll find a few bits of information that will be immediately useful for you.

This example is a screenshot of an abandoned plugin that hadn’t been updated for at least 4 years. But there’s nothing stopping you from installing it on your site from WordPress.org.

Of course, not being updated for 4 years doesn’t mean that there’s anything wrong with the code. It just means that in all likelihood, you’re going to run into trouble at some point. Perhaps this is when you upgrade your PHP version, or WordPress upgrades to an incompatible version, or some other random catastrophe.
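A scripted version of the plugin review described above, added here as an example and not code from the article or from the Shield Security plugin. It reads each installed plugin’s record from the WordPress.org plugin-info API (assumed here to be https://api.wordpress.org/plugins/info/1.0/<slug>.json, returning a "last_updated" string such as "2019-02-15 8:51pm GMT" and a "tested" WordPress version), applies the article’s 2-year cut-off, and as a second signal flags plugins whose tested-up-to version is below the WordPress line the site runs. The sample records, their slugs and the demo date are constructed; a live fetch function is included, but the demo itself runs offline against the constructed records.

```python
"""Flag abandoned WordPress plugins from WordPress.org plugin-info data.

Added example, not code from the article or from Shield Security.
Assumption: the plugin-info API returns JSON with a "last_updated" string
like "2019-02-15 8:51pm GMT" and a "tested" field holding the highest
WordPress version the author tested against. Sample records are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

ABANDONED_AFTER = timedelta(days=2 * 365)  # the article's 2-year cut-off
DEMO_NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample API responses, trimmed to the fields this check uses.
SAMPLE_API_RESPONSES = {
    "example-gallery": json.dumps({
        "name": "Example Gallery", "slug": "example-gallery", "version": "1.3.2",
        "last_updated": "2014-11-02 9:12am GMT", "tested": "4.0",
    }),
    "example-forms": json.dumps({
        "name": "Example Forms", "slug": "example-forms", "version": "5.0.1",
        "last_updated": "2019-02-20 3:45pm GMT", "tested": "5.1",
    }),
    "example-unparseable": json.dumps({
        "name": "Example Unparseable", "slug": "example-unparseable",
        "last_updated": "not a date", "tested": "",
    }),
}


def parse_last_updated(value):
    """Parse "YYYY-MM-DD H:MMam/pm GMT" into an aware UTC datetime.
    Returns None when the string does not match, so an unparseable date
    is reported as 'unknown' rather than silently treated as fresh."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}) (\d{1,2}):(\d{2})(am|pm) GMT$", value or "")
    if not m:
        return None
    date, hour, minute, meridiem = m.groups()
    hour = int(hour) % 12 + (12 if meridiem == "pm" else 0)
    return datetime.strptime(date, "%Y-%m-%d").replace(
        hour=hour, minute=int(minute), tzinfo=timezone.utc)


def version_tuple(version):
    """Turn "5.1" / "4.9.8" into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def classify_plugin(info, now, current_wp="5.1"):
    """Describe one plugin's maintenance state.
    'abandoned' is the article's rule (no release for 2+ years); None means
    the date could not be read and the plugin needs a manual look.
    'tested_below_current' is a softer signal: the author has not declared
    compatibility with the WordPress line the site is running."""
    updated = parse_last_updated(info.get("last_updated"))
    age = (now - updated) if updated is not None else None
    tested = info.get("tested") or ""
    return {
        "slug": info.get("slug"),
        "last_updated": updated.date().isoformat() if updated else None,
        "age_days": age.days if age is not None else None,
        "abandoned": (age >= ABANDONED_AFTER) if age is not None else None,
        "tested_below_current": (
            version_tuple(tested) < version_tuple(current_wp) if tested else None),
    }


def fetch_live(slug):
    """Fetch a plugin record from WordPress.org (needs network; not used by the demo)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def review_site(slugs, now=None, fetch=lambda slug: SAMPLE_API_RESPONSES[slug]):
    """Classify every installed plugin slug. `fetch` returns raw JSON text for
    a slug; the default reads the constructed samples so this runs offline.
    Pass fetch=fetch_live to query WordPress.org for real slugs."""
    now = now or datetime.now(timezone.utc)
    return {slug: classify_plugin(json.loads(fetch(slug)), now) for slug in slugs}


if __name__ == "__main__":
    for slug, result in review_site(SAMPLE_API_RESPONSES, DEMO_NOW).items():
        print(slug, result)
```

On a real site the slug list comes from the plugin directory names under wp-content/plugins; plugins that are not hosted on WordPress.org will return an error from the API and need to be reviewed by hand, as does any record whose date fails to parse.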

It’s always better to mitigate risk when there isn’t a disaster happening right now.

You have a choice to make:

  1. Fix and replace problematic, outdated code while the site is fully functional and stable; or
  2. Wait for the site to crash, and while it’s offline and spewing errors to your customers:
    1. Try to isolate the actual problematic code within your plugins
    2. Determine what’s breaking
    3. Find a replacement
    4. Test the replacement
    5. Install and set up the replacement

These sorts of risks are better fixed long before a site crashes, while everything’s working and we’re not stressed out by a disaster.

A New Shield Scan to notify you of abandoned plugins

With Shield Security 7.2+ you’ll have a scanner that notifies you when your site has plugins installed that are considered abandoned.

You can of course ignore these notices, and Shield won’t tell you about them again, or you can take the opportunity to get proactive. You can either replace the plugin if you need the functionality, or remove it altogether.

Shield 7.2 is due for release in early March, so watch this space.

Comments and Suggestions

As always we welcome comments and suggestions about our articles and the Shield Security plugin. If you’d like to make a feature suggestion, please drop in and either vote up an existing suggestion, or add one that you’d like.

You can always leave us a comment below and we’ll get right back to you. Thanks!
