Outdated plugins can introduce a serious security issue on your site. See easy ways to find outdated plugins and ones that have been removed from the WordPress Plugins Repository.
This post is part of the Seriously Old Plugin Challenge for the month of May.
Join us and get your site ready for PHP 7 and get rid of all those old plugins.
Old Plugins Pose Security Issues
The core WordPress code is changing with every update. The overwhelming majority of those changes are bug fixes and to plug security holes.
Plugins that don’t keep pace and aren’t compatible with the latest WP core changes may open your site to a serious security risk.
In fact, when the folks at WordPress find a plugin that has egregious security issues, they pull it from the Plugins Repository.
The problem is that WordPress never sends a notice that a plugin has been removed from the Plugins Repository.
So, you have no way to know that there is a ticking time bomb on your site.
They hope the plugin developer will update it and submit a reinstatement request to the Repository, but that doesn’t help you in the meantime!
Worse, if the developer never updates the plugin, you’re stuck with an unsupported plugin on your site that will keep falling farther behind in WP, PHP, and security standards.
Old Plugins Break
Well supported plugins that depend on WordPress core code will have a flag in them that lets them know what version of WordPress you are running.
When a WordPress update is imminent, they will either issue an update just prior or just after so that the plugin doesn’t break.
In other words, you may see a slew of plugin updates just ahead of a WordPress update.
It’s a good idea to update the plugins first, so they won’t break when you update WordPress.
Or, you may see a slew of plugin update notices immediately after you update WordPress. That’s because they rely on changes to the WP core.
It’s a good idea to update the plugins immediately so they stay in compliance with bug fixes and security issues in the WordPress core.
Plugins that Check for Old Plugins
There are two free plugins that can scan your site for plugins that are either no longer in the WordPress Plugins Repository, or have a warning that they have not been updated in over two years.
They both work, but I do have a preference for one over the other, and a slightly better way to check your plugins, as these plugin checkers are not always 100% accurate.
No Longer in Directory Plugin
This is a lightweight plugin that scans your plugins folder for any plugins that are no longer in the Plugins Repository, or those that have not been updated in over two years.
You do have to manually run the test, which is why I like this plugin and suggest it over the one listed below.
Any type of automated scan on your site is a performance issue.
The plugin is a little odd in that it lists the link to run it under the Plugins tab in your left admin sidebar, instead of under Tools or Settings, which is where most plugins put their links.
The only caveat of the plugin is that it will also flag your premium plugins, which are also not listed in the WordPress Plugins Repository.
k-OutDated Checker (k-OC) Plugin
This plugin scans your site twice a day and sends you an email alert for any outdated plugins.
It works, but most sites have zero need to be scanned on such a frequent basis.
Plus, the email shows all of your plugins, including those that are okay, and those that just have an update available.
And, it may false flag an premium plugins that are not in the WordPress Plugins Repository.
However, an automated scan might be ideal for those who maintain a lot of sites, or infrequently log into their site.
It’s worth noting that this plugin has not been updated in 2 years itself and has few installs.
A Better Way to Check Your Plugins
Honestly, the only way to check your plugins with 100% accuracy is to manually check each one.
See this quick video on best ways to verify your plugins and how to get my free Plugins Spreadsheet.
After you go through the initial check, perhaps running the No Longer in Directory Plugin on a quarterly basis would help you stay on top of your plugin security.
Avoid Knee Jerk Reactions
If any of your plugins gets flagged in one of the checking methods above, be careful not to ditch it too quickly.
Do your homework.
Some plugins are freemium, meaning they have a free version in the WordPress Plugins Repository and then a paid upgrade with more features.
WordPress is very strict about how the developers can advertise their paid version. And WordPress may temporarily remove the free version from the repository until the developers fix their language or links.
In other words, nothing is wrong with the plugin, and it’s just a temporary situation.
Plugins that have not been updated in over 2 years are not necessarily bad.
One of my favorite plugins, Login Lockdown, has twice received this 2 year update warning, yet nothing was ever wrong with the plugin.
The developer built it right the first time and it didn’t need updates.
But, to get that warning removed, the developer finally made minor changes and all was fine again.
Recommended Replacements
Visit the BlogAid Plugins page to see
- my top plugins that I won’t do a site without
- plugins I’ve pulled from my recommended list
- plugins used on my sites or client sites that are top notch
Check for PHP 7 Compatibility
Just because a plugin is still actively supported does not mean that it is PHP 7 ready.
We all need to move up to the latest PHP version to keep our sites fast and secure.
See this quick video on how to check your plugins and themes for PHP 7.
Check for Resource Hog Plugins
Just because a plugin is being kept current doesn’t mean that it’s a good plugin.
Some plugins are huge resource hogs and chew up your hosting bandwidth, CPU, and memory, leaving less of those resources for your human visitors.
And, they could be costing you more money with having to buy more hosting than you actually need.
A full site audit checks for all the performance drags on your site, including plugins that hog all the covers.
Do You Design or Maintain Sites?
The Webmaster Training courses were created just for you.
Learn how to set up sites securely and keep them performing at peak.
