Paste your WordPress plugins and check each against WordPress.org: removed from the directory, abandoned, or untested with current WordPress. The plugins you forgot about are the ones that get you hacked. Runs in your browser.
Open the live tool or see it check a sample.
Most WordPress compromises are not clever. They come from a plugin with a known, published vulnerability that nobody updated, because nobody remembered it was installed. Two situations deserve immediate attention, and both are invisible from inside wp-admin:
- Removed from the directory. When WordPress.org pulls a plugin, it is often for an unresolved security issue. The plugin keeps running on your site but stops getting updates and vanishes from search, so you may never hear there was a problem.
- Abandoned. A plugin untouched for years is a bet that no vulnerability will ever be found in it, and that bet worsens every month.
This tool checks a whole plugin list against the live WordPress.org directory in seconds.
For each plugin it looks up the WordPress.org plugin API and returns a verdict:
| Verdict | Meaning |
|---|---|
| GONE | Not in the directory. Possibly removed for a security or guideline problem (urgent), or a premium/custom plugin the directory never listed. |
| ABANDONED | No update in roughly two years or more. |
| CHECK | Stale (about a year), only tested against an old WordPress version, or very few installs. |
| HEALTHY | Recently updated and tested with current WordPress. |
The current WordPress version is fetched live from WordPress.org so "tested against an old version" stays accurate over time.
Any of these, mixed freely, one per line:
- Plain slugs:
woocommerce - Folder or file paths as WordPress stores them:
woocommerce/woocommerce.php - Directory URLs:
https://wordpress.org/plugins/woocommerce/
To get your list: in the dashboard open Plugins and copy the names, or run wp plugin list --field=name with WP-CLI, or read the folder names in wp-content/plugins/.
The tool never touches your site and needs no login. You paste a list of names; it looks each name up in the public WordPress.org plugin API from your browser, sending nothing except the slugs it has to query. It is a static page with no backend.
No install: jaydenyoonzk.github.io/wp-plugin-checkup
Run locally:
git clone https://github.com/JaydenYoonZK/wp-plugin-checkup.git
cd wp-plugin-checkup
npm run serve # http://localhost:8421docs/checkup.js is a dependency-free ES module:
import { parseSlugs, apiUrl, verdict } from "./checkup.js";
const slugs = parseSlugs(pastedList);
// fetch apiUrl(slug) yourself, then:
const v = verdict(slug, info, { now: Date.now(), currentVersion: "7.0" });npm test19 tests cover slug parsing across formats (including comma-separated lists and WP-CLI CSV), the WordPress x.y version comparison, the API date format, and every verdict path against fixed dates.
This checks maintenance status, not specific vulnerabilities. A maintained plugin can still have had a bug; the difference is that it ships a fix and an abandoned one never does. For known-vulnerability lookups, a dedicated feed is the right tool, and keeping everything current is what neutralizes most of them.
MIT. Built and maintained by Jayden Yoon ZK. Part of a WordPress toolkit with WP Serial Fix and WP Config Doctor.