WordPress Plugin Crisis: 59% of Plugins Have Been Abandoned for 2+ Years

WordPress powers over 43% of all websites in 2025, according to W3Techs. Plugins are the heart of WordPress. They add features like online stores, contact forms, and security tools. But over 59% of WordPress plugins (more than 34,000) haven’t been updated in over two years.

That’s a huge number! When so many plugins are outdated, it’s a problem. Not being updated means developers are just abandoning those plugins. But why? Is it creating a plugin crisis in the WordPress ecosystem? Is it worsening the future of WordPress for both developers and users?

In this case study, I explore the WordPress plugin abandonment crisis. I’ll explain why so many plugins are left behind, who makes them, and what risks they bring. My audience is developers, website owners, and agencies, and all of them should find this helpful.

Let’s dive into the post accompanied by valid data, stories, and statistics.

The Scale of the Crisis: Data and Statistics

The WordPress plugin directory has over 58,000 free plugins in 2025, according to WordPress.org and WPExperts. These plugins have been downloaded billions of times.

But the shocking part is that 34,000+ plugins (59.3%) haven’t been updated in two years or more. That’s almost six out of every ten plugins!

Let’s break it down by how many people use these non-updated plugins (active installs). Each percentage in the table is that row’s share of the outdated plugins (the 59.3%), not of the whole directory:

| Number of Installations | Number of Plugins | Plugins’ Condition |
|---|---|---|
| Less than 100 installs | 26,940 plugins (78.99%) | The most outdated |
| 100–999 installs | 5,601 plugins (16.42%) | Have users, but neglected |
| 1,000–9,999 installs | 1,333 plugins (3.91%) | Popular but still outdated |
| 10,000–99,999 installs | 222 plugins (0.65%) | Widely used but risky |
| 100,000–999,999 installs | 10 plugins (0.03%) | Super popular but abandoned |

# Analysis of the Data

What does this tell us? About 79% of outdated plugins have fewer than 100 installs. They never got popular. But 232 plugins (222 with 10K–99K installs and 10 with 100K–999K installs) are used by thousands or even millions. That’s a big concern.

For example, a plugin like Easy Google Fonts has over 100,000 installs but hasn’t been updated in four years, per WordPress.org data.

# Other Key Facts

  • 22.7% of these outdated plugins (about 7,700) were uploaded once and never touched again. Their publish date is the same as their last update date.
  • Plus, over 50% of all plugins have never received a user review, and 3% have never been updated at all.
  • The top 10 plugins, like Yoast SEO and Wordfence, account for 25% of all installs.

This means that a significant percentage of WordPress plugins have no good user base.

Types of WordPress Plugin Developers and Their Motivations

Why do so many plugins get abandoned? To understand, we need to know who makes these plugins and why. Not all developers are the same. We can group developers into five types. Each has different goals, which affect whether they keep their plugins updated.

Type 01: Business-Oriented Developers

These developers build plugins to make money. They offer free versions with premium upgrades or support services. For example, Elementor, Dokan, Yoast SEO, Rank Math, etc.

Developers behind these plugins, like weDevs, update their plugins regularly to keep customers happy. They have staff, revenue, and a business plan. Abandonment is rare because updates drive sales. These plugins are the big players with millions of installs.

Type 02: Portfolio and Learning-Focused Developers

Many developers use the WordPress repository to show off their skills or learn coding. They might be students or hobbyists. Their goal is to build a resume or practice WordPress development.

For example, they create a simple plugin, upload it, and move on. This explains why 22.7% of plugins have never been updated after they were uploaded. These developers don’t expect users. Abandonment is common here.

Type 03: Client-Specific or Niche Developers

Freelancers or agencies make plugins for specific clients, like a custom eCommerce tool. They might share it on WordPress.org to reach more users. If the client stops paying or the plugin doesn’t get popular, they stop updating.

Plugins like GeoDirectory (for location-based sites) start this way. Abandonment happens if the plugin doesn’t grow beyond its niche.

Type 04: Open-Source Enthusiasts

These developers love WordPress and want to help the community. They make free plugins for everyone. Their goal is to contribute or gain recognition. But burnout or new priorities can lead to abandonment. Sometimes, the community takes over their plugins, keeping them alive.

Type 05: Opportunistic or Low-Effort Developers

A small group creates plugins quickly to make a fast buck or spam the directory. These plugins are often low quality. The developers might sell them on marketplaces like CodeCanyon, but abandon them afterward. Patchstack reported 827 abandoned plugins with vulnerabilities in 2023. These developers don’t care about maintenance, so abandonment is intentional.

All these developers face challenges – getting noticed in a directory with 58,000+ plugins, finding time to update for free, or competing with big names. These issues lead to abandonment, especially for non-business developers.

The Hidden Risks: Security, Compatibility, and Performance

Outdated plugins can cause big problems, especially the 232 with 10,000+ installs. Let’s look at the risks:

Risk 01: Security Vulnerabilities

Plugins are a major weak spot. Patchstack reports that plugins were responsible for 97% of all new security vulnerabilities. Outdated plugins might have flaws that hackers can exploit.

For example, the Eval PHP plugin (10K+ installs) was used in attacks because it wasn’t updated, per BleepingComputer. Even simple plugins can have issues. A user named ‘chaoticbean14’ compared it to old code in programming languages like PHP, which led to hacks.

Risk 02: Compatibility Issues

WordPress releases updates often (three times a year, roughly). In 2025, we’re at version 6.8. Plugins not tested with 6.8 or newer PHP versions (like 8.2) might break. For instance, a plugin might stop working after a WordPress update, crashing your site.

Risk 03: Performance Problems

Old plugins might not use the latest coding tricks. This can slow your website, which annoys users and hurts your Google ranking. Search Logistics says site speed is critical for SEO in 2025.

Risk 04: User Trust

If a plugin says ‘Tested up to 4.8’ when we’re at 6.8, users like ‘bkthemes’ won’t trust it. Even if it works, it looks risky.

# Why Do People Still Use Outdated Plugins?

Some have no good alternatives. Others fear that switching will break their site. Many just don’t know the risks. For example, Easy Google Fonts (100K+ installs) hasn’t been updated in years but is still popular because it’s simple and unique.

Is Plugin Abandonment a Real Threat to the WordPress Plugin Business?

Here’s a big question – does this abandonment crisis hurt the WordPress plugin business? We think not. At least not for serious developers. Let’s break it down.

Why It’s Not a Major Threat!

The plugin business is thriving. The top 10 plugins have 70+ million active installations. These are built by business-oriented developers who update regularly and offer premium versions.

For example, Elementor’s premium plan and WooCommerce’s extensions generate millions in revenue, per WPExperts.

CodeCanyon, a premium marketplace, has over 5,200 plugins, many from dedicated teams.

These businesses aren’t affected by the 79% of low-traction plugins (<100 installs) that get abandoned. Portfolio or learning plugins don’t aim to make money, so their abandonment doesn’t disrupt the market. It’s like a lemonade stand closing – it doesn’t hurt big drink companies.

Why It’s Still a Problem!

Even if the business is fine, abandonment hurts the ecosystem. Outdated plugins increase security risks, as seen with 827 vulnerable plugins in 2023 (Patchstack). They clutter the repository, making it hard to find good plugins.

This frustrates new developers who can’t get noticed. It also erodes user trust. If someone installs a risky plugin and their site gets hacked, they might blame WordPress itself.

Balanced View!

The plugin business is strong for those who treat it like a business. But the flood of abandoned plugins creates challenges for everyone else. It’s not a crisis that will kill the market, but it needs fixing to keep WordPress healthy.

WordPress.org Policies and Repository Management

WordPress.org has rules to handle outdated plugins, but they’re not perfect. Here’s what they do:

1. Current Policies

Plugins not updated in about three WordPress releases (roughly two years) get a warning on their page. They also rank lower in search results. If a plugin fails a security check, it’s removed from the directory.

2. What’s Wrong

The repository doesn’t automatically delete old plugins. This means 34,000+ outdated plugins stay available, cluttering the system. There’s no clear way to tell if a plugin is ‘simple but safe’ or truly abandoned. Users want stricter rules, like removing plugins after 6–12 months without updates.

3. Community Ideas

Some suggest letting the community adopt abandoned plugins. Others want WordPress.org to require ‘Tested up to’ updates for every major release. Tools like PluginInsight show a plugin’s health, and WordPress.org could utilize similar ideas.

Implications for Developers and the WordPress Eco-system

This crisis affects everyone in WordPress. Let’s look at how it affects developers and the WordPress ecosystem in particular.

For Developers

Keeping plugins updated is hard, especially for free ones. Business-oriented developers succeed by offering value, but others struggle with visibility or time. New developers might give up if their plugins don’t get noticed.

For the Ecosystem

Too many outdated plugins make the repository messy. This hides good plugins and slows innovation. Users lose trust, and security risks grow. The top 10 plugins, with 25% of all installs, dominate, leaving smaller developers in the dust.

Solutions, Best Practices, and Recommendations

In this section, I cover some solutions and best practices that can help address this issue.

For Developers

  • Update the ‘Tested up to’ tag with every major WordPress release (e.g., 6.8). It takes minutes and shows your plugin is active.
  • If your plugin doesn’t need updates, say so in the description.
  • Open-source your plugin if you can’t maintain it. Let the community help, like with ‘norcross’ and Comment Blacklist Manager.
  • Focus on one task per plugin. Plugins from JeffStarr or bPlugins are great examples. They’re simple and clash less with others.

For Website Owners and Agencies

  • Check your plugins every three months. Look at the ‘Last Updated’ and ‘Tested up to’ fields on WordPress.org.
  • Replace outdated plugins with active ones. Look for community forks if you love the plugin.
  • Keep a spreadsheet for all your sites’ plugins. It saves time.
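
One way to script the quarterly check from the list above, as an added example that is not code from the original article. It goes slightly beyond the list by also flagging the "uploaded once, never touched" case described earlier; the inventory is constructed, and the field names, date formats, and thresholds are assumptions based on the article's own figures.

```python
import csv, io, re
from datetime import date

CURRENT_WP = (6, 8)   # current major release named in the article
STALE_DAYS = 2 * 365  # the article's "two years or more" threshold

# Constructed inventory (not real plugins); field names/formats are assumptions.
SAMPLE = [
    {"slug": "example-forms", "added": "2019-03-02", "tested": "6.8",
     "last_updated": "2025-04-20 9:14am GMT", "active_installs": 40000},
    {"slug": "example-fonts", "added": "2016-01-10", "tested": "5.7.2",
     "last_updated": "2021-05-03", "active_installs": 100000},
    {"slug": "example-widget", "added": "2018-07-15", "tested": "4.9",
     "last_updated": "2018-07-15", "active_installs": 80},
    {"slug": "example-gallery", "added": "2020-02-01", "tested": "6.4",
     "last_updated": "2024-01-15", "active_installs": 3000},
]

def day(value):
    """Parse the leading YYYY-MM-DD of a date or timestamp string."""
    return date.fromisoformat(value[:10])

def major(version):
    """'6.8.1' or '6.8-RC1' -> (6, 8); a missing value sorts as (0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    return tuple(nums + [0] * (2 - len(nums)))

def audit(plugins, today):
    """Flag each plugin per the article's criteria; riskiest rows first."""
    rows = []
    for p in plugins:
        updated, flags = day(p["last_updated"]), []
        if (today - updated).days >= STALE_DAYS:
            flags.append("stale")
            if updated == day(p["added"]):  # uploaded once, never touched
                flags.append("never-updated")
        if major(p["tested"]) < CURRENT_WP:
            flags.append("untested")
        rows.append({**p, "last_updated": updated.isoformat(), "flags": flags})
    return sorted(rows, key=lambda r: (-len(r["flags"]), -r["active_installs"]))

def to_csv(rows):
    """Render the audit as the tracking spreadsheet the list recommends."""
    buf = io.StringIO()
    fields = ["slug", "last_updated", "tested", "active_installs", "flags"]
    out = csv.DictWriter(buf, fields, extrasaction="ignore", lineterminator="\n")
    out.writeheader()
    out.writerows({**r, "flags": ";".join(r["flags"])} for r in rows)
    return buf.getvalue()
```

Calling `to_csv(audit(SAMPLE, date.today()))` gives one row per plugin, with the most-flagged and most-installed plugins at the top of the replacement list.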

For WordPress.org

  • Remove plugins not updated in 6–12 months or 2–3 major releases.
  • Highlight well-maintained plugins in search results.
  • Add a ‘maintenance score’ to plugin pages, like Classic Monks does.

Fuad Al Azad

Content Editor @ weDevs (Develop content strategies, generate ideas, plan topics, and review blog posts to ensure every piece is EPIC.)
