WordPress recently introduced the Plugin Check Plugin (PCP), an automated screening tool that checks every new plugin submission for security, performance and code-quality issues. If you manage WordPress sites for clients, this is worth knowing about.
Why WordPress Built This
In 2024, researchers catalogued nearly 8,000 new security vulnerabilities in the WordPress ecosystem. 7,633 of them (96%) were in plugins, while WordPress core itself accounted for just 7.
These weren’t just problems in rarely-used plugins. Over 1,000 vulnerabilities showed up in plugins installed on more than 100,000 sites. And some of the affected plugins were actually used by millions, for example:
- Really Simple Security (4 million sites) had a bug that let attackers bypass login.
- WPML (1 million+ sites) had a remote code execution vulnerability.
- LiteSpeed Cache (5 million sites) faced critical cross-site scripting issues.
The bigger issue is what happens after disclosure: roughly a third of reported plugin vulnerabilities still had no fix available at the time they were publicly disclosed. Many plugins are also abandoned outright, leaving sites vulnerable with no fix coming.
What the Plugin Check Plugin Does

The Plugin Check Plugin (PCP) runs a set of automated checks against every new plugin submitted to the WordPress.org directory. It is a first layer of review ahead of the manual approval process, catching preventable issues early. Developers can also install PCP themselves and run it from the WordPress admin or WP-CLI, fix what it reports before release, and keep running it as the plugin evolves.
The new plugin screens for:
- Common security vulnerabilities like SQL injection and cross-site scripting
- Performance issues that could slow down sites
- Compatibility with current WordPress versions
- Deprecated functions and poor coding practices
In short, if a plugin fails these checks, it doesn’t get published until the developer fixes the problems.
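As an added example (not code from Plugin Check or from this article), here are the two defect patterns named above as they typically appear in a WordPress plugin, each beside the form that a static check of the plugin source accepts. The stub `wpdb` class and the `esc_html()` fallback exist only so the file runs with plain `php` outside WordPress; the table name, function names and payloads are made up.

```php
<?php
// Added example, not code from Plugin Check or from the article. It shows the two
// defect patterns named above, each next to the form a static check accepts.
// Table name, function names and the payloads are hypothetical/constructed.

if (!class_exists('wpdb')) {
    // Stand-in so the file runs outside WordPress. prepare() adds quotes and escapes
    // each %s/%d argument, as the real one does (WordPress uses the DB driver's escaping);
    // get_row() returns the SQL it would execute so the two forms can be compared.
    class wpdb {
        public string $prefix = 'wp_';
        public function prepare(string $query, ...$args): string {
            $quoted = array_map(
                fn($a) => is_int($a) ? (string)$a : "'" . addslashes((string)$a) . "'",
                $args
            );
            return vsprintf(str_replace('%d', '%s', $query), $quoted);
        }
        public function get_row(string $sql): string { return $sql; }
    }
}
if (!function_exists('esc_html')) {
    // WordPress's esc_html() escapes <, >, &, " and ' for safe HTML text output.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// SQL injection: request input concatenated straight into the query string.
function vulnerable_lookup(wpdb $wpdb, string $email) {
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}subscribers WHERE email = '{$email}'");
}
// Fixed: the value goes through $wpdb->prepare(); %s is quoted and escaped by WordPress,
// so the placeholder itself must not be wrapped in quotes.
function hardened_lookup(wpdb $wpdb, string $email) {
    return $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}subscribers WHERE email = %s", $email)
    );
}

// Cross-site scripting: untrusted text echoed into HTML unescaped.
function vulnerable_greeting(string $name): string {
    return "<p>Hello, {$name}</p>";
}
// Fixed: escape at the point of output with esc_html() (escape output, sanitize input).
function hardened_greeting(string $name): string {
    return '<p>Hello, ' . esc_html($name) . '</p>';
}

// Constructed payloads run through both forms of each function.
function demo(): array {
    $db = new wpdb();
    $sql_payload  = "nobody@example.com' OR '1'='1";
    $html_payload = '<script>alert(document.cookie)</script>';
    return [
        'vulnerable_sql'  => vulnerable_lookup($db, $sql_payload),
        'hardened_sql'    => hardened_lookup($db, $sql_payload),
        'vulnerable_html' => vulnerable_greeting($html_payload),
        'hardened_html'   => hardened_greeting($html_payload),
    ];
}

foreach (demo() as $label => $result) {
    echo str_pad($label, 16), $result, PHP_EOL;
}
```

Running it with `php check_patterns.php` prints the four results side by side: the unprepared query ends in `... OR '1'='1'` and matches every row, while the prepared one carries the whole payload as a single escaped string literal; the unescaped greeting embeds a live `<script>` tag, the escaped one renders it as text.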
What Else WordPress is Doing
The Plugin Check Plugin is part of a larger security push. All plugin and theme authors must now use two-factor authentication on their WordPress.org accounts. This makes it much harder for attackers to take over a developer account and push a malicious update through it.
WordPress can now also automatically push critical security patches to vulnerable sites, even if the site owner has updates disabled. This only happens for severe vulnerabilities being actively exploited.
What This Means for Agencies

The Plugin Check Plugin helps reduce risk, but it doesn’t eliminate it. Anna, Head of Maintenance Team at White Label Agency, sees this as a step forward that still requires careful attention from agencies.
“The tool only screens new submissions and updates,” Anna explains. “Plugins already in the directory weren’t retroactively scanned.” This means you can’t assume existing plugins on client sites are safe just because they’re in the official directory.
She recommends starting with an audit of your existing plugins: review what’s installed on client sites and remove anything outdated or abandoned. “If a plugin hasn’t been updated for years, that’s a red flag,” she says. “It usually means the developer has moved on.”
At WLA, we always try to check the maintenance status before installing any new plugin. We look at the last update date and how actively the developer responds to support requests. These signals tell us whether someone will be there to fix problems if they arise.
Anna also suggests limiting plugin count wherever possible. “Every plugin is a potential vulnerability. Most sites don’t need 30+ plugins.” She recommends focusing on essential functionality and avoiding installing plugins for features you could handle with a few lines of code.
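One way to turn that audit into a repeatable check, as an added example that is not WLA's tooling or WordPress.org code: the script takes plugin slugs, looks each up on the WordPress.org plugin-information API (the endpoint and the `last_updated`, `tested` and `version` field names are assumptions about that API), and flags anything that has not been updated within a chosen window, declares a "tested up to" version behind the core version you run, or is not in the directory at all (premium, custom, or removed). The sample responses, slugs and dates are constructed so it runs offline; drop the samples to query live.

```php
<?php
// Added example for the audit described above; not WLA's tooling or WordPress.org code.
// Assumptions: the public plugin-information endpoint at api.wordpress.org and its
// `last_updated` / `tested` / `version` fields. The sample responses below are constructed.

const STALE_AFTER_DAYS = 730;   // flag anything without an update for two years (a chosen threshold)
const CURRENT_WP = '6.7';       // the WordPress version you run; adjust to your sites

// Live lookup, used only for slugs without a sample. Returns null on any failure,
// including the error object the API returns for unknown slugs.
function fetch_plugin_info(string $slug): ?array {
    $url = 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]='
         . rawurlencode($slug);
    $body = @file_get_contents($url);
    $data = $body === false ? null : json_decode($body, true);
    return is_array($data) && isset($data['last_updated']) ? $data : null;
}

// Decide whether one plugin is a maintenance risk. $now is a Unix timestamp
// so the decision is reproducible.
function assess_plugin(string $slug, ?array $info, int $now): array {
    if ($info === null) {
        // Not on WordPress.org: premium, custom, or removed from the directory
        // (removal itself is worth a look, since it often follows an unpatched report).
        return ['slug' => $slug, 'status' => 'unknown',
                'reasons' => ['not found in the WordPress.org directory']];
    }
    $reasons = [];
    $updated = strtotime($info['last_updated']);
    if ($updated === false) {
        $reasons[] = 'unparseable last_updated value';
    } else {
        $ageDays = intdiv($now - $updated, 86400);
        if ($ageDays > STALE_AFTER_DAYS) {
            $reasons[] = "last update {$ageDays} days ago";
        }
    }
    // "Tested up to" far behind the running core version is the other common abandonment signal.
    $tested = (string)($info['tested'] ?? '');
    if ($tested === '') {
        $reasons[] = 'no tested-up-to version declared';
    } elseif (version_compare($tested, CURRENT_WP, '<')) {
        $reasons[] = "tested up to {$tested}, running " . CURRENT_WP;
    }
    return ['slug' => $slug, 'status' => $reasons ? 'review' : 'ok', 'reasons' => $reasons];
}

// Run the assessment over a list of slugs; $samples lets the script run offline.
function audit(array $slugs, int $now, array $samples = []): array {
    $report = [];
    foreach ($slugs as $slug) {
        $info = array_key_exists($slug, $samples) ? $samples[$slug] : fetch_plugin_info($slug);
        $report[] = assess_plugin($slug, $info, $now);
    }
    return $report;
}

// Constructed sample responses standing in for the API (fictional slugs and dates).
$samples = [
    'example-forms'  => ['version' => '3.4.1', 'last_updated' => '2025-02-18 4:20pm GMT', 'tested' => '6.7'],
    'legacy-gallery' => ['version' => '1.2.0', 'last_updated' => '2019-06-01 9:00am GMT', 'tested' => '5.2'],
    'vanished-seo'   => null,   // stands in for a slug the API does not know
];

$now = strtotime('2025-06-01 00:00:00 UTC');
foreach (audit(array_keys($samples), $now, $samples) as $row) {
    printf("%-16s %-8s %s\n", $row['slug'], $row['status'], implode('; ', $row['reasons']));
}
```

With the constructed samples, `example-forms` comes out `ok`, `legacy-gallery` is marked `review` for both a six-year-old update and a "tested up to" of 5.2, and `vanished-seo` is `unknown`. Feed it the slugs from `wp plugin list` on each client site and review everything that is not `ok`.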
The Reality of Plugin Security: Wrap Up
WordPress plugins will always carry some risk. The platform’s openness is both its strength and weakness.
Consider that the directory holds over 60,000 plugins, built by thousands of developers with varying skill levels. Some are maintained by professional teams; others are side projects that get abandoned.
The Plugin Check Plugin makes the directory safer by catching obvious problems before publication. But your security strategy can’t rely entirely on WordPress.org’s screening. You still need to be careful about what you install, keep things updated, and regularly audit what’s running on your sites.
Need WordPress Maintenance and Security Support?
At WLA, we work with 600+ agencies, providing white-label WordPress services, including ongoing maintenance, security monitoring, and plugin management. We act as your invisible back office, taking care of the technical side of website work. Learn more about our WordPress maintenance services or schedule a call with our sales team today.