high risk

How to Fix Outdated and Vulnerable WordPress Plugins

Outdated plugins are the number-one way WordPress sites get hacked. A single vulnerable plugin can expose the whole site to XSS, SQLi, or remote code execution. Keeping them current — and dropping the ones nobody maintains — closes most of your attack surface.

  1. 1

    Update every plugin, theme, and core

    Apply all available updates. Enable automatic updates for plugins you trust, and check the site after major updates.

  2. 2

    Remove abandoned plugins

    A plugin that hasn't been updated in 1–2 years (or was removed from the directory) will never get security fixes. Find a maintained alternative and delete it.

  3. 3

    Check plugins against known vulnerabilities

    Before trusting a plugin, look up its security history. Our vulnerability database tracks known issues for thousands of plugins and themes.

  4. 4

    Scan regularly

    New vulnerabilities are disclosed weekly. Run an external scan after every update so you catch newly-vulnerable versions fast.

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides