A plugin is listed here if it has not received a code update in 12 or more months. This is the point at which security researchers consider a plugin at elevated risk — enough time for unpatched vulnerabilities to be discovered and exploited.
Free Tool · Updated 1st of Every Month · Data from WordPress.org + Wordfence
WordPress Plugins
No One Is Maintaining Anymore
No update in 12+ months. Known security vulnerabilities. Active install counts. If your site runs any of these, it's a target.
90
Unmaintained plugins
47
Have active vulnerabilities
6
Critical risk
15
High risk
4.2M+
Sites exposed
Updated 2026-06-14 · Refreshes automatically on the 1st of every month
Why does an unmaintained plugin put your site at risk?
WordPress plugins are code running on your server. When a developer stops releasing updates:
- Security vulnerabilities are discovered but never patched
- The plugin falls out of compatibility with newer versions of WordPress and PHP
- Hackers specifically target abandoned plugins because they know fixes won't come
The plugins in this directory haven't received an update in over 12 months. Many have known, publicly documented security vulnerabilities — meaning exploit code already exists.
If your site runs any of these, the risk is real and the fix is straightforward: remove or replace the plugin.
Browse the directory
Showing 90 of 90 plugins
| Plugin | Risk Level | Last Update | Sites Running It | View Plugin |
|---|---|---|---|---|
Limit Login Attempts limit-login-attempts | CRITICAL (4) | 2023-04-04 | 300K+ | WP.org ↗ |
Search & Replace search-and-replace | CRITICAL (3) | 2024-08-26 | 100K+ | WP.org ↗ |
YARPP – Yet Another Related Posts Plugin yet-another-related-posts-plugin | CRITICAL (10) | 2024-11-11 | 100K+ | WP.org ↗ |
OptionTree option-tree | CRITICAL (5) | 2019-05-19 | 50K+ | WP.org ↗ |
WP-Polls wp-polls | CRITICAL (9) | 2025-01-18 | 40K+ | WP.org ↗ |
Temporary Login temporary-login | CRITICAL (1) | 2024-11-26 | 40K+ | WP.org ↗ |
String locator string-locator | HIGH (4) | 2025-01-15 | 100K+ | WP.org ↗ |
CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress advanced-nocaptcha-recaptcha | HIGH (7) | 2025-06-11 | 100K+ | WP.org ↗ |
Custom Product Tabs for WooCommerce yikes-inc-easy-custom-woocommerce-product-tabs | HIGH (3) | 2025-04-12 | 80K+ | WP.org ↗ |
Facebook Chat Plugin – Live Chat Plugin for WordPress facebook-messenger-customer-chat | HIGH (6) | 2022-07-05 | 80K+ | WP.org ↗ |
Duplicate Page and Post duplicate-wp-page-post | HIGH (6) | 2024-09-23 | 80K+ | WP.org ↗ |
WP fail2ban – Advanced Security wp-fail2ban | HIGH (8) | 2025-04-29 | 60K+ | WP.org ↗ |
Web Stories web-stories | HIGH (3) | 2025-05-15 | 60K+ | WP.org ↗ |
Simple Sitemap – Create a Responsive HTML Sitemap simple-sitemap | HIGH (8) | 2025-05-20 | 60K+ | WP.org ↗ |
Add From Server add-from-server | HIGH (4) | 2020-12-11 | 60K+ | WP.org ↗ |
WP-DBManager wp-dbmanager | HIGH (7) | 2024-11-24 | 60K+ | WP.org ↗ |
Blogger Importer blogger-importer | HIGH (1) | 2024-10-21 | 60K+ | WP.org ↗ |
CMS Tree Page View cms-tree-page-view | HIGH (8) | 2024-04-12 | 50K+ | WP.org ↗ |
WP Extra File Types wp-extra-file-types | HIGH (1) | 2023-10-28 | 40K+ | WP.org ↗ |
User Profile Picture metronet-profile-picture | HIGH (4) | 2024-07-18 | 40K+ | WP.org ↗ |
Cornerstone cornerstone | HIGH (4) | 2024-07-16 | 30K+ | WP.org ↗ |
Template Kit – Import template-kit-import | MEDIUM (1) | 2024-08-01 | 400K+ | WP.org ↗ |
Health Check & Troubleshooting health-check | MEDIUM (11) | 2024-07-25 | 300K+ | WP.org ↗ |
WP Sitemap Page wp-sitemap-page | MEDIUM (1) | 2025-04-15 | 200K+ | WP.org ↗ |
Table of Contents Plus table-of-contents-plus | MEDIUM (7) | 2024-11-21 | 200K+ | WP.org ↗ |
PHP Compatibility Checker php-compatibility-checker | MEDIUM (1) | 2023-12-14 | 200K+ | WP.org ↗ |
WooSidebars woosidebars | MEDIUM (1) | 2024-04-03 | 100K+ | WP.org ↗ |
WP Downgrade | Specific Core Version wp-downgrade | MEDIUM (1) | 2023-05-08 | 100K+ | WP.org ↗ |
LuckyWP Table of Contents luckywp-table-of-contents | MEDIUM (6) | 2025-04-16 | 100K+ | WP.org ↗ |
BackUpWordPress backupwordpress | MEDIUM (4) | 2024-04-24 | 90K+ | WP.org ↗ |
Hotjar hotjar | MEDIUM (1) | 2023-10-25 | 70K+ | WP.org ↗ |
Async JavaScript async-javascript | MEDIUM (7) | 2023-06-22 | 70K+ | WP.org ↗ |
WP Show Posts wp-show-posts | MEDIUM (4) | 2024-04-16 | 70K+ | WP.org ↗ |
Better Font Awesome better-font-awesome | MEDIUM (3) | 2025-02-12 | 70K+ | WP.org ↗ |
Enhanced Media Library enhanced-media-library | MEDIUM (1) | 2024-07-15 | 60K+ | WP.org ↗ |
Dynamic Conditions dynamicconditions | MEDIUM (1) | 2025-02-11 | 60K+ | WP.org ↗ |
A2 Optimized WP – Turbocharge and secure your WordPress site a2-optimized-wp | MEDIUM (1) | 2025-02-10 | 60K+ | WP.org ↗ |
All In One Favicon all-in-one-favicon | MEDIUM (2) | 2023-08-08 | 60K+ | WP.org ↗ |
Sydney Toolbox sydney-toolbox | MEDIUM (5) | 2024-12-17 | 50K+ | WP.org ↗ |
If Menu – Visibility control for Menus if-menu | MEDIUM (2) | 2024-12-05 | 50K+ | WP.org ↗ |
Image Hover Effects – Elementor Addon image-hover-effects-addon-for-elementor | MEDIUM (6) | 2024-07-12 | 40K+ | WP.org ↗ |
WP Edit wp-edit | MEDIUM (1) | 2018-10-15 | 40K+ | WP.org ↗ |
underConstruction underconstruction | MEDIUM (5) | 2024-03-08 | 40K+ | WP.org ↗ |
FancyBox for WordPress fancybox-for-wordpress | MEDIUM (4) | 2025-05-07 | 30K+ | WP.org ↗ |
Enhanced Text Widget enhanced-text-widget | MEDIUM (7) | 2024-07-17 | 30K+ | WP.org ↗ |
DethemeKit for Elementor dethemekit-for-elementor | MEDIUM (14) | 2025-03-13 | 30K+ | WP.org ↗ |
Adapta RGPD adapta-rgpd | No vuln (3) | 2025-06-17 | 40K+ | WP.org ↗ |
WP-PageNavi wp-pagenavi | No vuln | 2024-12-19 | 500K+ | WP.org ↗ |
AMP amp | No vuln | 2025-04-10 | 400K+ | WP.org ↗ |
WooCommerce Legacy REST API woocommerce-legacy-rest-api | No vuln | 2025-01-23 | 400K+ | WP.org ↗ |
Child Theme Configurator child-theme-configurator | No vuln | 2025-06-10 | 300K+ | WP.org ↗ |
Really Simple CAPTCHA really-simple-captcha | No vuln | 2025-02-01 | 300K+ | WP.org ↗ |
Layout Grid Block layout-grid | No vuln | 2023-07-11 | 200K+ | WP.org ↗ |
Easy Google Fonts easy-google-fonts | No vuln | 2021-07-23 | 100K+ | WP.org ↗ |
Simple Custom CSS Plugin simple-custom-css | No vuln | 2025-03-11 | 100K+ | WP.org ↗ |
Edit Author Slug edit-author-slug | No vuln | 2025-05-27 | 100K+ | WP.org ↗ |
AddQuicktag addquicktag | No vuln | 2021-05-20 | 100K+ | WP.org ↗ |
Local Google Fonts local-google-fonts | No vuln | 2025-05-01 | 100K+ | WP.org ↗ |
Disable REST API disable-json-api | No vuln | 2023-09-14 | 90K+ | WP.org ↗ |
Widget CSS Classes widget-css-classes | No vuln | 2024-11-12 | 90K+ | WP.org ↗ |
Invisible reCaptcha for WordPress invisible-recaptcha | No vuln | 2020-04-07 | 80K+ | WP.org ↗ |
Fixed Widget and Sticky Elements for WordPress q2w3-fixed-widget | No vuln | 2023-03-30 | 80K+ | WP.org ↗ |
PHP Code Widget php-code-widget | No vuln | 2022-03-30 | 80K+ | WP.org ↗ |
Display Posts – Easy lists, grids, navigation, and more display-posts-shortcode | No vuln | 2024-10-14 | 80K+ | WP.org ↗ |
Heartbeat Control heartbeat-control | No vuln | 2023-08-31 | 80K+ | WP.org ↗ |
Advanced Excerpt advanced-excerpt | No vuln | 2024-01-19 | 80K+ | WP.org ↗ |
Title Remover title-remover | No vuln | 2021-06-03 | 70K+ | WP.org ↗ |
Brazilian Market on WooCommerce woocommerce-extra-checkout-fields-for-brazil | No vuln | 2024-02-17 | 70K+ | WP.org ↗ |
Easy Theme and Plugin Upgrades easy-theme-and-plugin-upgrades | No vuln | 2022-04-20 | 70K+ | WP.org ↗ |
Column Shortcodes column-shortcodes | No vuln | 2022-10-11 | 60K+ | WP.org ↗ |
HTML Editor Syntax Highlighter html-editor-syntax-highlighter | No vuln | 2024-03-16 | 50K+ | WP.org ↗ |
ActiveCampaign Postmark for WordPress postmark-approved-wordpress-plugin | No vuln | 2024-11-18 | 50K+ | WP.org ↗ |
Easy SSL Plugin for SAKURA Rental Server sakura-rs-wp-ssl | No vuln | 2019-11-25 | 50K+ | WP.org ↗ |
Categories to Tags Converter wpcat2tag-importer | No vuln | 2024-10-21 | 50K+ | WP.org ↗ |
Contact Form 7 add confirm contact-form-7-add-confirm | No vuln | 2018-02-27 | 50K+ | WP.org ↗ |
Portfolio Post Type portfolio-post-type | No vuln | 2020-08-29 | 50K+ | WP.org ↗ |
Clear Cache for Me clear-cache-for-widgets | No vuln | 2025-06-09 | 40K+ | WP.org ↗ |
Revision Control revision-control | No vuln | 2018-04-01 | 40K+ | WP.org ↗ |
Hide Page And Post Title hide-page-and-post-title | No vuln | 2024-09-23 | 40K+ | WP.org ↗ |
Increase Maximum Upload File Size upload-max-file-size | No vuln | 2023-08-14 | 40K+ | WP.org ↗ |
Login Logo login-logo | No vuln | 2024-09-11 | 40K+ | WP.org ↗ |
Disable Google Fonts disable-google-fonts | No vuln | 2019-02-24 | 40K+ | WP.org ↗ |
Really Simple CSV Importer really-simple-csv-importer | No vuln | 2017-11-28 | 40K+ | WP.org ↗ |
Schema schema | No vuln | 2025-06-14 | 40K+ | WP.org ↗ |
Disable Search disable-search | No vuln | 2025-04-14 | 40K+ | WP.org ↗ |
Export Media Library export-media-library | No vuln | 2023-04-05 | 30K+ | WP.org ↗ |
Hide Title hide-title | No vuln | 2019-05-22 | 30K+ | WP.org ↗ |
reCAPTCHA for MW WP Form recaptcha-for-mw-wp-form | No vuln | 2024-05-09 | 30K+ | WP.org ↗ |
Display PHP Version display-php-version | No vuln | 2023-05-16 | 30K+ | WP.org ↗ |
Elementor Beta (Developer Edition) elementor-beta | No vuln | 2025-03-04 | 30K+ | WP.org ↗ |
Frequently Asked Questions
According to Vimsy's Plugin Graveyard (updated June 2026), 90 WordPress plugins with 1,000+ active installations have not received a security or maintenance update in over 12 months. Of these, 47 have at least one known vulnerability documented in the Wordfence Intelligence database, affecting an estimated 4.2 million WordPress installations. Vulnerability severity is measured using the CVSS standard: 6 plugins carry critical-severity ratings, 15 carry high-severity ratings.
No. Unmaintained does not mean immediately compromised. It means the risk is elevated and growing. A plugin with no known vulnerabilities but no recent updates is a lower-risk concern than one with a documented CVE. This directory shows both, clearly labelled.
Deactivate and delete the plugin immediately if there's a known vulnerability. If there's no documented vulnerability but the plugin is abandoned, assess whether you still need it — if so, find a maintained alternative. If you're not sure, a WordPress site audit will tell you exactly what to do.
Vulnerability information comes from Wordfence Intelligence, one of the most comprehensive WordPress security databases. Install counts and plugin metadata come from the WordPress.org API. Data refreshes automatically on the 1st of each month.
"Working" and "safe" are different things. A plugin can function correctly while containing a security vulnerability that allows an attacker to access your site. Hackers don't break your site — they quietly use it.
If you believe a plugin has been incorrectly listed (e.g. it received an update not yet reflected in the data), email [email protected]. Data refreshes monthly but we'll review urgent corrections manually.
Know the moment new risks are added
Sent on the 1st of each month. Unsubscribe anytime.
Your site could be running one of these right now and you wouldn't know.
Vimsy audits your WordPress installation, flags every unmaintained or vulnerable plugin, and handles the cleanup. Monthly, automatically.