What is the Abandoned Plugin Scanner and how does it work?
Running your site using WordPress plugins that have been abandoned is an unnecessary risk.
To learn what abandoned plugins are and the problems they can cause for you, read this blog article here.
What is the Abandoned Plugin Scanner?
The Abandoned Plugin Scanner is part of the Scans & Integrity Zone. It detects abandoned plugins and alerts you to their presence.
When the scanner is enabled, it'll monitor your site for plugins that have been abandoned by their authors and are no longer maintained.
This means that for at least 2 years:
- there have been no bug fixes
- there has been no adjustment to the code to account for changes in the WordPress core
- there have been no code enhancements
- if vulnerabilities were discovered, then they haven’t been patched
Note: Many paid plugins for WordPress that are neither listed on nor purchased through WordPress.org can only be updated by signing in to the author's site. Although they are often kept current for many years, you only learn about updates by checking the site they were purchased from.
For this reason, the Abandoned Plugin Scanner only works with WordPress.org plugins, as we can't automatically determine the last update time for premium plugins.
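The 2-year rule and the premium-plugin exception described above can be sketched as follows. This is an added example, not Shield's own code: the plugin slugs and dates are constructed, and the `last_updated` field and its timestamp format are assumed to match what the WordPress.org plugin information API returns.

```python
import re
from datetime import datetime, timezone

ABANDONED_AFTER_DAYS = 2 * 365  # the "at least 2 years" threshold from the text

# Constructed sample: installed slug -> record shaped like a WordPress.org
# plugin-information response (only "last_updated" is used here).
# None stands for a premium plugin that WordPress.org has no record of.
SAMPLE_INSTALLED = {
    "example-bookmark-button": {"last_updated": "2012-03-04 9:15am GMT"},
    "example-maintained-plugin": {"last_updated": "2024-05-20 5:21pm GMT"},
    "example-premium-plugin": None,
}

_STAMP = re.compile(r"(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2})(am|pm) GMT")


def parse_last_updated(value):
    """Parse a timestamp such as '2024-05-20 5:21pm GMT' into aware UTC."""
    m = _STAMP.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"unrecognised last_updated value: {value!r}")
    year, month, day, hour, minute = (int(g) for g in m.groups()[:5])
    hour = hour % 12 + (12 if m.group(6) == "pm" else 0)  # 12am -> 0, 12pm -> 12
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def classify(installed, now):
    """Return {slug: (status, age_in_days)}; age is None when unknown."""
    report = {}
    for slug, info in installed.items():
        if not info or not info.get("last_updated"):
            # No update date available: cannot be judged, so never "abandoned".
            report[slug] = ("unknown", None)
            continue
        age = (now - parse_last_updated(info["last_updated"])).days
        status = "abandoned" if age >= ABANDONED_AFTER_DAYS else "maintained"
        report[slug] = (status, age)
    return report


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for slug, (status, age) in classify(SAMPLE_INSTALLED, fixed_now).items():
        print(f"{slug}: {status} (days since last update: {age})")
```

Plugins reported as "unknown" still need a manual check on the vendor's site, since no update date is available for them.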
How does the Abandoned Plugin Scanner work?
To better explain how this scanner works, we'll use an example.
Let's say you enabled the scanner and you have the following abandoned plugin installed on your site:
All-in-one Bookmarking Button v1.1
If you go to the Scans section > Scan Results > Plugins, you'll see a notice that the scanner has automatically detected this plugin, along with all the details about it.
After reviewing the plugin details, you can choose to ignore the notice, so Shield won't tell you about it again.
Or you can take the opportunity to get proactive. You can either replace the plugin if you need the functionality, or remove it altogether.
We also highly recommend reading A Complete Guide To The Shield Security Scans here.