WP HealthKit
Live data · updated hourly

WordPress Plugin Security Trends

What's broken in WordPress.org plugins right now, by the numbers. Aggregate findings from 0 independent audits across the latest audit window.

Headline figures

- Share of plugins that ship with at least one CRITICAL finding (first-pass audit, no remediation applied)
- Share of plugins that ship with at least one HIGH-severity issue (includes XSS, missing nonces, capability gaps)
- Share of plugins that contain hardcoded secrets or API keys (tokens, passwords, or credentials in source)
- Share of plugins that bundle dependencies with known CVEs (Composer / npm vulnerabilities at audit time)

Most common finding categories

% of audited plugins that ship with at least one finding in each category. Multiple categories can apply to the same plugin.

Category | Prevalence

Methodology

Statistics are computed from the last 2,000 public, completed plugin audits run by WP HealthKit. Each audit runs a multi-engine pipeline including deterministic scanners (Wordfence CVE database, OSV, PHPCS, PHPStan, Semgrep, Psalm, hardcoded-secret detection across 22 patterns) and AI-powered analysis for security, code quality, and accessibility.

“Prevalence” measures the percentage of plugins that contain at least one finding in a given category. A single plugin can contribute to multiple category counts but contributes at most once per category, so the percentages don't sum to 100.

Cached at 1-hour granularity. Re-audits are deduplicated by plugin slug (we count each plugin's most recent audit, not historical re-audits).
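The counting rules above (only completed audits, one audit per plugin slug with re-audits replaced by the most recent one, and a plugin counted at most once per category) are simple to get wrong when aggregating scanner output. The following is an added example, not WP HealthKit's own code, showing one way to implement them over a small set of constructed audit records; the record field names (`slug`, `status`, `completed_at`, `findings`, `category`, `severity`) are assumptions made for this illustration.

```python
from collections import Counter

# Constructed sample audit records for illustration only; not WP HealthKit data.
# Field names are assumptions for this example.
SAMPLE_AUDITS = [
    {"slug": "alpha-forms", "status": "completed", "completed_at": "2024-05-01T10:00:00Z",
     "findings": [{"category": "xss", "severity": "HIGH"},
                  {"category": "missing-nonce", "severity": "HIGH"}]},
    # Re-audit of the same plugin: only this newer record should be counted,
    # so the earlier "missing-nonce" finding no longer contributes.
    {"slug": "alpha-forms", "status": "completed", "completed_at": "2024-06-01T10:00:00Z",
     "findings": [{"category": "xss", "severity": "HIGH"},
                  {"category": "xss", "severity": "MEDIUM"}]},
    {"slug": "beta-gallery", "status": "completed", "completed_at": "2024-06-02T08:30:00Z",
     "findings": [{"category": "hardcoded-secret", "severity": "CRITICAL"},
                  {"category": "vulnerable-dependency", "severity": "HIGH"}]},
    {"slug": "gamma-seo", "status": "completed", "completed_at": "2024-06-03T12:00:00Z",
     "findings": []},
    # Still running: excluded, because only completed audits enter the statistics.
    {"slug": "delta-cache", "status": "running", "completed_at": None,
     "findings": [{"category": "xss", "severity": "CRITICAL"}]},
]


def latest_completed_per_slug(audits):
    """Return {slug: audit} keeping only each plugin's most recent completed audit."""
    latest = {}
    for audit in audits:
        if audit["status"] != "completed":
            continue
        slug = audit["slug"]
        # ISO-8601 UTC timestamps of equal layout compare correctly as strings.
        if slug not in latest or audit["completed_at"] > latest[slug]["completed_at"]:
            latest[slug] = audit
    return latest


def category_prevalence(audits):
    """Percent of plugins with at least one finding in each category.

    A plugin contributes at most once per category (the set() below collapses
    repeated findings), but may contribute to several categories, so the
    percentages are not expected to sum to 100.
    """
    population = latest_completed_per_slug(audits)
    if not population:
        return {}
    hits = Counter()
    for audit in population.values():
        for category in {f["category"] for f in audit["findings"]}:
            hits[category] += 1
    return {cat: round(100 * n / len(population), 1) for cat, n in sorted(hits.items())}


def severity_rate(audits, severity):
    """Percent of plugins whose latest audit has at least one finding of the given severity."""
    population = latest_completed_per_slug(audits)
    if not population:
        return 0.0
    affected = sum(
        1 for audit in population.values()
        if any(f["severity"] == severity for f in audit["findings"])
    )
    return round(100 * affected / len(population), 1)


if __name__ == "__main__":
    print("plugins counted:", len(latest_completed_per_slug(SAMPLE_AUDITS)))
    print("prevalence by category:", category_prevalence(SAMPLE_AUDITS))
    for level in ("CRITICAL", "HIGH"):
        print(f"at least one {level} finding:", severity_rate(SAMPLE_AUDITS, level), "%")
```

With the sample records, three plugins remain after deduplication; the stale "missing-nonce" finding from alpha-forms' first audit disappears, and the still-running delta-cache audit is ignored even though it carries a CRITICAL finding. Using the most recent audit rather than a union of all historical audits is what keeps the figures an estimate of what currently ships, not of what was ever found.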

Want to cite this data? Link to wphealthkit.com/stats/trends. Released under CC-BY 4.0 — attribution requested but not enforced. Email [email protected] if you need raw figures or want to discuss methodology.

Want to know where your plugin sits in these numbers?

Free audit — no signup required to see your overall score and headline findings.

Run a free audit