Evaluating a WordPress plugin with AI before you install it

TL;DR

  • Pressable’s WordPress plugin-evaluation guide names 100,000 active installs as a reliability marker — and most plugins in the directory miss it by an order of magnitude.
  • Every WordPress plugin has a public record (readme.txt, 12-month changelog, support forum, recent 1-star and 2-star reviews). The work is reading all four for every candidate before you commit.
  • Hand the four sources to an AI chat with one specific prompt asking for three lines back: maintenance status, top three risk patterns, verdict (install / avoid / staging-only). The three-line constraint is what makes the verdict readable.
  • Three traps catch beginners: trusting the lifetime star average instead of the recent 1- and 2-star pile, skipping the developer-reputation check, and confusing popular with maintained.
  • Six minutes of pre-install reading replaces six hours of post-install firefighting — pick the one you would rather spend.

Pressable runs WordPress sites for a living, and their plugin-evaluation guide names 100,000 active installations as a reliability marker. Most plugins in the WordPress directory miss that mark by an order of magnitude.

That single number explains why plugin selection feels paralyzing. You search for a contact form. You get forty results. Six of them might be safe. The other thirty-four are old or thin or unsupported, and you cannot tell which is which without opening every page.

The rational move is to read the readme, the changelog, and the recent reviews of every candidate. Nobody has time for that. So you guess.

This post is about handing the reading job to an AI chat instead. The verdict still belongs to you. The forty pages of homework do not.

Why does plugin selection still feel like a coin flip?

A small-business owner I worked with last year had a contact form that stopped sending email. She had bought the plugin from a "best plugins" listicle. The listicle was three years old.

She tried to debug it for a weekend and gave up. When she sent me the wp-admin login, I checked one thing first. The plugin’s last update on the WordPress directory was forty-two months ago.

That was the entire diagnosis. Forty-two months without an update means forty-two months of WordPress core releases the plugin was never tested against. The plugin did not break. WordPress moved.

She replaced it with a maintained alternative in twenty minutes. The lesson cost her a weekend and a few embarrassing customer emails. The pre-install check would have cost her six minutes.

What was missing? Not technical knowledge. She is smart, runs her own business, taught herself half the wp-admin she uses every day. She just did not know which signals matter and which are noise.

The number of stars looked like a signal. The date of the last update did not. A pre-install check that flags abandoned plugins is the cheapest insurance you can buy. The AI chat just makes that check fast enough that you actually do it.

What is AI actually checking for you?

Think of the workflow as a reference check. When you hire someone for a job, you do not interview their friends. You call the previous employer. You read the public record.

A WordPress plugin has its own public record. The readme.txt file sits inside the plugin’s source code and lists the supported WordPress versions, the changelog, the developer’s contact, and the upgrade notes. The Reviews tab on the WordPress directory shows what is breaking for users right now. The support forum shows whether questions get answered, and how fast. The Changelog tab shows what the developer has shipped, in their own words.

Read those four sources for any plugin and you can tell, in a few minutes, whether it is alive. The hard part is not the reading. It is doing the reading for every candidate before you commit.

Every one of those four sources is plain text. AI chats read text quickly. So the trick is to hand the chat those four sources and ask for one specific verdict.

This is not a code review. The plugin’s PHP source still belongs to a human reviewer if the plugin is critical to your site. This check, WP-01, lives at the front door. The engine room comes later, in a different post. The AI plugin code review walkthrough covers that engine-room layer when a plugin is critical enough to read line by line.

How do you actually run the check?

The workflow is four steps. None of them require a developer.

Step 1. Open the plugin’s page on wordpress.org/plugins/<slug>. Click the Development tab and copy the readme.txt content. Click the Changelog tab and copy the last twelve months of entries. The xtnd.net security guide tightens that window. Their bar for a maintained plugin is a shipped change inside the past 90 days. The 12-month view tells you whether the developer ships at all.

Step 2. Click the Reviews tab. Sort by recent. Copy a handful of recent 1-star and 2-star reviews. Skip the 5-star wall. The 1- and 2-star pile is where the active failure modes show up.

Step 3. Open an AI chat. Paste a single prompt with the readme, the changelog, and the reviews attached:

You are evaluating a WordPress plugin before I install it.

Below is the plugin's readme.txt, its last 12-month changelog,
and a sample of its recent 1- and 2-star reviews.

Return a verdict in three lines:
1. Active maintenance: yes / no / unclear, with the date of the
   most recent shipped change.
2. Top three risk patterns from reviews, named as a phrase
   the reviewer used.
3. Verdict: install, avoid, or staging-only, with one reason.

Plugin: <name>
Readme: <paste>
Changelog: <paste>
Reviews: <paste>

The constraint of three lines is the point. A long answer hides the verdict.

Step 4. Read the three lines. If the verdict is "install," you can install. If the verdict is "staging-only," you set up a staging copy of your site first. If the verdict is "avoid," you go back to the directory and pick another candidate.

WordPress VIP, which hosts WordPress for Fortune 500 sites, does not pre-approve any third-party plugin. Their docs are explicit on it. Even enterprise hosts will not vouch for what you choose to install. A four-step AI check is the closest thing a small business will get to that vetting.

What can go wrong with this approach?

Three traps catch people the first time they try this.

Trap 1: trusting the star average. A 4.6-star average across a thousand reviews can hide thirty unresolved 1-star reports from the last quarter. The average is the lifetime story. The recent 1- and 2-star pile is the live one. The AI chat will read both if you ask. Do not stop at the average.

Trap 2: skipping the developer. A consistent release cadence across multiple plugins is the signal the xtnd.net security guide names. The plugin you are evaluating is one product. The developer is the company shipping it. Search the developer’s name on the WordPress directory. If they have one plugin, no other releases, and no clear online presence, treat that as a signal.

Trap 3: confusing popular with maintained. A plugin with 200,000 active installs and no update in two years is not safe. It is widely deployed and abandoned. The install count tells you the historical adoption story. The last-updated date tells you the current state. Both numbers matter. The chat tends to weight recency correctly when the prompt asks for the most recent shipped change.
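The four-step check above, together with Trap 1 and Trap 3, can be turned into a deterministic pre-check that runs before you even open the AI chat. The script below is an added example, not code from the post or from any of the guides it cites; the plugin listing is constructed, and the field names (last_updated, active_installs, ratings) are assumed to mirror the wordpress.org plugin-information API rather than copied from a live listing. It applies the post's own thresholds (100,000 installs, 90 days, 12 months, a thin review pile) and returns the same three lines the prompt asks for.

```python
import json
from datetime import datetime

# Thresholds from the post: Pressable's 100,000-install reliability marker,
# xtnd.net's 90-day bar for a shipped change, and the 12-month "ships at all" view.
RELIABLE_INSTALLS, MAINTAINED_DAYS, STALE_DAYS, THIN_REVIEWS = 100_000, 90, 365, 10

# Constructed sample listing (not a real plugin); the field names mirror what the
# wordpress.org plugin-information API returns, which is an assumption here.
SAMPLE_LISTING = json.loads("""{
  "name": "Example Contact Form (constructed)",
  "last_updated": "2022-04-11 9:12am GMT",
  "active_installs": 200000,
  "ratings": {"1": 28, "2": 11, "3": 40, "4": 150, "5": 805}
}""")


def days_since_update(listing, today):
    """Days since the last shipped change; the directory stamp starts with YYYY-MM-DD."""
    shipped = datetime.strptime(listing["last_updated"][:10], "%Y-%m-%d")
    return (datetime.strptime(today, "%Y-%m-%d") - shipped).days


def evaluate(listing, today):
    """Return the prompt's three lines: maintenance, up to three risks, verdict."""
    age = days_since_update(listing, today)
    maintenance = "yes" if age <= MAINTAINED_DAYS else "unclear" if age <= STALE_DAYS else "no"

    ratings = {int(stars): int(count) for stars, count in listing["ratings"].items()}
    total = sum(ratings.values()) or 1
    average = sum(stars * count for stars, count in ratings.items()) / total
    low_share = (ratings.get(1, 0) + ratings.get(2, 0)) / total  # the 1- and 2-star pile

    risks = []
    if listing["active_installs"] >= RELIABLE_INSTALLS and maintenance == "no":
        risks.append("widely deployed and abandoned")  # trap 3: popular is not maintained
    if average >= 4.0 and low_share >= 0.03:  # trap 1: the lifetime average hides the pile
        risks.append(f"{average:.1f} average hides {low_share:.0%} 1- and 2-star reviews")
    if total < THIN_REVIEWS:
        risks.append("thin review pile: weight last-update date and developer track record")
    if listing["active_installs"] < RELIABLE_INSTALLS:
        risks.append("below the 100,000-install reliability marker")

    if maintenance == "no":
        verdict = "avoid"
    elif maintenance == "unclear" or risks:
        verdict = "staging-only"
    else:
        verdict = "install"
    return maintenance, risks[:3], verdict
```

Run it as `evaluate(SAMPLE_LISTING, "2026-01-15")` with a constructed evaluation date; the sample listing is exactly the Trap 3 case, 200,000 installs and no update in years, and comes back "avoid".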

The honest disconfirming voice belongs to the manual reviewers. A 2026 plugin-evaluation guide by Tomas Quinonero reminds you that some signals are subjective. The tone of a developer’s support replies. The patterns across review wording. Reading the room. AI is fast. Humans still catch the things that need a person.

So the AI does the reading. You do the judging. That division is the whole point.

How do you turn the four-step check into a six-minute habit?

A pre-install check is two artifacts. The first is the prompt template above. Save it once and reuse it every time. The second is the habit of running the check before you click Install.

Pick one plugin on your stack you already suspect is risky. Open its readme, its changelog, its recent reviews. Run the four-step check. See what surfaces.

You will probably find one of three outcomes. The plugin clears, and you stop worrying about it. The plugin is borderline, and you set up a staging-mode test. Or the plugin is abandoned, and you swap it before it breaks something on a Friday afternoon. The plugin compatibility check workflow is what picks the swap candidate against your current stack.

Six minutes of pre-install reading beats six hours of post-install firefighting. The math is not subtle.

Why does six minutes of pre-install reading beat six hours of post-install firefighting?

Most plugin disasters are not surprises. The signals were sitting in the public record the whole time. Nobody had time to read forty pages of public record before clicking Install.

Now you do. The check is six minutes. The repair is six hours. Pick the one you would rather spend.

You do not need to be a developer to run this check. You just need an AI chat and the patience to read three lines of verdict before you commit.

Other questions worth answering

How does evaluation differ for a paid WordPress extension sold outside the official directory?

Premium extensions sold from a developer’s own site or from a marketplace like CodeCanyon skip the wordpress.org directory entirely. Open the developer’s documentation page, the changelog or release notes, and any reputable WordPress publication’s review of the plugin. Pressable’s 12-month no-update window applies regardless of the marketplace — anything past that threshold is a stand-alone warning.

What signals matter for a directory listing with fewer than ten reviews?

Three signals carry more weight when the review pile is thin:

  • the last-update date on the directory page,
  • whether the developer maintains a public GitHub repo with recent commits,
  • the developer’s track record across their other releases on wordpress.org.

Pressable’s 100,000-install reliability marker does not apply at this scale, so you lean harder on those maintenance signals.

When should you consult WPScan in addition to the readme and reviews?

Consult WPScan whenever the readme or the reviews mention a past security incident, or whenever the plugin touches user data, payments, or the wp-admin login. The xtnd.net 2026 security guide recommends searching the plugin name on WPScan to surface CVEs the developer may not have advertised on the changelog.

How often should the evaluation routine repeat for extensions already on your stack?

Two triggers, not a calendar.

The first trigger: WordPress’s three annual major core releases. WordPress ships these in roughly March, July, and November. Confirm the plugin was tested against the new core release.

The second trigger: the plugin pushes an update larger than a patch-version bump. The xtnd.net 2026 guide treats a 90-day no-update window as the security threshold for any plugin on your stack.

What changes when you evaluate a paid add-on compared to a free directory listing?

The number of sources you visit. Free directory plugins give you four in one place — readme, changelog, support forum, recent reviews. Paid extensions split those across the developer’s site and any marketplace listing.

The 2026 Pressable guide and the xtnd.net 2026 security guide assume directory pages. For paid extensions you replicate the four-step check across two or three URLs.

How should you read a plugin’s public record before installing?

Staring at a plugin search and feeling the freeze coming on? You can contact me here. Tell me which plugin you are looking at and what your stack looks like. I will walk through the public-record check with you, name what looks safe and what does not, and you decide. There is no pitch, no upsell, and the conversation is free.
