A plugin audit is a structured review of every plugin installed on a WordPress site to assess whether each plugin is necessary, actively maintained, free of known security vulnerabilities, and not duplicating functionality already provided by another plugin or the theme. The audit evaluates: last update date (plugins with no update in 12–24 months carry increasing risk as PHP and WordPress APIs evolve), active install count and support forum responsiveness (a signal of how quickly security patches will be issued), whether the plugin's function could be replaced by a small amount of custom code, and whether any two installed plugins duplicate each other's purpose (for example, two contact form plugins or two caching plugins). An audit typically results in removing 20–40% of plugins on poorly maintained sites — each removed plugin reduces the attack surface, eliminates a potential source of page weight, and simplifies future updates. A plugin audit is always a recommended step in a full WordPress audit.
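The criteria above can be applied mechanically to an inventory. The following is an added example (not part of the glossary entry) that scores a constructed list of plugin records for staleness, inactivity, low install count and duplicated purpose; the field names mirror what `wp plugin list --format=json` and the wordpress.org plugin-information API expose, the plugin slugs are invented, and the 12/24-month thresholds come from the entry while the 1,000-install floor is an assumption chosen for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical slugs, not real plugins). In practice
# the rows would be assembled from WP-CLI output plus the wordpress.org API.
PLUGINS = [
    {"slug": "formplugin-a", "status": "active", "last_updated": "2025-09-10",
     "active_installs": 500000, "tags": ["contact form"]},
    {"slug": "formplugin-b", "status": "inactive", "last_updated": "2022-02-01",
     "active_installs": 3000, "tags": ["contact form"]},
    {"slug": "cacher", "status": "active", "last_updated": "2023-05-20",
     "active_installs": 100000, "tags": ["cache"]},
    {"slug": "cacher-lite", "status": "active", "last_updated": "2025-11-02",
     "active_installs": 20000, "tags": ["cache", "minify"]},
    {"slug": "widget-x", "status": "active", "last_updated": "2025-10-01",
     "active_installs": 50, "tags": ["widget"]},
]

LOW_INSTALL_FLOOR = 1000  # assumption: below this, patch responsiveness is uncertain


def months_since(iso_date: str, today: date) -> int:
    """Whole months elapsed between an ISO date string and `today`."""
    y, m, d = (int(part) for part in iso_date.split("-"))
    return (today.year - y) * 12 + (today.month - m) - (1 if today.day < d else 0)


def audit(plugins: list, today: date) -> dict:
    """Return {slug: [finding, ...]} applying the audit criteria from the entry."""
    findings = {}
    by_tag = defaultdict(list)  # purpose tag -> slugs, to spot duplicated function
    for p in plugins:
        notes = []
        age = months_since(p["last_updated"], today)
        if age >= 24:
            notes.append(f"stale: no update in {age} months")
        elif age >= 12:
            notes.append(f"aging: no update in {age} months")
        if p["status"] != "active":
            # Inactive plugin code still sits on disk; it is a removal candidate.
            notes.append("inactive: remove rather than leave installed")
        if p["active_installs"] < LOW_INSTALL_FLOOR:
            notes.append("low install count: patch responsiveness uncertain")
        findings[p["slug"]] = notes
        for tag in p["tags"]:
            by_tag[tag].append(p["slug"])
    for tag, slugs in by_tag.items():
        if len(slugs) > 1:
            for s in slugs:
                others = ", ".join(x for x in slugs if x != s)
                findings[s].append(f"duplicate purpose ({tag}): also {others}")
    return findings
```

Running `audit(PLUGINS, date.today())` prints nothing by itself; iterate over the returned dictionary to produce the removal shortlist.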
Glossary entry