Skip to main content

Why plugins are removed from the WordPress Plugin repository

By July 4, 2019February 18th, 2020Austin, Security, WordPress

, Why plugins are removed from the WordPress Plugin repositoryIf you’re like us and you obsess about the security of your WordPress website. You have likely run into the scenario where one of your plugins has been removed from the WordPress repository.

Should you be concerned and what exactly does it mean when WordPress removes a plugin?

There are a number of reasons why a plugin might be removed from the repository, plugins can become old and outdated, plugins are longer being maintained, the author has asked for the plugin to be removed or WordPress has detected a security vulnerability in the plugin’s code. Whenever a security vulnerability is discovered, WordPress will remove the plugin until the vulnerability has been fixed. Unfortunately, WordPress does not provide notifications or explanations when a plugin has been removed. If you have a security plugin such as WordFence installed,  you should receive a security alert letting you know that the plugin is no longer available in the repository.

So now what? The first step is usually to determine why your plugin was removed.  A quick search on the WordPress support forum is usually all it takes.  If the plugin was removed at the author’s request, or if it hasn’t been updated in quite some time, it is likely been abandoned by the developer and you will need to find an alternate solution.  If the plugin was removed for a security vulnerability then, we recommend immediately deleting the plugin from your site and finding a replacement.  

Here is an example:  Yesterday, we received an email from a client who manages their own WordPress site.  They received a notification that a plugin they have been using, Postman SMTP,  was removed from the WordPress repository and they were not sure what to do.  A quick check on the WordPress support forum showed that Postman SMTP Mailer/Email Log is prone to a cross-site scripting vulnerability. The vulnerability was reported to WordPress over a month ago and the plugin has not been updated in over two years. It was removed from the WordPress repository yesterday and likely will not be put back anytime soon.  Our recommendation here was to find a replacement. We settled on the WP Mail SMTP Plugin by Mail Bank plugin which has all the features of Postman SMTP but with regular updates and good reviews.