plugin-icon

Upgrade Pilot

By Luke W·
Know when a plugin changes hands, gets abandoned, or is closed. Freeze its updates. And check your site survives the next WordPress and PHP upgrade.
Ratings
5
Version
1.0.9
Last updated
Jul 17, 2026
Upgrade Pilot

WordPress tells you when a plugin has an update. It never tells you who is behind that update.

Plugins get sold. Authors walk away. Maintainers are quietly added to a project. Occasionally a plugin is closed on WordPress.org for a security problem, and the copy on your site keeps running as if nothing happened. In every one of those cases WordPress shows you exactly what it showed you yesterday: nothing.

Upgrade Pilot watches the things WordPress does not.

Update trust: know who is behind your next update

Every day, Upgrade Pilot takes a snapshot of the public WordPress.org record of every plugin you have installed, and compares it to yesterday’s. It tells you when:

  • The author changes. A plugin that just changed hands is the single clearest signal to look before you leap. Ownership transfers are how a trusted plugin becomes an untrusted one, without a single line of visible change.
  • New contributors appear. Someone new now has commit access to code running on your site.
  • A plugin is closed or removed from WordPress.org, along with the reason given. Closed plugins receive no further updates, and if the closure was for a security issue you are running known-vulnerable code.

Plugins and themes that have simply gone quiet – nobody has updated them in longer than a threshold you set – are reported in the readiness report rather than emailed to you as an alert, because abandonment is a slow fact, not an event that happened this morning.

You can then freeze automatic updates for that one plugin, so a bad release cannot install itself overnight while you decide. The freeze is per plugin, opt in, and never touches WordPress core. Manual updates always remain available. It will not help you hide from a security fix.

Upgrade readiness: know the upgrade will not break the site

Before you move to a new PHP or WordPress version, Upgrade Pilot answers whether it is safe:

  • Server checks. Your PHP version against WordPress’s actual minimum and against the version you plan to move to. Your database version against the requirement of the update WordPress is really being offered, read live from WordPress itself rather than from a number hardcoded by us. Memory limit, extensions, HTTPS.
  • PHP security support. How long the PHP branch you are running still receives security fixes.
  • Every plugin and theme, cross-referenced against WordPress.org. Which ones declare a PHP requirement higher than your target, which have not been tested against recent WordPress releases, which have not been updated in years, and which have been closed.
  • A local scan of your plugins’ PHP code, flagging what modern PHP removed or deprecated, down to the file and line. It runs in small time-sliced batches, so it does not time out, and a file that has not changed since the last scan is not analysed again.

Findings that are honest about their own certainty

Deterministic results are labelled fact. Static-analysis results are labelled advisory, and never drive the verdict on their own, because version-guarded code and unreachable branches legitimately trigger them. Anything you have inspected and cleared can be suppressed permanently, and the suppression survives future scans.

Read only, always

Upgrade Pilot never updates, deactivates, installs, or rewrites anything. The one thing it can change is a per-plugin automatic-update hold, and only when you click the button yourself.

Also included

  • Site Health integration
  • Dashboard summary widget
  • Email alerts: immediate for critical events, a daily digest for warnings (informational events stay in the UI)
  • A weekly scheduled re-scan
  • WP-CLI: wp upgrade-pilot scan, status and report
  • Machine-readable export, ungated: wp upgrade-pilot scan --format=json and wp upgrade-pilot report --format=json
  • A REST endpoint for dashboards and fleet tooling: GET /wp-json/upgrade-pilot/v1/report, available to administrators (the manage_options capability; super admins on a network)

Works on multisite

On a WordPress network, Upgrade Pilot runs at network level, because that is where the truth is: a network shares one copy of each plugin’s files, so who wrote a plugin, whether it was closed, and whether its updates are held are facts about the whole network, not about one subsite. The free version installs network-wide, stores its data once, and is managed by a super admin from the Network Admin screens. Freezing a plugin’s automatic updates holds it across the network, because there is only one copy of the file to hold.

Upgrade Pilot Pro

Pro adds the things you need when the site belongs to someone else:

  • A branded, white-label client report (PDF/print) – your name, your colour, no product footer.
  • The readiness summary emailed to your client, on a schedule you choose, to as many addresses as you like – and you are told if it fails to send.
  • Slack and webhook alerts for update-trust events.
  • Automatic update-hold policies: hold a plugin’s automatic updates for a cooling-off period the moment it changes owner or gains a contributor.
  • Daily and twice-daily re-scans.
  • On a network, the Network Overview: every subsite’s readiness and update-trust status on one screen, and – the question you actually have when a plugin changes hands – exactly which of your sites are running it.
  • A private email channel with the developer.

Four things are free that people usually assume are paid, so they are worth saying plainly.

The machine-readable export is free. WP-CLI --format=json and the REST endpoint are part of the free version and are not gated, metered or licence-checked.

The digest email is free. The free version already emails you, the site administrator, immediately when a plugin is closed or flagged, and a daily digest of everything else. What Pro adds is sending the readiness summary to other people – your client – on a schedule you pick, and telling you when a send fails.

The weekly re-scan is free, and on by default. What Pro adds is running it daily or twice daily.

Multisite is free, in full. Upgrade Pilot installs network-wide, stores its data once, is managed by a super admin from the Network Admin screens, and a freeze holds across the whole network. What Pro adds on a network is the Network Overview screen described above – not multisite itself.

Freezing a plugin by hand is free too. What Pro adds is doing it automatically, on a policy.

Every paid tier includes every feature; tiers differ only by how many sites your licence covers. On a network, each subsite counts as one of those sites, and you activate the licence once from Network Admin to cover them all.

Pro is a separate download, not an in-place upgrade. When you buy or start a trial you download the Pro build and upload it like any other plugin; it installs alongside this free copy, and activating it switches the free copy off for you. Your settings, scan history and freeze list carry over untouched.

External services

Upgrade Pilot uses WordPress.org, always. It uses Freemius – who sell and license the paid version – only when you go looking for the paid version, and only in the four situations listed below.

1. WordPress.org Plugin and Theme API (api.wordpress.org) This is the plugin’s data source and is always used. What is sent: the public slug of a plugin or theme installed on your site. Nothing else. No site URL, no user data, no configuration. The requests identify themselves only as “UpgradePilot/” followed by the plugin version. When: when you run a readiness scan, and once daily as part of the update-trust snapshot that detects author changes, new contributors, closures, and abandonment. Why: to read the public directory record for that plugin (author, contributors, last updated, tested-up-to, required PHP, and whether it has been closed). Note: WordPress core already contacts this same API for its own update checks. How much: plugin lookups are batched – every plugin on the site is asked for in a single request, so a 40-plugin site makes one plugin request, not forty. The theme API has no batch mode, so themes cost one request each. Answers are cached for 24 hours (72 hours for “not in the directory”), and 429 or 5xx responses trigger a backoff that later calls respect. A typical 40-plugin, 3-theme site therefore makes about four or five requests a day in total. Privacy: https://wordpress.org/about/privacy/ WordPress.org publishes a privacy policy but no separate terms-of-use document for this API. It is the same public API, on the same host, that WordPress core itself queries for update checks.

2. Freemius (freemius.com), who sell and license Upgrade Pilot Pro Freemius is contacted in four situations. Every one of them is something you click. It is never contacted in the background.

You opt in, start a trial, or activate a licence. Sent to api.freemius.com: your site URL, your WordPress and PHP versions, and the email address of the account you activate with. This only happens after you explicitly opt in on the activation screen, or when you start a trial or activate a licence.

You open the “Upgrade” page. The plugin adds an “Upgrade” item to its own menu, and the Reports & Automation screen links to it. Opening that page asks Freemius for the current plan prices so it can show them to you (api.freemius.com), and that request carries your site URL. Nothing else is sent. This happens whoever you are, including if you skipped the opt-in – but only when you open that page. If you never open it, it never runs. That request is made by your own server, not by your browser: the page talks to your site’s admin-ajax, and your site talks to Freemius. The page itself loads no third-party scripts at all. Everything it renders – the plan table, the icons, the payment-brand badges – is served from this plugin’s own folder. The payment SDK’s bundled pricing script used to inject Google Analytics and a remote checkout script into your dashboard on that page; this build removes both, along with the SDK’s remaining remote references (all four modifications are listed under “Source code” below).

You click “Contact Us”. That opens Freemius’s hosted support form (wp.freemius.com). The link carries your site URL and your WordPress login URL, so the form knows which site you are writing about.

You click a plan, to buy or to start a trial. That takes you to Freemius’s checkout page (checkout.freemius.com). It receives your site URL, your site name, your WordPress and PHP versions, and your WordPress administrator email address, which is filled in for you – you do not have to type it, and it is sent whether you complete the purchase or not. Freemius is the merchant of record for the sale. That checkout page is Freemius’s, not ours, and like any hosted checkout it loads its own third-party scripts. At the time of writing those are: Stripe (js.stripe.com) and PayPal (www.paypal.com, www.paypalobjects.com) to take payment, Google Tag Manager (www.googletagmanager.com) for their analytics, and Freemius’s own scripts and images (js.freemius.com, cdnjs.cloudflare.com, s3-us-west-2.amazonaws.com). We do not control that list and it can change. What happens on that page is governed by Freemius’s privacy policy, linked below. If you never click a plan, none of it loads. Terms: https://freemius.com/terms/ – Privacy: https://freemius.com/privacy/

What does not happen

The list above is not written from memory. Every outbound request the plugin causes was logged, and these are the results: installing and activating the plugin, the opt-in screen itself, skipping the opt-in, every one of the plugin’s own screens, deactivating the plugin (the payment SDK’s deactivation-feedback dialog is switched off in this build, so deactivation is one click and sends nothing), WordPress’s plugin-update cycle, and every scheduled background task – all of them complete without contacting Freemius at all. No telemetry, no scan data, no site data. Every Freemius contact listed above is the direct result of something you clicked.

The free plugin is fully functional whether you opt in or skip. If you would rather not use Freemius’s support form, the WordPress.org support forum for this plugin is linked from the same menu and sends nothing anywhere.

There is no security feed to call, and no server of ours for this plugin to contact. Anything Upgrade Pilot knows about a plugin’s security standing, it learned from that plugin’s public WordPress.org record – most importantly, whether the directory has closed it, and the reason the directory gave.

Source code

Every line Upgrade Pilot itself runs ships in this plugin, unminified and unobfuscated. Its own CSS and JavaScript (admin/css/upilot-admin.css, admin/js/upilot-admin.js) are the files you read, not build output; there is no build step and no compiled asset.

The one exception is the third-party payment SDK in vendor/freemius/, which ships pre-minified. Those files are the Freemius WordPress SDK, published under the GPL, and their unminified source and build tooling are public:

  • Freemius WordPress SDK: https://github.com/Freemius/wordpress-sdk
  • The pricing screen bundled at vendor/freemius/assets/js/pricing/freemius-pricing.js: https://github.com/Freemius/pricing-page

The minified files under vendor/freemius/ are: assets/js/pricing/freemius-pricing.js, assets/js/postmessage.js, assets/js/nojquery.ba-postmessage.js, assets/js/jquery.form.js, and thirteen stylesheets under assets/css/.

Upgrade Pilot ships four deliberate modifications to that SDK, all in assets/js/pricing/freemius-pricing.js, all removing remote references from wp-admin, each marked with an “Upgrade Pilot:” comment at the patch site:

  1. The appendScripts() method is emptied. Upstream it injects https://www.google-analytics.com/analytics.js and https://checkout.freemius.com/checkout.js into wp-admin when the pricing screen renders. Neither belongs in a WordPress dashboard, and the analytics script ran even for people who had declined the opt-in.
  2. The Google Analytics pageview tracker is stubbed out. Upstream it reports pricing-page views to Freemius’s Analytics property whenever a GA object is already present in wp-admin (for example, loaded there by an unrelated plugin), stamping them with the Freemius user id.
  3. A loading-spinner image served from Freemius’s CDN (img.freemius.com) is replaced with an inline image.
  4. Testimonial author photos, which upstream loads from Gravatar or a remote URL supplied by the Freemius API, always use the bundled placeholder instead.

The pricing screen and the checkout both work without all four.

Third-party libraries inside that SDK bundle, all GPL-compatible: React 17 (MIT), object-assign (MIT), is-buffer (MIT), and Font Awesome Free 5 (code MIT, icons CC BY 4.0). No library that WordPress itself ships is bundled anywhere in this plugin – jQuery and the other core scripts are used from WordPress’s own copies, by handle.

Freeon paid plans
Tested up to
WordPress 7.0.2
This plugin is available for download for your site.