SteadyScore
SteadyScore scans every plugin installed on your WordPress site and gives each one a single reliability score from 0–100 — so you can see, at a glance, which plugins you can trust and which ones deserve a second look.
WordPress admins inherit risk from every plugin they install: abandoned code, unpatched vulnerabilities, low-quality authors. SteadyScore puts an honest number on each plugin’s risk profile so you can prioritize what to replace, audit, or remove. Agencies run it on client sites; developers run it on their own for routine plugin hygiene.
Every score is built from six transparent factors:
- Rating & reviews — the plugin’s WordPress.org star rating and review volume.
- Active installs — how widely the plugin is deployed and trusted.
- Update recency — how recently the author last shipped a release.
- Compatibility — tested-up-to against your version of WordPress.
- Security — known vulnerabilities, via Wordfence Intelligence.
- Author reputation — the author’s track record across their whole portfolio.
What’s in the free version
- A reliability score, 0–100, for every plugin listed on WordPress.org.
- The full six-factor breakdown for each plugin, with a plain-English recommendation.
- Known-vulnerability data from Wordfence Intelligence (add a free key of your own).
- Lifecycle flags — abandoned, removed from WordPress.org, or not updated in 2+ years.
- A sortable dashboard with risk / active / in-use filters and CSV export.
- Background scoring through Action Scheduler — no wp-cron load, nothing on your front end.
Available with the Pro addon
SteadyScore Pro extends the free plugin:
- Reliability scoring for commercial & closed-source plugins — LearnDash, WP Rocket, premium Gravity Forms add-ons, and the like — via the SteadyPress API.
- AI-powered upgrade & replacement recommendations for the plugins that need attention.
- Google Sheets export of the full audit.
- Scheduled monitoring with monthly email alerts on score drops and newly disclosed vulnerabilities.
Pro requires this free plugin. Commercial plugins the free tier can’t score still appear in your inventory — marked “needs Pro,” with honest “rating data unavailable” messaging rather than a fake number.
Built to stay out of the way
Scoring runs in the background through Action Scheduler — no wp-cron load, no slow admin screens. Results cache locally for 12 hours, so the dashboard stays instant. SteadyScore is strictly read-only: it never activates, deactivates, updates, or deletes any plugin. Acting on a score is always your call.
External services
The free tier makes anonymous, read-only requests to:
- wordpress.org plugin API (https://api.wordpress.org/plugins/info/1.2/) — to fetch plugin metadata (rating, install count, last-update date, tested-up-to version). No personal data is sent; only plugin slugs. Used on first install to score the inventory, and on a daily refresh thereafter. Documented at https://codex.wordpress.org/WordPress.org_API.
- Wordfence Intelligence API (https://www.wordfence.com/api/intelligence/v3/) — to fetch vulnerability data for installed plugins. Requires a free API key from wordfence.com, which you configure in plugin settings. No personal data is sent; only plugin slugs. Wordfence Intelligence terms: https://www.wordfence.com/products/wordfence-intelligence/
If you upgrade to the Pro tier, the plugin also communicates with:
- SteadyPress API (https://api.steadypress.ai) — to score commercial plugins, run AI analysis, and validate your license. Only the plugin slug, version, your site’s domain, and your license key are sent. SteadyPress terms: https://steadypress.ai/terms/ · SteadyPress privacy: https://steadypress.ai/privacy/.
The free tier never contacts the SteadyPress API.
SteadyScore is built and maintained by SteadyPress. Learn more at steadypress.ai.
