People often ask me whether it is safe to run plugins that are not tested with the latest version of WordPress. And it’s a good question, because software in general is something that you want to keep current and updated with all the latest. For WordPress plugins however, there are many plugins that simply don’t need to be updated with each new version of WordPress.
The answer? It depends.
A safe answer for the general case would be that, unless there are known security or other outstanding issues, it may be fine but really depends on the complexity of the plugin and the functionality it provides. For example, the original Subscribe to Comments plugin once went like 10 years without an update and kept working great. So even though it was many versions behind (“not tested”), the plugin had many happy users with no issues for years.
Ultimately you will need to do a little research to determine whether or not a particular plugin is safe for your site.
Why? Because many plugins are simple and use only well-established core WordPress functionality. For example, my plugin Disable WordPress Responsive Images contains fewer than 10 lines of code and uses two core hooks and some basic PHP logic. The code itself has not changed in over two years, and is safe to run on any version of WordPress 5.0 or better.
The difference is that some plugins (such as my own) are tested and updated with each WordPress update. So the changelog is kept current with everything even though none of the code may change from one version to the next.
That is why having a current readme.txt/changelog is so critical to plugin success. It eliminates the guesswork and saves the user time. Otherwise the infamous “hasn’t been tested” warning is displayed on the plugin homepage at WordPress.org:
This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
You’ve seen that right? It is displayed for any plugin which has a readme.txt file that has not been updated for at least three major versions of WordPress.
The warning is helpful but does not tell the user whether or not the plugin is safe to use. There “may” be issues or there may not be issues. The plugin may be abandoned or may not be abandoned. It’s just a “heads up” letting you know, essentially, that the plugin developer has not checked in with the plugin for at least three major versions of WordPress. Which is around a year or so.
The warning message essentially says, hey the developer of this plugin has not checked in for a while.
The warning message is NOT saying that there is any particular problem with the plugin, or that you should not use it. It is only telling you that the developer may be lazy or busy or whatever, and has not taken the time to check in and update the plugin or at least bump the version number in the readme.txt.
So the plugin may or may not work perfectly on the latest version of WordPress, even if its homepage displays the “not been tested” warning. This is why there is no one-size-fits-all answer to the question, “Is it okay to use plugins that are not current with the latest version of WordPress?” Because it depends on the plugin.
As WordPress.org forum moderator Jan Dembowski clearly explains:
Because it’s unnecessary to update the majority of plugins. The time of the last update does not mean anything to users nor does it mean that that plugin does not work or has any issues with the code.
Jan goes on to say that “it is nice when authors update the ‘Tested up to’ field to let users know that it works with newer versions but aside from that, this suggestion would generate a lot of work, punish authors and most importantly deprive users of plugins for a bad idea.”
Determining if a plugin is safe to use
If you’re a plugin developer, the easiest way to verify plugin functionality is to test it locally and examine the code.
For everyone else, and maybe developers too, you’re gonna need to do some research. Here are some things that may help determine whether or not a plugin that is not current with the latest WordPress is safe to use:
- Look at the plugin’s changelog (under the “Development” tab)
- Post a question on the plugin’s support forum
- Read thru some posts in the plugin support forum
- Contact the developer directly and ask if the plugin is safe to use
- Search around online for other opinions and information
- Examine the plugin source code, or hire a developer to do it
- Test the plugin on a default installation of WordPress
- Check the site error/debug logs for any signs of errors, warnings, etc.
With a bit of effort, you can put the pieces together and get a clear picture of whether or not some “not current” plugin is safe to use.
If there is any doubt after a bit of research, do not use the plugin. Find another.
Also worth mentioning, if you notice any issue with the plugin, you can help the WP community by posting about the problem in the plugin’s support forum at WordPress.org. Clearly explain the issue and any relevant information. Even if the plugin developer does not respond, maybe someone else in the community will. And if nothing else, your post may help others save some time with research and testing.
About the readme.txt file
The WordPress Plugin Directory uses the readme.txt file to determine whether or not to display the ominous “not been tested” warning on the plugin homepage. Each plugin includes a readme.txt file that includes information that looks like this:

    Plugin Name: Disable Responsive Images Complete
    Plugin URI: https://perishablepress.com/disable-wordpress-responsive-images/
    Description: Completely disables WP responsive images
    Tags: responsive, images, responsive images, disable, srcset
    Author: Jeff Starr
    Contributors: specialk
    Requires at least: 4.4
    Tested up to: 5.4
    Stable tag: 1.8
    Version: 1.8
    Requires PHP: 5.6.20
    License: GPL v2 or later
Notice the “Stable tag”, “Tested up to”, and “Version”? That all translates into the helpful information that is displayed on the plugin homepage. For example, the above readme header is converted to the following sidebar information on the plugin homepage at the WordPress Plugin Directory:
The information displayed in the sidebar is super useful when determining whether or not the plugin is safe and healthy. If anything looks out of place or otherwise lacking, feel free to pass on the plugin and find something else.
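To run the same check across your own plugins, here is an added example (not code from this post or from WordPress.org) that parses a readme header and reports how many major WordPress releases the “Tested up to” value is behind. The function names, the `current_wp` argument and the sample text are assumptions made for illustration; the threshold of three follows the warning text quoted above, and flagging a missing field for review is a choice made here.

```python
import re

# Constructed sample: a subset of the readme header shown above.
SAMPLE_README = """\
Plugin Name: Disable Responsive Images Complete
Requires at least: 4.4
Tested up to: 5.4
Stable tag: 1.8
Version: 1.8
Requires PHP: 5.6.20
"""

def parse_header(text):
    """Return 'Field: value' lines as a dict keyed by lowercased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            # Keep the first occurrence so body text cannot override the header.
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def major_index(version):
    """Map '5.4' or '5.4.2' to 54. Assumes WordPress's decimal numbering of
    major releases (4.9 is followed by 5.0), so patch digits are ignored."""
    m = re.match(r"^(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return int(m.group(1)) * 10 + int(m.group(2) or 0)

def check_readme(text, current_wp, threshold=3):
    """Report how far 'Tested up to' trails current_wp, in major releases."""
    tested = parse_header(text).get("tested up to")
    if tested is None:
        # Assumption: a readme with no 'Tested up to' line needs a manual look.
        return {"tested_up_to": None, "behind": None, "needs_review": True}
    behind = max(0, major_index(current_wp) - major_index(tested))
    return {"tested_up_to": tested, "behind": behind,
            "needs_review": behind >= threshold}

if __name__ == "__main__":
    # "5.7.1" is a constructed value standing in for the site's WordPress version.
    print(check_readme(SAMPLE_README, "5.7.1"))
```

A plugin flagged this way is a candidate for the research steps listed earlier, not a verdict that it is unsafe.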
For plugin developers
From one plugin dev to another, take a few moments for each major WordPress release and test/update your plugins. If the plugin does not require any changes, then at least bump the minimum-required and stable tags. It only takes a moment and definitely helps people in the community decide whether or not your plugin is safe to use on their site.