{"id":219,"slug":"patchstack-1614-plugins-removed-2024","title":"Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues","kind":"reference","scope":"business","status":"current","audiences":["claude-code","candid-team"],"topics":["wordpress","security-vulnerabilities"],"reference_body":"**Quote (Patchstack State of WordPress Security 2025):**\n\n> \"1,614 plugins and themes were removed from the WordPress repository for unpatched security issues\" in 2024; \"1,450 had High and Medium priority vulnerabilities\" and \"33% of vulnerabilities were not fixed in time for public disclosure.\"\n\n**Source:** <https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/>\n\n**Confidence:** Verified.\n\n**Operational implication:** If a site depends on any plugin in the 1,614, the only \"upgrade path\" is removal. Patchstack's October 2024 cleanup event alone closed 977 plugins (~1.1% of the repo). **Site lifespan is bounded by the maintenance posture of the longest-tail plugin in the stack.**","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"rule-reduce-plugin-count-as-security-discipline","title":"RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-built-to-last","title":"Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T19:58:12.804Z","updated_at":"2026-05-22T19:58:12.804Z"}