{"id":237,"slug":"rule-reduce-plugin-count-as-security-discipline","title":"RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.","kind":"rule","scope":"business","status":"current","audiences":["kevin","claude-code","dev","candid-team"],"topics":["wordpress","agency-methodology","security-vulnerabilities"],"reference_body":"**Rule:** For Candid WordPress client sites, **plugin count is the security surface**. Audit quarterly. New plugins require justification + a removed-plugin counterpart (one-in, one-out).\n\n**Why:**\n- Patchstack 2024: **96% of WordPress vulnerabilities are in plugins**; only 7 in core ([[patchstack-2024-vuln-disclosure-4166-96pct-plugins]])\n- Wordfence 2024: 8,223 vulns published, +68% YoY, **35% still unpatched** in 2025 ([[wordfence-2024-attack-volume-54b-requests]])\n- Patchstack 2024 cleanup: **1,614 plugins removed** from the repo for unpatched issues ([[patchstack-1614-plugins-removed-2024]]) — sites depending on them get no upgrade path, only removal\n- Sucuri 2023: **39.1% of compromised CMS sites** were running outdated software at infection ([[sucuri-2023-39pct-cms-outdated-at-infection]])\n\n**How to apply:**\n- Quarterly plugin audit: list every plugin, last-update date, active install count, alternative if vendor goes silent\n- Plugin acceptance gate: a new plugin must justify (a) why core/theme/code can't do it, (b) the vendor's update cadence, (c) the alternative if the vendor disappears\n- One-in-one-out: net plugin count never grows without explicit justification\n- Plugins that haven't shipped a release in 18 months go on a watchlist; 24 months = scheduled removal\n- Pair with [[rule-treat-no-export-as-hostage-situation]] from brief 4 — same discipline, narrower domain","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"patchstack-1614-plugins-removed-2024","title":"Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"sucuri-2023-39pct-cms-outdated-at-infection","title":"Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)","kind":"reference","scope":"business","link_type":"depends-on"},{"slug":"rule-treat-no-export-as-hostage-situation","title":"RULE: A platform that cannot produce a clean export today is a hostage situation. Treat it as such.","kind":"rule","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"research-brief-built-to-last","title":"Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T19:58:12.899Z","updated_at":"2026-05-22T19:58:12.899Z"}