RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.
Created 2026-05-22
Rule: For Candid WordPress client sites, plugin count is the security surface. Audit quarterly. New plugins require justification + a removed-plugin counterpart (one-in, one-out).
Why:
- Patchstack 2024: 96% of WordPress vulnerabilities are in plugins; only 7 in core (Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core)
- Wordfence 2024: 8,223 vulns published, +68% YoY, 35% still unpatched in 2025 (Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day)
- Patchstack 2024 cleanup: 1,614 plugins and themes removed from the .org repo for unpatched issues (Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues) — sites depending on them get no upgrade path, only removal
- Sucuri 2023: 39.1% of compromised CMS sites were running outdated software at infection (Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022))
How to apply:
- Quarterly plugin audit: list every plugin, last-update date, active install count, alternative if vendor goes silent
- Plugin acceptance gate: a new plugin must justify (a) why core/theme/code can't do it, (b) the vendor's update cadence, (c) the alternative if the vendor disappears
- One-in-one-out: net plugin count never grows without explicit justification
- Plugins with no release in 18 months go on a watchlist; at 24 months, removal is scheduled
- Pair with the rule "A platform that cannot produce a clean export today is a hostage situation. Treat it as such." (from brief 4): same discipline, narrower domain
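As an added example (not part of this note), the quarterly audit and the one-in-one-out gate as a script: it consumes a plugin inventory in the shape of `wp plugin list --format=json` plus the `last_updated` and `active_installs` fields of the api.wordpress.org plugin_information response; both inputs below are constructed samples, and the 18/24-month thresholds are the rule's.

```python
from datetime import date

WATCHLIST_MONTHS, REMOVAL_MONTHS = 18, 24  # the rule's thresholds: watchlist / scheduled removal

# Constructed sample in the shape of `wp plugin list --format=json`.
SITE_PLUGINS = [
    {"name": "contact-form-7", "status": "active", "version": "5.9.8"},
    {"name": "old-gallery", "status": "active", "version": "1.2.0"},
    {"name": "stale-seo", "status": "inactive", "version": "0.9"},
]
# Constructed sample of api.wordpress.org plugin_information responses, trimmed to the two
# fields the audit needs (field names are the API's; values are made up). "stale-seo" is
# deliberately absent: a plugin pulled from the .org repo has no upgrade path, only removal.
ORG_INFO = {
    "contact-form-7": {"last_updated": "2025-04-10 6:42am GMT", "active_installs": 6000000},
    "old-gallery": {"last_updated": "2023-09-01 1:00pm GMT", "active_installs": 3000},
}

def months_since(last, today):
    """Whole calendar months between the last release and the audit date."""
    return (today.year - last.year) * 12 + (today.month - last.month)

def classify(info, today):
    """Apply the rule's thresholds to one plugin: 'ok', 'watchlist' or 'remove'."""
    if info is None:
        return "remove"  # no longer in the repo: removal is the only path
    last = date.fromisoformat(info["last_updated"].split(" ")[0])  # keep the date part only
    age = months_since(last, today)
    if age >= REMOVAL_MONTHS:
        return "remove"
    return "watchlist" if age >= WATCHLIST_MONTHS else "ok"

def audit(plugins, org_info, today):
    """One row per installed plugin: the quarterly audit table the rule asks for."""
    rows = []
    for p in plugins:
        info = org_info.get(p["name"])
        rows.append({"name": p["name"], "status": p["status"],
                     "last_updated": info["last_updated"] if info else "not in .org repo",
                     "active_installs": info["active_installs"] if info else 0,
                     "verdict": classify(info, today)})
    return rows

def one_in_one_out(previous, current):
    """Gate check between audits: the net plugin count must not grow."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    return {"added": added, "removed": removed, "net_growth": len(current) - len(previous)}
```

Run `audit(...)` against the previous quarter's inventory with `one_in_one_out(...)` and any positive `net_growth` without a written justification fails the gate.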
Depends on:
- reference Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
- reference Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day
- reference Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues
- reference Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)