March 1, 2026
Why We Built SteadyScore: The Tool We Needed for 20 Years
The origin story of SteadyScore. A 20-year agency, a Sunday-night plugin failure, and the measurement layer WordPress has always been missing.
The site went down at 11pm on a Sunday. The form plugin we’d recommended to that client six months earlier had silently fallen over after a WordPress core update. Three users had tried to submit a contact form that evening and gotten a white screen. We checked the plugin’s wordpress.org page after the fact: eight months since the last update, three open security threads, and a “tested with” version that was now two majors behind. None of this was hidden. All of it was visible, in retrospect, in the place we’d looked when we first picked the plugin. We could have caught it. We just had no system that would have made us look again.
The agency reality
Running a WordPress agency for twenty-plus years means managing dozens of client sites. Each one has somewhere between fifteen and sixty plugins. Together they form a portfolio of choices we’re responsible for: choices we made years ago when the maintainer was active, choices we inherited from previous developers, choices clients pasted in themselves after watching a YouTube tutorial. Every plugin is a small, ongoing bet that someone, somewhere, is still tending it.
The tools to evaluate plugin reliability either didn’t exist or were buried inside security plugins focused on active threats — vulnerabilities to fix today, malware to clean up now. None of them answered the slower, more useful question: which of these plugins are quietly degrading? Maintenance health, as distinct from acute threat, was nobody’s product.
What we tried first
We tried the obvious things. Manual audits, performed every quarter by whichever developer drew the short straw. Spreadsheets that aged the moment we closed them. A custom script one of us wrote that hit the wordpress.org API and flagged plugins that hadn’t been updated in eighteen months. Each of these was useful in isolation. None of them survived contact with the actual rhythm of agency work, where a thirty-minute window between client calls is not a thirty-minute window to run a manual audit.
What we needed was something built into WordPress itself, that ran continuously and quietly, and that surfaced its findings in the place a developer is already looking — the admin sidebar — not in a separate dashboard, separate login, separate spreadsheet.
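A sketch of the kind of check that custom script performed, as an added example (not SteadyScore's code or the agency's original script). It runs offline over constructed records shaped like wordpress.org plugin-information responses; the slugs, the dates, the current WordPress version passed in, and the two-major "tested with" threshold are assumptions.

```python
import json
from datetime import date

STALE_MONTHS = 18   # update-age threshold the article's script used
MAX_MAJOR_LAG = 2   # assumption: flag "tested with" two or more majors behind

# Constructed sample data: slug -> response shaped like wordpress.org's
# plugin_information JSON (last_updated, tested), or an error object.
SAMPLE = json.loads("""{
  "example-forms":   {"last_updated": "2025-07-01 9:14pm GMT", "tested": "6.7.1"},
  "example-gallery": {"last_updated": "2024-05-20 1:02am GMT", "tested": "6.5"},
  "example-cache":   {"last_updated": "2026-02-10 4:40pm GMT", "tested": "6.9"},
  "example-closed":  {"error": "Plugin not found."}
}""")

def months_between(earlier, later):
    """Whole calendar months elapsed from earlier to later."""
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    return months - (1 if later.day < earlier.day else 0)

def major_index(version):
    """WordPress majors are X.Y and X.9 is followed by (X+1).0 (assumed here)."""
    parts = version.split(".")
    return int(parts[0]) * 10 + (int(parts[1]) if len(parts) > 1 else 0)

def audit(records, today, current_wp):
    """Return {slug: [reasons]} for plugins that need a second look."""
    findings = {}
    for slug, rec in records.items():
        reasons = []
        if "error" in rec or not rec.get("last_updated") or not rec.get("tested"):
            findings[slug] = ["no usable listing data"]
            continue
        try:
            updated = date.fromisoformat(rec["last_updated"].split()[0])
            lag = major_index(current_wp) - major_index(rec["tested"])
        except ValueError:
            findings[slug] = ["unparseable listing data"]
            continue
        age = months_between(updated, today)
        if age >= STALE_MONTHS:
            reasons.append(f"last updated {age} months ago")
        if lag >= MAX_MAJOR_LAG:
            reasons.append(f"tested with {rec['tested']}, {lag} majors behind {current_wp}")
        if reasons:
            findings[slug] = reasons
    return findings

if __name__ == "__main__":
    for slug, reasons in audit(SAMPLE, date(2026, 3, 1), "6.9").items():
        print(slug, "->", "; ".join(reasons))
```

In this sample, `example-forms` was updated eight months ago and passes the eighteen-month age check; only the "tested with" lag flags it, which is why a single staleness signal is not enough.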
The design constraints
Before we wrote a line of code we set ourselves a handful of constraints. They were as much about what we wouldn’t build as what we would.
- Runs inside WordPress admin. Where agency developers already work. No separate console to bookmark, no second login, no SaaS-flavored “dashboard.”
- Fast first scan. Initial scoring in roughly 60 seconds, not “we’ll email you when it’s ready.”
- Free tier without an account. No email-gated wall to get to the wordpress.org plugin scores. You install, you activate, you see numbers.
- Transparent methodology. The scoring inputs and weights are documented. No black-box score; if you disagree with a weighting, you can read the rationale.
- Privacy respect. No telemetry of site contents. We don’t need to know what your client’s product catalog looks like to score their plugins.
What SteadyScore does
SteadyScore evaluates each plugin against a handful of signals — update frequency, vulnerability history, active install base, user ratings, “tested with” currency, and a few others — and rolls them into a single score between 0 and 100. Categories sit on top of the raw number: Trusted, Moderate, Caution, Avoid, Unknown. The categories exist because most of the time you don’t want to compare 87 to 91; you want to know which of these things needs your attention this week.
The free tier covers every plugin on wordpress.org. Pro adds scoring for premium plugins (the ones with no public marketplace data), AI-driven code analysis that catches subtler quality issues, and continuous monitoring so you know when a score drops without having to check. The split exists because the marginal cost of scoring a wordpress.org plugin is near zero, and the marginal cost of analyzing premium-plugin source code is not. SteadyScore is what we use across our own client portfolio.
What we learned building it
A few things surprised us. The first was how much signal sat in the simplest measurement. Even before we layered in AI or vulnerability databases, the basic “when was this plugin last updated and is anyone still talking about it on the support forum” check exposed patterns we’d been missing for years. A handful of plugins we considered staples turned out to be six months from abandonment. A few we’d assumed were dead were actually being actively, quietly maintained.
The second was how often a low score had a good answer. Plugins that scored poorly on update frequency frequently had a healthier, better-maintained alternative we hadn’t bothered to look for. The score didn’t tell us what to do; it told us where to spend the next half hour of research. That turned out to be exactly the leverage we needed.
The third — once AI analysis went into Pro — was how much code-level signal you can extract from a plugin nobody is reviewing. A human eye reading sixty thousand plugins can’t catch the patterns an AI scan catches in an afternoon. We’re cautious about overclaiming here. AI analysis isn’t a substitute for a security audit. But for flagging the obvious — code smells, suspicious external calls, license violations — it earns its keep.
What’s next
SiteReview is the second SteadyPress product, and the second measurement layer we’d been quietly needing for years. Where SteadyScore covers plugin reliability, SiteReview covers whole-site audits — performance, configuration, hosting fit, and the dozens of small things that compound into “this site feels slow” without anyone being able to point at a single cause. The line is the same: things agencies have always done by hand, given the tooling to do continuously.
Why we built it
We didn’t set out to start a product company. We set out to solve our own problem and then realized the problem wasn’t ours alone. SteadyPress exists because the gap was real — we hit it every week, on every client portfolio, for two decades. If you’ve had your own Sunday-night plugin failure, you already know the gap we’re talking about. The tool is just the thing we made so that next time, neither of us has to find out at 11pm.