Using SteadyScore
This guide walks through the free flow end to end: what shows up after activation, how to read the dashboard and scores, and how background refresh keeps everything current.
The dashboard
Open SteadyScore from the WordPress admin menu. The default view is the Dashboard tab, which shows a table of every plugin installed on your site.
Columns
| Column | Meaning |
|---|---|
| Plugin | Display name and filesystem slug. Always shown. |
| Version | The version currently installed on this site. |
| Active | Whether WordPress reports the plugin as activated. |
| Score | A 0–100 number rolling up six weighted factors. Higher is healthier. Always shown. |
| Risk | The tier (Trusted, Acceptable, Caution, Warning, Critical, or N/A) derived from the score. |
| In use | A best-effort signal that the plugin is actually doing work — registers hooks, adds menus, runs queries — rather than sitting dormant. |
| Recommendation | Pro only. A short tag (keep, review, update, remove, replace) generated by AI analysis. |
You can show or hide most columns under Settings → Display Preferences → Visible Columns. Plugin and Score are always shown. Columns can be reordered by dragging the column headers in the table.
Sorting and filtering
- Click any column header to sort ascending; click again to sort descending.
- Filter chips above the table let you limit by risk tier (Trusted through Critical), by activation state, or by in-use state.
- Inactive plugins are hidden by default. Toggle the Show inactive chip to include them.
- Set a default sort under Settings → Display Preferences → Default Sort (alphabetical, score ascending, score descending, or risk).
CSV export
The Export button in the toolbar above the table downloads the currently filtered set as steadyscore-export-{date}.csv. The CSV includes the same columns you see in the dashboard, plus the score confidence and the data-source label.
Reading a score
Every WordPress.org plugin gets a 0–100 score and a tier. The tier is the headline; the score is the detail. The thresholds are:
| Score range | Tier | What it means |
|---|---|---|
| 90–100 | Trusted | Actively maintained, well supported, broadly compatible, no known vulnerabilities. Keep. |
| 75–89 | Acceptable | Healthy on the major signals. Review during normal maintenance. |
| 60–74 | Caution | Some signals are weakening — older update, slower support, lower install base. Worth a closer look. |
| 40–59 | Warning | Multiple signals are degraded. Investigate; consider a replacement. |
| 1–39 | Critical | Strongly unhealthy or carrying an unpatched critical CVE. Replace or remove. |
| (no score) | N/A | The plugin cannot be scored from public data — typically a paid plugin or a custom internal plugin. Pro extends coverage to most of these. |
A single unpatched critical vulnerability forces the total score down to 5 regardless of the other factors. That is intentional: a known exploitable CVE outweighs anything else the plugin is doing well.
The six scoring factors
Every WordPress.org plugin is scored on the same six factors, with the same weights:
| # | Factor | Weight | What it measures |
|---|---|---|---|
| 1 | Maintenance (update frequency) | 25% | How recently and how consistently the author publishes updates. Long gaps drag the score down. |
| 2 | Security history (vulnerabilities) | 25% | Known CVEs against the installed version, drawn from Wordfence Intelligence if you have provided a key. Unpatched critical CVEs trigger the override above. |
| 3 | Support responsiveness | 20% | The share of WordPress.org support threads marked resolved. |
| 4 | Compatibility | 15% | Whether the author has tested against your installed WordPress and PHP versions. |
| 5 | Install base (popularity) | 10% | Active install count, used as a sanity-check signal — small install base does not mean bad, but combined with weak maintenance it is a yellow flag. |
| 6 | Author reputation | 5% | Aggregate score across the rest of the author's plugins. |
The factor weights sum to 1.0 and are validated at runtime. Each factor produces its own 0–100 score and contributes to the total according to its weight. Click any row in the dashboard to open the detail slide-over and see the factor-by-factor breakdown.
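As an added worked example (not SteadyScore's own code), the scoring model described above in PHP: the six documented weights with the sum-to-1.0 check, the critical-CVE override to 5, and the tier thresholds from the "Reading a score" table. The `ss_*` names are hypothetical, the per-factor inputs are constructed, and two details the page does not state are assumptions: the weighted sum is rounded to the nearest integer, and a factor with no data makes the plugin N/A.

```php
<?php
// Added example reproducing the documented SteadyScore model; not the plugin's code.
// Factor weights as documented; they must sum to 1.0 (validated below).
const SS_WEIGHTS = [
    'maintenance'   => 0.25, 'security' => 0.25, 'support' => 0.20,
    'compatibility' => 0.15, 'installs' => 0.10, 'author'  => 0.05,
];
// Documented override: one unpatched critical CVE forces the total to 5.
const SS_CRITICAL_CVE_SCORE = 5;

// $factors maps each weight key to that factor's own 0-100 score.
// Returns the rolled-up total, or null (N/A) when a factor has no data.
// Assumption: the weighted sum is rounded to the nearest integer.
function ss_total(array $factors, bool $unpatched_critical): ?int {
    if (abs(array_sum(SS_WEIGHTS) - 1.0) > 1e-9) {
        throw new LogicException('factor weights must sum to 1.0');
    }
    if ($unpatched_critical) {
        return SS_CRITICAL_CVE_SCORE; // the override beats every other factor
    }
    $total = 0.0;
    foreach (SS_WEIGHTS as $factor => $weight) {
        if (!isset($factors[$factor])) {
            return null; // no public data for this factor: N/A
        }
        $total += max(0, min(100, (int) $factors[$factor])) * $weight;
    }
    return (int) round($total);
}

// Tier thresholds from the "Reading a score" table.
function ss_tier(?int $score): string {
    if ($score === null) return 'N/A';
    if ($score >= 90)    return 'Trusted';
    if ($score >= 75)    return 'Acceptable';
    if ($score >= 60)    return 'Caution';
    if ($score >= 40)    return 'Warning';
    return 'Critical';
}

// Constructed input: a plugin with mixed signals, scored with and without
// an unpatched critical CVE recorded for the installed version.
$factors = ['maintenance' => 80, 'security' => 20, 'support' => 70,
            'compatibility' => 90, 'installs' => 60, 'author' => 85];
foreach ([false, true] as $critical) {
    $score = ss_total($factors, $critical);
    printf("unpatched critical CVE: %-3s score: %-3s tier: %s\n",
        $critical ? 'yes' : 'no', $score ?? 'N/A', ss_tier($score));
}
```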
The detail slide-over
Clicking a plugin row opens a panel on the right with the full picture for that one plugin:
- Header. Display name, version, activation state, and an "update available" alert if applicable.
- Score card. The 0–100 number, the tier, the confidence level (High, Limited, or Unrated), and the data source ("WordPress.org · High confidence", "Premium proxy · High confidence", and so on).
- Factor cards. One card per factor with its score, its weight, and a short description.
- Vulnerability summary. CVE IDs, severity, and patched/unpatched status for any vulnerabilities recorded for this version.
- AI recommendation (Pro). A short tag and reasoning paragraph once analysis completes. While analysis is running you will see "Queued…" or "Analyzing…"; if it has not rendered, see Troubleshooting → AI recommendations did not populate.
- Plugin metadata. Author, install count, last updated date, tested-up-to WordPress version, support thread stats, and a link to the plugin's WordPress.org listing.
- Actions. "View on WordPress.org" opens the directory listing. "Manage Active License" appears when Pro is active.
Use Prev and Next at the bottom of the panel to walk through the filtered list without closing the panel.
The five scoring paths
SteadyScore picks one of five paths per plugin depending on what data is available.
| Path | When it applies | Coverage |
|---|---|---|
| Path 1 | The plugin is in the WordPress.org plugin directory. | Free and Pro. Scored from the wordpress.org API with full six-factor accuracy. |
| Path 2 | The plugin is a paid version of a plugin whose free counterpart is on wordpress.org (around 50 mapped pairs are bundled). | Free and Pro. Scored using the free proxy's data. Confidence is reported as High. |
| Path 3 | The plugin is a commercial plugin sold through CodeCanyon or Envato. | Pro only. Scored against CodeCanyon signals. Confidence is reported as Limited. |
| Path 4 | The plugin is enriched by the SteadyPress data service with BuiltWith and G2 signals. | Pro only. Confidence is reported as Limited. |
| Path 5 | The plugin is custom, internal, or otherwise has no public data. | Free shows N/A. Pro can read the plugin's source code and run it through your configured AI provider to generate a score and a recommendation. |
Plugins on Path 5 in free show up as N/A with a gray tier badge.
Refresh and background work
SteadyScore uses Action Scheduler to do all the heavy lifting in the background. Nothing scoring-related happens during a page render.
The jobs
| Job | What triggers it | What it does |
|---|---|---|
| Initial population | Plugin activation | Walks every installed plugin, resolves which path applies, fetches the data, and writes the first scoring run. Chunked, with a 1-second pause between WordPress.org requests so the public API is treated politely. |
| Background refresh | TTL on cached data approaches expiry | Re-fetches expiring data and re-scores plugins that need it. |
| Author reputation recalculation | After initial population, and on demand | Aggregates the author's other plugins so the reputation factor stays current. |
| Pruning | Weekly | Cleans up expired cache entries and old refresh metadata. |
| Scheduled monitoring (Pro) | On the cadence you choose (weekly, biweekly, monthly, or annual) | Runs a full refresh and fires alert emails based on your alert triggers. |
| AI analysis (Pro) | When new plugins appear or when you trigger analysis | Sends plugin context to the SteadyPress API for an AI-generated recommendation. |
Cache lifetimes (defaults)
| Source | Default TTL |
|---|---|
| WordPress.org plugin metadata | 7 days |
| Wordfence Intelligence vulnerability data | 3 days |
| SteadyPress enrichment data (Pro) | 1 day |
| CodeCanyon data (Pro) | 7 days |
These defaults are filterable for site owners who need to override them. See Developer / Hooks.
When new plugins appear
SteadyScore listens for the install, activate, deactivate, and delete hooks. When a new plugin shows up on the site, it is queued for scoring on the next background pass. When a plugin is deleted, its rows are cleaned up automatically.
Forcing a refresh
There is no manual "refresh now" button in v1.0.0 — refresh is driven by the cache TTL and by lifecycle events. If you need to force a re-run, deactivate and reactivate the plugin: the initial-population job runs again and re-scores everything against fresh data.
What runs locally vs. what calls out
The free plugin does its scoring entirely in your own database. The only outbound calls in free mode are:
- api.wordpress.org — the standard plugin-directory API that WordPress itself uses. SteadyScore sends plugin slugs and receives public metadata.
- api.wordfence.com — only after you save a Wordfence Intelligence API key. SteadyScore sends plugin slugs and your key as an Authorization header.
The free plugin never sends your plugin inventory, your site content, your user data, your database contents, or your credentials anywhere. See Settings reference → Data & Privacy for the full list.
Pro adds calls to api.steadypress.ai for license validation, commercial-plugin enrichment, AI analysis, and Google Sheets export. Those are detailed in Pro features and in the in-admin Data & Privacy panel.
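One way to verify the outbound-call statements above on a staging site, as an added example that is not part of SteadyScore: a must-use plugin hooking WordPress's pre_http_request filter that logs any HTTP API request to a host other than the ones documented here (api.wordpress.org and api.wordfence.com, plus api.steadypress.ai for Pro) without blocking anything. The SS_AUDIT_PRO constant and the ss_* names are this example's own, not SteadyScore settings.

```php
<?php
/**
 * Plugin Name: Outbound host audit (added example)
 *
 * Not part of SteadyScore. Place this file in wp-content/mu-plugins/ on a
 * staging site, then activate SteadyScore so the initial-population job runs,
 * and watch the PHP error log: every WordPress HTTP API request to a host
 * outside the documented allowlist is logged. Requests are never blocked.
 * WordPress core and other plugins share the same HTTP API, so correlate
 * log timestamps with the population job before drawing conclusions.
 */

// Hosts the documentation says SteadyScore contacts in free mode.
const SS_AUDIT_FREE_HOSTS = ['api.wordpress.org', 'api.wordfence.com'];
// Added by Pro. Assumption: define SS_AUDIT_PRO as true in wp-config.php when Pro is active.
const SS_AUDIT_PRO_HOSTS  = ['api.steadypress.ai'];

function ss_audit_allowed_hosts(): array {
    $hosts = SS_AUDIT_FREE_HOSTS;
    if (defined('SS_AUDIT_PRO') && SS_AUDIT_PRO) {
        $hosts = array_merge($hosts, SS_AUDIT_PRO_HOSTS);
    }
    return $hosts;
}

// pre_http_request runs before any request leaves WP_Http::request().
// Returning $preempt unchanged (normally false) lets the request proceed.
add_filter('pre_http_request', function ($preempt, $parsed_args, $url) {
    $host = is_string($url) ? wp_parse_url($url, PHP_URL_HOST) : null;
    if (!is_string($host)) {
        error_log('[ss-audit] request with unparseable URL: ' . print_r($url, true));
        return $preempt;
    }
    if (!in_array(strtolower($host), ss_audit_allowed_hosts(), true)) {
        $method   = strtoupper($parsed_args['method'] ?? 'GET');
        $has_body = empty($parsed_args['body']) ? 'no body' : 'with body';
        // Only record whether an Authorization header exists; never log its value.
        $headers  = is_array($parsed_args['headers'] ?? null) ? array_change_key_case($parsed_args['headers']) : [];
        $has_auth = isset($headers['authorization']) ? 'Authorization header present' : 'no Authorization header';
        error_log(sprintf('[ss-audit] %s %s (%s, %s) is not on the documented SteadyScore allowlist',
            $method, $url, $has_body, $has_auth));
    }
    return $preempt;
}, 10, 3);
```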
Need more help? Contact support.