The average WordPress client probably does not know how many plugins their website uses, what those plugins are for, or how often they are updated and therefore need at least a nominal check.
We rarely see WordPress sites with fewer than a dozen plugins. Depending on functionality, twenty can be pretty common. Plugins do everything from providing security for the site, to running an easy-to-maintain events calendar, to handling contact forms, to processing online transactions, to maintaining content for users and members, and so on. It's how functionality is usually added to websites within WordPress.
Plugins have to be updated, some more often than others, to deal with changes in the core WordPress software, security issues that arise, changing functionality in relation to other plugins and themes, and many other reasons. Each update needs to be reviewed: the user commentary, the listed reasons for the update and, once it is applied, whether it works properly with the other pieces of your site. If it's fairly straightforward, it does not take long – but it does have to be done.
Needless to say, if not straightforward, it can take more review and testing.
Below are a few of the more popular plugins and how many updates they had in 2023 (by our count). These are just a few…
The Events Calendar and all components – 130 updates
Gravity Forms – 20 updates
ACF Pro – 16 updates
Yoast – 24 updates
WooCommerce (core) – 26 updates
Wordfence Security – 13 updates
A WordPress core update can trigger updates across many of your installed plugins. You can count on anywhere from two to four core updates a year, at least the major ones. Sometimes security-only updates sneak in there as well, but they often have less impact on plugins.
Updates create work. A lack of updates does too. If a plugin goes a few years without an update, security software can notify the site owner that it's probably been abandoned. That isn't necessarily true – not all plugins need regular updates. But such a notification does require review and investigation. A website owner doesn't want to rely on an old plugin that isn't keeping up with today's security needs, because it can create a vulnerability.
And there are plenty of bots out there looking for vulnerabilities.
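The review described above can be started from a plugin inventory. The following is an added example, not code from this article: it assumes the inventory is exported with WP-CLI's `wp plugin list --format=json`, and the plugin names, release dates and two-year staleness threshold are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample shaped like `wp plugin list --format=json` output.
WP_PLUGIN_LIST = json.loads("""[
  {"name": "forms-plugin",  "status": "active", "update": "available", "version": "2.7.1"},
  {"name": "seo-plugin",    "status": "active", "update": "none",      "version": "21.5"},
  {"name": "old-gallery",   "status": "active", "update": "none",      "version": "1.0.3"},
  {"name": "premium-addon", "status": "active", "update": "none",      "version": "6.2"}
]""")

# Constructed last-release dates, e.g. copied from each plugin's changelog.
# Premium plugins sold outside the public directory often have no entry here.
LAST_RELEASE = {
    "forms-plugin": date(2023, 12, 1),
    "seo-plugin": date(2023, 11, 20),
    "old-gallery": date(2020, 3, 15),
}

STALE_AFTER_DAYS = 2 * 365  # assumption: "a few years" modelled as two years


def audit(plugins, last_release, today):
    """Return {plugin name: [findings]} for every plugin that needs a human look."""
    report = {}
    for plugin in plugins:
        findings = []
        # A pending update still needs its changelog read and the site retested.
        if plugin.get("update") == "available":
            findings.append("update pending: read changelog, apply, retest site")
        released = last_release.get(plugin["name"])
        if released is None:
            # Unknown is not the same as current: it has to be checked by hand.
            findings.append("no release date known: check with the vendor")
        elif (today - released).days > STALE_AFTER_DAYS:
            findings.append("no release in over two years: possibly abandoned")
        if findings:
            report[plugin["name"]] = findings
    return report


if __name__ == "__main__":
    result = audit(WP_PLUGIN_LIST, LAST_RELEASE, date(2024, 1, 15))
    for name, findings in result.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

A plugin flagged as possibly abandoned is a prompt for investigation, not a verdict, as the article notes.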
Bottom line: somebody should be doing this work for your website. It could be someone at your organization, if you know your WordPress fairly well. It could be your web site maintenance provider if you have one. But somebody should be doing it – regularly.