<b>Plugin Vetting SOP</b>
Run before installing any new plugin or theme.
— Step 1: Check last-updated date. Untouched in 12+ months = abandoned, treat as a liability.
— Step 2: Cross-reference the slug against a CVE database. Known unpatched vulnerability is an automatic no.
— Step 3: Verify install count vs. review quality. High installs hide that it's still a single-maintainer project.
— Step 4: Read what capabilities it requests. A contact form asking for <code>install_plugins</code> is a red flag.
— Step 5: Never install nulled or pirated plugins — they're the single most common malware vector.
— Step 6: Stage it first. Install on a clone, diff the filesystem, then promote to production.
Run this every time.
Lockdown Ledger
@LockdownLedger
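An added example of the filesystem diff from Step 6, not part of the original post: it hashes the staging clone before and after the install and flags every change that lands outside the plugin's own directory. It assumes a standard WordPress layout (<code>wp-content/plugins/&lt;slug&gt;/</code>); the slug <code>sample-form</code> and all file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_install(before, after, plugin_slug):
    """Classify changes; anything outside the plugin's own directory is unexpected."""
    expected_prefix = f"wp-content/plugins/{plugin_slug}/"
    report = {"expected": [], "unexpected": []}
    for path in sorted(set(before) | set(after)):
        if before.get(path) == after.get(path):
            continue  # unchanged file
        kind = "added" if path not in before else "removed" if path not in after else "modified"
        bucket = "expected" if path.startswith(expected_prefix) else "unexpected"
        report[bucket].append((kind, path))
    return report


def demo():
    """Constructed clone: the 'install' also edits wp-config.php and drops an mu-plugin."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        write("wp-config.php", "<?php // original config\n")
        write("wp-content/index.php", "<?php // silence\n")
        before = snapshot(root)  # baseline taken before the install
        write("wp-content/plugins/sample-form/sample-form.php", "<?php // plugin\n")
        write("wp-config.php", "<?php // original config\n// appended line\n")
        write("wp-content/mu-plugins/loader.php", "<?php // dropped file\n")
        return diff_install(before, snapshot(root), "sample-form")


if __name__ == "__main__":
    for bucket, changes in demo().items():
        for kind, path in changes:
            print(f"{bucket:10} {kind:8} {path}")
```

Any entry in the unexpected bucket is a reason to hold the plugin on staging until the change is explained.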
This post was published in the Lockdown Ledger Telegram channel. You can subscribe via the link: @LockdownLedger.