Plugin Risk Classification SOP

QCK SOP

QCK WordPress Infrastructure & Dev Governance Framework

Version: 1.0
Owner: Dev Team
Required For: All template builds, CRO work, structural updates, plugin modifications

1️⃣ Purpose

The Plugin Risk Classification SOP ensures that WordPress plugins are evaluated for stability, compatibility, and maintenance risk before development begins.

Plugins can directly affect:

  • Template rendering
  • WooCommerce behavior
  • Permalink structure
  • Caching
  • SEO signals
  • Performance
  • Deployment stability

This SOP prevents:

  • Breaking legacy systems
  • Inheriting unsupported code risk
  • Unintended plugin conflicts
  • Developer liability for pre-existing instability

Every critical plugin must be classified before structural or template changes are implemented.

2️⃣ Classification Levels

Each plugin involved in layout, rendering, WooCommerce, SEO, performance, or core functionality must be assigned one of the following classifications.

🟢 Green — Stable & Supported

Criteria (all of the following):

  • Actively maintained (updated within the last 6–12 months)
  • Compatible with current WordPress and PHP versions
  • No critical vulnerability warnings
  • Clear documentation available
  • No heavy custom overrides

Examples:
WooCommerce (core), ACF Pro (current version), Yoast SEO, WP Rocket (current version)

Action:
Safe to build around. Proceed normally.

🟡 Yellow — Aging or Conditional Risk

Criteria (any of the following):

  • Infrequent updates
  • Minor compatibility warnings
  • Custom integration dependency
  • Limited documentation
  • Moderate known conflicts
  • Heavy customization

Action:
Proceed cautiously. Test in staging. Avoid structural refactors without full QA. Document dependency in summary.

🔴 Red — High Risk / Unsupported

Criteria (any of the following):

  • No updates in 12+ months
  • Incompatible with current WordPress
  • Abandoned by developer
  • Custom plugin without documentation
  • Hardcoded theme dependency
  • Obfuscated code
  • Critical legacy dependency
  • Known performance/security issues

Action:
Escalation required before structural changes. Client acknowledgment required. Strongly recommend replacement or controlled refactor.

3️⃣ Plugin Audit Checklist

For each critical plugin:

Plugin Name

_________________________

Version

_________________________

Last Updated

_________________________

  • Compatible with current WordPress version
  • Compatible with current PHP version
  • No known security vulnerabilities
  • No custom undocumented modifications
  • No template overrides conflicting with theme
  • No AJAX behavior interfering with rendering
  • No caching conflicts
  • No WooCommerce override conflicts
  • Documentation available

Classification

🟢 Green
🟡 Yellow
🔴 Red

Notes

_________________________
_________________________
_________________________

4️⃣ Red Escalation Process

If a plugin is classified as Red:

  • Document the risk in the Technical Discovery summary
  • Notify the AM before development proceeds
  • Determine impact scope across layout, WooCommerce, SEO, and performance
  • Present client options and align on next steps

  • Option A: Replace the plugin
  • Option B: Controlled refactor in staging
  • Option C: Proceed under Limited Infrastructure Scope

Dev must not modify unsupported plugin logic without staging and client acknowledgment.

5️⃣ Client Communication Template (For Red Classification)

Hi [Client Name],

During our technical review, we identified a plugin that is no longer actively maintained or presents compatibility risk.

Before proceeding with structural or template changes, we recommend evaluating one of the following paths:

  • Replace the plugin with a supported alternative
  • Refactor functionality in a staging environment
  • Proceed cautiously with limited-scope changes

Our goal is to protect performance and long-term stability.

We will proceed carefully and test thoroughly in staging.

Tone: Neutral. Professional. Protective. Not alarmist.

6️⃣ Special Attention Categories

These plugin types automatically require deeper scrutiny:

  • Caching plugins
  • Security plugins
  • SEO plugins with custom canonical logic
  • WooCommerce add-ons
  • Checkout modifications
  • Schema plugins
  • Performance “optimizer” bundles
  • Custom-built plugins without documentation

If multiple high-impact plugins exist, overall Plugin Risk Score increases.

7️⃣ Governance Rule

No structural template work should proceed without:

  • Classifying critical plugins
  • Identifying unsupported or high-risk dependencies
  • Documenting escalation if required

Plugin classification protects:

  • Dev
  • SEO integrity
  • CRO stability
  • Client outcomes

8️⃣ Integration With Master Risk Scoring

Plugin Risk Score contributes directly to:

Master Infrastructure Risk Score (TAB 8)

Green = 1
Yellow = 2
Red = 3

High plugin risk increases overall structural risk classification.
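The following script is an added worked example, not part of the SOP itself, showing how the Section 2 criteria, the Section 3 checklist and the Section 8 scores can be applied mechanically to a set of completed audits. It assumes the checklist is captured as the PluginAudit fields below (field names are this example's own), that any non-Red checklist failure yields Yellow, that the site-level Plugin Risk Score is the highest per-plugin score (the SOP fixes the per-plugin values but not the aggregation), and that the Section 6 category labels are the ones chosen here. The sample audit data is constructed: plugin names are taken from the SOP's examples, versions and dates are invented.

```python
from dataclasses import dataclass
from datetime import date

# Section 6 categories (labels are this example's own) and Section 8 scores.
SPECIAL_ATTENTION = {"caching", "security", "seo-canonical", "woocommerce-addon",
                     "checkout", "schema", "optimizer-bundle", "custom-undocumented"}
SCORE = {"Green": 1, "Yellow": 2, "Red": 3}


@dataclass
class PluginAudit:
    """One completed Section 3 checklist; a True boolean means the item passes."""
    name: str
    version: str
    last_updated: date
    wp_compatible: bool = True
    php_compatible: bool = True
    no_known_vulnerabilities: bool = True
    no_undocumented_modifications: bool = True
    no_template_override_conflicts: bool = True
    no_ajax_interference: bool = True
    no_caching_conflicts: bool = True
    no_woocommerce_override_conflicts: bool = True
    documentation_available: bool = True
    # Other Section 2 Red criteria the auditor records by name, e.g.
    # "abandoned by developer", "obfuscated code", "hardcoded theme dependency".
    red_flags: tuple = ()
    category: str = ""   # a SPECIAL_ATTENTION label, or "" for an ordinary plugin


def months_since(d: date, today: date) -> int:
    """Whole months elapsed between d and today."""
    months = (today.year - d.year) * 12 + (today.month - d.month)
    return months - 1 if today.day < d.day else months


def classify(p: PluginAudit, today: date) -> tuple[str, list[str]]:
    """Return (classification, reasons). Any single Red criterion makes the plugin
    Red; otherwise any remaining checklist failure makes it Yellow; a clean
    checklist is Green. The 12-month cut-off and the Red criteria are the SOP's;
    treating every other failure as Yellow is this example's assumption."""
    stale = months_since(p.last_updated, today)
    red = list(p.red_flags)
    if stale >= 12:
        red.append(f"no updates in {stale} months")
    if not p.wp_compatible:
        red.append("incompatible with current WordPress")
    if not p.no_known_vulnerabilities:
        red.append("known security issues")
    if not (p.documentation_available or p.no_undocumented_modifications):
        red.append("custom plugin without documentation")
    if red:
        return "Red", red
    yellow = [label for ok, label in (
        (p.php_compatible, "minor compatibility warning (PHP)"),
        (p.documentation_available, "limited documentation"),
        (p.no_undocumented_modifications, "heavy customization"),
        (p.no_template_override_conflicts, "template override conflict"),
        (p.no_ajax_interference, "AJAX rendering interference"),
        (p.no_caching_conflicts, "caching conflict"),
        (p.no_woocommerce_override_conflicts, "WooCommerce override conflict"),
    ) if not ok]
    return ("Yellow", yellow) if yellow else ("Green", [])


def plugin_risk_score(audits: list, today: date) -> dict:
    """Site-level Plugin Risk Score for TAB 8. The SOP fixes per-plugin scores but
    not how they combine; taking the highest per-plugin score is this example's
    assumption. Red plugins are flagged for the Section 4 escalation, Section 6
    categories for deeper review."""
    rows = []
    for p in audits:
        level, reasons = classify(p, today)
        rows.append({"plugin": p.name, "version": p.version, "classification": level,
                     "score": SCORE[level], "reasons": reasons,
                     "escalate": level == "Red",
                     "deep_review": p.category in SPECIAL_ATTENTION})
    return {"score": max((r["score"] for r in rows), default=0), "plugins": rows}


# Constructed sample audit: names from the SOP's examples, versions and dates invented.
TODAY = date(2025, 6, 1)
SAMPLE_AUDIT = [
    PluginAudit("woocommerce", "9.0.0", date(2025, 5, 12)),
    PluginAudit("wp-rocket", "3.0.0", date(2025, 4, 20), category="caching"),
    PluginAudit("legacy-checkout-tweaks", "1.2", date(2023, 11, 3),
                documentation_available=False, no_undocumented_modifications=False,
                category="checkout"),
    PluginAudit("schema-helper", "2.0", date(2024, 12, 15),
                no_caching_conflicts=False, category="schema"),
]

if __name__ == "__main__":
    report = plugin_risk_score(SAMPLE_AUDIT, TODAY)
    for r in report["plugins"]:
        flags = ("ESCALATE " if r["escalate"] else "") + ("DEEP-REVIEW" if r["deep_review"] else "")
        print(f"{r['plugin']:<24}{r['classification']:<8}{flags:<20}{'; '.join(r['reasons'])}")
    print("Plugin Risk Score (TAB 8):", report["score"])
```

Run as a script it prints one line per plugin with its classification, escalation and deep-review flags and the reasons behind the rating, then the site-level score for TAB 8. Keeping the reasons alongside the rating is what makes the Section 4 escalation note and the Section 5 client message easy to write, since both need to state why a plugin was rated Red rather than only that it was.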