How can we deal with unmaintained plugins with vulnerabilities?

One of the contributing factors to the use of old, outdated and broken plugins is the website owners themselves. A lot of websites get abandoned; their owners are not informed enough, or interested enough, to spend some time researching an alternative plugin, or even just to keep WordPress (or any other CMS) updated and secured. So many websites are stuck in a loop: they run an old WordPress because some plugin that has not been updated for 5 or 6 years will not work with a new WordPress. Running an old WordPress together with these unmaintained plugins is an open door to all sorts of attacks.

I know that replacing one plugin with another is not easy, but leaving a website vulnerable for 5 or 6 years (or 9, as with the Ultimate Google Analytics plugin) is plainly irresponsible behaviour on the part of the website owner. In all that time there was surely enough time to do a bit of research, replace one plugin with another, and keep WordPress up to date and secured.

  1. WordPress.org should remove all plugins and themes that have not been updated in over 5 years (or 3 or 6, whatever is agreed), and that have not been tested with the last 7 or 8 major WordPress versions. There is currently no consensus on what to do about this problem, and we always hear how WordPress.org has 20,000 plugins (or whatever the number is right now), but no one is telling the truth: only 10% of those are active plugins.

  2. WordPress.org needs a dedicated area listing all known plugin vulnerabilities, so that website owners can search a single location to determine whether the plugins they use are vulnerable. Such a list is not easy to maintain, but it has to be done to inform users about the security problems that come from using old and outdated plugins.

  3. Website owners need to be active in maintaining their websites. Every website requires a proactive approach to keep it up to date, fast, and secure. A lot of website owners take all that for granted, and later complain that they got hacked, forgetting that they did nothing to prevent it.

  4. Research is the key when picking plugins: for any task there are hundreds of plugins, both free and commercial. In many cases commercial plugins are a safer bet, because the plugin authors get paid and so have a monetary incentive to keep updating their plugins and keep them secure. I am not saying to always use commercial plugins, or that they are always better (they are not), but that is where the research comes into play. Make a list of the features you need, find free and commercial plugins that offer them, and compare their release cycles, features, and support from the authors. Do not use free or commercial plugins that are not supported by their authors or are not regularly updated.
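The two criteria from point 1 (no update in N years, not tested with the last M major WordPress releases) can be checked mechanically during the research described in point 4. The following is an added example, not code from the original post: it assumes plugin records shaped like the `last_updated` and `tested` fields of the WordPress.org plugin info API, but the records below are constructed sample data, and the major-version counter is a simplifying assumption about how WordPress numbers its releases.

```python
"""Flag plugins that look abandoned by two rules: no update in `max_years`,
or a 'tested up to' version older than the last `majors_window` major releases."""
import json
from datetime import date

# Constructed sample records (slugs and values made up for this example),
# shaped like the `last_updated` / `tested` fields the plugin info API returns.
SAMPLE_PLUGINS = json.loads("""[
  {"slug": "example-stale-analytics", "last_updated": "2010-03-14 1:02pm GMT", "tested": "2.9.2"},
  {"slug": "example-kept-forms",      "last_updated": "2024-05-01 9:30am GMT", "tested": "6.5.2"},
  {"slug": "example-slow-gallery",    "last_updated": "2021-01-20 4:15pm GMT", "tested": "5.6"},
  {"slug": "example-untested",        "last_updated": "2023-11-02 8:00am GMT"}
]""")
AS_OF = date(2024, 6, 1)   # assumed "today" so the example is reproducible
CURRENT_WP = "6.5"         # assumed current major release at that date

def major_index(version):
    """Map a version string to a running count of major releases.
    Assumes majors step 4.9 -> 5.0 ... 5.9 -> 6.0, so '6.5.2' -> 65, '5.6' -> 56.
    Returns None when the value is missing or unparseable."""
    try:
        major, minor = (int(p) for p in version.split(".")[:2])
    except (AttributeError, ValueError):
        return None
    return major * 10 + minor

def years_since_update(last_updated, today):
    """`last_updated` looks like '2010-03-14 1:02pm GMT'; only the date part matters."""
    return (today - date.fromisoformat(last_updated.split(" ")[0])).days / 365.25

def assess(plugin, today, current_wp, max_years=5, majors_window=8):
    """Return the reasons a plugin fails the maintenance test (empty list = looks maintained)."""
    reasons = []
    stale = years_since_update(plugin["last_updated"], today)
    if stale > max_years:
        reasons.append(f"last update {stale:.1f} years ago")
    tested, current = major_index(plugin.get("tested")), major_index(current_wp)
    if current is None:
        raise ValueError(f"cannot parse current WordPress version {current_wp!r}")
    if tested is None:
        reasons.append("no 'tested up to' version declared")
    elif current - tested >= majors_window:   # not among the last `majors_window` majors
        reasons.append(f"tested up to {plugin['tested']}, {current - tested} majors behind {current_wp}")
    return reasons

def flag_abandoned(plugins, today, current_wp, **limits):
    """Return {slug: reasons} for every plugin that fails at least one rule."""
    flagged = {p["slug"]: assess(p, today, current_wp, **limits) for p in plugins}
    return {slug: why for slug, why in flagged.items() if why}

if __name__ == "__main__":
    for slug, why in flag_abandoned(SAMPLE_PLUGINS, AS_OF, CURRENT_WP).items():
        print(slug, "->", "; ".join(why))
```

Point the same check at real plugin records and it becomes a quick first filter before the feature and support comparison; a plugin with no declared "tested up to" version is treated as failing rather than unknown.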

I could go on, but the gist of it is: do your research before using any plugin, prepare for the eventuality that you will need to switch from one plugin to another, and set aside time for that.