How To Secure a WordPress Plugin You Use
Are you concerned a WordPress plugin you use is insecure? Maybe there is a claim that it contains a vulnerability? Let’s walk through some important elements of understanding what you need to know about the possible insecurity and how it can be addressed.
If you have additional questions that haven’t been answered below or want to add something, leave a comment below.
Is there even a vulnerability?
A significant portion of the claims of vulnerabilities in WordPress plugins these days are false. This is an area where things have gotten worse in recent years. Not only has the quantity of false claims increased greatly, but they now have a more professional look to them and are being spread by many in the WordPress security industry who are widely, but wrongly, trusted.
What this calls for is vetting the claims carefully. If you can’t do that yourself, then finding someone who can do that for you is important.
This is an area where we can help. We carefully vet any claim before adding it to our data set. That means we have less data than other providers, but much more accurate data.
Has the vulnerability been fixed?
A big, big problem that we see is that often vulnerabilities haven’t actually been fixed. The developer thinks they have been fixed and says so. Data providers other than us often simply assume if the developer says that a vulnerability has been fixed, that it has been fixed. Then other data providers simply copy other providers’ incorrect claims. So you have a bunch of groups saying it has been fixed, and it hasn’t. In the worst case scenario, that can lead to a lot of websites being hacked, as happened last year.
Again, this calls for vetting claims carefully. If you can’t do that yourself, then finding someone who can do that for you is important.
And again, this is an area where we can help. We actually vet the fixes to make sure that not only has the vulnerability been fixed, but that there are not any similar issues in the plugin that still haven’t been resolved (that often is an issue as well).
Can you ignore an unfixed vulnerability?
While it is obviously better to not use plugins with known vulnerabilities, depending on the particulars of a vulnerability, it can be safe to ignore the vulnerability. If, say, the vulnerability only allows someone logged in to WordPress as an Editor to do something they shouldn’t and you don’t have any users with that role, you are not at risk. The problem with ignoring vulnerabilities is what can happen if there is inaccurate information about the risk. You might not be at risk if the claims made about it are true, but if they are not, you can be at risk. So ignoring vulnerabilities should only be done if you are sure that you know what the real risk of it is.
Fixing an unfixed vulnerability
The best option is for the developer of a plugin to fix a vulnerability. But what if they are not doing that, or at least not doing that in a timely manner? While some vulnerabilities are complicated and hard to fix, most are easy to fix if you know what you are doing. Someone familiar with proper handling of the security of plugins shouldn’t have a hard time doing that for you, if you don’t know how.
With our service, we are always available to provide fixes for unfixed vulnerabilities in WordPress plugins.
Getting a security review to check for insecurity
The best way to determine if a plugin is insecure is to have a comprehensive security review done. Good options for getting that done seem limited.
We do that type of review. We are the only ones that we are aware of that have done reviews and released results that can be vetted. We have only run across one other provider who claimed to have done reviews. They didn’t provide any evidence of that, beyond vague testimonials. We also have yet to find anyone offering reviews that provide any details as to what the review would check for. We have run across some offering reviews when we went to contact them about security issues in their own plugins.
We would recommend only hiring someone if they have results they publicly show of previous reviews and they provide detailed information on what they check for. If you find another provider that has those things, we would love to know about that.
You might be better off with a different plugin
One of the unfortunate realities of the WordPress plugin space is that there are developers, including some high profile ones, who don’t really care about security, or for some other reason are incapable of securing their plugins. WordPress itself isn’t taking action to address that. So the problem continues. With those developers, the best solution is to avoid their plugins. Even if you get a security review done and all the issues are addressed, the developer can start making changes to the plugin that make it insecure again. That can happen with any plugin, but if the developer has a track record of doing that, then you should have a much greater expectation of it happening.
We release advisories for plugin developers that we have run across repeatedly having problems that show an incapability to secure their plugins.