11 Month Wait for Security Fix for WordPress Plugin Highlights Value of Checking if Developers Are Supporting Plugins
In August of last year, we found that an update to a plugin that comes directly from WordPress, Health Check & Troubleshooting, had introduced a couple of minor security issues. We reported them to the developers through the plugin’s GitHub project at the time. They finally responded and addressed them last week. That is not a good response time, but it isn’t all that surprising given how little support the plugin receives despite having 300,000+ active installs. That lack of support ties into something we are now measuring with our new Plugin Security Scorecard.
With our Plugin Security Scorecard, we are trying to provide an at-a-glance way to get a reasonable idea of how security is handled with a WordPress plugin. As we noted last week, an inspiration for that is the OpenSSF Scorecard, which tries to do a similar thing across a much wider spectrum of software. What that scorecard seems to lack is evidence that the components of the score (and therefore the overall score) are actually useful in assessing the security of software. With our own solution, we want to make sure the grading is based on information that is actually useful. That brings us back to Health Check & Troubleshooting.
One thing we check with WordPress plugins is whether the plugin has been marked as compatible with a new major version of WordPress within a month of that version’s release. The thinking is that this gives some idea of whether the developer is supporting the plugin and, if a security issue were reported to them, whether they are likely to respond in a timely manner, since marking a plugin as compatible takes very little effort. With this plugin, we know the developers are not responding in a timely manner, as it took them 11 months to address the issues we reported. So how have they done with marking the plugin as compatible with new versions of WordPress?
Alongside fixing the security issues we reported to them and other issues, they marked the plugin compatible with WordPress 6.6. That occurred nine days after it was released. The plugin was never marked as being compatible with WordPress 6.5, which was released on April 2. With WordPress 6.4, they marked it as compatible 42 days after the new version was released.
WordPress prominently features 10 plugins as Featured plugins (it’s unstated why these plugins are featured, or why two commercial plugins from one developer are included). Health Check & Troubleshooting is one of those plugins. Four of the remaining nine still haven’t been marked as compatible with the new version of WordPress, two weeks after its release.