How the Plugin Security Scorecard Grades a WordPress Plugin’s Security

With any security scoring system, how the score is calculated is important to understand. With a previous system for scoring the security of WordPress plugins, which had a black box scoring system, we found that a plugin known to be vulnerable was claimed to pose no risk. Our scoring is not a black box and is simple enough to easily understand. You might even call it a bit crude.

Every plugin starts with an A+ grade, and the grade is lowered if there are issues the tool is aware of. Two issues lead to an F grade automatically: the latest version of the plugin is known to be vulnerable, or an advisory has been released warning that the developer has a track record of either not being able to handle security properly or not bothering to do so. Many vulnerabilities in WordPress plugins are not likely to be exploited, but if the developer isn’t fixing known vulnerabilities, that is a good reason not to use the plugin until that is addressed.

For all other issues that are identified, there is one demerit per issue. So if there is one issue, the grade is lowered to an A, and if there are two, it is lowered to a B+. Not all identified issues are of the same concern, and some identified issues could be caused by one instance of the issue or many, but we don’t feel that trying to weight issues is a great idea at this time, as it creates the appearance of more nuance in the grading but might produce results that are skewed in ways that don’t ultimately make a lot of sense.
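To make the rules above concrete, here is an added example implementation of the grading logic (not the scorecard’s own code). It assumes a constructed finding schema, constructed issue names, and a grade ladder whose steps beyond B+ (B, C+, C, D+, D, F) are an assumption, since the post only fixes the first three steps and mentions C, D and F.

```python
from dataclasses import dataclass

# Grade ladder for demerits. The post fixes 0 -> A+, 1 -> A, 2 -> B+ and
# mentions C, D and F; the intermediate steps are an assumption of this example.
GRADE_LADDER = ["A+", "A", "B+", "B", "C+", "C", "D+", "D", "F"]

# The two findings that lead to an automatic F (keys are constructed names).
AUTOMATIC_F = {
    "latest_version_vulnerable": "latest version is known to be vulnerable",
    "developer_advisory": "advisory warns about the developer's security track record",
}


@dataclass(frozen=True)
class Finding:
    """One scanner finding (constructed schema, not the scorecard's own)."""
    issue: str          # issue type; many instances of one issue still count once
    location: str = ""  # file or function where it was seen


def score_plugin(findings):
    """Apply the scorecard rules: automatic F if either disqualifying finding
    is present, otherwise one demerit per distinct issue type."""
    issues = sorted({f.issue for f in findings})
    for key, reason in AUTOMATIC_F.items():
        if key in issues:
            return {"grade": "F", "demerits": None, "reason": reason, "issues": issues}
    demerits = len(issues)
    grade = GRADE_LADDER[min(demerits, len(GRADE_LADDER) - 1)]
    return {"grade": grade, "demerits": demerits, "reason": None, "issues": issues}


# Constructed sample findings for three hypothetical plugins.
CLEAN = []
TWO_ISSUES = [
    Finding("missing_nonce_check", "admin/settings.php"),
    Finding("missing_nonce_check", "admin/import.php"),  # same issue, counted once
    Finding("unescaped_output", "templates/list.php"),
]
UNFIXED = TWO_ISSUES + [Finding("latest_version_vulnerable")]

if __name__ == "__main__":
    for name, findings in [("clean", CLEAN), ("two issues", TWO_ISSUES), ("unfixed", UNFIXED)]:
        print(name, score_plugin(findings))
```

Because demerits are counted per distinct issue type, the two nonce-check locations in the sample still cost only one grade step, matching the post’s choice not to weight by instance count.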

That leads to a scoring system where it is possible that a plugin with a C grade is more secure than one with a D grade, but with a wider gap between two plugins it is less likely, though certainly possible, that the lower-scored plugin is the more secure one.

Focusing on the grade alone is probably not a good idea. Instead, we would recommend considering both the grade and what issues have been identified when deciding whether to use or to continue using a plugin. If you don’t have a good understanding of the issues identified, someone with a background in handling WordPress security would be able to assess their implications for your website. Of course, the best option for any plugin with less than an A+ grade is for the developer to address the issues and get the grade up. So reach out to the developer and let them know there are identified issues with the security of their plugin that they should address.