When it comes to trying to determine whether WordPress plugins are secure, there is a lot of bad advice out there, much of it coming from security providers who either don't care about the truthfulness of what they are saying or are outright dishonest. That makes it all the more important for us to ensure that our Plugin Security Scorecard does the best job possible of counteracting that by providing useful security grades for plugins. To help us accomplish that, we are doing research to make sure that the criteria we use in the grades make sense and to find new criteria that further improve the grading. We are publishing details of our findings on our blog. You can read about our findings in the following posts:
- WordPress Plugins With at Least 150,000+ Installs Using Versions of Third-Party Library With Recently Disclosed Security Vulnerabilities
- It’s Very Common For Libraries Used in WordPress Plugins to Not Have a Security Policy on GitHub on How to Report Security Issues
- 600,000+ Install WordPress Plugin MetaSlider Still Using Vulnerable Version of Library 17 Months Later
- WordPress Documentation Doesn’t Warn About Security Risk of maybe_unserialize()
- Unaddressed WordPress Security Issue Behind Recent “Critical” Vulnerability in 100,000+ Install Plugin
- WordPress Coding Standards is Failing to Warn About Missing Sanitization and Requiring Unnecessary Sanitization
- Freemius Still Hasn’t Resolved All the Security Issues in Their SDK Library
- Developer of Limit Login Attempts Reloaded Admits Brute Force Attacks Are Not Happening
- CleanTalk Isn’t Doing Real Security Reviews of WordPress Plugins and Their Plugin Contains Vulnerabilities
- WordPress is Telling People to Report Security Issues Through a Bug Bounty Program That Doesn’t Accept Many of Them
- 11 Month Wait for Security Fix for WordPress Plugin Highlights Value of Checking if Developers Are Supporting Plugins
- Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins Matter?
- Popular WordPress Plugins Get Low OpenSSF Scorecard Security Scores, But Does it Matter?
- WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy
- WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them