Below are the results of the most recent time the plugins Security Ninja and Security Ninja were graded through the Plugin Security Scorecard.
Checked on August 9, 2024Grade for Security Ninja:
Issues the Plugin's Developer Should Address:
- Version 5.200 of the plugin contains a known vulnerability, which is in Plugin Vulnerabilities' data set. (Sign up for free to get access more information on the vulnerability.)
- The plugin contains a version of the third-party library Freemius that the contains a privilege vulnerability. If the library is active in the plugin, then the plugin is also vulnerable.
- The plugin doesn't contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
- The plugin isn't listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.
- It is being claimed by a security provider that the plugin's developer is redirecting attempts to report security issues to a third-party. That third-party is known to not properly handle vulnerabilities and mislead others, including developers, into believeing they have been fixed when they haven't. And that third-party also doesn't accept reporting all security issues, leading to nowhere to report many security issues. It is important for developers to have their own mechanism for reporting security issues to them. The European Union's Cyber Resilience Act will require developers to provide a direct contact.
- The plugin blocked less than half of the exploit attempts from the Plugin Vulnerabilities Firewall regression testing suite the last time the plugin was tested, so it missing a lot of the protection it could, and another plugin is, offering.
- The plugin is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.
- The plugin isn't providing a warning that its information on vulnerabilities in WordPress plugins is unreliable because it comes from a source known not to properly vet the information. That lack of vetting can lead to situations where a "fixed" vulnerabilty is subsequently widely exploited because there wasn't really a fix.
View the rest of the scorecard for Security Ninja.
Checked on November 12, 2024Grade for Sucuri Security:
Issues the Plugin's Developer Should Address:
- The plugin doesn't contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
- The plugin isn't listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.
- The plugin isn't listing in a security.txt file where a software bill of materials (SBOM), which provides information on what third-party software is included in the plugin, can be found. That limits the ability to access the security of that third-party software.
- The plugin is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.
- The plugin is spreading misleading information about brute force attacks against WordPress websites, which are not actually happening, and causing the WordPress community to not focus on real security threats.
View the rest of the scorecard for Sucuri Security.
Highest Graded Security Plugins
GD Security Headers B
HTTP Headers B
Malcure Malware Scanner B
Blackhole for Bad Bots C+
Limit Login Attempts Reloaded C+
Magic Login C+
Mythic Cerberus C+
Jetpack VaultPress C+
Headers Security Advanced & HSTS WP C
Limit Login Attempts C
About the Scorecard
The Plugin Security Scorecard grades plugins' handling of security based on data coming from the Plugin Vulnerabilities service, checking over the contents of the plugin, the WordPress.org API, and data generated specifically for the tool. It provides a useful, but incomplete, understanding of the security posture of the plugin and its developer. All the issues identified are ones that the developer of the plugin has the ability to address to get the grade of the plugin up to an A+.
Grades are calculated based on issues with any of the following:
- Plugins known to be vulnerable
- Plugin developers with track records of improperly handling security problems
- Security issues in the plugin that can be detected in an automated fashion
- Issues with the developer's developerment processes that suggest that their could be problems with security
- Plugins making unsupported, misleading, and false claims about their handling of security and the handling of security with WordPress
We are working to expand and refine the tools' ability to provide a good measure of plugins' security status. If you are aware of an additional security concern with this plugin that isn't represented here, please contact us. Other feedback on the tool is also welcome.
If you want a comprehensive understanding of the security of the plugin, a well-done security review is really needed to provide that.
Check Another Plugin
Check Plugin Not in WordPress Plugin Directory
Subscribers of our service can submit ZIP files of plugins that are not in the WordPress Plugin Directory to have them checked. (Not all issues can be checked for with uploaded plugins, as they require data not available with just the plugin's files.) You can sign up for the service for free here. For existing subscribers, once you are logged in to your account, return to this page to access that functionality.
The results of these gradings will not be stored.