When we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, one of the future enhancements we mentioned we were looking into was making the results available through our service’s companion plugin. After thinking it over we decided it would be better to create a separate plugin for that, so that way websites that use that the existing plugin that don’t have an interest in that functionally are not increasing the amount of code on their website and alongside that, the increased security risked that creates (that is something that makers of a lot security plugins look to have not considered in throwing in lots of different functionality in a single plugin, maybe not surprisingly there have been plenty of security vulnerabilities found in security plugins).
As of this morning our new Plugin Security Checker plugin has been included in the Plugin Directory, and can be directly installed in WordPress or downloaded from the plugin Directory.
Once the plugin has been activated you can access the results in one of two locations. On the Add Plugins page when the More Details link is clicked there will be a new tab which shows the results:
On the Installed Plugins page there is a new link added to check the results:
What seems like it is the most useful feature of the plugin is that when checking plugins that are not in the Plugin Directory (which is something available to those using our service), the plugin automates zipping up that plugin and sending it to the tool. That functionality may have issue in some hosting setups, as despite WordPress providing numerous functions for making connections to other websites, none of them seem to have a native capability for handling sending files with them. After looking at a number of approaches we went with one that seems like it should we widely compatible, as opposed to some others that are limited to certain PHP versions, but if you run into any issues with that please let us know so that we can improve that.
While making it easier to access the results, especially for plugins that need to be uploaded, there is some downside in that as based on some of the submissions to the tool some people couldn’t grasp entering the address of a plugin in the Plugin Directory and it would seem more likely that those people would misuse the results of the tool.
Additional Functionality Coming
At the end of last week we announced a new Developer Mode for the tool, which provides of the details of issue identified by the tool and does some additional checks that are more likely to identify harmless code. That functionality isn’t currently accessible through the plugin as we are still firming up the presentation of that information, but we plan on adding it shortly. We also have a major additional feature that we plan on introducing to the tool shortly that also will be delayed in coming to the plugin so that we have time to firm that up before putting in a plugin that we can’t instantly update like we can the tool.
If you have interest in something else being added to the plugin or the tool, please leave a comment below or contact us.