3 Sep 2019

Two Additions to Our Security Reviews of WordPress Plugins

Like everything else we do, we are always looking for ways to improve the security reviews of WordPress plugins that we do, both as part of our main service and as a separate service. In our recent reviews we have been trying out the following two additional checks:

  • Security issues with functions accessible through the admin_post action
  • Security issues with usage of the extract() function
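To illustrate what those two checks look for, here is an added example (not code from the post or from any reviewed plugin; the plugin name, hook names and option name are hypothetical). It shows an `admin_post` handler as such handlers are commonly written, with an `extract()` call on the request, and then the hardened form a review would expect to see.

```php
<?php
// Added illustration: the two patterns the review checks for, first as they are
// commonly found and then in a hardened form. All names are hypothetical.

// 1. admin_post handler with no capability or nonce check. admin_post_* hooks run
//    for any logged-in user, so a subscriber-level account can reach this function.
add_action( 'admin_post_myplugin_save', 'myplugin_save_unchecked' );
function myplugin_save_unchecked() {
    $allowed = current_user_can( 'manage_options' );
    // 2. extract() turns every request key into a local variable. A request that
    //    carries "allowed=1" silently overwrites the capability result computed above.
    extract( $_POST );
    if ( empty( $allowed ) ) {
        wp_die( 'Not permitted.' );
    }
    update_option( 'myplugin_setting', $setting );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// Hardened form: capability and nonce are checked up front, and every input is read
// explicitly from $_POST and sanitized, so the request cannot introduce or overwrite
// any local variable.
add_action( 'admin_post_myplugin_save_safe', 'myplugin_save_checked' );
function myplugin_save_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not permitted.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save' ); // dies unless the form's nonce is valid
    $setting = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'myplugin_setting', $setting );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// The settings form that posts to the hardened handler must emit the matching nonce:
// wp_nonce_field( 'myplugin_save' );
```

In a review, the first thing checked for each `admin_post_*` handler is whether it verifies a capability and a nonce before acting, and for each `extract()` call whether its input comes from the request.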

Based on what we have seen with those (some of which relates to a widespread security issue that we will be discussing soon, in the context of one of the reviews whose results we will be releasing), we have now added both checks to our standard roster of items being checked.

That isn’t the only recent improvement made to our reviews. We have been making a number of refinements to our handling of existing checks, which have allowed us to produce better results for those checks. We have also recently made a lot of improvements to what our Plugin Security Check tool can detect, and since the possible issues it flags get checked during our reviews, the amount of possibly insecure code covered by our reviews is increasing as a result.

Improved Pricing

We have also recently improved the pricing of the review service. Previously we based the price on the number of lines of code in the plugin, which usually mapped closely to the amount of work needed for the review, but some plugins had a lot of code and little of it that would actually be reviewed. We have now changed to basing the price on how many instances of the things we check during the reviews occur in the plugin’s code. Alongside that, the pricing is now more variable, with the lowest price being significantly lower than it was before.

The practical impact of that can be seen with a plugin that we are in the process of reviewing after a customer selected it, where the price would now be only a fifth of the price under our old pricing structure.

For other plugins the price will increase, sometimes significantly, because there was previously a ceiling on the price. For two paid reviews whose results we will release once there has been a chance to resolve the issues found, the price paid was lower than it would be now.
