What Should You Look For in a WordPress Plugin Security Reviewer?
Previously, we discussed why WordPress plugin developers should have a security review of their plugin done and when it would be a good idea to get another one. That raises another question: how should you pick someone to do a review of your plugin?
That is an important consideration. When we have contacted plugin developers about security vulnerabilities in their plugins, we have found that some of those same developers were offering to do security reviews. That they haven't even secured their own plugins seems like a good indication they wouldn't be the right ones to review other plugins.
The problem in answering that question is that we are not aware of anyone other than ourselves who has done a review and publicly released the results. The closest we have seen is a WordPress security provider, known for lying constantly, putting forward vague testimonials for claimed reviews. So it is impossible to assess the quality of results you might get from someone other than us. That matters, since the security industry is full of scammers (intentional and otherwise), so you have to be very careful to avoid being taken advantage of.
Our recommendation would be to start by looking for someone who can show the results of previous reviews. Beyond that, ask what they are actually going to check during the review. With our reviews, we check for instances of serious vulnerabilities that hackers are known to exploit, for failures to do basic security (which often lead to serious vulnerabilities), and for security issues that are often incorrectly labeled as vulnerabilities. If someone says they are going to check for the OWASP Top 10, you should probably look elsewhere. The OWASP Top 10 is a list of broad web application risk categories, not a concrete set of checks, so naming it tells you nothing about what will actually be looked at, and in our experience it is often cited in situations where it wouldn't make sense, which is a red flag that someone is a scammer.