3 Jan 2025

Locking Down Security With WooCommerce Plugins Involves Assessing Its Security, Not Unrelated Things Like When It Was Last Updated

We just soft launched a new option for searching for WordPress plugins. As part of making sure we produced the best tool we can, we revisited another option launched last year, Ploogins, which we mentioned back in September. While looking more into that, we ran across a post from the company behind it promoting it, which also gives some really bad advice on assessing the security of WooCommerce extending plugins. Here is the most relevant portion:

Locking Down Security

Security is a big deal. A bad plugin can open the door to hackers, malware, and other nasty stuff. Here’s how to keep your site locked tight:

  1. Check the Plugin’s Street Cred: Look up reviews, ratings, and feedback from other users. Make sure the plugin and its developer have a good reputation. If there have been security issues in the past, steer clear.
  2. Regular Updates: Plugins need to be updated regularly to patch security holes and stay compatible with the latest WordPress version. Check how often the plugin gets updates and whether the developer is committed to keeping it secure.
  3. Support Squad: Good support is a lifesaver when things go wrong. Look for plugins with a dedicated support team and an active community. You want to know help is there when you need it.
  4. Clean Code: Well-written code is less likely to have security flaws. Check if the plugin follows WordPress coding standards and best practices. Clean code means fewer headaches.

By keeping these security tips in mind, you can protect your WooCommerce site and your customers’ data.

At one point it states that “[i]f there have been security issues in the past, steer clear.” That would mean not using WooCommerce itself, since it has had security issues in the past. That also makes another piece of advice nonsensical, as they state that plugins need to be “updated regularly to patch security holes.” You wouldn’t need to update the software to patch security holes unless there was a security issue in the first place.

We can’t emphasize enough that the frequency of updating isn’t a way to measure the security of a plugin. Every update is a chance to introduce a security vulnerability. If a developer is very frequently releasing updates, it wouldn’t be surprising if those updates are not getting thorough reviews before going out.

Other advice there isn’t backed up with any evidence. For example, under the heading Clean Code, it states that “[w]ell-written code is less likely to have security flaws.” Is that true? We are not aware of any data that would back that up, and we have seen clean code that is very insecure and code that is a mess that is secure.

The support item doesn’t make sense, as that would only come into play if you have already been hacked, but this is supposed to be advice to stop that from happening. It also doesn’t make sense because if you are hacked, then support from the developer of a random plugin isn’t going to be all that helpful. You actually need help from a security provider.

We could go on.

The best way to assess the security of a WooCommerce extending plugin, or any other WordPress plugin, would be to get a security review done. That way you know if it is actually secure or not. That will cost some money, but in many cases not much. Short of that, a free option would be to look to tools that can provide information on how security is handled in a plugin.

(The company behind Ploogins, Sirvelia, develops plugins, but doesn’t appear to have had their security independently tested to assure they are secure. That might explain their reluctance to suggest things that would determine if plugins are really secure and might show problems with their own plugins.)

We had reached out to the Ploogins team in September about enriching their search results with additional information on plugin security. We never received a response. To give some idea of what that leads to, compare the results for a 6+ million install plugin in Ploogins and in our tool. Ploogins’ information is months out of date, but even if it were up to date, everything would look good:

By comparison, our search shows it has a poor security grade and that a security advisory has been released warning about the plugin developer’s repeated security problems:

That undersells things a bit, as the grade is from August. If the plugin was re-graded now, it would have an F grade.

For those looking for WooCommerce extending plugins, they can check our search tool’s option for searching among plugins that extend WooCommerce. With that, they can get warnings for various known security issues in plugins, see existing security grades for plugins, and get grades for plugins that have yet to be graded.
