Our Plugin Security Scorecard Now Supports Checking ClassicPress Plugins
While the WordPress fork ClassicPress has gotten renewed attention with what has been going on with WordPress recently, we have had efforts related to the security of its plugins for years. Back in 2021, we started doing proactive monitoring to try to catch serious vulnerabilities in plugins that were in the ClassicPress plugin directory. Alongside that, we ran the plugins through our Plugin Security Checker, which led to us detecting a less serious vulnerability. The developer promptly fixed the issue, which isn’t something we can say that often with WordPress plugins.
Last year we introduced a new tool, the Plugin Security Scorecard, which seeks to provide a better understanding of the security of WordPress plugins, as well as to promote developers implementing better security practices. The tool continues to highlight the poor state of even some of the most popular WordPress plugins. Last week, for example, a 1+ million install plugin was run through the tool and found to contain a version of a third-party library that had been known to be insecure for nearly three years.
Up until now, you couldn’t directly check ClassicPress plugins through the tool. Customers of our service do have the option to check an uploaded plugin, which could be used to check ClassicPress plugins. In addition to requiring additional steps, that option doesn’t include all the checks that are done when we are pulling information about a plugin from a directory. As part of our continued effort to support alternatives to the “drama” surrounding WordPress, we have implemented support for ClassicPress. Now checking a plugin from that directory is as simple as starting to type in the name or slug of the plugin and selecting the relevant plugin.