March was the eighth full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 140 plugins were checked last month. With 8 of those plugins being security plugins.

The overall results were not great. No plugins got an A+, A or B+. Those three grades require the developer is taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 36 of the plugins did get a B, which requires that they are avoiding unnecessary security issues.

20 plugins got an F grade. Among them is a plugin with 700,000+ installs that has been publicly known to be vulnerable since June 2022. Another F grade was for a plugin from WP Engine, which heavily promotes itself as being good at security, where WP Engine has known that it is vulnerable since at least October, but still hasn’t addressed the vulnerability.

Latest Security Scorecard Grades for WordPress Security Plugins

• WP SSL Redirect     C+
• Limit Login Attempts Reloaded     C
• BBQ Firewall     D+
• Magic Login     D
• NinjaFirewall (WP Edition)     D
• Patchstack     D
• Wordfence Security     F
• WPScan     F

Latest WordPress Plugin Security Scorecard Grades

• a3 Lazy Load     B
• Accessibility New Window Warnings     B
• Ads.txt Manager     B
• All in One Accessibility     B
• Accessibility by AllAccessible     B
• Cachify     B
• Cookies and Content Security Policy     B
• Current Year Shortcode VICT     B
• Custom Sitemap Generator     B
• Disable WP REST API     B
• Drag and Drop Multiple File Upload for Contact Form 7     B
• Firelight Lightbox     B
• Fast Velocity Minify     B
• FileBird     B
• GA Google Analytics     B
• Gmap     B
• Gravity Forms CLI Add-On     B
• GTranslate     B
• Hostinger Tools     B
• HT Easy GA4     B
• 3D FlipBook     B
• Mailchimp for WooCommerce     B
• MC4WP: Mailchimp for WordPress     B
• MapPress Google Maps and Leaflet Maps     B
• MouseWheel Smooth Scroll     B
• Meta pixel for WordPress     B
• Page Restrict for WooCommerce     B
• Plugin Notes Plus     B
• Payment Plugins for PayPal WooCommerce     B
• Rate My Post     B
• Structured Content     B
• Termageddon + Usercentrics     B
• WP Accessibility     B
• WP Meteor Website Speed Optimization Addon     B
• WP Performance Pack     B
• Perfect Images     B
• Equalize Digital Accessibility Checker     C+
• Accessibility Lite     C+
• Advanced Custom Fields (ACF)     C+
• Beautiful Cookie Consent Banner     C+
• Best Youtube Video LazyLoad     C+
• BetterLinks     C+
• Blocks Export Import     C+
• WP Booking Calendar     C+
• Breeze     C+
• Calendar     C+
• Classic Editor     C+
• Contact Form 7: Accessible Defaults     C+
• Simple Custom CSS and JS     C+
• Date Time Picker for Contact Form 7     C+
• ReachShip WooCommerce Multi-Carrier & Conditional Shipping     C+
• Equalweb Accessibility     C+
• GN Publisher     C+
• Site Kit by Google     C+
• Header Footer Code Manager     C+
• ThumbPress     C+
• Lazy Embed     C+
• Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)     C+
• Menu Image, Icons made easy     C+
• Merge + Minify + Refresh     C+
• MetForm     C+
• Push Notifications by LaraPush     C+
• Speed Optimizer     C+
• Stackable     C+
• Accessibility by UserWay     C+
• Web Push Notifications     C+
• Widget Options     C+
• WP Media File Type Manager     C+
• wpDataTables     C+
• Xagio SEO     C+
• Accessibility     C
• Accessibility by AudioEye     C
• AccessibleWP     C
• Timely All-in-One Events Calendar     C
• All-in-One Video Gallery     C
• Bold Page Builder     C
• Bulk Post Update Date     C
• Sliding Cart for WooCommerce by FunnelKit     C
• Constant Contact Forms     C
• Depict     C
• DJ-Accessibility     C
• Easy Media Replace     C
• Enable Media Replace     C
• WCAG 2.0 form fields for Gravity Forms     C
• Independent Analytics     C
• Make Connector     C
• Kraken.io Image Optimizer     C
• Marquee image crawler     C
• Menu Icons by ThemeIsle     C
• Powered Cache     C
• Redis Object Cache     C
• Search & Replace     C
• Simplistic page navi     C
• SupportCandy     C
• Themify – WooCommerce Product Filter     C
• W3 Total Cache     C
• WP Accessibility Helper (WAH)     C
• WP ADA Compliance Check Basic     C
• WP Cloud Edit     C
• Spam Protect for Contact Form 7     C
• WP Go Maps (formerly WP Google Maps)     C
• Logo Slider and Showcase     C
• WP Media folders     C
• YouTube Embed     C
• Accessibility Widget     D+
• LiteSpeed Cache     D+
• Neptune Real Estate     D+
• ShareASale WooCommerce Tracker     D+
• Top 10     D+
• Visualizer     D+
• FunnelKit Automations     D+
• WP YouTube Lyte     D+
• Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades     D+
• iZooto     D
• Advanced Coupons     F
• All in One SEO     F
• Cross Domain Tracker for AffiliateWP     F
• Duplicator     F
• Campaign Monitor for WordPress     F
• ExactMetrics     F
• WPCode     F
• Ninja Forms     F
• NitroPack     F
• Ally     F
• Security & Malware scan by CleanTalk     F
• SureTriggers     F
• TablePress     F
• Spectra Gutenberg Blocks     F
• WooCommerce     F
• WP-Optimize     F
• WP Time Capsule     F
• WPForms Lite     F