August was the first full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 144 plugins were checked last month. With 35 of those plugins being security plugins.

As can be seen below, the results for security plugins were not good. With 24 of the 35 plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues, including vulnerabilities. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security, even when they are running into the problems those cause. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true).

The overall results were better than those for just security plugins, but not great. No plugins got an A+ or an A this month. Those grades require the developer is taking proactive measures with security. 55 of the plugins did get a B+ or B, which requires that they are avoiding unnecessary security issues.

The ability to get an A+ or an A gets harder this month, as we now are grading on if the developer is providing a software bill of materials (SBOM) to their plugin. The importance of providing the information included in a SBOM is highlighted with by a plugin with 600,000+ installs failing to update a known vulnerable library included in the plugins for 17 months. Widespread usage of SBOMs would make it easier to catch usage of known vulnerable libraries.

During August we made quite a few improvements to the tool and expanded what it checked. The biggest addition was checking if the results of security review of the plugin are being listed in a security file in the plugin. A good security is the best way to assess the security of a plugin. Before adding that check, we did review of all our own plugins that are actively being developed, which led to security improvements being made to one of them. We also added a warning if results of a security review from a provider that is pretending to do reviews is linked to.

Until SBOMs become widespread, tools checking for known vulnerable libraries can fill some of the gap. So last month we also added a check for security vulnerabilities in a couple of libraries used in WordPress plugins. One of them that hasn’t been fixed. That one is in multiple fairly popular security plugins, where the developers appear to not be vetting third-party software they are incorporating. And we added a check for usage of WordPress function that is known to be insecure and apparently isn’t intended to be used directly in plugins.

August Security Scorecard Grades for  Security Plugins

• Blackhole for Bad Bots     B
• Two-Factor     B
• Headers Security Advanced & HSTS WP     C+
• Limit Login Attempts Reloaded     C+
• Magic Login     C+
• Mythic Cerberus     C+
• Sucuri Security     C+
• BBQ Firewall     C
• Limit Login Attempts     C
• Patchstack     C
• Really Simple SSL     C
• Titan Anti-spam & Security     D+
• Solid Security     D+
• Anti-Malware Security and Brute-Force Firewall     D+
• Hide My WP Ghost     D+
• Login Lockdown     D+
• Loginizer     D+
• NinjaFirewall (WP Edition)     D+
• Security Optimizer     D+
• WP Hide & Security Enhancer     D+
• WPScan     D+
• Bad Bot Blocker     D
• BulletProof Security     D
• Jetpack Protect     D
• MalCare WordPress Security Plugin     D
• SecuPress Free     D
• Defender Security     F
• Jetpack     F
• Security Ninja     F
• StopBadBots     F
• Wordfence Security     F
• WP fail2ban     F
• WP Encryption     F
• Shield Security     F
• WpBom     F

August Security Scorecard Grades for Other Plugins

• Advanced Custom Fields (ACF)     B+
• Affilia     B+
• BetterDocs     B+
• WP Booking Calendar     B+
• Breeze     B+
• Calendar     B+
• Kognetiks Chatbot     B+
• Contact Form 7 – PayPal Add-on     B+
• Fluent Forms     B+
• Font Awesome     B+
• Site Kit by Google     B+
• WP Guidant     B+
• Head, Footer and Post Injections     B+
• Loco Translate     B+
• MetForm     B+
• NextGEN Gallery     B+
• Permalink Manager Lite     B+
• Speed Optimizer     B+
• Simple Custom Post Order     B+
• Sina Extension for Elementor     B+
• WooCommerce Checkout Manager     B+
• WP Email Capture     B+
• WPGet API     B+
• 404 to 301     B
• AdRoll for WooCommerce Stores     B
• Akismet Anti-spam     B
• All in One SEO     B
• CartFlows     B
• CoBlocks     B
• WP Rocket LoadCSS     B
• Extra Styling for MemberPress     B
• Flo Forms     B
• FormCraft     B
• Genesis Blocks     B
• Gutenberg     B
• Social Slider Feed     B
• Lazy Blocks: Select Dynamic Control     B
• Maintenance     B
• Ninja Charts     B
• PrettyLinks     B
• Protect uploads     B
• Sassy Social Share     B
• Search & Replace     B
• Simply Static     B
• Smart Forms     B
• Poll, Survey & Quiz Maker Plugin by Opinion Stage     B
• Stock Ticker     B
• WP Simple Pay Lite     B
• User Verification     B
• WP Child Theme Generator     B
• WP Crontrol     B
• WP-PageNavi     B
• wpDataTables     B
• Background Image Cropper     C+
• Bellows Accordion Menu     C+
• Better WordPress Minify     C+
• Civic Cookie Control     C+
• 301 Redirects     C+
• Essential Blocks     C+
• AI Power     C+
• InPost Gallery     C+
• Lazy Blocks     C+
• Meteor Slides     C+
• MetaSlider     C+
• My Favorites     C+
• Ocean Extra     C+
• Social Share Buttons     C+
• Simple File List     C+
• Simple Video Directory     C+
• Accept Stripe Payments     C+
• User Insight WordPress Plugin     C+
• Visualizer     C+
• Web Directory Free     C+
• Fraud Prevention For WooCommerce     C+
• WP Sheet Editor     C+
• WP Super Cache     C+
• wpDiscuz     C+
• WPForms     C+
• YASR     C+
• YITH WooCommerce Ajax Search     C+
• Advanced DB Cleaner MK     C
• Jetpack Boost     C
• LearnPress     C
• User Profile Builder     C
• WCFM     C
• Product Addons & Fields for WooCommerce     C
• GiveWP     D+
• Ivory Search     F
• Backup Migration     F
• Brave     F
• Anti-Spam by CleanTalk     F
• Clearfy Cache     F
• Download Monitor     F
• Elementor Website Builder     F
• Everest Backup     F
• XML Sitemap Generator for Google     F
• Kadence Blocks     F
• Link Whisper Free     F
• Load More Products for WooCommerce     F
• Password Protected     F
• Photo Gallery     F
• Post SMTP     F
• Shortcodes Ultimate     F
• TablePress     F
• 10Web Booster     F
• uListing     F
• UpdraftPlus     F
• Advanced AJAX Product Filters     F
• File Manager     F