September was the second full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 135 plugins were checked last month. With 13 of those plugins being security plugins.

As can be seen below, the results for security plugins were not good. With all but one of those plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true).

The overall results were better than those for just security plugins, but not great. No plugins got an A+ A, B+ this month. Those grades require the developer is taking proactive measures with security. 37 of the plugins did get a B, which requires that they are avoiding unnecessary security issues.

During September, we made improvements to the tool related to libraries included in plugins. We have continued to expand the libraries cataloged and information shown about them when plugins include them. We now indicate when libraries with GitHub repositories are lacking a security policy. We have also are adding more data on vulnerabilities in those libraries. That could be help plugin developers to update or remove known vulnerable versions of libraries. We say it could, because none of the plugins we found contained versions of a library recently disclosed to be vulnerable have fixed their plugin in the nearly month since we contacted them about that.

Last month we also had interactions with a couple of plugin developers that went very differently.

One of the developers had plugin that got a failing grade because of an advisory warning about the developer. It wasn’t that developer that we warning about. They had forgotten to update the contributors for one of two plugins when they took them over. Once we notified them of that, they corrected the situation, which is benefit beyond a higher score.

Another developer was claiming that we providing misinformation about their plugin. But oddly, in both cases the information they provided us to show our information was wrong actually confirmed that our information was correct. In one case, upon explaining why a situation was problematic, their response was not to dispute that, but say they wanted to continue doing it. That situation is something that the CEO of another party to the problem has said is not ethical, but they are doing anyway.

September Security Scorecard Grades for  Security Plugins

• HTTP Headers     B
• BBQ Firewall     D+
• Two-Factor     D+
• NinjaFirewall (WP Edition)     D
• All-In-One Security (AIOS)     F
• Solid Security     F
• Defender Security     F
• MalCare WordPress Security Plugin     F
• SecuPress Free     F
• Security Optimizer     F
• Two Factor Authentication     F
• Wordfence Security     F
• Shield Security     F

September Security Scorecard Grades for Other Plugins

• ACF: Better Search     B
• AddToAny Share Buttons     B
• Advanced Custom Fields (ACF)     B
• PublishPress Blocks     B
• AI Engine     B
• AutoConvert Greeklish Permalinks     B
• The SEO Framework     B
• CiviCRM Admin Utilities     B
• Contact Form CFDB7     B
• CookieYes     B
• Country & Phone Field Contact Form 7     B
• Cozy Essential Addons     B
• Image Hotspot by DevVN     B
• Disable Media Pages     B
• Embed Google Photos     B
• Embed Privacy     B
• Favicon by RealFaviconGenerator     B
• Flodesk for Elementor Pro     B
• GenerateBlocks     B
• OMGF     B
• WPCode     B
• Insert Pages     B
• MetaSlider Lightbox     B
• Open Graph     B
• Panorom     B
• PublishPress Authors     B
• Share on Bluesky     B
• Simple History     B
• Simple Lightbox     B
• Social Sharing Plugin     B
• Sticky Header Effects for Elementor     B
• W3 Total Cache     B
• WP Content Copy Protection & No Right Click     B
• Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)     B
• WPC Composite Products for WooCommerce     B
• Xpro Elementor Addons     B
• Visual CSS Style Editor     B
• Advanced Product Fields (Product Addons) for WooCommerce     C+
• BERTHA AI     C+
• BuddyPress Docs     C+
• Buttonizer     C+
• Checkout Files Upload for WooCommerce     C+
• CMS Tree Page View     C+
• Contact Form 7     C+
• FluentSnippets     C+
• Edwiser Bridge     C+
• Express Add On     C+
• Happy Addons for Elementor     C+
• HurryTimer     C+
• ICS Calendar     C+
• Neznam Atproto Share     C+
• PublishPress Series     C+
• PlanetPlanet     C+
• Popup Builder     C+
• Premium Addons for Elementor     C+
• Protect My Content     C+
• PublishPress Planner     C+
• PublishPress Checklists     C+
• PublishPress Statuses     C+
• Regenerate Thumbnails     C+
• reSmush.it Image Optimizer     C+
• PublishPress Revisions     C+
• SliceWP     C+
• Smart Slider 3     C+
• Open Graph and Twitter Card Tags     C+
• Stock Manager for WooCommerce     C+
• Yoast SEO     C+
• Asset CleanUp     C+
• Force Login     C+
• WP Reset     C+
• WP Activity Log     C+
• SEOPress     C+
• All in One SEO     C
• Animate It!     C
• bbPress     C
• BuddyPress     C
• Essential Addons for Elementor     C
• Magic Login Link     C
• Mailster WordPress Newsletter Plugin     C
• MasterStudy LMS WordPress Plugin     C
• Popup Builder by OptinMonster     C
• Page Links To     C
• Pattern Manager     C
• Popup Maker     C
• PublishPress Future     C
• Posts in Page     C
• PublishPress Permissions     C
• PushAlert     C
• TaxoPress     C
• Tag Groups     C
• Temporary Login Without Password     C
• The Events Calendar     C
• WS Form LITE     C
• ARPrice Lite     D+
• PublishPress Capabilities     D+
• Contextual Related Posts     D+
• Filter Everything      D+
• Folders     D+
• FunnelKit Funnel Builder     D+
• My WP Translate     D+
• One User Avatar     D+
• Rank Math SEO     D+
• Tablesome     D+
• The Plus Addons for Elementor     D+
• Unlimited Elements for Elementor     D+
• WP Popups     D+
• Columns renaming for WP Sheet Editor     D+
• Advanced Contact form 7 DB     D
• Newsletters     D
• Shoutcast Icecast HTML5 Radio Player     D
• Pixel Manager for WooCommerce     D
• Hustle     D
• Clik stats     F
• Cozy Blocks     F
• XML Sitemap Generator for Google     F
• Elementor Header & Footer Builder     F
• NextScripts: Social Networks Auto-Poster     F
• Use Any Font     F
• WP Import Export Lite     F
• WP Sheet Editor     F
• WP Ultimate Exporter     F
• WPGet API     F