While the WordPress fork ClassicPress has gotten renewed attention with what has been going on with WordPress recently, we have had efforts related to the security of its plugins for years. Back in 2021, we started doing proactive monitoring to try to catch serious vulnerabilities in plugins that were in the ClassicPress plugin directory. Alongside that, we ran the plugins through our Plugin Security Checker, which leads to us detecting a less serious vulnerability. The developer promptly fixed the issue, which isn’t something we can say that often with WordPress plugin.

Last year we introduced a new tool, the Plugin Security Scorecard, which seeks to provide a better understanding of the security of WordPress plugins, as well as promote developers implementing better security practices. The tool continues to highlight the poor state of even some of the most popular WordPress plugins. Last week, for example, a 1+ million install plugin was run through the tool and found to contain a version of a third-party library that had been know to be insecure for nearly three years. [Read more]