One of things we do to keep track of what vulnerabilities are being discovered in WordPress plugins is to monitor the WordPress support forums for threads related to plugin vulnerabilities. In addition to picking up the type of information we are looking for, we see an assortment of threads about security issues. One that we saw recently involved some one requesting that WordPress include the ability to log user activity, a “Support Representative” pointed them to a couple of plugins that do that. In response the original poster mentioned they were concerned about the additional security risk of the plugins:

I’ve been told by our web developer that keeping plugins to a minimum is the smartest route security-wise. Since these are not official WordPress plugins and don’t have very many ratings, would it increase or decrease the security of my websites to install one of them? [Read more]