In doing the work for our Plugin Vulnerabilities service we have seen that the security of WordPress plugins can be quite poor. We have also seen that many of the suggestions for determining if a plugin is secure or not, are not effective. For example, just because a plugin is popular or has a lot of reviews doesn’t mean it is secure. The only way to have a good idea as to the security of a plugin is to have review of its security done.
As part of our service we already do security reviews of plugins selected by our customers, but for those needing to guarantee that a plugin is reviewed right away or have a plugin not included the Plugin Directory that they want review we now offer the same type of review for a fee.
Having the security review of a plugin you use probably make the most sense for those with websites that are high profile and likely targeted by hackers, those that handle sensitive data, and those that allow the public to create WordPress accounts since many vulnerabilities exist in plugins that are only exploitable by those logged in to WordPress.
After completing the review we will provide you the results and attempt to work with the developer to fix any security vulnerabilities or other security issues identified. After the developer has had sufficient time to resolve those we will publicly disclose the results.
What is Included in the Review?
We describe the review as basic, because we are not reviewing every single line of code in the plugin or guaranteeing that it is free of any vulnerabilities. Instead we focus on checking for some high risks issues, that are likely to be exploited if they are discovered, as well as making sure that the plugins are performing proper security hardening and security checks, which in addition detecting vulnerabilities that exist now would limit other types of vulnerabilities from being exploited if they existed even if they are added to the plugin after the review is done.
The following items are checked for:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
You can see what kinds of things we have found in real plugins by looking at our previous reviews:
- SSL Insecure Content Fixer
- Crayon Syntax Highlighter
- Democracy Poll
- Easy Digital Downloads
- Google Analytics for WordPress by MonsterInsights
- Really Simple SSL
- Contact Form by BestWebSoft
- Google XML Sitemaps
- Archive Control
- wpDataTables Lite
Pricing is based on the number of lines of code in the plugin’s .php files (which excludes commented lines, blank lines, and lines that only contain brackets):
- 1-5,000 lines: $250
- 5,001-25,000 lines: $500
- 25,001-50,000 lines: $750
- 50,001+ line: $1000
For plugins in the plugin in the Plugin Directory please the URL of the plugin’s page on the Plugin Directory (e.g. https://wordpress.org/plugins/plugin-vulnerabilities/):
For other plugins, if you provide us with a copy of the plugin we can get calculate the number of lines of for you.
If you order two reviews we will give you a free lifetime subscription to our service.
To order a review or if have any questions about the service please contact us and we will promptly get back to you.