WordPress Plugin Security Review Service

In doing the work for our Plugin Vulnerabilities service we have seen that the security of WordPress plugins can be quite poor. We have also seen that many of the suggestions for determining if a plugin is secure or not, are not effective. For example, just because a plugin is popular or has a lot of reviews doesn’t mean it is secure, no matter how many security companies try to tell you otherwise. The only way to have a good understanding as to the security of a plugin is to have review of its security done.

As part of our service we already do security reviews of plugins selected by our customers, but for those not interested in our service, those needing to guarantee that a plugin is reviewed right away or have a plugin not included the Plugin Directory that they want reviewed, we also offer the same type of review for a fee.

Getting a security review of a plugin you use probably makes the most sense for those with websites that are high profile and likely targeted by hackers, websites that handle sensitive data, and websites that allow the public to create WordPress accounts since many vulnerabilities exist in plugins that are only exploitable by those logged in to WordPress.

You can get some idea if a plugin is at greater need for a security review with our Plugin Security Checker.

After completing the review we will provide you the results and attempt to work with the developer to fix any security vulnerabilities or other security issues identified. After the developer has had sufficient time to resolve those we will publicly disclose the results.

What is Included in the Review?

With our reviews we are not reviewing every single line of code in the plugin or guaranteeing that it is free of all possible security issues, as the first part of that likely would produce poor results and the latter is unlikely to be possible to really accomplish. Instead we focus on checking for known high risks issues, which are likely to be exploited if they are discovered based on everything we have seen over the years, as well as making sure that the plugins are performing properĀ security hardening and security checks, which in addition detecting vulnerabilities that exist now, would limit other types of vulnerabilities from being exploitable if they existed, even if the relevant code is added to the plugin after the review is done.

The following items are checked for:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with functions accessible through the admin_post action
  • Security issues with import/export functionality
  • Security issues with usage of the is_admin() function
  • Security issues with usage of the add_option(), delete_option(), and update_option() functions
  • Security issues with usage of the extract() function
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Previous Reviews of WordPress Plugins We Have Done

You can get a better idea of the quality of our reviews by looking the results of previous reviews:

(Ordered from most recent to the oldest)

Price

Pricing is based on the amount of instances code we need to check over and starts at US$100.

For plugins in the WordPress Plugin Directory you can find out our price by running the plugin through our Plugin Security Checker.

For other plugins, if you provide us with a copy of the plugin we can get back to you with the price.

We charge after the review has been completed.

Theme Reviews

We also offer security reviews of themes.

Contact Us

To order a review or if have any questions about the service please contact us and we will promptly get back to you.