We recently introduced a Plugin Security Scorecard tool to promote better handling of security by the developers of WordPress plugins. A direct inspiration for this is the Open Source Security Foundation’s (OpenSSF) Scorecard. That project is marketed as allowing you to “quickly assess open source projects for risky practices” and is supposed to have information on “over 1 million of the most used OSS projects.” While the marketing makes their solution sound impressive, there is a decided lack of evidence put forward that it provides useful results. That seems important, considering that the broad scope of the project raises questions about how reliable the results can be across such divergent software. As we look to improve our own tool, we wanted to better understand what it delivers for WordPress plugins. The results were not great.
Limited Breadth of WordPress Plugins Covered
While it is claimed that over 1 million of the most used OSS projects are covered, the website doesn’t provide further details on what is covered. So there is no breakdown of how many WordPress plugins are covered and what those are. As best we can tell, the project checks software hosted on GitHub and GitLab, so WordPress plugins hosted on the WordPress Plugin Directory could only be checked if they are also hosted on one of those.