While our new Plugin Security Scorecard provides security grades for all types of WordPress plugins, there is an extra focus on security plugins. As security plugins often are as much of a problem for security as a solution. Some of that focus comes in the form of extra data about problems in security plugins, which we manually create. We have generated that data for a lot of popular security plugins, but as other security plugins get checked we then check those to provide more accurate grades for them in the future. While looking at one such plugin, we saw the value that tool can provide even without having that data in place. It also shows why that additional focus can be important.
A plugin named Magic Login was checked with the tool yesterday. That is a plugin for implementing passwordless login. So a plugin where security is critical, as poorly implemented security could allow attackers to gain access to any WordPress account. That plugin has 1,000+ active installations. When it was graded yesterday it received a C+, not a great grade. Here are the issues the tool identified with it yesterday, that lead to that grade: [Read more]