August was the first full month our Plugin Security Scorecard was available. A fair amount of plugins were checked. A total of 144 plugins were checked last month. With 35 of those plugins being security plugins.
As can be seen below, the results for security plugins were not good. With 24 of the 35 plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues, including vulnerabilities. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security, even when they are running into the problems those cause. Then there is the issue of the plugin developers making security claims that are at least not supported with evidence (and often couldn’t be supported with evidence, since they are not true). [Read more]