September was the second full month our Plugin Security Scorecard was available. A fair number of plugins were checked: a total of 135 last month, with 13 of those being security plugins.
As can be seen below, the results for security plugins were not good, with all but one of those plugins getting a D+ or below. That comes from a combination of different issues. Some of those plugins have security issues. Some come from developers that have had repeated issues with vulnerabilities and are not addressing the underlying problems. Most security plugins are failing to implement best practices for security. Then there is the issue of plugin developers making security claims that are, at the least, not supported with evidence (and often couldn’t be supported with evidence, since they are not true).