WordPress Plugin : WP Plugin Security Check

WP Plugin Security Check checks plugins for bad practices limiting the risk of a compromised WordPress installation to a ‘hate to say I told you so’.

An up-to-date WordPress installation is as safe as it can be; plugins, however, can often pose a security risk because they’re not maintained by hundreds of contributors. A plugin is only as secure as the security knowledge of its developer allows it to be, and in some cases this creates loopholes for exploits. WP Plugin Security Check checks plugins for bad practices and possible security holes, limiting the risk of a compromised WordPress installation to a ‘hate to say I told you so’.

Installation

  1. Upload the folder `wp-plugin-security-check` to the `/wp-content/plugins/` directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. You’re all done.

Changelog

0.4

  • Added support for detecting JavaScript in the plugin headers.
  • Squashed a minor bug. Thanks to Julio Potier.

0.3

  • Added another way to check for image files to reduce the number of false positives.

0.2

  • Included checks for variable execution and the PHP function eval.

0.1

  • First version of the plugin.
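To make the two checks from the 0.2 changelog entry concrete, here is an added example of how a scanner can flag `eval()` and variable execution (`$name(...)`) in plugin source. It is not the plugin’s own code: it is an illustration written for this page, it uses PHP’s built-in `token_get_all()` rather than regular expressions so that the word “eval” in a comment or string is not reported, and the directory path, size limit and sample source are constructed assumptions. It also skips non-PHP files and files above a size limit, which is one way to avoid the “Allowed memory size exhausted” failure mode a reader reports in the comments below.

```php
<?php
// Added example scanner, not the WP Plugin Security Check plugin's own code.
// Detects the two patterns named in the 0.2 changelog: eval() and
// variable function calls such as $fn(...) or $obj->$method(...).

/**
 * Scan one PHP source string and return findings as [line, description].
 * Tokenising with token_get_all() means "eval" inside strings or comments
 * does not produce a false positive.
 */
function scan_php_source(string $source): array
{
    $findings = [];
    $tokens   = token_get_all($source);
    $count    = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $tok;

        // eval(...) has its own token type in PHP.
        if ($id === T_EVAL) {
            $findings[] = [$line, 'eval() call'];
            continue;
        }

        // Variable execution: a variable token followed (ignoring whitespace)
        // directly by '(' is a call whose target is decided at runtime.
        if ($id === T_VARIABLE) {
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $count && $tokens[$j] === '(') {
                $findings[] = [$line, "variable function call {$text}()"];
            }
        }
    }
    return $findings;
}

/**
 * Walk a plugin directory and scan each .php file on its own. Images and
 * other non-PHP files are skipped by extension, and files above $maxBytes
 * (a constructed limit) are reported but not read, so one huge file cannot
 * exhaust the PHP memory limit.
 */
function scan_plugin_dir(string $dir, int $maxBytes = 2 * 1024 * 1024): array
{
    $report = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue; // images, CSS, JS and so on are not PHP source
        }
        if ($file->getSize() > $maxBytes) {
            $report[$file->getPathname()] = [[0, 'skipped: larger than scan limit']];
            continue;
        }
        $findings = scan_php_source(file_get_contents($file->getPathname()));
        if ($findings) {
            $report[$file->getPathname()] = $findings;
        }
    }
    return $report;
}

// Constructed sample source, standing in for a plugin file on disk.
$sample = <<<'PHP'
<?php
$callback = 'handler';   // legitimate dynamic dispatch, still reported
$callback($data);
$code = base64_decode($payload);
eval($code);             // the pattern the check is really after
// eval appears in this comment but is not a call and is not reported
PHP;

foreach (scan_php_source($sample) as [$line, $what]) {
    echo "line {$line}: {$what}\n";
}

// Against a real install, assuming the standard plugin location:
// print_r(scan_plugin_dir('/path/to/wp-content/plugins/some-plugin'));
```

As the author notes in the comments, a variable function call is valid PHP and is used by well-maintained plugins for dynamic dispatch, so a finding of this kind is a prompt to read the surrounding code, not proof of compromise; `eval()` of decoded data, by contrast, is the pattern worth treating as suspicious by default.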

Author: Luc De Brouwer

Mild-mannered software engineer, Nine Inch Nails lover, gin drinker, cat person, and somewhat of a geek. Ron Swanson is my spirit animal.

9 thoughts on “WordPress Plugin : WP Plugin Security Check”

  1. This is kind of alarming…I had many “green” plugins but also many “red”…and on plugins I trust. For example:

    Akismet

    * Variable execution detected in akismet/admin.php

    1. The plugin (WP Plugin Security Check) is a work in progress, but I decided not to exclude Akismet just because it’s made by the good people of Automattic. Variable execution is often used to disguise execution of malicious code, but other than that it’s a perfectly valid PHP practice.

      1. Luc, thank you for all your good work on our behalf.
        How do we plug the security hole that is: “Variable execution detected in akismet/admin.php”

  2. Any idea what may be causing this error? Seen on the bottom of the Security check screen:

    Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 419617072 bytes) in /home/courages/www/tarot/wp-content/plugins/wp-plugin-security-check/wp-plugin-security-check.php on line 82

    1. Ah, you may need to increase your webhost’s PHP memory limit. You can do this by adding the following to your .htaccess file:

      php_value memory_limit 256M
