This plugin is absolutely essential for any entrepreneur using WordPress for a business website (start-ups in particular).
While security experts may find limited use for this, since it only gives the general type of the possible vulnerability, an entrepreneur should never go without it.
This plugin can help you to decide how to allocate your resources effectively when bootstrapping / running a pre-funded business on a small budget, or in larger organizations by General Managers who have to decide how to allocate budgets between functional teams.
Unfortunately, how pretty a plugin looks and how user-friendly it is, is not necessarily a good indication of its quality. I have found the most beautiful, easy-to-use plugins that do super silly things like saving tables (potentially with customer data!) as entries under the WordPress posts folder using meta tags, or another offering the creation of multiple custom tables, but then saving all the columns in the "individual" table into one master table on the database as an array (scalability nightmare!). These two things are not something this plugin can test for; I am simply stating it here to indicate why a plugin that looks good isn't always good.
And while users like me can evaluate ease of use and the efficiency by which the plugin achieves the desired business functionality, we are in the dark about how safe it is against common exploits.
This is particularly scary if you have an e-commerce site, or if you intend to collect any sensitive / personally identifiable user data as part of your ordinary course of business.
While this plugin is honest and upfront about the fact that it cannot pick up all vulnerabilities (it is an automated tool after all) and recommends the use of a security expert, it is a really, really good place to start.
If you are using free plugins from the official WordPress repository, you can use this tool for free to check for possible vulnerabilities.
Having researched White Fir (at the time of writing this review I don't have any prior or current affiliation with them), I have come to the conclusion that their technical expertise on security matters is solid.
Having used their tool on a couple of dozen plugins I am comparing and evaluating for possible use, it appears to me that their chosen "red flags" are pretty darn accurate and that they don't just list things to make you scared and thus create a demand for their service.
So what should you be using this plugin for?
- Choosing the right free plugin for your site from the official WordPress repository;
- Checking out the free version of a plugin from the official WordPress repository before deciding to fork out cash to buy premium functionalities;
- Screening premium versions of plugins, or custom / uploaded plugins, if you are subscribed to White Fir's Service;
- If you have a security budget, to decide which plugins to have reviewed by experts.
What can an entrepreneur / business owner do if the tool shows possible vulnerabilities in a plugin that they are using?
- You can use the results as an indicator of the possible security risk and find an alternative plugin if the functionality is easily available in another plugin without obvious security risks;
- You can refer the results to your developer (if you have one) for them to check out before implementing the plugin, helping you to manage your development budget more efficiently;
- Paid subscribers to White Fir's service get to see what the likelihood of exploitation is, which helps in making those decisions;
- You can have a comprehensive security review done by a security expert.
After reading a lot of information about security on White Fir's website, I was also able to make an informed decision about which WordPress firewall plugin I prefer to use, based on their research.
Personally, before even considering buying any premium plugin, I'll get a subscription so I can have some sort of comfort regarding the security of said plugin (which I never could before).
This plugin is an amazing find!