Plugin Vulnerabilities

Description

This plugin was closed on October 2, 2018 and is no longer available for download. Reason: Guideline Violation.

Reviews

Glad this plugin is closed

I downloaded this plugin for my site and it’s useless. I think a child wrote it. The concept is juvenile. Keep a list of bad plugins and warn if you install one? Then they want a license for it? What a bunch of junk. What people will do to make a buck.

A total scam.

This package requires a subscription to work; it’s just a crummy list of plugins that have security issues. Terrible. Then I go to the website and it’s full of blogs by some cranky guy. So sad. I went with Wordfence. This guy also shut down his plugin here on WordPress because he doesn’t want any negative comments. Awful. This plugin shows as malware on my site when I had it installed.

Not Impressed

Installed and tested this plugin out. Wasn’t really impressed with what it does. I guess it may be OK for some people, but I feel like it’s a waste of resources to install this on my WordPress site; it doesn’t actively provide any protection, it just tells me that something is bad.

Maybe it’s just the author’s continued bashing of every competitor in the security industry that turns me off. Why isn’t the author doing more to help the security community instead of bashing everyone? I briefly visited the blog related to the plugin. Just not a very professional company to deal with, if you ask me.

Not of much use

While other security-oriented plugins do some active protection against potential exploits (at least try to) this one actually does not add much value, but rather just checks the list of installed plugins against the list of vulnerable plugins.

The vulnerable plugins list is included inside the plugin. And it has only about 160 plugins; given that the plugin repository now has about 50,000 plugins, this is not much.

The plugin does not recommend any action to prevent the vulnerability from being exploited. It just alerts that it exists.

So in the end: 1) the database of vulnerabilities is poor, 2) the plugin assumes you update it manually and regularly to have the current list of vulnerabilities, 3) if the plugin finds a vulnerability, the only action you can take from there is to read an article about the vulnerability on the author’s website, and order a paid service from them to clean up.

So basically all actions will still be manual.

The vulnerabilities included are taken from public sources, which are updated in real time, unlike this plugin. So at the end of the day, if you’re checking this manually, it makes more sense to check the public sources.

As is, it is just an interface to match your plugins against known vulnerabilities which is not that useful.

I stopped testing and uninstalled the plugin.
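The review above describes the mechanism: read the version of each installed plugin and match it against a list of known-vulnerable plugins, with no remote lookup. As an added illustration (not code from the Plugin Vulnerabilities plugin or its author), the script below does that match over constructed sample data: plugin main-file headers of the kind found under wp-content/plugins/, and a small vulnerability list in an assumed shape (slug, title, fixed_in). Whether that list lives in the plugin’s own files or is fetched from a feed does not change the check itself, only how stale the data is; the version-comparison rules are also an assumption, since the page does not document the plugin’s.

```python
import re

# Constructed sample data: the header comment of each plugin's main PHP file,
# keyed by its path relative to wp-content/plugins/. Not taken from any real site.
INSTALLED_PLUGIN_FILES = {
    "example-forms/example-forms.php": (
        "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.2.3\n*/\n"
    ),
    "old-gallery/old-gallery.php": (
        "<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 0.9\n */\n"
    ),
    "tidy-seo/tidy-seo.php": (
        "<?php\n/*\nPlugin Name: Tidy SEO\nVersion: 3.0.1\n*/\n"
    ),
}

# Constructed vulnerability list in an assumed shape. A list shipped inside the
# plugin files (as the reviewed plugin does) or pulled from a remote feed would
# be consumed the same way. fixed_in=None means no fixed release is known, so
# every installed version counts as affected.
VULNERABILITIES = [
    {"slug": "example-forms", "title": "SQL injection in form handler", "fixed_in": "1.2.4"},
    {"slug": "old-gallery", "title": "Arbitrary file upload", "fixed_in": None},
    {"slug": "tidy-seo", "title": "Reflected XSS in settings page", "fixed_in": "3.0.0"},
]

# Matches "Version: 1.2.3" at the start of a line, allowing the comment
# decoration (" * ", "//", "#") that WordPress header blocks commonly carry.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(header_text):
    """Return the Version: header value of a plugin main file, or None if absent."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '1.2.3' into (1, 2, 3). Non-numeric suffixes such as '-beta' are dropped;
    this is an assumed simplification, not the plugin's documented behaviour."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; shorter tuples are zero-padded so '1.2' == '1.2.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return ka < kb


def is_affected(installed_version, fixed_in):
    """An installed version is affected if no fix exists or it predates the fixed release."""
    if fixed_in is None:
        return True
    return version_lt(installed_version, fixed_in)


def installed_versions(plugin_files):
    """Map each plugin slug (its directory name) to the version string in its header."""
    versions = {}
    for path, text in plugin_files.items():
        slug = path.split("/", 1)[0]
        version = parse_version(text)
        if version is not None:
            versions[slug] = version
    return versions


def find_vulnerable(plugin_files, vulnerabilities):
    """Return one finding per vulnerability whose plugin is installed in an affected version."""
    versions = installed_versions(plugin_files)
    findings = []
    for vuln in vulnerabilities:
        installed = versions.get(vuln["slug"])
        if installed is None:
            continue  # vulnerable plugin not installed on this site
        if is_affected(installed, vuln["fixed_in"]):
            findings.append({
                "slug": vuln["slug"],
                "installed": installed,
                "title": vuln["title"],
                "fixed_in": vuln["fixed_in"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INSTALLED_PLUGIN_FILES, VULNERABILITIES):
        action = (f"update to {f['fixed_in']} or later" if f["fixed_in"]
                  else "no fixed version known; deactivate and remove")
        print(f"{f['slug']} {f['installed']}: {f['title']} ({action})")
```

On the sample data this reports example-forms (1.2.3 is older than the 1.2.4 fix) and old-gallery (no fix exists), and stays silent on tidy-seo because 3.0.1 is already past the fixed release. The recommended action is derived directly from fixed_in, which is the piece the review says the plugin leaves out; everything else in the check is only as good as the freshness of the list it is given.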

Could Be Better

There are some issues with this plugin:

1) Since the plugin must be updated in order for it to detect vulnerabilities, and there haven’t been any new vulnerabilities added in nearly 4 months, this isn’t currently very useful as a security plugin.

2) Since users must update the plugin for it to be able to detect new vulnerabilities, chances are that they’ve already installed the security fix to the vulnerable plugin by the time this plugin informs them of the issue. Essentially, this plugin is redundant.

3) The plugin includes the list of vulnerabilities directly in the plugin files, which causes some hosting providers falsely to flag the plugin itself as malicious.

For now, I’m finding a combination of Wordfence and Plugin Security Scanner to be more effective, since they both run scans automatically on a daily basis and send email notifications if issues are found.

Among many other security features, Wordfence scans plugin files and compares them to the original versions from the official WordPress repository. It generates alerts if any plugins are out of date, and it shows the changes to the files so site admins can easily see whether they were manually done, or whether they are indeed malicious. It also checks for signatures of known malicious files, and scans file contents as well as the database for backdoors, trojans, and suspicious code.

As for Plugin Security Scanner, it determines whether any plugins have security vulnerabilities by looking up details in the WPScan Vulnerability Database. I think this is more effective than including the list of vulnerabilities directly in the plugin files, as this plugin does, since the onus isn’t on site admins to update the plugin each time new vulnerabilities are added, and since issues can be found faster thanks to daily automatic scans.

Should be built into WordPress

This is an absolutely essential plugin which, frankly, should be built into WordPress itself to warn people that the plugins they are using contain exploits.

I own a hosting company, and much of our work is helping customers recover from hacked installs of WordPress, Joomla, Magento or whatever software they installed years previously but never updated. WordPress, being used by apparently 25% of the world’s websites, is a particular target.

I’m giving it 4/5 only because the signatures of each vulnerable plugin this tracks in the plugin’s /vulnerabilities/ folder do themselves trigger false-positive reports in server-side exploit scanners such as the very commonly used cxs by ConfigServer.com. If those were stored in such a way that cxs wouldn’t report them, this would get 5/5.


Contributors & Developers

“Plugin Vulnerabilities” is open source software. The following people have contributed to this plugin.