I recently installed the WP Plugin Security Check (http://wordpress.org/extend/plugins/wp-plugin-security-check/?topic_id=22126).
The author says the following about the plugin:
WP Plugin Security tries to detect the bad practices and most common mistakes made by plugin developers. Of course this is almost impossible to fully check and therefore I'd like to add that it's more like an early warning system.
Currently the plugin checks the following:
Usage of $_SERVER['REQUEST_URI'] ( which could open your site to CSRF attacks ). However some plugins require this, especially those who facilitate 301 redirects.
Usage of the eval() PHP function which allows users to interpret a string as PHP code
Variable execution. Although this is somewhat common it's also a trick often used to prevent easy detection of malicious code as pointed out in this excellent post by Samuel Wood.
On W3 Total Cache the plugin gives a red warning saying:
$_SERVER['REQUEST_URI'] detected in w3-total-cache/inc/define.php
Variable execution detected in w3-total-cache/inc/define.php
eval() detected in w3-total-cache/lib/JSON.php
W3 Total Cache is not the only famous plugin that got in the reds, but an article like this, http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache/, doesn't make me feel very comfy. I know too little about it to even have an opinion, so it'd be nice to get some opinions and wise words on the subject here. TY!
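To make the three checks quoted above concrete, here is an added scanner of my own (not the plugin's code) that flags the same three patterns in PHP source and reports them in the plugin's "X detected in file" style; the regexes, the sample file and its path are my own constructions and only approximate what the plugin does.

```python
import re

# Heuristic regexes approximating the three checks the plugin description lists.
# They are my own approximation for illustration, not the plugin's implementation.
CHECKS = [
    ("$_SERVER['REQUEST_URI'] detected",
     re.compile(r"""\$_SERVER\s*\[\s*['"]REQUEST_URI['"]\s*\]""")),
    # eval is a language construct; exclude method calls such as $obj->eval()
    ("eval() detected", re.compile(r"(?<![\w$>])eval\s*\(")),
    # Variable execution: a variable used as the function name, e.g. $fn($arg)
    ("Variable execution detected", re.compile(r"\$[A-Za-z_]\w*\s*\(")),
]

def scan_source(path, source):
    """Return one finding string per matching line, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.lstrip()
        # Skip comment-only lines so commented-out code does not raise a warning
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append(f"{label} in {path}:{lineno}")
    return findings

# Constructed sample file with a hypothetical path; not taken from any real plugin
SAMPLE_PATH = "sample-plugin/inc/define.php"
SAMPLE_SOURCE = r"""<?php
// $_SERVER['REQUEST_URI'] in a comment: must not fire
$uri = $_SERVER['REQUEST_URI'];            // check 1
$fn  = 'ev' . 'al';                        // name assembled at runtime, no literal call
$fn($code);                                // check 3: variable execution
$decoded = eval('return ' . $data . ';');  // check 2
$this->eval('x');                          // a method named eval, not the construct
"""

def scan_sample():
    return scan_source(SAMPLE_PATH, SAMPLE_SOURCE)

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Like the plugin, this is an early-warning heuristic: a hit on REQUEST_URI still has to be read in context (a redirect plugin legitimately needs it), and a method named eval or a variable call inside a string would need a real PHP tokenizer to judge properly.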