Could Be Better

There are some issues with this plugin:

1) Since the plugin must be updated in order for it to detect vulnerabilities, and there haven’t been any new vulnerabilities added in nearly 4 months, this isn’t currently very useful as a security plugin.

2) Since users must update the plugin for it to be able to detect new vulnerabilities, chances are that they’ve already installed the security fix to the vulnerable plugin by the time this plugin informs them of the issue. Essentially, this plugin is redundant.

3) The plugin includes the list of vulnerabilities directly in the plugin files, which causes some hosting providers falsely to flag the plugin itself as malicious.

For now, I’m finding a combination of Wordfence and Plugin Security Scanner to be more effective, since they both run scans automatically on a daily basis and send email notifications if issues are found.

Among many other security features, Wordfence scans plugin files and compares them to the original versions from the official WordPress repository. It generates alerts if any plugins are out of date, and it shows the changes to the files so site admins can easily see whether they were manually done, or whether they are indeed malicious. It also checks for signatures of known malicious files, and scans file contents as well as the database for backdoors, trojans, and suspicious code.

As for Plugin Security Scanner, it determines whether any plugins have security vulnerabilities by looking up details in the WPScan Vulnerability Database. I think this is more effective than including the list of vulnerabilities directly in the plugin files, as this plugin does, since the onus isn’t on site admins to update the plugin each time new vulnerabilities are added, and since issues can be found faster thanks to daily automatic scans.