One of our clients pointed us in the direction of this plugin on WordPress.org: Plugin Vulnerabilities
They mentioned how they’d like to see the same reporting within our security plugin, the Simple Security Firewall.
We also thought this was a great idea and we’ve taken the steps necessary to achieve that.
- We exported the plugin vulnerability data and made it globally accessible without any PHP code requirements – it’s now available for download as a raw YAML file here.
- We use this publicly available data to pull in a list of all known plugin vulnerabilities and display them to administrators.
How does the plugin vulnerabilities system work?
There are no special settings that you need to turn on for this system to operate. With version 4.9 of the security plugin it’s enabled automatically.
To see if any of your plugins have a known vulnerability, simply load your Plugins listing page. Any plugins with vulnerable versions will be highlighted to you as shown in the screenshot below:
As you can see from the sample screenshot, when I have a plugin installed that meets the particular criteria of a security vulnerability, a clear message is displayed to the admin.
There’s no mistaking it!
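The check described above, as an added illustration that is not the Simple Security Firewall's own code: a list of vulnerability records, assumed to have already been loaded from the YAML feed into a PHP array with hypothetical `slug`, `type` and `affected_below` keys (the real feed's layout may differ), is compared against each installed plugin's version with PHP's `version_compare()`, and a notice row is printed beneath any affected plugin on the Plugins page using WordPress's `load-plugins.php` and `after_plugin_row_{$plugin_file}` hooks. The sample records are constructed so the version check runs offline.

```php
<?php
// Added example, not the Simple Security Firewall's code. The record shape
// (slug / type / affected_below) is a constructed assumption about the feed.
$vulnerability_data = [
    ['slug' => 'example-gallery', 'type' => 'XSS',  'affected_below' => '2.3.1'],
    ['slug' => 'example-forms',   'type' => 'SQLi', 'affected_below' => '1.8.0'],
];

/**
 * Return the vulnerability records that apply to one installed plugin.
 * A record applies when the installed version is lower than the first fixed
 * version ("affected_below"); versions at or above it count as patched.
 */
function find_plugin_vulnerabilities(string $slug, string $installed_version, array $records): array
{
    $matches = [];
    foreach ($records as $record) {
        if ($record['slug'] !== $slug) {
            continue;
        }
        if (version_compare($installed_version, $record['affected_below'], '<')) {
            $matches[] = $record;
        }
    }
    return $matches;
}

// Stand-alone run on the constructed data: an old version and a patched one.
var_dump(count(find_plugin_vulnerabilities('example-gallery', '2.2.0', $vulnerability_data)));
var_dump(count(find_plugin_vulnerabilities('example-gallery', '2.3.1', $vulnerability_data)));

// Inside WordPress: hook only the Plugins screen, so the comparison runs
// solely when that page loads, then add a row under each affected plugin.
// Guarded so the file still runs outside WordPress.
if (function_exists('add_action')) {
    add_action('load-plugins.php', function () use ($vulnerability_data) {
        foreach (get_plugins() as $plugin_file => $plugin_data) {
            // Directory name is the slug; single-file plugins use the file name.
            $dir   = dirname($plugin_file);
            $slug  = $dir !== '.' ? $dir : basename($plugin_file, '.php');
            $found = find_plugin_vulnerabilities($slug, $plugin_data['Version'], $vulnerability_data);
            if ($found === []) {
                continue;
            }
            add_action('after_plugin_row_' . $plugin_file, function () use ($found) {
                // colspan matches the default three-column Plugins table.
                printf('<tr class="plugin-update-tr"><td colspan="3"><strong>%s</strong></td></tr>',
                    esc_html(count($found) . ' known vulnerability record(s) affect this version; update or remove this plugin.'));
            });
        }
    });
}
```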
Some Quick Questions
Here are some quick FAQs about this feature:
When is it available?
It is available with any version of the Simple Security Firewall plugin from v4.9.0 onwards.
How do I turn this feature on / off?
It’s enabled automatically with the plugin. There are no options associated with it.
Will this slow down my system?
No. The associated code only ever runs when you load the WordPress Plugins page on your site.
Will this update my plugins to “safe” versions?
No. It never takes any action; you must perform any required updates yourself.
Will the plugin protect me against vulnerable plugins it discovers?
No, not directly. Certain vulnerabilities may be blocked by the native protection offered by the security plugin, but where they are not, the only way to remove the vulnerability is to update the plugin in question or remove it.
This feature is only available due to the work done on the part of the original developers on their “plugin vulnerabilities” plugin. The collation of all this data is down to them and if you like this feature, please do drop them a message on the forums to thank them for their work.
All we have done with our security plugin is extract their data and then re-use it within our plugin framework.
Ideas and Suggestions?
Let us know what you think in the comments below, and of course, if you like this feature or our security plugin in general, please do take a moment to leave us a review on WordPress.org. 🙂