How to check plugins for malicious code?

The question:

Our new hosting company ran a security check on our installation and I was very surprised to hear that a premium plugin we had purchased (Easy Media Gallery Pro) contained malicious code.

(It may just be coincidental, but our site was hacked around the time we upgraded to the Pro version of that plugin.)

Anyway, I would like to know if there are any reliable utilities out there that can perform a reliable, independent security check on a plugin before I install it on my site?

The Solutions:

Below are the methods you can try. The first solution is probably the best; try the others if it does not work. Senior developers do not just copy and paste: they read each method carefully and apply it to their own case.

Method 1

There are several options/plugins to do that, but nothing can provide you with 100% security. Following good practices, daily/weekly backups and using themes/plugins that follow good code practices will usually help you to stay out of trouble. But again, nothing will give you 100% security. As for plugins, you can try several that will give you a little peace of mind:

I’ve worked mainly with Wordfence Security since most of the plugins I use come from the official WP repository, and it has some neat settings that allow you to compare your theme’s/plugins’ code directly against the theme’s/plugins’ repo for changes and scan the code for potential issues.

But again this is not a 100% solution.

Method 2

Effectively, at the moment there are approximately 30,000+ plugins that are not empty in the WordPress.org repository. These plugins are submitted for inclusion and are manually reviewed by volunteers before they are made available on the repository. Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.

Keep in mind that even though some plugins may be secure at the moment, new plugin updates may bring security issues.

One great resource to read is:
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

Because of the dynamic nature of the plugins (read: they are updated), remember to check the plugins on a daily basis.

In order to perform a static plugin source code audit, the following tools can be used:

  • RIPS: A static source code analyzer for vulnerabilities in PHP scripts

  • PHP-sat: Static analysis for PHP

  • Yasca: It could best be described as a “glorified grep script” plus an aggregation of other open-source tools.

And other tools based on the Linux grep command.

There are also tools that work dynamically (runtime) as you may read in the OWASP document, and this is also important.

Let’s just say some “bad” plugins may contain images with hidden data that can dynamically convert to bad PHP code instructions.
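A small static check in the spirit of the grep-based tools and the image-with-hidden-data case above, as an added example that is not code from the original answer or from any of the tools it names. It flags PHP files that use constructs commonly chained to run obfuscated code, and image files that carry a PHP open tag; the pattern labels, the sample file names and their contents are all constructed for this illustration.

```python
import os
import re

# Constructs commonly chained to run obfuscated PHP. A hit is a lead for a
# manual review of that file, not proof that the plugin is malicious.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decompress_or_rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(r"""preg_replace\s*\(\s*['"][^'"]*e[a-zA-Z]*['"]"""),
    # a variable used as a function name, fed straight from request data
    "variable_function_on_input": re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}

def scan_file_content(name: str, data: bytes) -> list:
    """Return the labels of every pattern found in one file's bytes."""
    findings = []
    # An image file that carries a PHP open tag is the "hidden data" case above.
    if os.path.splitext(name)[1].lower() in IMAGE_EXTENSIONS and b"<?php" in data:
        findings.append("php-open-tag-in-image")
    text = data.decode("utf-8", errors="replace")
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            findings.append(label)
    return findings

def scan_samples(samples: dict) -> dict:
    """Scan an in-memory {relative path: bytes} map; only flagged files are returned."""
    report = {}
    for name, data in samples.items():
        hits = scan_file_content(name, data)
        if hits:
            report[name] = hits
    return report

def scan_plugin_dir(root: str) -> dict:
    """Walk an installed plugin directory (e.g. wp-content/plugins/<slug>) the same way."""
    samples = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as handle:
                samples[os.path.relpath(path, root)] = handle.read()
    return scan_samples(samples)

# Constructed sample files standing in for a plugin tree (not from any real plugin).
CONSTRUCTED_SAMPLES = {
    "includes/helper.php": b"<?php\nfunction emg_title($s) { return esc_html($s); }\n",
    "includes/loader.php": b"<?php\n$code = base64_decode($_POST['p']);\neval($code);\n",
    "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php /* constructed marker */ ?>",
}

if __name__ == "__main__":
    for path, hits in scan_samples(CONSTRUCTED_SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run `scan_plugin_dir` against a freshly unpacked plugin zip before activating it, and treat every flagged file as something to open and read, since legitimate code (compression helpers, licence checkers) also uses some of these functions.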


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.