| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | | | Output is not escaped |
| #2 | Plugin Check (PCP) | 0 | 128 | 132 | 10k+ | | | Exception output is not escaped |
| #3 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #4 | Modular DS: Monitor, update, and backup multiple websites | 21 | 161 | 81 | 40k+ | | | Exception output is not escaped |
| #5 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | | Output is not escaped |
| #6 | WPScan – WordPress Security Scanner | 21 | 527 | 265 | 8k+ | | | Text Domain Mismatch |
| #7 | Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms | 22 | 493 | 295 | 10k+ | | | Text Domain Mismatch |
| #8 | Anti-Malware Security and Brute-Force Firewall | 22 | 544 | 965 | 100k+ | | | Output is not escaped |
| #9 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
| #10 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | | | Non-prefixed global variable |
| #11 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | | | Non-prefixed global variable |
| #12 | ManageWP Worker | 22 | 507 | 565 | 1m+ | | | Non-prefixed class |
| #13 | WP-WebAuthn | 22 | 957 | 396 | 2k+ | | | Exception output is not escaped |
| #14 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 23 | 1,053 | 967 | 700k+ | | | Missing Translators Comment |
| #15 | The GDPR Framework By Data443 | 23 | 1,287 | 517 | 10k+ | | | Short PHP open tag found |
| #16 | IP Geo Block | 23 | 399 | 589 | 9k+ | | | Output is not escaped |
| #17 | Jetpack – WP Security, Backup, Speed, & Growth | 23 | 2,821 | 1,303 | 3m+ | | | Text Domain Mismatch |
| #18 | Login With Ajax – Fast Logins, 2FA, Redirects | 23 | 623 | 520 | 10k+ | | | Output is not escaped |
| #19 | Patchstack – WordPress & Plugins Security | 23 | 107 | 489 | 40k+ | | | Missing nonce verification |
| #20 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | | | Non-prefixed global variable |
| #21 | Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning | 23 | 1,118 | 202 | 40k+ | | | Missing Translators Comment |
| #22 | All-In-One Security (AIOS) – Security and Firewall | 24 | 552 | 1,228 | 1m+ | | | Non-prefixed global variable |
| #23 | Defender Security – Malware Scanner, Login Security & Firewall | 24 | 306 | 518 | 80k+ | | | Non-prefixed namespace |
| #24 | Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms | 24 | 563 | 548 | 4k+ | | | Text Domain Mismatch |
| #25 | RSFirewall! | 24 | 563 | 521 | 4k+ | | | Output is not escaped |
| #26 | Security Plugin, Firewall & Malware Scanner with Auto Removal | 24 | 1,191 | 769 | 30k+ | | | Output is not escaped |
| #27 | SiteGuard WP Plugin | 24 | 362 | 345 | 500k+ | | | Output is not escaped |
| #28 | GD Security Headers | 25 | 407 | 521 | 1k+ | | | Output is not escaped |
| #29 | Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention | 25 | 621 | 602 | 1m+ | | | Unsafe printing function |
| #30 | Loginizer | 25 | 814 | 504 | 1m+ | | | Output is not escaped |
| #31 | Nexter Extension – Security, Performance, Code Snippets & Site Toolkit | 25 | 198 | 710 | 10k+ | | | Nonce verification recommended |
| #32 | Simply Static – The Static Site Generator | 25 | 163 | 446 | 30k+ | | | Non-prefixed hook name |
| #33 | Wordfence Login Security | 25 | 248 | 418 | 70k+ | | | Output is not escaped |
| #34 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 462 | 213 | 30k+ | | | Text Domain Mismatch |
| #35 | SP Move Login | 26 | 881 | 215 | 6k+ | | | Text Domain Mismatch |
| #36 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 27 | 271 | 568 | 6k+ | | | Request data is not unslashed |
| #37 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | | | Input is not sanitized |
| #38 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | | | Missing nonce verification |
| #39 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | | | Request data is not unslashed |
| #40 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | | | Direct Query |
| #41 | Jetpack Protect | 30 | 657 | 217 | 100k+ | | | Text Domain Mismatch |
| #42 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | | | Unsafe printing function |
| #43 | WPS Cleaner | 30 | 430 | 491 | 20k+ | | | Output is not escaped |
| #44 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | | | Nonce verification recommended |
| #45 | My Private Site | 31 | 425 | 190 | 20k+ | | | Text Domain Mismatch |
| #46 | LWS Tools | 31 | 104 | 134 | 10k+ | | | Request data is not unslashed |
| #47 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | | | Interpolated SQL is not prepared |
| #48 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | | | SQL query is not prepared |
| #49 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | | | Non-prefixed global variable |
| #50 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | | | Output is not escaped |
