Security WordPress Plugins That Need Review
193 indexed plugins
Plugins
193
Active Installs
27m+
Average Score
54
Audited
193
Needs Review
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | ||
| #52 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #53 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #54 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | ||
| #55 | Companion Auto Update | 33 | 159 | 298 | 40k+ | Direct Query | ||
| #56 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain | ||
| #57 | Media Vault | 34 | 115 | 150 | 800 | Output is not escaped | ||
| #58 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #59 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 10k+ | Request data is not unslashed | ||
| #60 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #61 | Expire User Passwords | 35 | 3 | 15 | 3k+ | Nonce verification recommended | ||
| #62 | Give – Cloudflare Turnstile | 35 | 3 | 2 | 600 | Hidden files included | ||
| #63 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #64 | Security.txt Manager | 35 | 1 | 0 | 600 | Hidden files included | ||
| #65 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 86 | 1m+ | Input is not sanitized | ||
| #66 | SMNTCS Disable REST API User Endpoints | 35 | 8 | 0 | 7k+ | Hidden files included | ||
| #67 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query | ||
| #68 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | Output is not escaped | ||
| #69 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | Request data is not unslashed | ||
| #70 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #71 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #72 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #73 | Login by Auth0 | 37 | 307 | 82 | 10k+ | Text Domain Mismatch | ||
| #74 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | Output is not escaped | ||
| #75 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable | ||
| #76 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | Input is not sanitized | ||
| #77 | Injection Guard | 37 | 86 | 45 | 1k+ | Unsafe printing function | ||
| #78 | ReCaptcha Integration for WordPress | 37 | 60 | 66 | 9k+ | Output is not escaped | ||
| #79 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #80 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 38 | 3 | 136 | 700k+ | Non-prefixed hook name | ||
| #81 | Blackhole for Bad Bots | 39 | 123 | 69 | 30k+ | Output is not escaped | ||
| #82 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | Non-prefixed global variable | ||
| #83 | Virusdie | One-click website security | 39 | 149 | 66 | 2k+ | Output is not escaped | ||
| #84 | WPS Limit Login | 39 | 152 | 76 | 100k+ | Output is not escaped | ||
| #85 | htaccess protect | 39 | 28 | 33 | 800 | Input is not validated | ||
| #86 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #87 | Advanced IP Blocker | 40 | 94 | 49 | 2k+ | Exception output is not escaped | ||
| #88 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 700 | Non-prefixed global variable | ||
| #89 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output is not escaped | ||
| #90 | Logbook | 40 | 33 | 59 | 1k+ | Nonce verification recommended | ||
| #91 | No-Bot Registration | 40 | 112 | 42 | 2k+ | Unsafe printing function | ||
| #92 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | Text Domain Mismatch | ||
| #93 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | Missing nonce verification | ||
| #94 | yubikey-plugin | 40 | 64 | 33 | 400 | Text Domain Mismatch | ||
| #95 | CloudGuard | 41 | 41 | 13 | 1k+ | Output is not escaped | ||
| #96 | Edit Lock | 41 | 47 | 22 | 500 | Non Singular String Literal Domain | ||
| #97 | Google Authenticator | 41 | 39 | 65 | 20k+ | Output is not escaped | ||
| #98 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #99 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #100 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function |