How to Do a WordPress Plugin and Theme Security Audit?


Plugin and Theme Security Audit — Why Do You Need It?

Ask any WordPress site owner, or follow the statistics on the most common WordPress attacks, and you’ll understand why it’s crucial to address plugin and theme vulnerabilities. A shocking 70 million WordPress sites are running vulnerable plugins and themes, which account for more than 50% of WordPress attacks. The resulting damage and data loss also have long-term effects on the site’s reputation, no matter how useful the site was.

  • Phishing attacks launched against your customers;
  • Malicious code injected into the MySQL database, SEO spam, and cross-site scripting (XSS) attacks that may get the website blacklisted;
  • Loss of customer data such as payment information and personal details;
  • Site data encrypted beyond recognition, with a ransom demanded to restore it.

Conducting a Plugin and Theme Security Audit

Now that we’ve covered the ‘why’, let’s move to the ‘how’. These are the steps you need to follow to ensure a comprehensive security audit for your themes and plugins.

Data validation, clean-up, and data escaping

Data validation means checking incoming data against the pattern you expect (a number, an e-mail address, one of a fixed set of values) and rejecting anything that does not match. Clean-up, or sanitization, means filtering the data that is accepted so that unwanted content is removed before it is stored. Escaping is the output-side counterpart: encoding data at the point where it is printed into HTML, an attribute, a URL, or a query so that it is rendered as data rather than interpreted as code.
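The following handler illustrates the three layers in order: validate, sanitize, escape. It is an added example written for this article, not code from the original post; it assumes it runs inside a WordPress plugin (so the `sanitize_*`, `esc_*`, `absint`, `is_email` and `WP_Error` helpers are available), and the field names, function names and the two request arrays are constructed for illustration.

```php
<?php
// Added example: validate on input, sanitize what is accepted, escape on output.
// Assumes a WordPress plugin context. Names prefixed audit_example_ are constructed.

/**
 * Validation: fields with a fixed shape are checked, not "fixed".
 * Returns an array of error messages; empty means the input is acceptable.
 */
function audit_example_validate( array $input ) {
    $errors = array();
    if ( ! isset( $input['contact'] ) || ! is_email( $input['contact'] ) ) {
        $errors[] = 'contact must be a valid e-mail address';
    }
    if ( ! isset( $input['items'] ) || ! ctype_digit( (string) $input['items'] ) ) {
        $errors[] = 'items must be a non-negative integer';
    }
    return $errors;
}

/**
 * Sanitization: free-text fields are cleaned before they are stored.
 * WordPress adds slashes to request data, so wp_unslash() comes first.
 */
function audit_example_sanitize( array $input ) {
    return array(
        // Removes tags (script/style elements including their contents), stray
        // whitespace and line breaks: "  Alice <script>alert(1)</script> " -> "Alice"
        'display_name' => sanitize_text_field( wp_unslash( $input['display_name'] ) ),
        'contact'      => sanitize_email( wp_unslash( $input['contact'] ) ),
        // Casts to a non-negative integer: "12" -> 12
        'items'        => absint( $input['items'] ),
        // Only allowed protocols survive; a javascript: URL becomes ''
        'homepage'     => esc_url_raw( wp_unslash( $input['homepage'] ) ),
    );
}

/**
 * Escaping: each value is encoded for the exact context it is printed into.
 * Sanitized storage does not replace this step; the context decides the function.
 */
function audit_example_render( array $clean ) {
    $html  = '<p>Welcome, ' . esc_html( $clean['display_name'] ) . '</p>';
    $html .= '<input type="number" name="items" value="' . esc_attr( $clean['items'] ) . '">';
    if ( '' !== $clean['homepage'] ) {
        $html .= '<a href="' . esc_url( $clean['homepage'] ) . '">Homepage</a>';
    }
    return $html;
}

/** Ties the three steps together; returns HTML or a WP_Error. */
function audit_example_handle( array $request ) {
    $errors = audit_example_validate( $request );
    if ( ! empty( $errors ) ) {
        return new WP_Error( 'invalid_input', implode( '; ', $errors ) );
    }
    return audit_example_render( audit_example_sanitize( $request ) );
}

// Constructed requests standing in for $_POST.
$accepted = array(
    'display_name' => '  Alice <script>alert(1)</script> ',
    'contact'      => 'alice@example.com',
    'items'        => '12',
    'homepage'     => 'javascript:alert(1)',
);
$rejected = array(
    'display_name' => 'Bob',
    'contact'      => 'not-an-address',
    'items'        => '12abc',
    'homepage'     => 'https://example.com/',
);

$result = audit_example_handle( $accepted );
echo is_wp_error( $result ) ? $result->get_error_message() : $result;
// Output: <p>Welcome, Alice</p><input type="number" name="items" value="12">

$result = audit_example_handle( $rejected );
echo is_wp_error( $result ) ? $result->get_error_message() : $result;
// Output: contact must be a valid e-mail address; items must be a non-negative integer
```

The order matters: validation rejects malformed input outright instead of trying to repair it, sanitization is applied only to fields that are legitimately free-form, and escaping is chosen per output context (text node, attribute, URL) at the point of printing.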

Accounting for injection attacks

By modifying an SQL query, attackers can access your database and manipulate the data or insert malicious code. In 2020, SQL injection vulnerabilities remain the topmost concern for over a million WordPress websites. These attacks commonly occur through fields that accept user input: the attacker inserts SQL code into the field and thereby changes the request sent to the database.
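The query shapes that fail and the ones that hold up are shown side by side below. This is an added example for this article, not code from the original post; it assumes the WordPress `$wpdb` global and a plugin-created table whose name and columns (`audit_orders`, `id`, `customer`, `total`, `created_at`) are constructed for illustration.

```php
<?php
// Added example: string-built query versus $wpdb->prepare().
// Assumes a WordPress plugin context; table and column names are constructed.

/**
 * VULNERABLE (kept only for comparison): the request value is spliced into the
 * statement text. A single quote in $customer ends the string literal and the
 * rest of the value is parsed as SQL, so the attacker rewrites the WHERE clause.
 */
function audit_orders_vulnerable( $customer ) {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_orders';
    $sql   = "SELECT id, total FROM {$table} WHERE customer = '{$customer}'";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED: values travel through placeholders. prepare() quotes and escapes %s,
 * casts %d to an integer and %f to a float, so the statement structure is fixed
 * before any user data is added.
 */
function audit_orders_safe( $customer, $min_total, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_orders'; // built from a constant, never from input
    $sql   = $wpdb->prepare(
        "SELECT id, total FROM {$table} WHERE customer = %s AND total >= %f ORDER BY id DESC LIMIT %d",
        $customer,
        $min_total,
        $limit
    );
    return $wpdb->get_results( $sql );
}

/**
 * LIKE patterns need one extra step: esc_like() neutralises % and _ inside the
 * user's term, then the whole pattern is still passed as a %s placeholder.
 */
function audit_orders_search( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_orders';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, customer FROM {$table} WHERE customer LIKE %s LIMIT 50", $like )
    );
}

/**
 * Identifiers (table and column names, sort direction) cannot be bound as
 * values, so they are chosen from an allow-list instead. WordPress 6.2 and later
 * also offer a %i placeholder in prepare() for identifiers.
 */
function audit_orders_sorted( $order_by, $direction ) {
    global $wpdb;
    $columns   = array( 'id', 'total', 'created_at' );
    $order_by  = in_array( $order_by, $columns, true ) ? $order_by : 'id';
    $direction = ( 'ASC' === strtoupper( (string) $direction ) ) ? 'ASC' : 'DESC';
    $table     = $wpdb->prefix . 'audit_orders';
    return $wpdb->get_results( "SELECT id, total FROM {$table} ORDER BY {$order_by} {$direction} LIMIT 20" );
}

/** Writes go through the $wpdb helpers, which apply the format per column. */
function audit_orders_insert( $customer, $total ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'audit_orders',
        array( 'customer' => $customer, 'total' => $total ),
        array( '%s', '%f' )
    );
    return false === $ok ? 0 : $wpdb->insert_id;
}
```

During an audit, the quickest way to find the vulnerable pattern is to search the plugin for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose statement string is built with interpolation or concatenation and does not pass through `prepare()`, then confirm whether any interpolated part originates from `$_GET`, `$_POST`, `$_COOKIE` or request headers.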

Check the ‘container’

Sometimes, container-based technology is used to host multiple environments for development purposes. In that case, appropriate scanning and analysis must be carried out to ensure security. This should cover the container images, compliance requirements, security keys, and any malware or vulnerabilities that may be present.

Conducting SAST, DAST, and IAST

Static Application Security Testing (SAST) lets you go through your code and search it for vulnerabilities. Because it examines the source code directly, it is also referred to as white-box testing. It helps you find and resolve issues during the software development life cycle (SDLC).

The nonce system in WordPress

A nonce (‘number used once’) is a unique token that your source code attaches to a request sent to the WordPress install. In practice the token is regenerated over time rather than assigned once and kept. It helps you establish that a request is legitimate, and it is implemented as a security measure in most plugins.
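Below is how a plugin issues a nonce with a form and checks it in the handler, for both a classic `admin-post.php` submission and an `admin-ajax.php` call. This is an added example for this article, not code from the original post; it assumes a WordPress plugin context, and the action names, field names and hook callbacks (`audit_example_*`) are constructed. Two points the paragraph leaves implicit: WordPress nonces are time-limited tokens (valid for up to 24 hours by default, which is what “regenerating” refers to), and a valid nonce shows the request was intentionally issued from your own page, so a capability check is still required.

```php
<?php
// Added example: issuing and verifying WordPress nonces.
// Assumes a WordPress plugin context; all audit_example_* names are constructed.

/**
 * 1. Emit the nonce with the form. The action string includes the object id so
 *    a token minted for one note cannot be replayed against another.
 *    wp_nonce_field( $action, $name, $referer, $display ): $display = false returns the HTML.
 */
function audit_example_render_delete_form( $note_id ) {
    $note_id = absint( $note_id );
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="audit_example_delete_note">';
    $html .= '<input type="hidden" name="note_id" value="' . esc_attr( $note_id ) . '">';
    $html .= wp_nonce_field( 'audit_example_delete_note_' . $note_id, '_audit_nonce', true, false );
    $html .= '<button type="submit">Delete note</button></form>';
    return $html;
}

/**
 * 2. Verify it in the handler. admin_post_{action} runs for logged-in users.
 *    wp_verify_nonce() returns 1 or 2 (first/second half of the lifetime) or false.
 */
add_action( 'admin_post_audit_example_delete_note', 'audit_example_handle_delete' );
function audit_example_handle_delete() {
    $note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    $nonce   = isset( $_POST['_audit_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_audit_nonce'] ) )
        : '';

    if ( ! wp_verify_nonce( $nonce, 'audit_example_delete_note_' . $note_id ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // The nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // ... delete the note here (storage omitted in this example) ...

    wp_safe_redirect( add_query_arg( 'deleted', $note_id, wp_get_referer() ) );
    exit;
}

/**
 * 3. AJAX variant. The page script receives the token from wp_create_nonce()
 *    (typically via wp_localize_script) and sends it as the 'security' field;
 *    check_ajax_referer() verifies it and terminates the request on failure.
 */
function audit_example_enqueue_ajax_token() {
    wp_localize_script( 'audit-example-script', 'auditExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'audit_example_count' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'audit_example_enqueue_ajax_token' );

add_action( 'wp_ajax_audit_example_count', 'audit_example_ajax_count' );
function audit_example_ajax_count() {
    check_ajax_referer( 'audit_example_count', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'count' => 3 ) ); // constructed value
}
```

When auditing a plugin, look for every `admin_post_*`, `wp_ajax_*` and form-processing hook and confirm that each one calls `wp_verify_nonce()`, `check_admin_referer()` or `check_ajax_referer()` before changing state, and that the nonce check is paired with a `current_user_can()` check rather than standing in for it.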

Using the Software Composition Analysis (SCA) tool

An SCA tool checks the code imported or outsourced from outside the organization (third-party libraries and dependencies) for publicly known vulnerabilities. OWASP provides a Dependency-Check tool that, once placed in your development environment, reports outdated components and other vulnerabilities. This stage is important because such code is usually not checked beyond the static analysis phase.

Conduct background checks

It’s important to evaluate the developers before installing their plugins or themes. Always check the installation figures and the other plugins released by the same entity to assess their quality in the market. The developer’s level of activity tells you whether they regularly release updates and security patches when vulnerabilities are discovered. Check their terms of service and privacy policy to confirm legitimacy.


Updating WordPress regularly is very important for dealing with hidden vulnerabilities and improving overall performance and adaptability. It also ensures that your plugins and themes are on their latest versions, so that known flaws cannot be used to plant backdoors. The update option is found under ‘Dashboard > Updates’.


Each organization has its own security needs, so the plugin and theme security audit procedure may need additions; it is recommended that you scope the audit according to your business goals.




