• Julie

    (@habannah)


    Since the plugin must be updated in order for it to detect vulnerabilities, and there haven’t been any new vulnerabilities added in nearly 4 months, this isn’t currently very useful as a security plugin. The plugin used to be updated regularly every month. So then, is it still maintained, and if so, will it be updated soon?

    https://www.ads-software.com/plugins/plugin-vulnerabilities/

Viewing 7 replies - 1 through 7 (of 7 total)
  • I think they stopped updating it because another plugin started using their data (which is entirely what is meant to happen in the WordPress ecosystem, by the way).

    Anyway, here’s another alternative, although it’s only available in the Pro version of this plugin: https://www.icontrolwp.com/blog/scan-wordpress-security-vulnerabilities-automatically-every-day/

    Thread Starter Julie

    (@habannah)

    Yes, I know. I was one of those who tried to convince them that sharing data was a good idea… My review of this plugin explains other issues as well, and provides much better options — which are freely available through the WordPress plugin repository.

    Plugin Contributor whitefirdesign

    (@whitefirdesign)

    It isn’t clear why this thread is being replied to at this point, since the plugin is in fact being updated at this point and is otherwise maintained.

    Seeing as both of you are suggesting using options that involve using data from the WPScan Vulnerability Database, you should be responsible and mention the limitations of that data source. While that data is a good option for something that is free, as the old adage goes, you get what you pay for.

    Thread Starter Julie

    (@habannah)

    > It isn’t clear why this thread is being replied to at this point, since the plugin is in fact being updated at this point and is otherwise maintained.

    I agree that it’s an outdated thread, but I felt that tdmalone’s comment was still worth replying to.

    > Seeing as both of you are suggesting using options that involve using data from the WPScan Vulnerability Database, you should be responsible and mention the limitations of that data source

    It’s odd of you to suggest we’re the ones who need to be more responsible, considering you never bothered to reply to my original question in the first place. At the time, the plugin was clearly not being maintained. I stopped using it due to your lack of response. You could have been more responsible as plugin authors, and replied to my questions, avoiding this entire issue.

    Before I stopped using this plugin, I compared its results to those of Plugin Security Scanner, which uses the WPScan Vulnerability Database. The PSS results were more accurate, and the information provided was more detailed. I don’t know what your plugin reports anymore, now that you’ve moved the vulnerabilities out of the plugin and into a database. However, my review and suggestions were made honestly, and were accurate at the time they were made.

    Personally attacking people who aren’t satisfied with your product does not good business make. I’ve been nothing but fair and objective. The least you could do is the same. You could have worded your reply to be informative instead of belittling:

    “In an effort to convince you of the higher quality of this plugin, we’d like to point out the limitations of that data source, including some serious accuracy issues.”

    > as the old adage goes, you get what you pay for

    And since this plugin is free, I suppose that’s exactly why you think it’s okay to be rude.

    Plugin Contributor whitefirdesign

    (@whitefirdesign)

    @julie @Niackery

    We didn’t respond to this thread at the time it was created because we didn’t even see it, since the plugin wasn’t maintained at the time, as you correctly noted (when it was being updated, it was being updated more than monthly though).

    There was no attack or issue with anyone not liking our product; we just feel it is important when making security recommendations that people be responsible because we see so much bad information being put out when it comes to WordPress security and that is doing a lot of damage. In this case, the WPScan Vulnerability Database has some serious limitations, like those accuracy issues we documented before. Someone suggesting using a plugin or service that uses its data should be responsible and note those things.

    There is some other fairly problematic security information in your review, but that is really outside of what is being discussed in this thread.

    Thread Starter Julie

    (@habannah)

    You know very well that the average WordPress plugin user won’t be aware of the security issues you allude to. Your expectations are unreasonable. It’s your job as security professionals to educate people, not estrange them, challenge them, or otherwise negatively engage with them. All you’ve managed to convince me of is to unsubscribe from your blog, and this thread.

    Plugin Contributor whitefirdesign

    (@whitefirdesign)

    @julie @Niackery

    The review you linked to in this thread was giving out security recommendations. It isn’t unreasonable to expect that someone giving out recommendations on such a serious topic should be informed when they are doing that.

    It makes it much harder to “educate people” when you have to contend with a steady stream of bad information, so if you are truly interested in having security professionals “educate people” then it would be a good idea to consider if what you are doing is helping or hurting that effort.

  • The topic ‘Still maintained?’ is closed to new replies.