Code Review | Defender Security - Malware Scanner, Login Security & Firewall

WordPress plugin Defender Security - Malware Scanner, Login Security & Firewall scored 57% from 54 tests.

About plugin

  • Plugin page: defender-security
  • Plugin version: 4.2.1
  • PHP compatibility: 7.4+
  • PHP version: 7.4.16
  • WordPress compatibility: 5.2-6.4
  • WordPress version: 6.3.1
  • First release: Jun 7, 2017
  • Latest release: Oct 23, 2023
  • Number of updates: 361
  • Update frequency: every 6.5 days
  • Top authors: BigTonny (59%), hoang1213 (26.59%), jdailey (6.37%), gvgvgvijayan (4.16%), paulkevini (3.32%)

Code review

54 tests

User reviews

269 reviews

Install metrics

90,000+ active / 2,096,972 total downloads

Benchmarks

Plugin footprint 65% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | The install procedure must perform silently
The plugin installed successfully, without throwing any errors or notices

Server metrics [RAM: ▲2.06MB] [CPU: ▲18.52ms] Passed 4 tests

This is a short check of server-side resources used by Defender Security - Malware Scanner, Login Security & Firewall
Server-side resource usage is within normal parameters
Page | Memory (MB) | CPU Time (ms)
Home / | 5.59 ▲2.13 | 62.94 ▲17.60
Dashboard /wp-admin | 5.34 ▲1.99 | 70.26 ▲11.32
Posts /wp-admin/edit.php | 5.49 ▲2.13 | 69.88 ▲25.86
Add New Post /wp-admin/post-new.php | 7.94 ▲2.05 | 108.04 ▲19.29
Media Library /wp-admin/upload.php | 5.28 ▲2.05 | 72.86 ▲38.93
Settings /wp-admin/admin.php?page=wdf-setting | 5.03 | 51.08
Malware Scanning /wp-admin/admin.php?page=wdf-scan | 5.03 | 50.12
Defender /wp-admin/admin.php?page=wp-defender | 6.17 | 70.68
Scheduled Actions /wp-admin/tools.php?page=action-scheduler | 5.43 | 118.83
Tutorials /wp-admin/admin.php?page=wdf-tutorial | 5.04 | 53.83
Audit Logging /wp-admin/admin.php?page=wdf-logging | 5.03 | 47.63
Recommendations /wp-admin/admin.php?page=wdf-hardener | 5.03 | 50.35
WAF /wp-admin/admin.php?page=wdf-waf | 5.03 | 46.82
2FA /wp-admin/admin.php?page=wdf-2fa | 5.03 | 50.49
Notifications /wp-admin/admin.php?page=wdf-notification | 5.03 | 49.28

Server storage [IO: ▲16.95MB] [DB: ▲0.01MB] 67% from 3 tests

Input-output and database impact of this plugin
Just a few items left to fix
  • Illegal file modification detected: 1 file (0.32KB) outside of "wp-content/plugins/defender-security/" and "wp-content/uploads/"
    • (new file) wp-content/wp-defender-secrets.php
Filesystem: 1,695 new files
Database: 10 new tables, 10 new options
New tables
wp_defender_email_log
wp_defender_lockout_log
wp_defender_lockout
wp_defender_scan_item
wp_defender_scan
wp_actionscheduler_logs
wp_actionscheduler_claims
wp_actionscheduler_actions
wp_actionscheduler_groups
wp_defender_audit_log
New WordPress options
db_upgraded
theysaidso_admin_options
widget_recent-posts
schema-ActionScheduler_StoreSchema
schema-ActionScheduler_LoggerSchema
action_scheduler_lock_async-request-runner
action_scheduler_hybrid_store_demarkation
widget_theysaidso_widget
can_compress_scripts
widget_recent-comments

Browser metrics Passed 4 tests

This is an overview of browser requirements for Defender Security - Malware Scanner, Login Security & Firewall
This plugin has a minimal impact on browser resources
Page | Nodes | Memory (MB) | Script (ms) | Layout (ms)
Home / | 2,877 ▲106 | 14.09 ▼0.26 | 1.66 ▼0.39 | 43.02 ▼0.59
Dashboard /wp-admin | 2,280 ▲109 | 5.56 ▲0.01 | 82.01 ▼5.73 | 40.69 ▲4.55
Posts /wp-admin/edit.php | 2,188 ▲88 | 1.98 ▼0.03 | 36.14 ▼4.82 | 34.72 ▼4.31
Add New Post /wp-admin/post-new.php | 1,582 ▲54 | 22.56 ▼0.58 | 669.77 ▲41.62 | 57.68 ▲5.56
Media Library /wp-admin/upload.php | 1,488 ▲91 | 4.22 ▲0.05 | 113.55 ▲11.02 | 50.48 ▲8.07
Settings /wp-admin/admin.php?page=wdf-setting | 948 | 3.92 | 67.46 | 79.92
Malware Scanning /wp-admin/admin.php?page=wdf-scan | 948 | 3.91 | 61.82 | 30.09
Defender /wp-admin/admin.php?page=wp-defender | 948 | 3.43 | 44.97 | 30.21
Scheduled Actions /wp-admin/tools.php?page=action-scheduler | 1,333 | 1.96 | 24.48 | 31.97
Tutorials /wp-admin/admin.php?page=wdf-tutorial | 948 | 3.41 | 45.88 | 33.21
Audit Logging /wp-admin/admin.php?page=wdf-logging | 948 | 3.42 | 44.39 | 32.31
Recommendations /wp-admin/admin.php?page=wdf-hardener | 948 | 3.39 | 45.66 | 31.34
WAF /wp-admin/admin.php?page=wdf-waf | 948 | 3.35 | 44.76 | 30.58
2FA /wp-admin/admin.php?page=wdf-2fa | 948 | 3.39 | 45.80 | 29.84
Notifications /wp-admin/admin.php?page=wdf-notification | 948 | 3.39 | 45.03 | 30.58

Uninstaller [IO: ▲0.00MB] [DB: ▲0.01MB] 50% from 4 tests

🔸 Tests weight: 35 | Verifying that this plugin uninstalls completely without leaving any traces
Please fix the following items
  • The uninstall procedure failed, leaving 10 tables in the database
    • wp_defender_lockout
    • wp_defender_scan_item
    • wp_actionscheduler_claims
    • wp_defender_email_log
    • wp_defender_audit_log
    • wp_defender_lockout_log
    • wp_actionscheduler_actions
    • wp_actionscheduler_logs
    • wp_defender_scan
    • wp_actionscheduler_groups
  • Zombie WordPress options were found after uninstall: 11 options
    • schema-ActionScheduler_StoreSchema
    • action_scheduler_migration_status
    • action_scheduler_hybrid_store_demarkation
    • theysaidso_admin_options
    • can_compress_scripts
    • widget_recent-comments
    • schema-ActionScheduler_LoggerSchema
    • widget_theysaidso_widget
    • action_scheduler_lock_async-request-runner
    • db_upgraded
    • ...

Smoke tests 50% from 4 tests

Server-side errors Passed 1 test

🔹 Test weight: 20 | This is a short smoke test looking for server-side errors
The smoke test succeeded; however, most plugin functionality was not tested

SRP 0% from 2 tests

🔹 Tests weight: 20 | The single-responsibility principle: PHP files have to remain inert when accessed directly, throwing no errors and performing no actions
Almost there! Just fix the following items
  • 5× PHP files output text when accessed directly:
    • > /wp-content/plugins/defender-security/src/view/two-fa/providers/biometric.php
    • > /wp-content/plugins/defender-security/src/view/main.php
    • > /wp-content/plugins/defender-security/vendor/mixpanel/mixpanel-php/examples/error_handling.php
    • > /wp-content/plugins/defender-security/src/view/two-fa/providers/totp-enabled.php
    • > /wp-content/plugins/defender-security/vendor/mixpanel/mixpanel-php/examples/custom_consumer.php
  • 868× GET requests to PHP files trigger server-side errors or Error 500 responses (only 10 are shown):
    • > [ Base_MixpanelBase - line 113 ]
      Flush called - queue size: 2
    • > PHP Fatal error
      Uncaught Error: Interface 'Safe\\Exceptions\\SafeExceptionInterface' not found in wp-content/plugins/defender-security/vendor/thecodingmachine/safe/generated/Exceptions/RpminfoException.php:4
    • > PHP Fatal error
      Trait 'WP_Defender\\Traits\\User' not found in wp-content/plugins/defender-security/src/upgrader.php on line 32
    • > PHP Fatal error
      Uncaught Error: Interface 'Ramsey\\Uuid\\Exception\\UuidExceptionInterface' not found in wp-content/plugins/defender-security/vendor/ramsey/uuid/src/Exception/NodeException.php:22
    • > PHP Fatal error
      Uncaught Error: Class 'Calotes\\Model\\Setting' not found in wp-content/plugins/defender-security/src/model/setting/blacklist-lockout.php:14
    • > PHP Fatal error
      Uncaught Error: Class 'CronExpression_AbstractField' not found in wp-content/plugins/defender-security/vendor/woocommerce/action-scheduler/lib/cron-expression/CronExpression_MonthField.php:8
    • > PHP Fatal error
      Uncaught Error: Call to undefined function is_admin() in wp-content/plugins/defender-security/extra/recommended-plugins-notice/notice.php:266
    • > PHP Fatal error
      Uncaught Error: Interface 'League\\Uri\\Contracts\\UriComponentInterface' not found in wp-content/plugins/defender-security/vendor/league/uri-interfaces/src/Contracts/UserInfoInterface.php:16
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_AdminView_Deprecated' not found in wp-content/plugins/defender-security/vendor/woocommerce/action-scheduler/classes/ActionScheduler_AdminView.php:7
    • > PHP Fatal error
      Uncaught Error: Class 'Cose\\Algorithm\\Signature\\RSA\\PSSRSA' not found in wp-content/plugins/defender-security/vendor/web-auth/cose-lib/src/Algorithm/Signature/RSA/PS256.php:18

User-side errors Passed 1 test

🔹 Test weight: 20 | Just a short smoke test targeting errors on the browser (console and network errors and warnings)
No browser issues were found

Optimizations

Plugin configuration 90% from 29 tests

readme.txt 94% from 16 tests

Don't ignore readme.txt as it is the file that instructs WordPress.org on how to present your plugin to the world
These attributes need to be fixed:
  • Tags: Please delete some tags; you are using 26 tags instead of the maximum of 10
You can take inspiration from this readme.txt

defender-security/wp-defender.php 85% from 13 tests

"Defender Security - Malware Scanner, Login Security & Firewall" version 4.2.1's main PHP file describes plugin functionality and also serves as the entry point to any WordPress functionality
Please make the necessary changes and fix the following:
  • Main file name: It is recommended to name the main PHP file as the plugin slug ("defender-security.php" instead of "wp-defender.php")
  • Description: If Twitter did it, so should we! Keep the description under 140 characters (currently 189 characters long)

Code Analysis 3% from 3 tests

File types 0% from 1 test

🔸 Test weight: 35 | Executable files are not allowed as they can serve as attack vectors
Almost there! Just fix the following issues
  • For security reasons, never distribute binary or executable files with your plugin
    • .bat - Batch File in Windows
      • wp-content/plugins/defender-security/vendor/gettext/languages/bin/export-plural-rules.bat
182,975 lines of code in 1,541 files:
LanguageFilesBlank linesComment linesLines of code
PHP1,29623,54577,491119,330
JavaScript734,8962,44237,008
HTML341,77116911,482
JSON41106,351
Markdown451,38604,022
CSS22208562,512
SVG234281,467
C111825668
XML37094
m418032
C/C++ Header14128
DOS Batch1001

PHP code 50% from 2 tests

This is a short overview of cyclomatic complexity and code structure for this plugin
It is recommended to fix the following
  • Method cyclomatic complexity has to be reduced to less than 100 (currently 313)
Cyclomatic complexity
Average complexity per logical line of code: 0.38
Average class complexity: 12.13
▷ Minimum class complexity: 1.00
▷ Maximum class complexity: 454.00
Average method complexity: 2.87
▷ Minimum method complexity: 1.00
▷ Maximum method complexity: 313.00
Code structure
Namespaces: 165
Interfaces: 119
Traits: 33
Classes: 962
▷ Abstract classes: 74 (7.69%)
▷ Concrete classes: 888 (92.31%)
▷ Final classes: 161 (18.13%)
Methods: 6,951
▷ Static methods: 1,044 (15.02%)
▷ Public methods: 5,626 (80.94%)
▷ Protected methods: 554 (7.97%)
▷ Private methods: 771 (11.09%)
Functions: 1,340
▷ Named functions: 1,223 (91.27%)
▷ Anonymous functions: 117 (8.73%)
Constants: 1,009
▷ Global constants: 113 (11.20%)
▷ Class constants: 896 (88.80%)
▷ Public constants: 766 (85.49%)

Plugin size Passed 2 tests

Image compression Passed 2 tests

It is recommended to compress PNG files in your plugin to minimize bandwidth usage
56 PNG files occupy 0.32MB with 0.13MB in potential savings
Potential savings
Compression of 5 random PNG files using pngquant
File | Size - original | Size - compressed | Savings
extra/recommended-plugins-notice/assets/images/plugins-forminator.png | 11.71KB | 4.57KB | ▼ 60.99%
assets/img/plugins-smush-icon.png | 2.12KB | 1.33KB | ▼ 37.37%
extra/free-dashboard/assets/images/giveaway/form/branda.png | 3.54KB | 2.16KB | ▼ 38.99%
vendor/mixpanel/mixpanel-php/docs/images/icon-trait-13x13.png | 0.33KB | 0.23KB | ▼ 30.59%
assets/email-images/logo.png | 0.96KB | 0.65KB | ▼ 32.08%