WooThemes Security Audit Process & Development Partner WebDevStudios


WooThemes recently released a post talking to an audit that was performed on their various plugins and framework by our team. While true, it is important to note their level of commitment to providing secure products was second to none, it was actually quite refreshing.

The review was an exceptional process and we felt compelled to share some more information into the process.

First and foremost, we would also like to thank our development partner, WebDevStudios. They were, and are, an integral component to our security audit process. They lend us their in-depth knowledge of WordPress development experience which we then couple with our security and general development experience, together it makes for a highly effective solution. If you are a WordPress end-user, regardless of whether you are using a managed host or not, you should consider enlisting them to help maintain and sustain your environment. If you require a more in-depth, one-on-one security solution, leverage their security packages.

The Audit Process / Methodology

The process was developed in accordance with guidelines set forth in the The Open Web Application Security Project (OWASP) Testing Guide, version 3.0. It is customized to account for components that are more specific to the platform being reviewed, and includes specialized knowledge in today’s web security paradigm. All reviews that rate a Sucuri SafeTheme or SafePlugin seal consist of two components at a minimum:

  • Vulnerability Assessment
  • Code Audit


The vulnerability assessment is our own mix of processes that looks something like this: penetration testing + code review + threat modeling. It’s also what we classify as the most important part of the audit process. Our specific process was modified based on our experience working with and securing servers, and remediating malware issues on websites and web servers. It focuses specifically on the top issues being used today to exploit web software. It’s the process we use to manually check potentially exploitable components of the plugin and theme.

It consists of 4 areas:

  • Remote Testing
  • Low Privileged Remote Testing
  • Local Attacks
  • Admin Attacks

For each of the core areas described above we focus on the following:

  • Remote or local file inclusion vulnerabilities
  • Cross-Site Scripting
  • SQL Injections
  • Cross-Site Request Forgery (CSRF)
  • Insecure File or Directory creations
  • Incorrect usage of permissions


As defined by OWASP, source code review is the process of manually checking a web application’s source code for security issues. The code review was divided into two phases.

First phase includes a review by our development partner, WebDevStudios. This phase consists of a thorough line-by-line review of the entire applciation. All results are passed to Sucuri Security for review and validation. The focus is to ensure that the plugin is integrated well with the WordPress platform and follows guidance set forth by the WordPress Coding Standards and includes a higher level of scrutiny and expectations.

Second phase is the final phase. It includes an additional line-by-line review by the Sucuri Security team, validation of all previous findings and compilation of all findings. This review serves as an input value to the vulnerability assessment. It then includes a final rating based on security findings.

This two-pronged approach to a code review has proven effective and provides a high level of thoroughness and effectiveness to the process. This approach ensures nothing falls through the cracks and provides for the comprehensive code audit any application can expect.

The audit is designed to look for any of the following:

  • Concurrency Problems
  • Flawed Business Logic
  • Access Control Problems
  • Cryptographic Weakness
  • Backdoors, Trojans
  • Easter Eggs
  • Time Bombs
  • Logic Bombs
  • Input Validation Issues
  • Check Error Handling
  • Cross-Site Scripting
  • SQL Injection
  • Cross Site Request Forgery
  • CSS Hacks
  • Dead Code

The Seal Of Approval

In either case, when issues are identified they are provided to the client via a Security Vulnerability Assessment Document (SVAD). Any High or Severe issues must be addressed before the seal can be applied. This ensures the highest level of assurances are being provided to every consumer.

If you have any questions or concerns and would like some feedback please don’t hesitate to contact us at info@sucuri.net.

  1. What tools did you guys use to do static and heuristic analysis? Curious if any of the common tools in php land were used, or if it’s all in house stuff.

  2. What tools did you guys use to do static and heuristic analysis? Curious if any of the common tools in php land were used, or if it’s all in house stuff.

    1. Hi Vid

      We don’t leverage many tools, if any. In some instances we might if we’re conducting some form of penetration test, but even at that its nothing more than a baseline. We have found, that for application vulnerability work hands-on is the biggest differentiator.

      So yes, mostly in-house stuff. The question is always, how would I crack it?


Comments are closed.

You May Also Like