Does Authenticator have any unpatched vulnerabilities?

No. All known vulnerabilities in Authenticator have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Authenticator compatible with WordPress 6.9.4?

According to WordPress.org data, Authenticator 1.3.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Authenticator compatible with PHP 5.6+?

Authenticator requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Authenticator updated?

Authenticator was last updated on Jan 21, 2026. Frequent updates are generally a positive security signal.

What is Authenticator's security score?

Authenticator has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Authenticator Security & Risk Analysis

wordpress.org/plugins/authenticator

This plugin allows you to make your WordPress site accessible to logged in users only.

1K active installs v1.3.1 PHP 5.6+ WP 5.0+ Updated Jan 21, 2026

accessaccessibleauthentificationloginmembers

A · Safe

CVEs total1

Unpatched0

Last CVENov 26, 2022

Plugin page Download

Safety Verdict

Is Authenticator Safe to Use in 2026?

Generally Safe

Score 99/100

Authenticator has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 26, 2022Updated 2mo ago

Risk Assessment

The Authenticator plugin v1.3.1 exhibits a mixed security posture. While it has a small attack surface and implements a reasonable number of capability checks and a nonce check, there are significant concerns stemming from its code analysis and vulnerability history. The static analysis reveals that 100% of its SQL queries are not using prepared statements, which is a critical vulnerability vector for SQL injection. Furthermore, a concerning 71% of analyzed taint flows have unsanitized paths, indicating potential for insecure data handling and path traversal issues, although no critical or high severity taint flows were specifically identified in this scan. The vulnerability history highlights a past high-severity vulnerability related to missing authorization, which is a common and dangerous class of flaws. The fact that this high-severity vulnerability is now patched is positive, but the historical pattern of such issues warrants caution. Overall, the plugin has strengths in limiting its direct attack surface, but the lack of prepared statements for SQL and the past authorization issues suggest that careful review and potential remediation are necessary to improve its security.

Key Concerns

100% of SQL queries are not prepared
5 out of 7 taint flows have unsanitized paths
Past high severity vulnerability (missing authorization)
Only 20% of outputs are properly escaped

Vulnerabilities

Authenticator Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2022-3994high · 8.1Missing Authorization

Authenticator <= 1.3.0 - Missing Authorization

Nov 26, 2022 Patched in 1.3.1 (423d)

Code Analysis

Analyzed Mar 16, 2026

Authenticator Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

4 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

0% prepared1 total queries

Output Escaping

20% escaped20 total outputs

Data Flows

5 unsanitized

Data Flow Analysis

7 flows5 with unsanitized paths

_exit_403 (authenticator.php:442)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Authenticator Attack Surface

Entry Points1

Unprotected0

AJAX Handlers 1

authwp_ajax_regenerate_tokeninc\class-Authenticator_Settings_UI.php:29

WordPress Hooks 16

actionplugins_loadedauthenticator.php:23

actiontemplate_redirectauthenticator.php:153

actionadmin_initauthenticator.php:155

filterauth_cookie_expirationauthenticator.php:159

actionadmin_initauthenticator.php:161

filterauthenticator_get_optionsauthenticator.php:162

actioninitauthenticator.php:165

actioninitauthenticator.php:166

actioninitauthenticator.php:167

actionlogin_footerauthenticator.php:169

filterxmlrpc_enabledauthenticator.php:385

actionrest_authentication_errorsauthenticator.php:399

actioninitinc\class-Authenticator_Protect_Upload.php:16

actionadmin_enqueue_scriptsinc\class-Authenticator_Settings_UI.php:28

actionshow_user_profileinc\class-Authenticator_User_Profile.php:21

actionedit_user_profileinc\class-Authenticator_User_Profile.php:22

Maintenance & Trust

Authenticator Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 21, 2026

PHP min version5.6

Downloads98K

Community Trust

Rating100/100

Number of ratings8

Active installs1K

Alternatives

Authenticator Alternatives

SN Extend Authentication

sn-extend-authentication

100

This plugin allows admin to disable anonymous (non authenticated users) browsing of selective posts, pages, feeds or complete WordPress site.

10 No CVEs

Private Website – Login Required

private-website

100

This plugin requires users to be logged in to view the website. Activate the plugin to enforce login, and deactivate it to remove the restriction.

200 No CVEs

MyASP MemberShip

myasp-membership

100

Membership plugin for MyASP Users.

100 No CVEs

Disable Dashboard Access

admin-only-dashboard

100

Disable Dashboard Access: Only admins can access the dashboard by default. Whitelist trusted users easily, quick setup, and secure.

10 No CVEs

LCK cloud Connector

lck-cloud-connector

100

Easily restrict access to your existing WordPress pages and posts. Official connector to build secure membership sites with LCK cloud.

0 No CVEs

Developer Profile

Authenticator Developer Profile

Syde GmbH (formerly Inpsyde)

3 plugins · 2K total installs

trust score

Avg Security Score

92/100

Avg Patch Time

423 days

View full developer profile

Detection Fingerprints

How We Detect Authenticator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/authenticator/css/admin.css/wp-content/plugins/authenticator/css/admin-layout.css/wp-content/plugins/authenticator/css/settings.css/wp-content/plugins/authenticator/js/admin.js

Script Paths

/wp-content/plugins/authenticator/js/admin.js

Version Parameters

authenticator/css/admin.css?ver=authenticator/css/admin-layout.css?ver=authenticator/css/settings.css?ver=authenticator/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

authenticator-settings-wrap

HTML Comments

BEGIN: Authenticator PluginEND: Authenticator Plugin

Data Attributes

data-authenticator-nonce

JS Globals

authenticator_admin_params

REST Endpoints

/wp-json/authenticator/v1/settings

FAQ