BulletProof Security Security & Risk Analysis

wordpress.org/plugins/bulletproof-security

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam...

30K active installs · v7.1 · PHP 7.0+ · WP 5.0+ · Updated Dec 8, 2025
Tags: firewall, login-security, malware-scanner, secure, security

Security score: 89 (A · Safe)
CVEs total: 12
Unpatched: 0
Last CVE: Jan 6, 2026
Safety Verdict

Is BulletProof Security Safe to Use in 2026?

Generally Safe

Score 89/100

BulletProof Security has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Jan 6, 2026 · Updated 3mo ago
Risk Assessment

The Bulletproof Security plugin v7.1 presents a mixed security posture. On the positive side, nonce and capability checks are present in a high proportion of the places that need them, and the taint analysis found no critical flows. Several areas warrant concern, however. The large number of file operations and external HTTP requests, combined with a low proportion of properly escaped output, create potential avenues for vulnerabilities such as Cross-Site Scripting (XSS). The taint analysis, although it revealed no critical issues, identified a substantial number of flows with unsanitized paths, indicating potential for more subtle vulnerabilities. The plugin's vulnerability history includes a considerable number of medium and high severity CVEs, among them SQL Injection, XSS, and SSRF; although none is currently unpatched, this pattern of recurring issues in common exploit classes is a significant concern and calls for ongoing vigilance and robust security practices to prevent recurrence. Overall, while the plugin implements some good security practices, the concerns around output escaping, unsanitized paths, and historical vulnerability patterns necessitate careful monitoring and potential remediation to ensure a strong security posture.

Key Concerns

  • Low output escaping percentage
  • Significant unsanitized paths in taint analysis
  • High number of historical high severity CVEs
  • High number of historical medium severity CVEs
  • High number of file operations
  • Moderate number of SQL queries
Vulnerabilities (12)

BulletProof Security Security Vulnerabilities

CVEs by Year

2012: 1 CVE
2014: 5 CVEs
2016: 2 CVEs
2021: 1 CVE
2022: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 10

12 total CVEs

CVE-2025-67931 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure

Jan 6, 2026 · Patched in 7.0 (9d)

CVE-2022-1265 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security <= 6.0 - Stored Cross-Site Scripting

Apr 19, 2022 · Patched in 6.1 (644d)

CVE-2022-0590 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security <= 5.7 - Admin+ Stored Cross-Site Scripting

Feb 22, 2022 · Patched in 5.8 (700d)

CVE-2021-39327 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

BulletProof Security <= 5.1 - Sensitive Information Disclosure

Sep 16, 2021 · Patched in 5.2 (858d)

WF-f232f550-f964-4a69-9a80-aa9768149094-bulletproof-security · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security <= .53.3 - Authenticated Cross-Site Scripting

May 11, 2016 · Patched in .53.4 (2813d)

WF-eab98c41-f0f2-4953-b9b3-c08e1e92c03a-bulletproof-security · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security <= .53.2 - Cross-Site Scripting

Mar 17, 2016 · Patched in .53.3 (2868d)

CVE-2014-7958 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security < .51.1 - Cross-Site Scripting

Nov 5, 2014 · Patched in .51.1 (3366d)

CVE-2014-8749 · medium · 4.3 · Server-Side Request Forgery (SSRF)

BulletProof Security < .51.1 - Server-Side Request Forgery

Nov 5, 2014 · Patched in .51.1 (3366d)

CVE-2014-7959 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BulletProof Security < .51.1 - SQL Injection

Oct 7, 2014 · Patched in .51.1 (3395d)

CVE-2015-9230 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security < .52.5 - Cross-Site Scripting

Sep 30, 2014 · Patched in .52.5 (3402d)

CVE-2013-3487 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security <= .48.9 - Cross-Site Scripting

Aug 1, 2014 · Patched in .49 (3462d)

CVE-2012-4268 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BulletProof Security < .47.1 - Reflected Cross-Site Scripting

May 11, 2012 · Patched in .47.1 (4274d)
Code Analysis
Analyzed Mar 16, 2026

BulletProof Security Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 20 (160 prepared)
Unescaped Output: 2349 (675 escaped)
Nonce Checks: 89
Capability Checks: 178
File Operations: 884
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

89% prepared · 180 total queries

Output Escaping

22% escaped · 3024 total outputs

Data Flows (19 unsanitized)

Data Flow Analysis

25 flows · 19 with unsanitized paths
Attack Surface

BulletProof Security Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers (2)

auth · wp_ajax_bps_mscan_scan_processing · includes\mscan-ajax-functions.php:61
auth · wp_ajax_bps_mscan_scan_estimate · includes\mscan-ajax-functions.php:110

WordPress Hooks (102)

filter · plugin_action_links · admin\htaccess\bps-mu-tools.php:463
filter · network_admin_plugin_action_links · admin\htaccess\bps-mu-tools.php:464
filter · automatic_updater_disabled · admin\htaccess\bps-mu-tools.php:471
filter · auto_update_core · admin\htaccess\bps-mu-tools.php:475
filter · auto_update_core · admin\htaccess\bps-mu-tools.php:479
filter · allow_dev_auto_core_updates · admin\htaccess\bps-mu-tools.php:483
filter · allow_minor_auto_core_updates · admin\htaccess\bps-mu-tools.php:487
filter · allow_major_auto_core_updates · admin\htaccess\bps-mu-tools.php:491
filter · plugin_row_meta · admin\htaccess\bps-mu-tools.php:508
filter · admin_body_class · admin\includes\admin.php:492
filter · style_loader_tag · admin\includes\admin.php:511
filter · script_loader_tag · admin\includes\admin.php:512
action · admin_enqueue_scripts · admin\includes\admin.php:583
action · wp_before_admin_bar_render · admin\includes\admin.php:702
action · init · bulletproof-security.php:85
action · init · bulletproof-security.php:93
action · admin_init · bulletproof-security.php:157
action · admin_menu · bulletproof-security.php:158
action · network_admin_menu · bulletproof-security.php:163
filter · plugin_action_links · bulletproof-security.php:184
filter · network_admin_plugin_action_links · bulletproof-security.php:185
filter · plugin_row_meta · bulletproof-security.php:203
action · bpsPro_DBB_check · includes\db-security.php:15
filter · cron_schedules · includes\db-security.php:22
action · init · includes\db-security.php:37
action · validate_password_reset · includes\force-strong-passwords.php:54
action · user_profile_update_errors · includes\force-strong-passwords.php:100
action · bp_before_account_details_fields · includes\force-strong-passwords.php:115
action · bp_signup_pre_validate · includes\force-strong-passwords.php:159
action · bp_template_content · includes\force-strong-passwords.php:176
action · bp_core_general_settings_after_save · includes\force-strong-passwords.php:227
action · admin_notices · includes\functions.php:206
action · admin_init · includes\functions.php:588
filter · site_status_tests · includes\functions.php:1642
filter · rank_math/settings/general · includes\functions.php:1645
action · admin_notices · includes\general-functions.php:434
action · admin_notices · includes\general-functions.php:455
action · network_admin_notices · includes\general-functions.php:456
action · admin_notices · includes\general-functions.php:521
action · admin_notices · includes\general-functions.php:708
action · bpsPro_HPF_check · includes\hidden-plugin-folders-cron.php:13
filter · cron_schedules · includes\hidden-plugin-folders-cron.php:71
action · init · includes\hidden-plugin-folders-cron.php:162
action · admin_notices · includes\hidden-plugin-folders-cron.php:184
action · network_admin_notices · includes\hidden-plugin-folders-cron.php:185
action · admin_notices · includes\hud-autofix-setup.php:32
action · admin_notices · includes\hud-autofix-whitelist.php:17
action · admin_notices · includes\hud-dismiss-functions.php:45
action · admin_init · includes\hud-dismiss-functions.php:83
action · admin_init · includes\hud-dismiss-functions.php:117
action · admin_init · includes\hud-dismiss-functions.php:151
action · admin_init · includes\hud-dismiss-functions.php:280
action · admin_init · includes\hud-dismiss-functions.php:422
action · admin_init · includes\hud-dismiss-functions.php:464
action · admin_init · includes\hud-dismiss-functions.php:562
action · admin_init · includes\hud-dismiss-functions.php:599
action · admin_init · includes\hud-dismiss-functions.php:643
action · admin_init · includes\hud-dismiss-functions.php:680
action · admin_init · includes\hud-dismiss-functions.php:717
action · admin_init · includes\hud-dismiss-functions.php:772
action · admin_init · includes\hud-dismiss-functions.php:817
action · admin_init · includes\hud-dismiss-functions.php:918
action · admin_init · includes\hud-dismiss-functions.php:1012
action · admin_notices · includes\idle-session-logout.php:244
action · network_admin_notices · includes\idle-session-logout.php:245
action · wp_footer · includes\idle-session-logout.php:246
filter · authenticate · includes\login-security.php:38
filter · wp_authenticate_user · includes\login-security.php:40
filter · authenticate · includes\login-security.php:46
filter · wp_authenticate_user · includes\login-security.php:48
filter · authenticate · includes\login-security.php:54
filter · wp_authenticate_user · includes\login-security.php:56
filter · authenticate · includes\login-security.php:64
filter · wp_authenticate_user · includes\login-security.php:68
filter · authenticate · includes\login-security.php:76
filter · wp_authenticate_user · includes\login-security.php:80
filter · allow_password_reset · includes\login-security.php:934
filter · show_password_fields · includes\login-security.php:939
filter · gettext · includes\login-security.php:944
filter · login_errors · includes\login-security.php:950
filter · login_errors · includes\login-security.php:956
filter · shake_error_codes · includes\login-security.php:962
filter · allow_password_reset · includes\login-security.php:970
filter · show_password_fields · includes\login-security.php:975
filter · gettext · includes\login-security.php:980
filter · login_errors · includes\login-security.php:986
filter · login_errors · includes\login-security.php:992
filter · shake_error_codes · includes\login-security.php:998
action · login_enqueue_scripts · includes\login-security.php:1061
action · login_form · includes\login-security.php:1062
action · wp_enqueue_scripts · includes\login-security.php:1065
action · woocommerce_login_form · includes\login-security.php:1066
filter · auth_cookie_expiration · includes\login-security.php:1287
action · login_form · includes\login-security.php:1288
action · login_head · includes\login-security.php:1289
action · bpsPro_email_log_files · includes\zip-email-cron-functions.php:19
action · init · includes\zip-email-cron-functions.php:27
filter · cron_schedules · includes\zip-email-cron-functions.php:34
action · bpsPro_plugin_updates_cron · includes\zip-email-cron-functions.php:548
action · init · includes\zip-email-cron-functions.php:596
action · bpsPro_theme_updates_cron · includes\zip-email-cron-functions.php:663
action · init · includes\zip-email-cron-functions.php:711

Scheduled Events (15)

bpsPro_DBB_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_HPF_check
bpsPro_email_log_files
bpsPro_plugin_updates_cron
bpsPro_plugin_updates_cron
bpsPro_plugin_updates_cron
bpsPro_theme_updates_cron
bpsPro_theme_updates_cron
bpsPro_theme_updates_cron
Maintenance & Trust

BulletProof Security Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 8, 2025
PHP min version: 7.0
Downloads: 4.5M

Community Trust

Rating: 96/100
Number of ratings: 674
Active installs: 30K
Developer Profile

BulletProof Security Developer Profile

AITpro

1 plugin · 30K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 2430 days
Detection Fingerprints

How We Detect BulletProof Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about BulletProof Security