Performance & Security Security & Risk Analysis

wordpress.org/plugins/wp-performance-security

This plugin provides settings to modify WordPress and improve performance and security.

40 active installs v0.9.2 PHP + WP 3.0.1+ Updated Jul 5, 2023
performancesecuritysettings
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Performance & Security Safe to Use in 2026?

Generally Safe

Score 85/100

Performance & Security has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago
Risk Assessment

The plugin 'wp-performance-security' v0.9.2 exhibits a generally strong security posture based on the provided static analysis. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events significantly limits its attack surface, and there are no identified entry points that lack authentication or permission checks. The code adheres to secure practices regarding SQL queries, exclusively using prepared statements, and there are no file operations or external HTTP requests, further reducing potential vulnerabilities. However, the presence of two instances of the `create_function` function is a concern, as this is a deprecated and potentially insecure PHP function that can lead to code injection if not handled with extreme care. Furthermore, only 10% of output escaping is properly implemented, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities in the remaining 90% of outputs. The lack of any recorded vulnerability history, CVEs, or taint flows with unsanitized paths is a positive indicator, suggesting a history of secure development. Despite these strengths, the identified issues with `create_function` and widespread unescaped output warrant attention.

Key Concerns

  • Use of dangerous function create_function
  • Low percentage of properly escaped output
Vulnerabilities
None known

Performance & Security Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Performance & Security Release Timeline

v0.9.2Current
v0.9.1
v0.9
v0.8
v0.7.3
v0.7.2
v0.7.1
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Code Analysis
Analyzed Apr 16, 2026

Performance & Security Code Analysis

Dangerous Functions
2
Raw SQL Queries
0
0 prepared
Unescaped Output
9
1 escaped
Nonce Checks
2
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_action('wp', create_function('', '@ob_end_clean();@ini_set("zlib.output_compression", 1);'));wp-performance-security.php:288
create_functionadd_filter('login_errors', create_function('$a', "return 'Error';"));wp-performance-security.php:307

Output Escaping

10% escaped10 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
wpps_config (modules/settings.php:40)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Performance & Security Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 58
actionadmin_enqueue_scriptsmodules/scripts.php:9
actionplugins_loadedmodules/settings.php:4
actionadmin_menumodules/settings.php:23
filtershow_admin_barwp-performance-security.php:135
actionwp_enqueue_scriptswp-performance-security.php:143
filteradmin_footer_textwp-performance-security.php:152
filtertiny_mce_pluginswp-performance-security.php:168
filteremoji_svg_urlwp-performance-security.php:169
filterwp_default_scriptswp-performance-security.php:183
filterwp_print_styleswp-performance-security.php:188
filterembed_oembed_discoverwp-performance-security.php:213
filtertiny_mce_pluginswp-performance-security.php:229
filterrewrite_rules_arraywp-performance-security.php:234
filterexcerpt_lengthwp-performance-security.php:246
actioninitwp-performance-security.php:253
filterexcerpt_morewp-performance-security.php:261
actionwpwp-performance-security.php:288
filterxmlrpc_enabledwp-performance-security.php:295
filterlogin_errorswp-performance-security.php:307
filterthe_search_querywp-performance-security.php:320
filterrequestwp-performance-security.php:332
actioninitwp-performance-security.php:341
actionpre_get_postswp-performance-security.php:350
actionpre_pingwp-performance-security.php:364
filterpre_option_link_manager_enabledwp-performance-security.php:377
filterscript_loader_srcwp-performance-security.php:389
filterstyle_loader_srcwp-performance-security.php:390
filterthe_generatorwp-performance-security.php:400
actionadmin_menuwp-performance-security.php:409
filteradmin_bar_menuwp-performance-security.php:424
filtercomments_arraywp-performance-security.php:445
filtercomment_form_default_fieldswp-performance-security.php:460
filtercomments_openwp-performance-security.php:473
filtercomments_numberwp-performance-security.php:483
filtercomments_openwp-performance-security.php:484
filtercomments_openwp-performance-security.php:489
filterpings_openwp-performance-security.php:490
actionadmin_menuwp-performance-security.php:505
actionadmin_initwp-performance-security.php:515
actionadmin_initwp-performance-security.php:522
actionwp_before_admin_bar_renderwp-performance-security.php:530
filterpreprocess_commentwp-performance-security.php:544
filterexcerpt_morewp-performance-security.php:554
filterthe_content_more_linkwp-performance-security.php:555
actionlogin_headwp-performance-security.php:568
filterlogin_headerurlwp-performance-security.php:579
filterlogin_headertextwp-performance-security.php:590
actionwp_before_admin_bar_renderwp-performance-security.php:602
actionwp_before_admin_bar_renderwp-performance-security.php:611
actionwp_before_admin_bar_renderwp-performance-security.php:620
actionwp_before_admin_bar_renderwp-performance-security.php:629
actionwp_before_admin_bar_renderwp-performance-security.php:638
actionwp_before_admin_bar_renderwp-performance-security.php:647
actionwp_before_admin_bar_renderwp-performance-security.php:656
actionwp_network_dashboard_setupwp-performance-security.php:691
actionwp_user_dashboard_setupwp-performance-security.php:692
actionwp_dashboard_setupwp-performance-security.php:693
actionplugins_loadedwp-performance-security.php:697
Maintenance & Trust

Performance & Security Maintenance & Trust

Maintenance Signals

WordPress version tested6.2.9
Last updatedJul 5, 2023
PHP min version
Downloads8K

Community Trust

Rating100/100
Number of ratings2
Active installs40
Developer Profile

Performance & Security Developer Profile

James Robinson

3 plugins · 50 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Performance & Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-performance-security/assets/js/wpps-main.js/wp-content/plugins/wp-performance-security/assets/css/wpps-admin.css/wp-content/plugins/wp-performance-security/assets/js/wpps-admin.js
Script Paths
/wp-content/plugins/wp-performance-security/assets/js/wpps-main.js/wp-content/plugins/wp-performance-security/assets/js/wpps-admin.js
Version Parameters
wp-performance-security/assets/js/wpps-main.js?ver=wp-performance-security/assets/css/wpps-admin.css?ver=wp-performance-security/assets/js/wpps-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpps-admin-notice
HTML Comments
<!-- Performance & Security Plugin Settings --><!-- Performance & Security Plugin Admin Settings -->
Data Attributes
data-wpps-settingdata-wpps-value
JS Globals
wpps_vars
REST Endpoints
/wp-json/wp-performance-security/v1/settings
FAQ

Frequently Asked Questions about Performance & Security