How We Verify Every Plugin and Theme at GPL Vault

At GPL Vault, your website’s security is at the centre of everything we do. This page explains exactly how we verify every plugin and theme, which tools we use, and what our Security Verified badge actually means in practice.

Security Verified
🛡️ Malware & Virus Scanned
🔍 Manual Code Checks
📦 Original Developer Source
📜 100% GPL Compliant

Why We Verify Every File Ourselves

GPL licensing allows redistribution of software, which is great for affordability – but it also means files can be tampered with before they reach you. Many GPL sites simply upload whatever they can find. We don’t.

Our business is built on trust, so every download goes through:

  • Multiple malware and virus scans
  • Code integrity and checksum checks
  • Manual inspection for suspicious patterns
  • Version-to-version comparisons
  • Sandbox installation for higher-risk plugins

Our goal is simple

You should be able to use GPL software with confidence: clean files, no hidden surprises, and the same code you’d get from the original developer.

Our Verification Process (Step by Step)

We Only Use Official Developer Sources

We never download from random GPL dumps or mirrors. Every file comes from:

  • Official developer dashboards and customer portals
  • Trusted marketplaces such as Envato / WooCommerce.com
  • Direct developer update feeds, where available

This dramatically reduces the chance of tampering before we even start scanning.

We Run Multiple Malware and Vulnerability Scans

No single scanner is perfect, so we use several layers:

Wordfence Scanner

We use the same engine trusted by millions of WordPress sites: wordfence.com

  • Detects known malware signatures
  • Flags obfuscated or suspicious code
  • Spots unexpected PHP files or modified core files

WPScan Vulnerability Database

We compare plugin and theme versions against the WPScan database: wpscan.com

  • Checks for known vulnerabilities and CVEs
  • Highlights version-specific security issues
  • Gives us early warning of newly disclosed exploits

VirusTotal Cloud Scan

For an extra layer of confidence, we upload plugin and theme archives to VirusTotal: virustotal.com

  • Scans each file with 70+ antivirus engines
  • Identifies suspicious behaviour patterns
  • Any flag – even a suspected one – triggers manual review

We Install in an Isolated Test Environment

For high-impact or historically abused plugin types (SEO tools, redirection plugins, page builders, security plugins, major WooCommerce extensions), we also install the plugin in an isolated WordPress environment.

Here we look for:

  • Unexpected external connections or callbacks
  • Unknown domains or tracking endpoints
  • Surprise file creation in unusual directories
  • Injected admin notices or hidden adverts
  • New cron jobs or background tasks that don’t belong

Manual Review Where Human Eyes Are Needed

Automated tools are powerful, but some threats need human judgement. For certain plugin families and any file that looks unusual, we perform manual checks:

  • Scanning for base64-encoded payloads and heavy obfuscation
  • Looking for suspicious eval() or dynamic code execution
  • Checking for hidden iframes and injected scripts
  • Reviewing callback URLs pointing to unknown servers

If something doesn’t feel right, we don’t ship it.

Continuous Re-Verification on Every Update

Security is not a one-time event. Whenever a developer releases a new version, we:

  • Re-download from the original source
  • Re-run our malware and vulnerability scans
  • Perform version-to-version file diffs
  • Re-test in a sandbox if needed

Nothing is ever published automatically without checks.

Advanced Verification Methods

Beyond standard scanners, we also use additional techniques to keep our library clean:

🧩 Static Code Analysis

Automated checks help flag dangerous patterns, insecure functions and unusual file operations before anything reaches production.

🔐 Hash & Checksum Validation

Where possible, we compare file hashes against previous known-clean releases or developer-provided checksums, which catches silent modifications between versions.

📘 Version Diff Analysis

File-by-file diffs between versions highlight new files, removed files and unexpected obfuscation, especially in large frameworks.
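As an added example (not GPL Vault's own tooling), the Python script below shows how the checksum validation, version diff and manual-review pattern checks described on this page fit together: it hashes every file in two constructed releases of a hypothetical plugin, lists added, removed and modified files, and greps only the changed files for the eval/base64/iframe patterns named above, flagging the release for manual review when anything is off. The plugin name, file contents and archives are constructed sample data.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample releases of a hypothetical plugin. Release 1.1 changes the
# readme and adds one new file that uses dynamic code execution.
V1_FILES = {
    "demo-plugin/demo-plugin.php": "<?php\n/* Plugin Name: Demo */\nfunction demo_init() { return true; }\n",
    "demo-plugin/readme.txt": "Demo plugin 1.0\n",
}
V2_FILES = {
    "demo-plugin/demo-plugin.php": "<?php\n/* Plugin Name: Demo */\nfunction demo_init() { return true; }\n",
    "demo-plugin/readme.txt": "Demo plugin 1.1\n",
    "demo-plugin/inc/helper.php": "<?php\neval(base64_decode($payload));\n",
}

# Patterns the manual review looks for: eval(), base64 payloads, other
# common PHP decoders and hidden iframes.
SUSPICIOUS = re.compile(
    r"\beval\s*\(|\bbase64_decode\s*\(|\bgzinflate\s*\(|\bstr_rot13\s*\(|<iframe\b", re.I)

def build_zip(files: dict) -> bytes:
    """Pack the sample files into a deterministic zip (fixed timestamps)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def archive_sha256(archive: bytes) -> str:
    return hashlib.sha256(archive).hexdigest()

def file_hashes(archive: bytes) -> dict:
    """Per-file SHA-256 of every regular file inside the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_versions(old: dict, new: dict) -> dict:
    """File-by-file diff of two hash maps: added, removed and modified paths."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f])}

def scan_changed_files(archive: bytes, paths) -> dict:
    """Grep only the changed files for suspicious patterns; path -> matched tokens."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for p in paths:
            text = zf.read(p).decode("utf-8", errors="replace")
            hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})
            if hits:
                findings[p] = hits
    return findings

def review_release(old_archive: bytes, new_archive: bytes, expected_sha256: str) -> dict:
    """Checksum check + version diff + pattern scan; anything odd needs human review."""
    report = {"checksum_ok": archive_sha256(new_archive) == expected_sha256}
    changes = diff_versions(file_hashes(old_archive), file_hashes(new_archive))
    report["changes"] = changes
    report["findings"] = scan_changed_files(new_archive, changes["added"] + changes["modified"])
    report["needs_manual_review"] = (not report["checksum_ok"]) or bool(report["findings"])
    return report
```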

🏗️ Sandbox Behaviour Monitoring

We watch how plugins behave when installed, looking for odd network traffic, file writes or database activity that scanners might miss.

⚙️ Dependency Checks

If a plugin uses Composer or third-party libraries, we verify those dependencies are legitimate and unmodified.

🗂️ File & Permission Review

We check for executable files in the wrong places and unexpected write permissions that could be abused by an attacker.

What Our “Security Verified” Badge Means

When you see the badge on a GPL Vault product page, it means:

  • Files are malware and virus free at the time of release
  • No intentional backdoors, hidden code or nulled-theme injections
  • Files are sourced from the original developer or official marketplace
  • Code is 100% GPL compliant and unencrypted
  • Multiple scanners and manual checks have been applied
  • Updates go through the same verification process

Security without the scare tactics

You don’t need to be paranoid – just sensible. Strong passwords, regular updates and a trusted GPL provider like GPL Vault go a very long way.