Link checking plugins are highly valuable for SEO and user experience, but they also introduce a security-relevant surface because they crawl and request URLs, store scan results, and expose an administrative dashboard to review and bulk-fix findings. If access control, request integrity, or output handling is weak, attackers may abuse scanning logic to trigger excessive outbound requests (resource exhaustion), attempt SSRF-style probing via crafted URLs, force configuration changes via CSRF, or inject malicious strings into reports that get rendered in wp-admin. Broken Link Checker version 2.4.7 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64618, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for link monitoring and remediation plugins.
| Field | Value |
| --- | --- |
| Name | Broken Link Checker |
| Version | 2.4.7 |
| Active installations | 500,000+ |
| Description | Automatically monitor your WordPress site for broken links and missing images, so you can fix them proactively and protect your SEO. |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS), stored and reflected; Cross-Site Request Forgery (CSRF); authentication vulnerabilities; authentication bypass exploits; privilege escalation; buffer overflow; Denial-of-Service (DoS) vectors; data leakage vulnerabilities; insecure dependency usage; Remote Code Execution (RCE) risks; unauthorized file access; insufficient injection protection; information disclosure via misconfigured endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Site owners can continuously monitor content quality with the assurance of the “Plugin Security Certification” (PSC). As a best practice, restrict who can manage scans and bulk actions, and review scan scope/settings to avoid unnecessary load on production sites. |
Key Features
Broken Link Checker provides automated monitoring to detect broken or redirected URLs and missing images across a wide range of WordPress content, including posts, pages, comments, and custom fields, and then centralizes findings into a single dashboard for review. It supports operationally important workflows such as searching and filtering detected issues, taking quick remediation actions (edit, unlink, ignore) without hunting through old content, and receiving email and dashboard notifications when something breaks. The plugin also supports different scanning approaches (including a cloud-based engine and local scanning modes) and can fit agency/multisite workflows where link hygiene needs to be maintained across multiple sites. From a security standpoint, these features matter because they involve background processing, outbound HTTP requests, and admin-side rendering of untrusted strings such as URLs, anchor texts, and error messages, all of which require careful validation, safe output encoding, and strict capability controls.
Security Assurance
The CleanTalk Plugin Security Certification evaluation for link monitoring plugins focuses on realistic attacker models that target both availability and administrative integrity. Common abuse patterns include attempts to make scanning features generate excessive load (DoS vectors via large scan scopes or repeated scheduling), abuse link-checking logic to probe internal resources through crafted URLs (SSRF-style risk), and exploit weak access control around dashboards, bulk actions, or settings to view or modify scan results they should not touch. The review validates that administrative pages and actions are restricted to appropriate roles via consistent capability checks, that state-changing requests are protected with nonce/CSRF defenses, and that data displayed in reports (URLs, anchor text, status messages) is output-encoded to reduce stored/reflected XSS risk in wp-admin. It also considers leakage vectors such as misconfigured endpoints, overly verbose diagnostics, and unsafe parameter handling in any helper actions related to scanning, reporting, or exporting results.
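The three controls the review validates (capability checks on admin actions, nonce/CSRF protection on state-changing requests, and output encoding of report data), together with the SSRF-style concern raised above, are easiest to see in one admin handler. The block below is an added example written for this page; it is not code from Broken Link Checker or from CleanTalk. The action name `lc_recheck`, the option `lc_last_check`, the `lc_` function names, and the `tools.php?page=lc` report page are all hypothetical; the WordPress API functions it calls (`current_user_can`, `check_admin_referer`, `wp_http_validate_url`, `wp_safe_remote_head`, `esc_url`, `esc_html`, `esc_attr`, `wp_nonce_field`) are real.

```php
<?php
/**
 * Added example (not code from Broken Link Checker): a hardened "recheck this
 * URL" admin action for a link-checking plugin. Everything prefixed "lc_" is
 * hypothetical; the WordPress functions used are standard core APIs.
 */

// admin-post.php dispatches POST requests with action=lc_recheck here.
add_action( 'admin_post_lc_recheck', 'lc_handle_recheck' );

function lc_handle_recheck() {
	// 1. Capability check before anything else. 'manage_options' is
	//    administrator-only; use a narrower capability if the plugin defines one.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to run link checks.', 'lc' ), 403 );
	}

	// 2. CSRF check: dies unless _wpnonce matches the action 'lc_recheck_link'
	//    emitted by wp_nonce_field() in lc_render_row() below.
	check_admin_referer( 'lc_recheck_link' );

	// 3. The URL is untrusted even though it came from our own report.
	//    wp_http_validate_url() rejects non-http(s) schemes, credentials in the
	//    authority, unexpected ports, and hosts that are (or resolve to)
	//    loopback/private IPv4 ranges, which blocks SSRF-style probing of
	//    internal services.
	$raw = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
	$url = wp_http_validate_url( esc_url_raw( $raw ) );
	if ( ! $url ) {
		wp_die( esc_html__( 'Refusing to check an invalid or internal URL.', 'lc' ), 400 );
	}

	// 4. wp_safe_remote_head() sets reject_unsafe_urls, so the same validation
	//    is applied to every redirect Location as well, preventing a public URL
	//    from bouncing the crawler to an internal address. A short timeout and
	//    a low redirect limit bound the load a bulk action can generate.
	$response = wp_safe_remote_head( $url, array(
		'timeout'     => 5,
		'redirection' => 3,
	) );

	$status = is_wp_error( $response )
		? $response->get_error_message() // may echo text from the remote server
		: (string) wp_remote_retrieve_response_code( $response );

	// 5. Store the raw values; escaping belongs at output time, not storage time.
	update_option( 'lc_last_check', array( 'url' => $url, 'status' => $status ), false );

	wp_safe_redirect( add_query_arg( 'lc_checked', '1', admin_url( 'tools.php?page=lc' ) ) );
	exit;
}

/**
 * Render one report row plus its recheck form. Every field is untrusted: a URL
 * may use a javascript: scheme or contain quotes, and anchor text or error
 * messages may contain HTML copied from the scanned page or the remote server.
 */
function lc_render_row( array $row ) {
	?>
	<tr>
		<td><a href="<?php echo esc_url( $row['url'] ); ?>"><?php echo esc_html( $row['url'] ); ?></a></td>
		<td><?php echo esc_html( $row['anchor'] ); ?></td>
		<td><?php echo esc_html( $row['status'] ); ?></td>
		<td>
			<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
				<input type="hidden" name="action" value="lc_recheck">
				<input type="hidden" name="url" value="<?php echo esc_attr( $row['url'] ); ?>">
				<?php wp_nonce_field( 'lc_recheck_link' ); ?>
				<button type="submit" class="button"><?php esc_html_e( 'Recheck', 'lc' ); ?></button>
			</form>
		</td>
	</tr>
	<?php
}
```

Two caveats a reviewer would note against this pattern. `esc_url()` returns an empty string for a `javascript:` URL, so the anchor degrades safely rather than executing; that is the stored-XSS case the review calls out. `wp_http_validate_url()` resolves the host once and the HTTP client resolves it again, so DNS rebinding and IPv6-only hosts are residual risks the core check does not close; the `http_request_host_is_external` filter exists if a deployment deliberately needs to scan an internal host, and should be scoped to that host rather than used to disable the check.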
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64618, Broken Link Checker version 2.4.7 demonstrates strong baseline security for the workflows that matter most in link-checking plugins: controlled administration of scan settings, safe reporting and remediation actions in wp-admin, and consistent protections against common web vulnerability classes that target dashboards, handlers, and rendered output. This certification helps site owners maintain SEO and user trust while reducing risk that monitoring functionality becomes an unintended attack surface. As a best practice, limit scan management to trusted administrators, keep scan frequency and scope appropriate for your hosting capacity, and treat all report content (URLs and texts) as untrusted data that must remain safely handled end-to-end.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
