Context:

Third-party code is common to any open source CMS such as WordPress plugins and themes. I recently came across articles online about plugins / themes submitting information to authors.

My concern:

• I can't tell WHEN the plugin / theme is sending information to the author.
• I can't tell WHAT the information the plugin / theme is sending to the author (email, url, site visit tracking, restricted full database access, etc.).

Whether the author is referring to this information maliciously or not, the lack of visibility in this matter is disappointing. I just would like to know in principle.

What I have tried:

• I have disabled various features like CURL and fopen, but I understand that return functions may exist to achieve the same functionality.
• I've secured my site in a variety of ways, including changing directory / file permissions, malware scans, blacklisting, security audits, firewalls, etc.
• I am following the script-blocker for FireFox for third party detection.
• I regularly run various plugin / theme code reviews for known malicious codes and updates.
• I looked at Ghostery for FireFox, but this forces the plugin / theme to be active, which may be too late if the plugin / theme is malicious.

My question is:

How can I know which plugins / themes are calling home / sending information and exactly what information is being sent?

• Are there plugins or online solutions to detect this?
• Is there an easy way to disable some PHP functionality?
• If I need to manually search for the code (keeping in mind that the malicious code has already been tested), which features should I monitor?