We highly recommend that all Matomo (Piwik) administrators enable the SecurityInfo plugin, and then view the Settings. The plugin is a tool in a multilayered security approach.
Performed checks include for instance usage of latest PHP version, usage of latest Matomo version, usage of PHP ini settings like magic_quotes_gpc and more.
Does the plugin replace secure development practices or audit the code/application?
No, it doesn't. It just gives you some information based on PhpSecInfo from the PHP Security Consortium.