Clean database by deleting orphaned data such as 'revisions', 'expired transients', optimize database and more...
Category Scores
Top Issues by Category
- security: 318
- maintainability: 277
Issues Details
603 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $col at "SELECT $col FROM $tbl WHERE $idCol IN ($ids_placeholder)" | 134 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 117 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 115 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $check_sql | 90 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $postmeta used in $wpdb->get_var(). $postmeta assigned unsafely at line 582. | 36 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $quoted used in $wpdb->get_results(). $quoted assigned unsafely at line 394. | 35 |
| WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber | WARNING | Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2. | 8 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 7 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 6 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_CHMOD_DIR". | 4 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$phrase1'. | 4 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 3 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "wp_autoload_values_to_autoload()" requires WordPress 6.6.0, but your plugin minimum supported version is WordPress 5.0.0. | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "plugin_locale". | 2 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 2 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_SERVER['REQUEST_URI'] not unslashed before sanitization. Use wp_unslash() or similar | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_rmdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir(). | 2 |
| WordPress.WP.AlternativeFunctions.rename_rename | ERROR | rename() is discouraged. Use WP_Filesystem::move() to rename a file. | 2 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 2 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 2 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_core | 2 |
Latest Snapshot
- Findings: 603
- Errors: 164
- Warnings: 439
Score History
First score snapshot
First scan completed Jun 19, 2026
v4.1.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 30 | 603 | 164 | 439 | v4.1.1 | 2.0.0 | 2026.06-mvp-static-v2 |