Trusted by 60M+ sites: The gold standard for WordPress migration and backup. Migrate, backup, and restore your WordPress site with one click.
Category Scores
Top Issues by Category
maintainability41
security40
Issues Details
89 issues found in latest scan
Processing form data without nonce verification.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$backup".
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_FILES['upload_file']['error']
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
$_SERVER['PHP_AUTH_PW'] not unslashed before sanitization. Use wp_unslash() or similar
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
The plugin name includes a restricted term. Your chosen plugin name - "All-in-One WP Migration and Backup" - contains the restricted term "all-in-one-wp-migration" which cannot be used at all in your plugin name.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "BANDAR_TEMPLATES_PATH".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$file_buffer'.
Detected usage of a possibly undefined superglobal array index: $_SERVER['SERVER_NAME']. Check that the array index exists before using it.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins
Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
set_error_handler() found. Debug code should not normally be used in production.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: touch().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 19 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$backup". | 9 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['upload_file']['error'] | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 4 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 3 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_SERVER['PHP_AUTH_PW'] not unslashed before sanitization. Use wp_unslash() or similar | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 3 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "All-in-One WP Migration and Backup" - contains the restricted term "all-in-one-wp-migration" which cannot be used at all in your plugin name. | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "BANDAR_TEMPLATES_PATH". | 2 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$file_buffer'. | 2 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['SERVER_NAME']. Check that the array index exists before using it. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 2 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to esc_html_e(). | 2 |
| plugin_updater_detected | ERROR | Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins | 2 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins | 2 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 1 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler | WARNING | set_error_handler() found. Debug code should not normally be used in production. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_chmod | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_touch | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: touch(). | 1 |
Latest Snapshot
Findings
89
Errors
28
Warnings
61
Score History
First score snapshot
First scan completed Jun 19, 2026
v7.105 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v7.105
40
Latest
- Findings
- 89
- Errors
- 28
- Warnings
- 61
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 40 | 89 | 28 | 61 | v7.105 | 2.0.0 | 2026.06-mvp-static-v2 |
