WordPress security plugin with malware scanner, IP blocking, audit logs, antivirus scans, firewall, 2FA, brute force login security, and more.
Category Scores
Top Issues by Category
maintainability: 538
security: 184
Issues Details
824 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedNamespaceFound | WARNING | Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "WP_Defender". | 227 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Circular dependency detected while trying to resolve entry '$entryName': Dependencies: "'. | 137 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'wd_2fa_init_provider_' . $slug". | 93 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'defender-security' but got 'plugin-cross-sell-textdomain'. | 82 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$_tests_dir". | 58 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 38 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 23 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $column at \t\t\t\tSET `$column` = '$option_key',\n | 19 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $placeholders used in $wpdb->query()\n$placeholders used without escaping. | 17 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 16 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 16 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DONOTCACHEPAGE". | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "get_public_suffix". | 11 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 9 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 8 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using file_put_contents(). Detected usage of constant WPINC. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 6 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Could not find $_tests_dir/includes/functions.php, have you run bin/install-wp-tests.sh ?"'. | 6 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 5 |
| PluginCheck.CodeAnalysis.WriteFile.ABSPATHDetected | WARNING | Writing files using ABSPATH may be problematic. Consider using wp_upload_dir() instead if storing user data or generated files. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$filter_name". | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $column used in $wpdb->query()\n$column assigned unsafely at line 154. | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_chmod | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod(). | 3 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV[$variableName] | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 2 |
Latest Snapshot
- Findings: 824
- Errors: 306
- Warnings: 518
Score History
First score snapshot
First scan completed Jun 20, 2026
v5.11.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 24 | 824 | 306 | 518 | v5.11.0 | 2.0.0 | 2026.06-mvp-static-v2 |