The fastest, lightest way to integrate Google Analytics in WordPress.
Category Scores
Top Issues by Category
security87
i18n54
maintainability25
Issues Details
168 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$fonts_stylesheet'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
The $domain parameter must be a single text string literal. Found: $this->plugin_text_domain
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$name . '_setting_description'".
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['page']
$_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
print_r() found. Debug code should not normally be used in production.
Detected usage of a possibly undefined superglobal array index: $_GET['tab']. Check that the array index exists before using it.
unlink() is discouraged. Use wp_delete_file() to delete a file.
Sanitization missing for register_setting().
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FFWP_Autoloader".
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "after_$current_section".
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir().
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
Scripts must be registered/enqueued via wp_enqueue_script()
Your plugin has a different license declared in the readme file and plugin header. Please update your readme with a valid GPL license identifier.
Plugin name "CAOS | Host Google Analytics Locally" is different from the name declared in plugin header "CAOS".
The "Plugin Name" header in the plugin file is not valid. It needs to contain at least 5 latin letters (a-Z) and/or numbers. This is necessary because the initial plugin slug is generated from the name.
Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins
Function "wp_doing_cron()" requires WordPress 4.8.0, but your plugin minimum supported version is WordPress 4.6.0.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$fonts_stylesheet'. | 57 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 39 |
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: $this->plugin_text_domain | 15 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$name . '_setting_description'". | 12 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['page'] | 7 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar | 7 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 3 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 2 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['tab']. Check that the array index exists before using it. | 2 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 2 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FFWP_Autoloader". | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "after_$current_section". | 1 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_rmdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir(). | 1 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 1 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 1 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 1 |
| license_mismatch | ERROR | Your plugin has a different license declared in the readme file and plugin header. Please update your readme with a valid GPL license identifier. | 1 |
| mismatched_plugin_name | WARNING | Plugin name "CAOS | Host Google Analytics Locally" is different from the name declared in plugin header "CAOS". | 1 |
| plugin_header_unsupported_plugin_name | ERROR | The "Plugin Name" header in the plugin file is not valid. It needs to contain at least 5 latin letters (a-Z) and/or numbers. This is necessary because the initial plugin slug is generated from the name. | 1 |
| plugin_updater_detected | ERROR | Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins | 1 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "wp_doing_cron()" requires WordPress 4.8.0, but your plugin minimum supported version is WordPress 4.6.0. | 1 |
Latest Snapshot
Findings
168
Errors
124
Warnings
44
Score History
First score snapshot
First scan completed Jun 20, 2026
v5.0.3 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v5.0.3
38
Latest
- Findings
- 168
- Errors
- 124
- Warnings
- 44
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 38 | 168 | 124 | 44 | v5.0.3 | 2.0.0 | 2026.06-mvp-static-v2 |
