Easily block visitors by country, state or ISP provider. Also, protects your site from spam, login attempts, malicious access & more.
Category Scores
Top Issues by Category
security618
maintainability346
Issues Details
1,145 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_error'.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Net_DNS2".
$_COOKIE[$cookie_name] not unslashed before sanitization. Use wp_unslash() or similar
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Detected usage of a non-sanitized input variable: $_COOKIE[$cookie_name]
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$RandomCompatCOMtest".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Processing form data without nonce verification.
Use placeholders and $wpdb->prepare(); found interpolated variable $table at "ALTER TABLE $table ADD `city` VARCHAR(100) DEFAULT NULL AFTER `code`"
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "google-charts".
Translatable string should not be wrapped in HTML. Found: '<dfn title="IP address cache and local databases are scanned at the top priority.">API selection and key settings</dfn>'
Processing form data without nonce verification.
Detected usage of a possibly undefined superglobal array index: $_POST['length']. Check that the array index exists before using it.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1037.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DONOTCACHEPAGE".
Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO.
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$d", but got "%s, %d" in 'The user %s (user ID: %d) is in use.'.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action'. | 132 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_error'. | 92 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Net_DNS2". | 84 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$cookie_name] not unslashed before sanitization. Use wp_unslash() or similar | 70 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 69 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$cookie_name] | 60 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 53 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$RandomCompatCOMtest". | 52 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 46 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 46 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 42 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table at "ALTER TABLE $table ADD `city` VARCHAR(100) DEFAULT NULL AFTER `code`" | 39 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "google-charts". | 39 |
| WordPress.WP.I18n.NoHtmlWrappedStrings | WARNING | Translatable string should not be wrapped in HTML. Found: '<dfn title="IP address cache and local databases are scanned at the top priority.">API selection and key settings</dfn>' | 36 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 33 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['length']. Check that the array index exists before using it. | 33 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $key | 27 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 26 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1037. | 21 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DONOTCACHEPAGE". | 21 |
| WordPress.DB.RestrictedClasses.mysql__PDO | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO. | 20 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$d", but got "%s, %d" in 'The user %s (user ID: %d) is in use.'. | 16 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 11 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 6 |
Latest Snapshot
Findings
1,145
Errors
521
Warnings
624
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.3.8 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.3.8
25
Latest
- Findings
- 1,145
- Errors
- 521
- Warnings
- 624
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 25 | 1,145 | 521 | 624 | v1.3.8 | 2.0.0 | 2026.06-mvp-static-v2 |
