WordPress login security with brute force protection, Two-factor authentication (2FA/MFA), firewall, IP/country blocking, and login monitoring
Category Scores
Top Issues by Category
security 731
maintainability 371
i18n 101
Issues Details
1,223 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 290 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active_app". | 253 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action['label']'. | 195 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['tab'] not unslashed before sanitization. Use wp_unslash() or similar | 76 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 60 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['custom_error_message'] | 50 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 46 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "LLA_DIGEST_DEFINITIONS". | 45 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['active_app']. Check that the array index exists before using it. | 33 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $admin_email | 28 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 25 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 17 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 17 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to esc_attr_e(). | 16 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 8 |
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: $text_domain | 7 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "authenticate". | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 5 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 4 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 4 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 4 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'By signing up you agree to our <a href="%s" class="llar_turquoise">terms of service</a> and <a href="%s" class="llar_turquoise">privacy policy.</a>'. | 4 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 3 |
| WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery | ERROR | SQL wildcards for a LIKE query should be passed in through a replacement parameter. Found: LIKE '%administrator%'. | 2 |
Latest Snapshot
Findings: 1,223
Errors: 621
Warnings: 602
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.3.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 25 | 1,223 | 621 | 602 | v3.3.1 | 2.0.0 | 2026.06-mvp-static-v2 |