Privacy friendly, GDPR compliant and self-hosted. Matomo is the #1 Google Analytics alternative that gives you control of your data. Free and secure.
Category Scores
Top Issues by Category
security: 1,735
maintainability: 705
Issues Details
2,787 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" (Plugin '{$plugin}' is not activated.)"'. | 1,155 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$this->name] | 147 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 140 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$this->name] not unslashed before sanitization. Use wp_unslash() or similar | 121 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "HTML_Common2". | 111 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 99 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 94 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 80 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 60 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 52 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Error table {$id} is not instance of datatable<br />"'. | 51 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_COOKIE[$this->name]. Check that the array index exists before using it. | 45 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 44 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DEBUG_FORCE_SCHEDULED_TASKS". | 40 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$CONFIG_INI_PATH_RESOLVER". | 38 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 37 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 33 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 28 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 26 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 23 |
| WordPress.DB.RestrictedClasses.mysql__PDO | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO. | 22 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "register_block_type()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.8.0. | 21 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 19 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 18 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $prepare | 16 |
Latest Snapshot
Findings: 2,787
Errors: 1,909
Warnings: 878
Score History
First score snapshot
First scan completed Jun 20, 2026
v5.11.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 19 | 2,787 | 1,909 | 878 | v5.11.0 | 2.0.0 | 2026.06-mvp-static-v2 |