Manage all your WordPress sites from one place. Automate updates, backups, uptime monitoring, security, maintenance reports, and more.
Category Scores
Top Issues by Category
maintainability138
security78
supply_chain7
Issues Details
242 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Backup directory was not created properly: {$destDirectory}"'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$_autoload".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$e'.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
error_log() found. Debug code should not normally be used in production.
Detected usage of a non-sanitized input variable: $_SERVER['HTTP_CF_IPCOUNTRY']
$_SERVER['HTTP_CF_IPCOUNTRY'] not unslashed before sanitization. Use wp_unslash() or similar
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "pre_set_site_transient_update_{$type}s".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$action".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir().
unlink() is discouraged. Use wp_delete_file() to delete a file.
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Detected usage of meta_key, possible slow query.
Detected usage of meta_value, possible slow query.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Backup directory was not created properly: {$destDirectory}"'. | 50 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 19 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 15 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 14 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$_autoload". | 13 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 13 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$e'. | 12 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 12 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 10 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_SERVER['HTTP_CF_IPCOUNTRY'] | 8 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_SERVER['HTTP_CF_IPCOUNTRY'] not unslashed before sanitization. Use wp_unslash() or similar | 8 |
| hidden_files | ERROR | Hidden files are not permitted. | 7 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "pre_set_site_transient_update_{$type}s". | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 5 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 4 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 4 |
| WordPress.DB.RestrictedClasses.mysql__PDO | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$action". | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_rmdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir(). | 3 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 2 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 2 |
Latest Snapshot
Findings
242
Errors
161
Warnings
81
Score History
First score snapshot
First scan completed Jun 20, 2026
v3.0.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v3.0.1
21
Latest
- Findings
- 242
- Errors
- 161
- Warnings
- 81
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 21 | 242 | 161 | 81 | v3.0.1 | 2.0.0 | 2026.06-mvp-static-v2 |
