Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
Category Scores
Top Issues by Category
- maintainability: 312
- security: 302
- i18n: 157
- supply_chain: 11
Issues Details
926 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 96 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$checked_attribute'. | 70 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 69 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 68 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar | 64 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['_wpnonce'] | 58 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$autoloader". | 42 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 35 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$d", but got "%s, %d" in 'Reached %s, but received an error response code: %d. HTTPS is not properly configured.'. | 33 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 30 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "login_body_class". | 25 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 18 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 17 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 16 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Email address \"$email\" not valid in "'. | 16 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 16 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 15 |
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo $this ..." but found "<?= $this ..." | 14 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 14 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 13 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 13 |
| hidden_files | ERROR | Hidden files are not permitted. | 11 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 10 |
| WordPress.WP.I18n.NoEmptyStrings | ERROR | The $text text string should have translatable content. Found: '' | 10 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['HTTP_HOST']. Check that the array index exists before using it. | 9 |
Latest Snapshot
- Findings: 926
- Errors: 541
- Warnings: 385
Score History
First score snapshot
First scan completed Jun 19, 2026
v9.6.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 19 | 926 | 541 | 385 | v9.6.0 | 2.0.0 | 2026.06-mvp-static-v2 |