Protect WordPress from malware, hackers, brute-force attacks and suspicious traffic. Includes firewall, login security, 2FA, and vulnerability checks.
Category Scores
Top Issues by Category
- security: 832
- maintainability: 701
- i18n: 270
Issues Details
1,979 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'\n'. | 289 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $amount | 236 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 226 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 224 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'security-malware-firewall' but got 'cleantalk-spam-protect'. | 85 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 78 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 76 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 73 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $blog_id used in $wpdb->get_results()\n$blog_id assigned unsafely at line 2092. | 54 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$cloud_verdicts['error_message']'. | 48 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$name] not unslashed before sanitization. Use wp_unslash() or similar | 44 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $brand_name | 42 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Sent: %d. Confirmed receiving of %d rows.'. | 39 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 37 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 35 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$name] | 35 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 34 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 28 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 22 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 21 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 19 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 15 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 15 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$affiliate_short_code". | 14 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 14 |
Latest Snapshot
- Findings: 1,979
- Errors: 1,191
- Warnings: 788
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.181 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 24 | 1,979 | 1,191 | 788 | v2.181 | 2.0.0 | 2026.06-mvp-static-v2 |