Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.
Category Scores
Top Issues by Category
- security: 64
- maintainability: 53
- i18n: 2
Issues Details
122 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$sg_2fa_user_cookie] not unslashed before sanitization. Use wp_unslash() or similar | 22 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$sg_2fa_user_cookie] | 21 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 20 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['HTTP_HOST']. Check that the array index exists before using it. | 10 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 7 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 6 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 3 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 2 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 2 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 2 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace | WARNING | debug_backtrace() found. Debug code should not normally be used in production. | 1 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fputs | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fputs(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 1 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 1 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 1 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $entry['visitor_type'] | 1 |
| mismatched_plugin_name | WARNING | Plugin name "Security Optimizer - The All-In-One Protection Plugin" is different from the name declared in plugin header "Security Optimizer". | 1 |
| missing_composer_json_file | WARNING | The "/vendor" directory using composer exists, but "composer.json" file is missing. | 1 |
| plugin_header_nonexistent_domain_path | WARNING | The "Domain Path" header in the plugin file must point to an existing folder. Found: "languages" | 1 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "Security Optimizer - The All-In-One Protection Plugin" - contains the restricted term "plugin" which cannot be used at all in your plugin name. | 1 |
Latest Snapshot
- Findings: 122
- Errors: 40
- Warnings: 82
Score History
First score snapshot
First scan completed Jun 19, 2026
v1.6.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 35 | 122 | 40 | 82 | v1.6.2 | 2.0.0 | 2026.06-mvp-static-v2 |