Imagine this... You’re planning your new website. You’re excited at first—but then reality hits. The design takes months. You wait for the developer t …
Category Scores
Top Issues by Category
maintainability1,529
security656
Issues Details
2,292 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$AFMLS_Companion".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <a href='{$skip_url}' class='button button-small button-secondary'>{$use_plugin_anonymously_text}</a>"'.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_fs_text".
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_API__ADDRESS".
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FS_Admin_Menu_Manager".
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Function "get_network()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.0.0.
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'customize_save_' . $key".
$_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar
Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Comment %d was imported with author %d, but could not be found'.
Detected usage of a non-sanitized input variable: $_FILES['file']
Detected usage of a possibly undefined superglobal array index: $_FILES['content_file']. Check that the array index exists before using it.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
error_log() found. Debug code should not normally be used in production.
Processing form data without nonce verification.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$AFMLS_Companion". | 1,123 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <a href='{$skip_url}' class='button button-small button-secondary'>{$use_plugin_anonymously_text}</a>"'. | 529 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_fs_text". | 104 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_API__ADDRESS". | 94 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FS_Admin_Menu_Manager". | 58 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 49 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_network()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.0.0. | 47 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 43 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'customize_save_' . $key". | 38 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar | 29 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Comment %d was imported with author %d, but could not be found'. | 29 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['file'] | 19 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['content_file']. Check that the array index exists before using it. | 18 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 16 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 12 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 10 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 8 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 8 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 8 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'. | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 3 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 3 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function move_uploaded_file() is forbidden | 2 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 2 |
Latest Snapshot
Findings
2,292
Errors
705
Warnings
1,587
Score History
First score snapshot
First scan completed Jun 20, 2026
v4.2.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v4.2.2
25
Latest
- Findings
- 2,292
- Errors
- 705
- Warnings
- 1,587
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 25 | 2,292 | 705 | 1,587 | v4.2.2 | 2.0.0 | 2026.06-mvp-static-v2 |
