Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.
Category Scores
Top Issues by Category
security441
maintainability204
supply_chain2
Issues Details
666 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$blocks'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a".
Processing form data without nonce verification.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
$_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET['action']
Use placeholders and $wpdb->prepare(); found interpolated variable {$blogIdsQuery} at "SELECT * FROM {$wpdb->blogs} WHERE blog_id IN ({$blogIdsQuery}) AND archived = 0 AND spam = 0 AND deleted = 0"
Processing form data without nonce verification.
Unescaped parameter $table used in $wpdb->get_col()\n$table assigned unsafely at line 593.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Detected usage of a possibly undefined superglobal array index: $_GET['action']. Check that the array index exists before using it.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Failed to acquire lock {$this->key}"'.
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Detected usage of meta_key, possible slow query.
Unescaped parameter $c used in $wpdb->get_results()\n$c used without escaping.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "js_escape".
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Attempting a database schema change is discouraged.
Detected usage of meta_value, possible slow query.
Function "get_user_count()" requires WordPress 4.8.0, but your plugin minimum supported version is WordPress 4.7.0.
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$blocks'. | 160 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a". | 74 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 72 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 40 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 40 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar | 40 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['action'] | 39 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable {$blogIdsQuery} at "SELECT * FROM {$wpdb->blogs} WHERE blog_id IN ({$blogIdsQuery}) AND archived = 0 AND spam = 0 AND deleted = 0" | 27 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 27 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $c | 26 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table used in $wpdb->get_col()\n$table assigned unsafely at line 593. | 21 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 19 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['action']. Check that the array index exists before using it. | 13 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Failed to acquire lock {$this->key}"'. | 11 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 8 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 6 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $c used in $wpdb->get_results()\n$c used without escaping. | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "js_escape". | 4 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 4 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 3 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 2 |
| hidden_files | ERROR | Hidden files are not permitted. | 2 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_user_count()" requires WordPress 4.8.0, but your plugin minimum supported version is WordPress 4.7.0. | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
Latest Snapshot
Findings
666
Errors
248
Warnings
418
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.1.16 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.1.16
25
Latest
- Findings
- 666
- Errors
- 248
- Warnings
- 418
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 25 | 666 | 248 | 418 | v1.1.16 | 2.0.0 | 2026.06-mvp-static-v2 |
