Database Backup for WordPress is your one-stop database backup solution for WordPress.
Category Scores
Top Issues by Category
security144
maintainability34
Issues Details
216 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$table:$segment:$filename"'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Detected usage of a possibly undefined superglobal array index: $_GET['recipient']. Check that the array index exists before using it.
$_GET['backup'] not unslashed before sanitization. Use wp_unslash() or similar
Processing form data without nonce verification.
Processing form data without nonce verification.
Use placeholders and $wpdb->prepare(); found interpolated variable $table at "DESCRIBE $table"
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $table used in $wpdb->get_results()
Detected usage of a non-sanitized input variable: $_POST[$post_key]
unlink() is discouraged. Use wp_delete_file() to delete a file.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
The plugin name includes a restricted term. Your chosen plugin name - "Database Backup for WordPress" - contains the restricted term "wordpress" which cannot be used at all in your plugin name.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Attempting a database schema change is discouraged.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: readfile().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$table:$segment:$filename"'. | 59 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 31 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 17 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['recipient']. Check that the array index exists before using it. | 16 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['backup'] not unslashed before sanitization. Use wp_unslash() or similar | 14 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 12 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 9 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table at "DESCRIBE $table" | 7 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 5 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table used in $wpdb->get_results() | 4 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST[$post_key] | 4 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 4 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "Database Backup for WordPress" - contains the restricted term "wordpress" which cannot be used at all in your plugin name. | 3 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_chmod | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_readfile | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: readfile(). | 1 |
Latest Snapshot
Findings
216
Errors
128
Warnings
88
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.5.3 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.5.3
35
Latest
- Findings
- 216
- Errors
- 128
- Warnings
- 88
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 35 | 216 | 128 | 88 | v2.5.3 | 2.0.0 | 2026.06-mvp-static-v2 |
