Migrate, staging, backup WordPress, all in one.
Category Scores
Top Issues by Category
- maintainability: 1,343
- security: 685
Issues Details
2,360 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedNamespaceFound | WARNING | Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "Aws\Common". | 248 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['auth_error'] not unslashed before sanitization. Use wp_unslash() or similar | 190 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 161 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 160 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 132 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 112 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 98 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 83 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV['MAGIC'] | 81 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $and at "SELECT DISTINCT post_author FROM $wpdb->posts WHERE post_status != 'auto-draft' $and" | 74 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 72 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $exclude_states | 70 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 63 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 62 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $and used in $wpdb->get_results(); $and assigned unsafely at line 1892. | 60 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['async-upload']. Check that the array index exists before using it. | 58 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 43 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 43 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "bloginfo_rss". | 41 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $columns used in $wpdb->get_results(); $columns assigned unsafely at line 38. | 37 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 36 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 33 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$default_remote_storage". | 27 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using file_put_contents(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 22 |
| WordPress.DB.RestrictedClasses.mysql__PDO | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO. | 22 |
Latest Snapshot
- Findings: 2,360
- Errors: 899
- Warnings: 1,461
Score History
First score snapshot
First scan completed Jun 19, 2026
v0.9.129 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 25 | 2,360 | 899 | 1,461 | v0.9.129 | 2.0.0 | 2026.06-mvp-static-v2 |