WordPress.DB.RestrictedFunctions.mysql_mysqli_init
mysql mysqli init
The plugin uses a raw MySQL extension or class instead of WordPress database APIs.
Why It Shows Up
The scan found `mysql_*`, `mysqli_*`, PDO MySQL, or related database functions in plugin code.
Why It Matters
Bypassing `$wpdb` can ignore WordPress database configuration, escaping conventions, character sets, and compatibility layers.
How to Fix
- Replace raw MySQL calls with `$wpdb` methods or higher-level WordPress APIs.
- Use `$wpdb->prepare()` for dynamic values.
- If a third-party library requires a database connection, isolate it and document why WordPress APIs cannot be used.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | Exception output is not escaped | ||
| #2 | GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | 20 | 1,832 | 720 | 800 | Non Singular String Literal Domain | ||
| #3 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | Output is not escaped | ||
| #4 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | Missing Arg Domain | ||
| #5 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | Non-prefixed global variable | ||
| #6 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 918 | 916 | 70k+ | Exception output is not escaped | ||
| #7 | WP STAGING – WordPress Backup, Migration, Clone & Duplicate | 23 | 1,489 | 1,549 | 100k+ | Non-prefixed global variable | ||
| #8 | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | 25 | 1,431 | 1,270 | 10k+ | Output is not escaped | ||
| #9 | WPvivid — Backup, Migration & Staging | 25 | 899 | 1,461 | 900k+ | Non-prefixed namespace |
