PluginScore

Authenticator

This plugin allows you to make your WordPress site accessible to logged in users only.

v1.3.1Syde GmbH (formerly Inpsyde)Updated Added 1k+ installs100% rating
accessaccessibleauthentificationloginmembers
41
Score
59
Errors
44
Warnings
+0
Change

Category Scores

Security0
Repo94
Performance100
Maintainability86

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

103 findings

Security

69

8 issue groups

I18n

25

5 issue groups

Maintainability

8

6 issue groups

Repo Compliance

1

1 issue group

ERRORSecurityOutput is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$example_url'.22
Category
Security
Occurrences
22
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$example_url'.

WordPress.Security.EscapeOutput.OutputNotEscapedReference
ERRORI18nNon Singular String Literal DomainThe $domain parameter must be a single text string literal. Found: Authenticator::TEXTDOMAIN20
Category
I18n
Occurrences
20
Severity
error

Sample message

The $domain parameter must be a single text string literal. Found: Authenticator::TEXTDOMAIN

WordPress.WP.I18n.NonSingularStringLiteralDomainReference
WARNINGSecurityInput is not sanitizedDetected usage of a non-sanitized input variable: $_ENV['HTTP_AUTHORIZATION']12
Category
Security
Occurrences
12
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_ENV['HTTP_AUTHORIZATION']

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
WARNINGSecurityRequest data is not unslashed$_GET['file'] not unslashed before sanitization. Use wp_unslash() or similar11
Category
Security
Occurrences
11
Severity
warning

Sample message

$_GET['file'] not unslashed before sanitization. Use wp_unslash() or similar

WordPress.Security.ValidatedSanitizedInput.MissingUnslash
ERRORSecurityUnsafe printing functionAll output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.9
Category
Security
Occurrences
9
Severity
error

Sample message

All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

WordPress.Security.EscapeOutput.UnsafePrintingFunctionReference
WARNINGSecurityInput is not validatedDetected usage of a possibly undefined superglobal array index: $_GET['file']. Check that the array index exists before using it.6
Category
Security
Occurrences
6
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_GET['file']. Check that the array index exists before using it.

WordPress.Security.ValidatedSanitizedInput.InputNotValidated
WARNINGSecurityNonce verification recommendedProcessing form data without nonce verification.5
Category
Security
Occurrences
5
Severity
warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Recommended
WARNINGSecuritywp redirect wp redirectwp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.3
Category
Security
Occurrences
3
Severity
warning

Sample message

wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.

WordPress.Security.SafeRedirect.wp_redirect_wp_redirectReference
WARNINGMaintainabilityslow db query meta queryDetected usage of meta_query, possible slow query.2
Category
Maintainability
Occurrences
2
Severity
warning

Sample message

Detected usage of meta_query, possible slow query.

WordPress.DB.SlowDBQuery.slow_db_query_meta_query
ERRORI18nMissing Translators CommentA function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.2
Category
I18n
Occurrences
2
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

WordPress.WP.I18n.MissingTranslatorsCommentReference
Show 10 more
ERRORMaintainabilityMissing direct file access protection2
Category
Maintainability
Occurrences
2
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

missing_direct_file_access_protectionReference
WARNINGI18nDiscouraged text-domain loading1
Category
I18n
Occurrences
1
Severity
warning

Sample message

load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.

PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFoundReference
WARNINGMaintainabilityDirect Query1
Category
Maintainability
Occurrences
1
Severity
warning

Sample message

Use of a direct database call is discouraged.

WordPress.DB.DirectDatabaseQuery.DirectQuery
WARNINGMaintainabilityNo Caching1
Category
Maintainability
Occurrences
1
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

WordPress.DB.DirectDatabaseQuery.NoCaching
WARNINGMaintainabilityNon-prefixed class1
Category
Maintainability
Occurrences
1
Severity
warning

Sample message

Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "HTTP_Auth".

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound
WARNINGSecurityMissing nonce verification1
Category
Security
Occurrences
1
Severity
warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Missing
ERRORMaintainabilityfile system operations readfile1
Category
Maintainability
Occurrences
1
Severity
error

Sample message

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: readfile().

WordPress.WP.AlternativeFunctions.file_system_operations_readfile
ERRORI18nDeprecated parameter: load_plugin_textdomain parameter 21
Category
I18n
Occurrences
1
Severity
error

Sample message

The parameter "FALSE" at position #2 of load_plugin_textdomain() has been deprecated since WordPress version 2.7.0. Use "" instead.

WordPress.WP.DeprecatedParameters.Load_plugin_textdomainParam2Found
ERRORI18nText Domain Mismatch1
Category
I18n
Occurrences
1
Severity
error

Sample message

Mismatched text domain. Expected 'authenticator' but got 'disable-json-api'.

WordPress.WP.I18n.TextDomainMismatchReference
ERRORRepo Complianceoutdated tested upto header1
Category
Repo Compliance
Occurrences
1
Severity
error

Sample message

Tested up to: 6.9 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress.

outdated_tested_upto_headerReference

External Connections

Not analyzed yet.

Score History

First score snapshot

v1.3.1

41

Latest

Findings
103
Errors
59
Warnings
44
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

29 nodes

Related Plugins

Accessibility New Window Warnings

1k+ active installs

100
Login Security Captcha

10k+ active installs

100
Shibboleth

3k+ active installs

100
Simple Login Log

5k+ active installs

100
Customize Admin

4k+ active installs

99
Disable Login Language Switcher

1k+ active installs

99