Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.
Category Scores
Top Issues by Category
security 881
maintainability 710
Issues Details
2,020 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 248 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" $var=\"$val\""'. | 203 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 195 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 130 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 118 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 110 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[self::C_SAME_BROWSER] not unslashed before sanitization. Use wp_unslash() or similar | 107 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[self::C_SAME_BROWSER] | 101 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'$role' is not a valid canonical role."'. | 89 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $blog | 88 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 70 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'two-factor-user-options-' . $class". | 65 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 44 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__composer_autoload_files". | 42 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 39 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['page']. Check that the array index exists before using it. | 39 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $extra_checks at \t\t\t$extra_checks\n | 30 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $build_results['sql'] used in $wpdb->get_results()\n$build_results['sql'] assigned unsafely at line 633. | 24 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'better-wp-security' but got 'stellarwp-telemetry'. | 23 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $main_options used in $wpdb->get_results()\n$main_options assigned unsafely at line 924. | 22 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$this->cron_interval_identifier". | 21 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 16 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_manually_load_plugin". | 15 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 13 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 10 |
Latest Snapshot
- Findings: 2,020
- Errors: 1,053
- Warnings: 967
Score History
First score snapshot
First scan completed Jun 19, 2026
v10.0.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 23 | 2,020 | 1,053 | 967 | v10.0.2 | 2.0.0 | 2026.06-mvp-static-v2 |