Do you want to secure and customize the WordPress login page? Download the All in One Login plugin for login page security and customization.
Category Scores
Top Issues by Category
maintainability1,328
security557
Issues Details
2,085 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$VARS".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <a href='{$skip_url}' class='button button-small button-secondary'>{$use_plugin_anonymously_text}</a>"'.
Mismatched text domain. Expected 'change-wp-admin-login' but got 'aio-login'.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_fs_text".
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FS_Admin_Menu_Manager".
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_API__ADDRESS".
Function "is_post_status_viewable()" requires WordPress 5.7.0, but your plugin minimum supported version is WordPress 4.6.0.
Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 124.
Mismatched text domain. Expected 'change-wp-admin-login' but got 'default'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['url']
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "fs_plugins_api".
$_SERVER[$key] not unslashed before sanitization. Use wp_unslash() or similar
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
Sanitization missing for register_setting().
Attempting a database schema change is discouraged.
Processing form data without nonce verification.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: class FS_Plugin_Updater
The plugin name includes a restricted term. Your chosen plugin name - "All In One Login — Login Page Security and Customization for WordPress with Google reCAPTCHA, Social Login, Temporary Login, 2FA, and more." - contains the restricted term "wordpress" which cannot be used at all in your plugin name.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$VARS". | 1,091 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <a href='{$skip_url}' class='button button-small button-secondary'>{$use_plugin_anonymously_text}</a>"'. | 521 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'change-wp-admin-login' but got 'aio-login'. | 174 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_fs_text". | 99 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FS_Admin_Menu_Manager". | 55 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_API__ADDRESS". | 27 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "is_post_status_viewable()" requires WordPress 5.7.0, but your plugin minimum supported version is WordPress 4.6.0. | 20 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 124. | 10 |
| WordPress.WP.I18n.TextDomainMismatch | WARNING | Mismatched text domain. Expected 'change-wp-admin-login' but got 'default'. | 10 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 8 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'. | 7 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 6 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 6 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 6 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['url'] | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "fs_plugins_api". | 4 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_SERVER[$key] not unslashed before sanitization. Use wp_unslash() or similar | 4 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 4 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 2 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 2 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 2 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
| plugin_updater_detected | ERROR | Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: class FS_Plugin_Updater | 2 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "All In One Login — Login Page Security and Customization for WordPress with Google reCAPTCHA, Social Login, Temporary Login, 2FA, and more." - contains the restricted term "wordpress" which cannot be used at all in your plugin name. | 2 |
Latest Snapshot
Findings
2,085
Errors
742
Warnings
1,343
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.3.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.3.1
23
Latest
- Findings
- 2,085
- Errors
- 742
- Warnings
- 1,343
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 23 | 2,085 | 742 | 1,343 | v2.3.1 | 2.0.0 | 2026.06-mvp-static-v2 |
