Improve your WP security with powerful one-click tools like backup, WAF, and malware scan. Includes free tools like stats, CDN and social sharing.
Category Scores
Top Issues by Category
maintainability1,484
security158
Issues Details
4,124 issues found in latest scan
Mismatched text domain. Expected 'jetpack' but got 'jetpack-account-protection'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$global_name".
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'jitm_' . $envelope->CTA->hook".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "Markdown".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$errstr (file: $errfile; line: $errline)"'.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $child_table used in $wpdb->get_results()\n$child_table assigned unsafely at line 357.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DISABLE_JETPACK_WAF".
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Abstract_Jetpack_Site".
Detected usage of meta_key, possible slow query.
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Detected usage of meta_value, possible slow query.
Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Processing form data without nonce verification.
Detected usage of meta_query, possible slow query.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$filter".
Offloading images, js, css, and other scripts to your servers or any remote service is disallowed.
Detected usage of tax_query, possible slow query.
error_log() found. Debug code should not normally be used in production.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'jetpack' but got 'jetpack-account-protection'. | 2,429 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$global_name". | 435 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'jitm_' . $envelope->CTA->hook". | 290 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 181 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "Markdown". | 155 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 89 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$errstr (file: $errfile; line: $errline)"'. | 89 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 68 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 65 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $child_table used in $wpdb->get_results()\n$child_table assigned unsafely at line 357. | 56 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DISABLE_JETPACK_WAF". | 48 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 35 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Abstract_Jetpack_Site". | 28 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 18 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 18 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 16 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 14 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 14 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 13 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$filter". | 12 |
| PluginCheck.CodeAnalysis.Offloading.OffloadedContent | ERROR | Offloading images, js, css, and other scripts to your servers or any remote service is disallowed. | 5 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 5 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function do_shortcode_tag() is forbidden | 3 |
Latest Snapshot
Findings
4,124
Errors
2,821
Warnings
1,303
Score History
First score snapshot
First scan completed Jun 19, 2026
v15.9 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v15.9
23
Latest
- Findings
- 4,124
- Errors
- 2,821
- Warnings
- 1,303
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 23 | 4,124 | 2,821 | 1,303 | v15.9 | 2.0.0 | 2026.06-mvp-static-v2 |
