PhastPress automatically optimizes your site for the best possible performance.
Category Scores
Top Issues by Category
- security: 91
- maintainability: 44
- supply_chain: 2
Issues Details
147 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '": {$pattern}"'. | 31 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 18 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$message'. | 13 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_SERVER['DOCUMENT_ROOT'] | 10 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_SERVER['DOCUMENT_ROOT'] not unslashed before sanitization. Use wp_unslash() or similar | 10 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 8 |
| WordPress.DB.RestrictedClasses.mysql__PDO | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \PDO. | 7 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['DOCUMENT_ROOT']. Check that the array index exists before using it. | 6 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 4 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 3 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function str_rot13() is forbidden | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler | WARNING | set_error_handler() found. Debug code should not normally be used in production. | 2 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| hidden_files | ERROR | Hidden files are not permitted. | 2 |
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo esc_html ..." but found "<?= esc_html ..." | 1 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "REQUESTS_SILENCE_PSR0_DEPRECATIONS". | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 1 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized | WARNING | Detected usage of a non-sanitized, non-validated input variable _SERVER: ":{$_SERVER['SERVER_PORT']}" | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_errno | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_error | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
Latest Snapshot
- Findings: 147
- Errors: 95
- Warnings: 52
Score History
First score snapshot
First scan completed
v3.10 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 29 | 147 | 95 | 52 | v3.10 | 2.0.0 | 2026.06-mvp-static-v2 |