This all-in-one SEO plugin gives you control over meta titles & descriptions, open graph, auto-linking, rich-snippets, 404 monitoring, siloing & more.
Category Scores
Top Issues by Category
security483
maintainability116
i18n79
Issues Details
706 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" /> $label"'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_FILES['settingsfile']['name']
$_GET['object'] not unslashed before sanitization. Use wp_unslash() or similar
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Processing form data without nonce verification.
Detected usage of a possibly undefined superglobal array index: $_FILES['settingsfile']['name']. Check that the array index exists before using it.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Sanitization missing for register_setting().
Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$s", but got "%d, %s" in '%d %s'.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Missing singular placeholder, needed for some languages. See https://codex.wordpress.org/I18n_for_WordPress_Developers#Plurals
The $text parameter must be a single text string literal. Found: SU_AUTHOR
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found interpolation in unescaped heredoc.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of meta_key, possible slow query.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" /> $label"'. | 189 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 75 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 65 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['settingsfile']['name'] | 57 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['object'] not unslashed before sanitization. Use wp_unslash() or similar | 52 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 52 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 35 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['settingsfile']['name']. Check that the array index exists before using it. | 32 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 31 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 17 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 12 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 11 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$s", but got "%d, %s" in '%d %s'. | 8 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 7 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching. | 5 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function create_function() is forbidden | 4 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 4 |
| WordPress.WP.I18n.MissingSingularPlaceholder | ERROR | Missing singular placeholder, needed for some languages. See https://codex.wordpress.org/I18n_for_WordPress_Developers#Plurals | 4 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: SU_AUTHOR | 4 |
| WordPress.Security.EscapeOutput.HeredocOutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found interpolation in unescaped heredoc. | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 3 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 2 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 2 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 2 |
Latest Snapshot
Findings
706
Errors
437
Warnings
269
Score History
First score snapshot
First scan completed Jun 20, 2026
v7.6.5.9 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v7.6.5.9
24
Latest
- Findings
- 706
- Errors
- 437
- Warnings
- 269
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 24 | 706 | 437 | 269 | v7.6.5.9 | 2.0.0 | 2026.06-mvp-static-v2 |
