WPS Cleaner cleans your WordPress site as well as your database.
Category Scores
Top Issues by Category
security629
maintainability203
Issues Details
921 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action_url'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of a non-sanitized input variable: $_POST['action']
$_POST['action'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_GET['attachment_id']. Check that the array index exists before using it.
Processing form data without nonce verification.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Mismatched text domain. Expected 'wps-cleaner' but got 'wps-limit-login'.
Unescaped parameter $db_table used in $wpdb->get_results()\n$db_table assigned unsafely at line 122.
Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.
Function "delete_network_option()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 4.2.0.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Total found: %s Comments and %s Comment Meta.'.
The use of function set_time_limit() is discouraged
Detected usage of meta_key, possible slow query.
Detected usage of meta_value, possible slow query.
unlink() is discouraged. Use wp_delete_file() to delete a file.
The plugin name includes a restricted term. Your chosen plugin name - "WPS Cleaner" - contains the restricted term "wp" which cannot be used at all in your plugin name.
Use placeholders and $wpdb->prepare(); found interpolated variable $blog_id at "SELECT media_id FROM {$db_table->get_table_name()} WHERE type = 'whitelist' AND blog_id = $blog_id AND object_id = '0'"
print_r() found. Debug code should not normally be used in production.
Processing form data without nonce verification.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action_url'. | 155 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 146 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 91 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 90 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['action'] | 80 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST['action'] not unslashed before sanitization. Use wp_unslash() or similar | 80 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['attachment_id']. Check that the array index exists before using it. | 63 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 57 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 29 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 28 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $db_table | 25 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'wps-cleaner' but got 'wps-limit-login'. | 11 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $db_table used in $wpdb->get_results()\n$db_table assigned unsafely at line 122. | 9 |
| WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder | ERROR | Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'. | 6 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "delete_network_option()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 4.2.0. | 5 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 4 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Total found: %s Comments and %s Comment Meta.'. | 4 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function set_time_limit() is discouraged | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 3 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WPS Cleaner" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $blog_id at "SELECT media_id FROM {$db_table->get_table_name()} WHERE type = 'whitelist' AND blog_id = $blog_id AND object_id = '0'" | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 2 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 2 |
Latest Snapshot
Findings
921
Errors
430
Warnings
491
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.6.10.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.6.10.2
30
Latest
- Findings
- 921
- Errors
- 430
- Warnings
- 491
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 30 | 921 | 430 | 491 | v1.6.10.2 | 2.0.0 | 2026.06-mvp-static-v2 |
