Question 1

How is this different from Plugin Check (PCP)?

Accepted Answer

Plugin Check runs basic lint-level checks against WordPress coding standards. WP HealthKit goes much deeper: it cross-references known CVEs via Wordfence Intelligence, scans for hardcoded secrets and credentials, checks dependency security via Packagist advisories, verifies PHP version compatibility, runs PHPCS and PHPStan analysis, traces data flows through your code, analyses authentication and authorization logic, checks every REST endpoint for permission gaps, evaluates CSRF/XSS/SQLi vectors, scans for unsafe AI-generated code patterns, validates accessibility compliance, and audits production readiness across 30+ checks. We catch the issues that PCP misses and that wp.org reviewers will flag.

Question 2

What powers the audits?

Accepted Answer

Every audit runs through 46 verification layers. First, 42 deterministic scanners check verifiable facts: the Wordfence Intelligence CVE database, WPScan, WPVulnerability/Patchstack advisories, Composer dependency advisories (Packagist + OSV.dev for full GitHub Security Advisory coverage), npm/JS dependencies via OSV.dev, a dependency freshness scanner that flags any bundled release published less than 48 hours before the audit (the highest-risk window for supply-chain attacks), optional Socket.dev behavioural risk scoring (typosquat / install-script / malware / hidden-binary signals), 22 secret detection patterns, PHP version compatibility analysis, WordPress version compatibility, WooCommerce compatibility, plugin conflict detection, malware scanning, hook wiring audit, performance anti-pattern detection, i18n readiness checks, database schema audit, REST API authorization scanning (the #1 exploited WordPress vulnerability class), GDPR compliance, Gutenberg block security, host compatibility scoring across 8 managed WordPress hosts (WP Engine, Kinsta, Flywheel, Cloudways, SiteGround, Pressable, GridPane, Rocket.net), EU CRA compliance checking, multisite compatibility, GPL and license compatibility, CodeCanyon/Envato submission readiness, PHPCS WordPress coding standards, PHPStan level 5 type safety, Semgrep and Psalm static analysis. Then 4 WP-specialised AI engines run in parallel: a Security engine (including AI-generated code safety), a Quality-of-Life engine (9 dimensions of production readiness), an Accessibility engine (WCAG 2.1 AA + EAA compliance), and a merge/triage engine (Claude AI). Deterministic results are flagged before AI analysis begins.

Question 3

Do you check for known CVEs?

Accepted Answer

Yes. Every audit cross-references your plugin or theme against the Wordfence Intelligence vulnerability database — the broadest, most up-to-date WordPress vulnerability dataset available — plus WPScan and the WPVulnerability advisory feed for triple-source coverage. Known CVEs are flagged with severity, affected versions, and remediation guidance before AI analysis even begins. This is a deterministic check, not an AI guess.

Question 4

Do you scan for hardcoded secrets?

Accepted Answer

Yes. Our secret detection scanner checks for 22 patterns covering AWS access keys and secret keys, Stripe publishable and secret keys, Google API keys, Slack tokens, GitHub tokens, database credentials, private RSA/SSH keys, JWT secrets, and more. All detected values are fully redacted in reports — we never store or display your actual credentials.

Question 5

What PHP versions do you check?

Accepted Answer

Our PHP compatibility scanner detects PHP 8.0, 8.1, 8.2, 8.3, and 8.4 features used in your code (named arguments, enums, fibers, readonly classes, typed class constants, property hooks, asymmetric visibility, etc.) and warns about deprecated constructs. If your plugin declares a minimum PHP version in its headers but uses features from a higher version, we flag the mismatch. The optional WordPress Playground activation matrix can run your plugin against WP 7.0/6.8 paired with PHP 8.1/8.2/8.3 to catch activation fatals before users see them.

Question 6

Do you audit themes too?

Accepted Answer

Yes. When you upload a theme ZIP, WP HealthKit automatically activates a dedicated 7-phase Theme engine in addition to the standard security, quality, and accessibility engines, plus a deterministic theme scanner that validates style.css headers, FSE/block readiness, customizer sanitization, and WooCommerce template overrides. It handles both classic and block-based themes.

Question 7

Do you check accessibility?

Accepted Answer

Yes. Our dedicated Accessibility engine checks WCAG 2.1 Level AA compliance and European Accessibility Act (EAA) conformance — mandatory since June 2025. It covers HTML semantics, ARIA patterns, keyboard navigation, form accessibility, color contrast, media accessibility, and admin interface accessibility. You get specific findings and code fixes, not just a pass/fail score.

Question 8

Is my plugin code kept private?

Accepted Answer

Yes. Your plugin ZIP is processed in an isolated environment and analysed. The ZIP is stored securely for 30 days to enable the autofix feature (patched ZIP download), then automatically deleted. Only you can access your stored files. The generated report is tied to your account.

Question 9

How accurate are the findings?

Accepted Answer

Our deterministic scanners (CVE database, dependency audit, secret detection, PHP compatibility, PHPCS, PHPStan, REST authorization, GDPR, Gutenberg, host compatibility, CRA, multisite, GPL, CodeCanyon, theme) produce verified, factual results with zero false positives. Our AI engines are specifically trained on WordPress security patterns and the wp.org review process. While automated audits complement but do not replace manual penetration testing for critical applications, our users report that WP HealthKit catches the vast majority of issues that wp.org reviewers flag — plus security vulnerabilities that reviewers may not test for.

Question 10

Can I re-audit after fixing issues?

Accepted Answer

Absolutely. Re-auditing is the recommended workflow: audit, fix the findings using the provided code examples, then re-audit to verify everything passes. Pro subscribers get re-audits at 50% off, and Agency plan members get 200 tokens per month.

Question 11

Do you support WooCommerce extensions?

Accepted Answer

Yes. Our audit includes WooCommerce-specific security checks covering payment gateway security, checkout flow integrity, webhook verification, order amount tampering, session validation, and settings sanitization.

Question 12

Can I use this for CRA compliance?

Accepted Answer

Yes. WP HealthKit can generate a complete EU Cyber Resilience Act (CRA) compliance package including a SECURITY.md file, a Vulnerability Disclosure Policy, assessment evidence documentation, and a CycloneDX/SPDX Software Bill of Materials (SBOM) — mandatory under the CRA from September 2026. A dedicated CRA scanner flags missing SECURITY.md, missing VDP contact, and untagged security changelogs ahead of the deadline. Available on Pro and Agency plans.

Question 13

Is my AI-generated code safe?

Accepted Answer

That is exactly what our AI Code Safety scanner checks. It detects patterns commonly introduced by AI code generation tools like Copilot and ChatGPT — missing nonces on AJAX handlers, raw $wpdb queries without prepared statements, insufficient capability checks, REST endpoints without permission_callback, and other security gaps that AI assistants frequently produce. It runs automatically as part of every audit.

Question 14

Can I use this in my CI/CD pipeline?

Accepted Answer

Yes. Pro and Agency plan subscribers get access to our GitHub Actions integration via wp-healthkit/audit-action. It runs a full audit on every pull request and fails the check if findings exceed your configured threshold. Agency plan members also get direct API access for custom integrations.

Question 15

What file size limit do you support?

Accepted Answer

Plugin and theme ZIP files up to 50 MB are supported. This covers the vast majority of WordPress plugins and themes. If you have a larger package, contact us and we can accommodate it.

The compliance layer
your WordPress agency
is missing.

42 deterministic scanners. 4 AI engines. Zero guesswork.

One grade for every buyer. Four grades for every reviewer.

Ship with the receipts.
Not with your fingers crossed.

The compliance layeryour WordPress agencyis missing.

42 deterministic scanners. 4 AI engines. Zero guesswork.

One grade for every buyer. Four grades for every reviewer.

Ship with the receipts.Not with your fingers crossed.

The compliance layer
your WordPress agency
is missing.

Ship with the receipts.
Not with your fingers crossed.