WordPress Powers 43% of the Web.
It Deserves Better Security.
We're building the infrastructure to protect the world's most popular platform — one plugin at a time.
The Security Gap No One Talks About
Reviewed Once, Never Again
WordPress.org reviews plugins on submission. After that? Nothing. Version 1.0 gets checked. Versions 2.0 through 47.0 ship without a second look. Vulnerabilities accumulate silently.
AI Is Writing Plugins Now
AI coding assistants generate WordPress plugins in minutes. They also generate the same security mistakes every time — unescaped output, missing nonces, raw SQL queries. The speed is impressive. The security is not.
The Stakes Are Real
A vulnerability in a plugin with 5 million installs doesn’t affect one site. It affects millions simultaneously. One supply chain attack can compromise more websites than any traditional malware campaign.
Why We Built This
We didn't build WP HealthKit because security tools are profitable. We built it because someone had to.
If WordPress becomes known as “the insecure platform,” the entire ecosystem collapses — developers lose their livelihoods, agencies lose their clients, businesses lose their online presence. 43% of the web can't afford that.
The WordPress community has always been self-reliant. It built its own themes, its own plugins, its own hosting ecosystem. Now it needs to build its own security infrastructure. That's what we're doing.
Our Principles
1. Every plugin should be auditable
Not just by security experts, but by anyone. Upload a ZIP, get a comprehensive report in minutes.
2. Security should be continuous
A one-time review is a snapshot. Real security requires monitoring every version, every update, every dependency change.
3. AI should fix code, not just find problems
Finding 400 vulnerabilities is useless if nobody fixes them. Our autofix pipeline patches issues automatically with deterministic patchers and AI-powered fixes.
4. Open source deserves open security
We provide free unlimited audits for open source plugins through our Open Source Program. Security shouldn’t be a luxury.
5. Developers aren’t the enemy
Bad tooling is. Most security issues aren’t malicious — they’re patterns nobody taught developers to avoid. We fix the patterns, not the people.
6. Transparency builds trust
Our directory publishes security grades for the top 500 plugins publicly. Every audit is reproducible. Every grade is earned.
What We're Building Toward
AI-Audited Before Publication
Every AI-generated plugin audited automatically before it reaches users.
Post-Quantum Readiness
Identifying cryptographic patterns that won’t survive the next decade.
Security as Standard
A security grade as expected as a star rating on WordPress.org.
Developer Accountability
Public grades, claimed profiles, and verified fixes creating a culture of security.
A WordPress That Survives
Not just survives — thrives. Trusted by enterprises, relied on by governments, secure enough for the future.
By the Numbers
- 500+ plugins tracked
- 30 verification layers
- 28 autofix patchers
- 18 security categories
Built by BuiltByGo
WP HealthKit is built by BuiltByGo — a small team with a big mission. We're not venture-backed. We're not chasing exits. We're building the security infrastructure that WordPress needs to survive the next decade.
We believe the best tools are built by people who use them. We're WordPress developers ourselves. We've shipped plugins, built client sites, managed agencies. We know the ecosystem because we live in it.