WP HealthKit
Changelog

What's new in WP HealthKit

Recent updates to the audit engine, platform features, and marketing pages. Updated as work ships.

  1. May 2026

    WordPress 7 ready

    WordPress 7 support

    • Activation matrix now benchmarks against WordPress 7.0 (released 2026-05-20) and 6.8 — every audit reflects the latest stable release
    • WP compatibility scanner emits a dedicated WordPress 7 clarification finding so reports state exactly which version they were tested against
    • wp_specialchars() flagged as removed in WP 7.0 (after a decade of deprecation) — replace with esc_html() for escaping
    • Context7 doc-cache integration — AI engines pull current WordPress 7 deprecation notes live rather than relying on training-cutoff knowledge
    • "Tested up to" validation now compares against 7.0 by default; set the LATEST_WP_VERSION env var to override per environment
  2. April 2026

    Major Update

    Scan engine (49 verification layers)

    • REST API authorization scanner — detects missing permission_callback (the #1 exploited WordPress vulnerability class)
    • GDPR compliance scanner — flags external data transmission without consent, missing data erasure hooks
    • npm/JS dependency scanner — OSV.dev batch CVE check on bundled JavaScript packages
    • Gutenberg block scanner — render_callback escaping, block.json attribute type safety
    • Host compatibility scanner — WP Engine, Kinsta, Flywheel compatibility scoring with affiliate disclosure
    • CRA compliance scanner — SECURITY.md presence, VDP contact, changelog security tagging (EU Cyber Resilience Act)
    • Multisite compatibility scanner — manage_options vs manage_network_options, $wpdb->prefix in multi-blog loops
    • GPL/license compatibility scanner — Composer + npm production deps against GPL compatibility list
    • CodeCanyon/Envato submission scanner — inline JS, debug code, hardcoded URLs, missing docs, compressed PHP
    • Theme scanner (themes only) — style.css headers, FSE/block readiness, customizer sanitization, WooCommerce template overrides
    • WordPress Playground activation matrix — optional engine testing WP 7.0/6.8 × PHP 8.1/8.2/8.3 + WooCommerce conflict check
    • SBOM generation — CycloneDX 1.6 and SPDX 2.3 from Composer + npm dependencies

    Token pricing

    • Free tier: 2 tokens/month
    • Standard audit = 1 token; audit with optional engine (Playground/Performance) = 2 tokens
    • Pro: 30 tokens/month · Agency: 200 tokens/month

    New features

    • wp.org pre-flight mode — frames audit for WordPress.org submission review, always private
    • Supply chain ownership monitoring — alerts when a monitored plugin changes author on WordPress.org
    • Email drip series — CRA countdown (4 emails) and AI plugin security (3 emails) sequences
    • Performance regression tracking — Playground engine tracks memory/query deltas across plugin versions
    • Monthly findings log — aggregate findings analytics powering the /reports infographic dashboard
    • MCP v0.5.2 — generate_sbom and get_telemetry_stats tools; 6 reference resources; 3 prompt templates

    New marketing pages

    • /features/playground, /features/sbom, /features/supply-chain, /features/host-compatibility
    • /cra-compliance — CRA September 2026 deadline guide
    • /for/ai-plugin-development, /for/ai-generated-plugins, /for/envato-authors

Want to see what shipped before this?

Browse community updates from verified plugin developers, or read the latest from the WP HealthKit blog.