PHPStan / Psalm vs WP HealthKit
PHPStan catches type errors. WP HealthKit catches WordPress security errors. Run both.
| | PHPStan / Psalm | WP HealthKit |
|---|---|---|
| What it does | PHP type checking and taint analysis | WordPress-specific security, quality, and accessibility audit |
| Who it's for | PHP developers (any framework) | WordPress plugin and theme developers |
| How it works | AST analysis + type inference + taint tracking | 49 verification layers: 45 deterministic + 4 AI engines |
| Price range | Free (open source) | Free – £499/mo |
What PHPStan / Psalm does well
- Free, open source, battle-tested on massive PHP codebases
- PHPStan: 9 strictness levels, catches type inconsistencies and undefined references
- Psalm: taint analysis tracks untrusted data through code to dangerous sinks
- Both integrate into CI/CD pipelines
- Work on any PHP codebase, not just WordPress
- Large extension ecosystems including WordPress-specific extensions
What WP HealthKit does differently
- Understands WordPress's security model natively: wp_verify_nonce(), current_user_can(), $wpdb->prepare(), REST API permission callbacks
- PHPStan sees $_POST['action'] as untrusted input — WP HealthKit checks whether wp_verify_nonce() was called correctly
- Covers non-PHP concerns: GDPR, plugin lifecycle hygiene, multisite safety, WooCommerce patterns, accessibility
- Generates human-readable reports for stakeholders, not CI output
- No configuration required — upload a ZIP, get results
- MCP Server lets Claude, Cursor, and other AI tools trigger audits and read findings via the Model Context Protocol
- WP-CLI plugin runs full audits directly from the terminal — same engine, scriptable from any CI runner
- GitHub Action drops into existing workflows for audit-on-push and audit-on-PR with severity-gated checks
- WordPress Playground activation matrix tests real plugin activation across WP 7.0/6.8 and PHP 8.1/8.2/8.3 — catches fatals PHPStan cannot model
- Companion plugin for continuous site monitoring — auto re-audit when plugins update
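The nonce, capability and `$wpdb->prepare()` checks listed above, shown as an added example (this is not WP HealthKit's or PHPStan's code, and the `hk_demo_*` names and the `hk_notes` table are hypothetical). Both handlers are equally well-typed, which is why a type checker passes both; only the second one verifies the request the way the WordPress security model expects.

```php
<?php
// Added example, not code from the page or either tool. Names prefixed hk_demo_
// and the {$wpdb->prefix}hk_notes table are hypothetical.

// BEFORE: every PHP type is correct, so a type checker is satisfied, but the
// request carries no verified nonce, the caller's capability is never checked,
// and untrusted input is interpolated straight into the SQL string.
function hk_demo_save_note_unsafe(): void {
    global $wpdb;
    $note = (string) ( $_POST['note'] ?? '' );
    $wpdb->query( "UPDATE {$wpdb->prefix}hk_notes SET body = '$note' WHERE id = 1" );
    wp_send_json_success();
}

// AFTER: the request must carry a nonce issued for this exact action, the user
// must hold the capability the action requires, input is sanitized, and the
// query goes through $wpdb->prepare() with bound placeholders.
function hk_demo_save_note(): void {
    // The action string passed to wp_verify_nonce() must match the one used
    // when the nonce was issued; a call with a mismatched or generic action is
    // the "called, but not correctly" case a WordPress-aware audit looks for.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hk_demo_save_note' ) ) {
        wp_send_json_error( 'Invalid request token.', 403 ); // exits
    }
    // A valid nonce proves intent, not authorization: check the capability too.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 ); // exits
    }
    global $wpdb;
    $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    $id   = absint( $_POST['id'] ?? 0 );
    $wpdb->query(
        $wpdb->prepare( "UPDATE {$wpdb->prefix}hk_notes SET body = %s WHERE id = %d", $note, $id )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_hk_demo_save_note', 'hk_demo_save_note' );

// Issuing side: the nonce field is generated for the same action string, so the
// verify call above and this field are a matched pair.
function hk_demo_nonce_field(): string {
    return wp_nonce_field( 'hk_demo_save_note', '_wpnonce', true, false );
}
```

Running PHPStan or Psalm over both functions reports the same type-level result; the difference between them is only visible to a check that knows what `wp_verify_nonce()`, `current_user_can()` and `$wpdb->prepare()` mean in WordPress.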
Where they overlap
Both catch some PHP issues: type errors, undefined variables, unreachable code. PHPStan/Psalm do this with deeper PHP-level precision. WP HealthKit trades PHP depth for WordPress breadth.
When to use both
- Use PHPStan/Psalm in your CI pipeline for continuous type safety on every commit
- Use WP HealthKit before major releases for a comprehensive WordPress-aware audit covering GDPR, lifecycle, multisite, WooCommerce, and accessibility
- They're complementary: PHPStan catches 'Argument #2 of update_option expects string, int given'. WP HealthKit catches 'you're storing emails without a privacy policy disclosure.'
Decision framework
| If you need... | Use... |
|---|---|
| PHP type safety in CI/CD | PHPStan / Psalm |
| WordPress-specific security audit | WP HealthKit |
| Taint analysis for data flows | Psalm |
| GDPR, accessibility, WooCommerce checks | WP HealthKit |
| Maximum code quality coverage | Use both |
PHPStan / Psalm pricing
Free (open source)
WP HealthKit pricing
Free (2 audits/mo), £4.99 single, £29/mo Pro, £149/mo Agency, £499/mo Enterprise