Plugin Check (PCP) vs WP HealthKit
Plugin Check is spell check. WP HealthKit is editorial review.
| | Plugin Check (PCP) | WP HealthKit |
|---|---|---|
| What it does | WordPress.org directory compliance checks | Deep security, quality, and accessibility audit |
| Who it's for | Plugin authors submitting to wp.org | Plugin authors who want production-ready code |
| How it works | Rule-based pattern matching (40+ checks) | 49 verification layers: 45 deterministic + 4 AI engines |
| Price range | Free (open source) | Free – £499/mo |
What Plugin Check (PCP) does well
- Official WordPress.org tool, maintained by the Performance Team
- Free and open source
- Checks readme.txt format, PHP coding standards, basic security patterns, performance flags
- Required for WordPress.org plugin directory submissions
- Available as WP Admin tool or WP-CLI command
- Gets regular updates aligned with directory review team priorities
What WP HealthKit does differently
- Catches complex security vulnerabilities, logic flaws, and authentication bypass patterns that rule-based checks miss
- AI analysis understands context — not just pattern matching, but reasoning about code behaviour
- Covers GDPR/privacy, PHP 8.x compatibility, multisite safety, WooCommerce security, supply chain health
- 30.5% of wp.org submissions get rejected — many pass Plugin Check but fail manual review. WP HealthKit catches what human reviewers catch
- Generates professional PDF reports with remediation guidance
- Companion plugin for continuous site monitoring — auto re-audit when plugins update
Where they overlap
Both check WordPress coding standards and basic security patterns. Plugin Check is the source of truth for directory compliance. WP HealthKit covers the same ground but goes 10x deeper on security.
When to use both
- Always use both. Plugin Check is mandatory and free — run it first for formatting and compliance
- Then run WP HealthKit to catch security and quality issues that Plugin Check's rule-based approach can't detect
- Think of it as: Plugin Check = spell check, WP HealthKit = editorial review
Decision framework
| If you need... | Use... |
|---|---|
| Pass WordPress.org directory review | Plugin Check (mandatory) + WP HealthKit (recommended) |
| Basic coding standards compliance | Plugin Check |
| Deep security audit with AI analysis | WP HealthKit |
| GDPR, accessibility, WooCommerce checks | WP HealthKit |
| Maximum confidence before submission | Use both |
Plugin Check (PCP) pricing
Free (open source)
WP HealthKit pricing
Free (2 audits/mo), £4.99 single, £29/mo Pro, £149/mo Agency, £499/mo Enterprise
Run a free audit on your plugin
See what WP HealthKit finds in your code — 2 free tokens, no credit card required.
More comparisons
One protects your site from known threats. The other finds the threats nobody knows about yet.
Wordfence: One guards your front door. The other checks your house for structural flaws before you move in.
Sucuri: Sucuri is your bodyguard. WP HealthKit is your architect checking the building plans.
WPScan / Jetpack Protect: WPScan tells you if your plugin has a known problem. WP HealthKit tells you if your code has an unknown one.
PHPStan / Psalm: PHPStan catches type errors. WP HealthKit catches WordPress security errors. Run both.
SonarQube: SonarQube knows PHP. WP HealthKit knows WordPress.
Snyk: Snyk protects your supply chain. WP HealthKit protects what you built with it.
SolidWP: SolidWP locks your house. WP HealthKit checks whether the house was built safely.
MalCare: MalCare cleans up the mess. WP HealthKit helps you not make it.
CodeRabbit / AI Code Review: General AI knows PHP. WP HealthKit knows WordPress.
WP Umbrella: WP Umbrella tells you when a plugin update drops. WP HealthKit tells you if the update is safe.
Semgrep: WP HealthKit runs Semgrep. It also runs 29 other things.
BuiltByGo: One is a WordPress security product. The other is a small team that somehow built it. The product is winning.
Drata: Drata gets your SaaS company SOC 2 ready. WP HealthKit gets your WordPress fleet CRA ready. Same job, different surface.
Vanta: Vanta automates compliance for SaaS. WP HealthKit automates compliance for WordPress.
Secureframe: Secureframe is for SaaS companies chasing SOC 2. WP HealthKit is for WordPress agencies chasing CRA.