WP HealthKit
Free & Open Source

The WordPress Plugin Starter
That Ships Secure From Line One

Stop copying broken boilerplate code from Stack Overflow. Generate a production-ready, security-audited WordPress plugin scaffold — customized with your name, namespace, and slug in seconds. Built by the team behind WP HealthKit's 46-layer security audit.

Used by 500+ developers. Passes all 46 WP HealthKit verification layers.

Every WordPress Plugin Starts With The Same Mistakes

Copied from tutorials

Most WordPress plugin tutorials teach patterns from 2015. No namespaces, no nonces, no capability checks. Your first plugin ships with the same vulnerabilities as the tutorial.

AI-generated code is worse

Asked ChatGPT to make a plugin? It probably used echo $_POST['data'] without sanitization, skipped ABSPATH guards, and forgot nonce verification. AI doesn't know WordPress security.

Boilerplates are unmaintained

WPPB hasn't been updated since 2021. WordPress Plugin Boilerplate Generator uses PHP 5.6 patterns. The ecosystem is full of abandoned scaffolds that teach bad habits.

Everything You Need, Nothing You Don't

Security

ABSPATH guard on every file
Nonce verification on all forms
Capability checks on all admin actions
Prepared SQL queries — no raw $wpdb->query()
Escaped output everywhere — esc_html(), esc_attr()
Sanitized input — sanitize_text_field(), wp_unslash()
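
The six items above combined in one admin form handler, as an added example that is not the scaffold's own code. The namespace `MyPlugin`, the action `myplugin_save_note`, the option `myplugin_note` and the page slug `my-plugin` are hypothetical.

```php
<?php
// Added example; MyPlugin, myplugin_save_note, myplugin_note and my-plugin are hypothetical names.
namespace MyPlugin;

defined( 'ABSPATH' ) || exit; // ABSPATH guard: refuse direct requests to this file.

// Weak pattern named on this page, shown for contrast only:
//   echo $_POST['data'];   // no capability check, no nonce, no sanitizing, no escaping

add_action( 'admin_post_myplugin_save_note', __NAMESPACE__ . '\\save_note' );

function save_note(): void {
	// 1. Capability check: only users who may manage options get past this point.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do this.', 'my-plugin' ), '', array( 'response' => 403 ) );
	}
	// 2. Nonce verification: dies unless the request carries the nonce printed by render_form().
	check_admin_referer( 'myplugin_save_note', 'myplugin_nonce' );

	// 3. Sanitized input: unslash first, then strip tags and control characters.
	$note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
	update_option( 'myplugin_note', $note );

	wp_safe_redirect( admin_url( 'options-general.php?page=my-plugin' ) );
	exit;
}

function count_posts_mentioning( string $term ): int {
	global $wpdb;
	// 4. Prepared query: the value is bound through a placeholder, never concatenated.
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	return (int) $wpdb->get_var(
		$wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
	);
}

function render_form(): void {
	$note = (string) get_option( 'myplugin_note', '' );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save_note">
		<?php wp_nonce_field( 'myplugin_save_note', 'myplugin_nonce' ); ?>
		<!-- 5. Escaped output: esc_attr() inside attributes, esc_html() in element content. -->
		<input type="text" name="note" value="<?php echo esc_attr( $note ); ?>">
		<p><?php echo esc_html( $note ); ?></p>
		<?php submit_button(); ?>
	</form>
	<?php
}
```

The capability check runs before the nonce check so an unauthorised user is rejected without the handler touching any request data.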

Structure

PHP 8.0+ with namespaces and PSR-4 autoloading
Proper activation/deactivation/uninstall hooks
Clean uninstall.php with WP_UNINSTALL_PLUGIN guard
Admin settings page with WordPress-native UI
Text domain + load_plugin_textdomain() for i18n

DevOps

GitHub Actions CI with WP HealthKit audit on every push
readme.txt template for WordPress.org submission
.distignore for clean plugin builds
Proper plugin headers (requires WP, requires PHP, tested up to)

The Perfect Base for AI-Assisted Plugin Development

Whether you're using Claude, Cursor, ChatGPT, or Copilot — start with a secure foundation.

AI coding assistants are incredible at building features fast. But they consistently make the same WordPress security mistakes: unescaped output, missing nonces, direct superglobal access, raw SQL queries.

Start with our scaffold and the AI has nowhere to go wrong.

The security patterns are already in place. The AI just needs to add your business logic inside a framework that's already doing the right thing.

Then audit it.

When you're done building, run your plugin through WP HealthKit's 46-layer audit to catch anything the AI missed. Upload the ZIP or use our CLI:

npx @wphealthkit/cli audit ./my-plugin.zip

Catch Security Issues Before They Ship

name: WP HealthKit Audit
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create plugin ZIP
        run: zip -r plugin.zip . -x ".git/*" ".github/*"
      - name: Run WP HealthKit audit
        env:
          WPHK_API_KEY: ${{ secrets.WPHK_API_KEY }}
        run: npx @wphealthkit/cli audit plugin.zip

Every push to your repository triggers a full security audit. If new vulnerabilities are introduced, you'll know immediately — before your users do.

Get your free API key at Settings → API Keys (Pro plan required for CI/CD integration).

Understand How Your Plugin Is Used

Optional telemetry powered by WP HealthKit — privacy-first, GDPR-compliant.

Add 3 lines of code to integrate WP HealthKit Telemetry into your plugin. Track activations, deactivations, PHP/WordPress versions, and plugin conflicts — without being creepy.

Install/uninstall trends
PHP & WordPress version distribution
Conflict detection with other plugins
Deactivation reason surveys

All data is anonymous by default. Users choose their opt-in level.

How It Compares

Feature | WP HealthKit Starter | WPPB.me | WP Plugin Boilerplate | From Scratch
Last updated | 2026 | 2021 | 2019
PHP 8.0+ | Maybe
Nonce verification | Partial | Maybe
Capability checks | Maybe
Escaped output | Maybe
CI/CD included
Passes security audit | Grade A | Grade D | Grade D | Unknown
Custom generation
Telemetry option
i18n ready | Maybe
Free

Get Started in 60 Seconds

1. Generate

Fill in your plugin name below. We auto-generate the slug, namespace, and constants. Click download.

2. Develop

Open in your editor or IDE. Add your features. The security scaffolding is already in place.

3. Audit

Upload to WP HealthKit or push to GitHub. Our 46-layer audit catches anything you missed.

Generate Your Plugin

Frequently Asked Questions

Is this really free?

Yes, completely free and open source. No account required to download. Generate as many plugin scaffolds as you need.

What PHP version does it require?

PHP 8.0+. The scaffold uses namespaces, type hints, and modern patterns. It will not run on PHP 7.x or lower.

Can I use this for commercial plugins?

Absolutely. The generated code is GPL-2.0+ licensed. Use it for free plugins, premium plugins, or client work.

How is this different from WPPB?

WPPB hasn't been updated since 2021 and uses PHP 5.6 patterns. Our starter uses PHP 8.0+, includes security measures (nonces, capability checks, escaping), and has CI/CD built in.

Does it work with AI coding tools?

Yes — that's one of its best use cases. The secure foundation means AI assistants add features on top of correct security patterns instead of generating vulnerable code from scratch.

How do I add WP HealthKit Telemetry?

Download the telemetry SDK from our telemetry page and include it in your plugin's main file. It's 3 lines of code.

Ready to build your next WordPress plugin?

Generate a secure scaffold in seconds.

WordPress Plugin Boilerplate 2026 — Free Secure Starter Template | WP HealthKit