WP HealthKit
49 Verification Layers

Every Plugin. Every Layer. Every Audit.

45 deterministic scanners and 4 AI engines work together to give your WordPress plugin or theme the most thorough security, quality, and accessibility audit available.

35 Deterministic Scanners

Deterministic Scanners

Zero false positives. Every check is rules-based and reproducible across runs.

DETERMINISTIC

Wordfence CVE Cross-Reference

Checks every dependency and code pattern against the Wordfence vulnerability database with severity ratings and remediation guidance.

DETERMINISTIC

Composer Dependency Audit

Scans composer.lock against Packagist security advisories plus OSV.dev (GitHub Security Advisories + FriendsOfPHP) for CVE coverage across every Packagist-published package.

DETERMINISTIC

Dependency Freshness Scanner

Flags any bundled npm or Composer release published less than 48 hours before the audit. Brand-new releases are the highest-risk window for supply-chain attacks — typosquats and account takeovers are usually caught within 24-48 hours of upload.
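As an added example (not WP HealthKit's own scanner code), the following Python applies the 48-hour rule to both lock files at once: it flattens a package-lock.json (lockfileVersion 3 layout) and a composer.lock into (ecosystem, name, version) tuples, resolves each release's publish time, and flags anything younger than 48 hours at a fixed audit time. The lock files, package names and timestamps are constructed for the example. It assumes publish times would normally come from the npm registry package document's "time" map and from Packagist's per-version "time" field; here they are embedded so the code runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Releases younger than this at audit time are flagged.
FRESHNESS_WINDOW = timedelta(hours=48)

# Constructed package-lock.json (lockfileVersion 3 layout); the "" entry is the root project.
PACKAGE_LOCK = json.dumps({
    "name": "acme-plugin", "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-plugin", "version": "1.0.0"},
        "node_modules/example-widgets": {"version": "4.1.0"},
        "node_modules/acme-fmt": {"version": "0.1.1"},
    },
})

# Constructed composer.lock excerpt.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-utils", "version": "v2.0.0"},
        {"name": "example/unlisted", "version": "v1.0.0"},
    ],
    "packages-dev": [],
})

# Constructed publish timestamps keyed by (ecosystem, name, version). A real
# scanner would take these from the npm registry document's "time" map and
# from Packagist's per-version "time" field (assumption); they are embedded
# here so the example runs offline. "example/unlisted" is deliberately absent.
PUBLISH_TIMES = {
    ("npm", "example-widgets", "4.1.0"): "2025-02-01T12:00:00Z",
    ("npm", "acme-fmt", "0.1.1"): "2025-03-11T20:00:00Z",
    ("composer", "acme/http-utils", "v2.0.0"): "2025-03-10T06:00:00Z",
}

# Fixed audit time so results are reproducible.
AUDIT_TIME = datetime(2025, 3, 12, tzinfo=timezone.utc)


def lock_dependencies(package_lock_json, composer_lock_json):
    """Flatten both lock files into (ecosystem, name, version) tuples."""
    deps = []
    lock = json.loads(package_lock_json)
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project, not a dependency
        # Aliased packages carry an explicit "name"; otherwise derive it from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        deps.append(("npm", name, meta["version"]))
    comp = json.loads(composer_lock_json)
    for pkg in comp.get("packages", []) + comp.get("packages-dev", []):
        deps.append(("composer", pkg["name"], pkg["version"]))
    return deps


def freshness_findings(deps, publish_times, audit_time):
    """Flag releases newer than FRESHNESS_WINDOW, and report any release whose
    publish time could not be resolved rather than silently passing it."""
    findings = []
    for eco, name, version in deps:
        stamp = publish_times.get((eco, name, version))
        if stamp is None:
            findings.append({"ecosystem": eco, "name": name, "version": version,
                             "status": "unknown", "age_hours": None})
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        age = audit_time - published
        if age < FRESHNESS_WINDOW:
            findings.append({"ecosystem": eco, "name": name, "version": version,
                             "status": "fresh",
                             "age_hours": round(age.total_seconds() / 3600, 1)})
    return findings


if __name__ == "__main__":
    deps = lock_dependencies(PACKAGE_LOCK, COMPOSER_LOCK)
    for finding in freshness_findings(deps, PUBLISH_TIMES, AUDIT_TIME):
        print(finding)
```

The "unknown" status is the part worth keeping in a real pipeline: a release whose publish time cannot be resolved (a private registry, a git-sourced package, a registry outage) should surface as a finding, because treating it as old is exactly the gap a freshly published malicious version would slip through.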

DETERMINISTIC

Socket.dev Behavioural Risk

Surfaces typosquatting, install-script abuse, malware, shell-access, hidden binaries, and unverified-author signals on every bundled dependency. Goes beyond CVE databases to catch supply-chain compromise before an advisory is filed.

DETERMINISTIC

Secret & Credential Detection

Detects 22 patterns of hardcoded API keys, database passwords, tokens, and private keys that should never be in source code.

DETERMINISTIC

PHP Compatibility Analysis

Validates your plugin against PHP 8.0 through 8.4 for deprecated functions, removed features, and breaking syntax changes.

DETERMINISTIC

PHPCS WordPress Standards

Runs PHP_CodeSniffer with the WordPress-Extra ruleset covering security sniffs, naming conventions, and best practices.

DETERMINISTIC

PHPStan Type Safety

Level 5 static analysis catching type errors, undefined variables, incorrect method calls, and logic bugs before runtime.

DETERMINISTIC

Metadata & Lifecycle Validation

Validates plugin headers, readme.txt format, hook usage, update mechanisms, and lifecycle compliance, catching the issues that lead to wp.org rejections.

DETERMINISTIC

WordPress Version Compatibility

Detects deprecated WordPress functions and APIs, mapping minimum version requirements from actual code usage against declared headers.

DETERMINISTIC

WooCommerce Compatibility

Checks HPOS incompatibility, deprecated WooCommerce hooks, Checkout Block conflicts, and payment gateway compliance.

DETERMINISTIC

Plugin Conflict Detection

Identifies naming collisions, asset handle conflicts, REST API namespace clashes, and bundled library conflicts against 100+ popular plugins.

DETERMINISTIC

Hook Wiring Audit

Catches dead callbacks, incorrect argument counts, premature function usage, and duplicate hook registrations that cause silent failures.

DETERMINISTIC

Performance Anti-Patterns

Finds N+1 queries, global asset loading, uncached remote requests, missing pagination, and autoload option bloat.

DETERMINISTIC

i18n Readiness

Detects hardcoded user-facing strings, wrong text domains, concatenated translatable strings, and gettext function misuse.

DETERMINISTIC

Database Schema Audit

Validates custom table creation with dbDelta, charset/collation, indexes, and uninstall cleanup.

DETERMINISTIC

Anti-Malware Scanning

Multi-layer detection of obfuscated backdoors, nulled plugins, and data-exfiltration payloads using pattern matching and entropy analysis.

DETERMINISTIC

REST API Authorization Scanner

Detects missing or weak permission_callback on every REST endpoint — the #1 exploited WordPress vulnerability class. Flags is_user_logged_in()-only checks and __return_true wildcards.
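As an added illustration, not WP HealthKit's own scanner code, here is a small Python detector that applies the three checks this layer describes to PHP source: it locates each register_rest_route() call, then classifies the route as missing a permission_callback, using the __return_true wildcard, or using a login-only check without a capability check. The PHP sample is constructed for the example; the acme/v1 namespace, route paths and callback names are invented.

```python
import re

# Constructed sample plugin source for this example (not from any real plugin):
# four routes, one per authorization pattern the scanner distinguishes.
SAMPLE_PHP = r"""<?php
add_action( 'rest_api_init', function () {
    // No permission_callback: WP 5.5+ logs a _doing_it_wrong notice but still
    // serves the route to anonymous callers.
    register_rest_route( 'acme/v1', '/export', array(
        'methods'  => 'GET',
        'callback' => 'acme_export_all',
    ) );

    // Explicit wildcard: anyone may call it.
    register_rest_route( 'acme/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // Login-only: any subscriber passes, no capability is checked.
    register_rest_route( 'acme/v1', '/users', array(
        'methods'             => 'GET',
        'callback'            => 'acme_list_users',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Capability check: the pattern the scanner accepts.
    register_rest_route( 'acme/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => 'acme_reset',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
"""

_ROUTE_RE = re.compile(r"""register_rest_route\s*\(\s*['"]([^'"]*)['"]\s*,\s*['"]([^'"]*)['"]""")
_PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*""")


def _call_spans(src, func_name):
    """Yield (start, end) offsets of every `func_name( ... )` call, matching
    parentheses by depth so closures inside the args array stay in the span."""
    for m in re.finditer(r'\b' + re.escape(func_name) + r'\s*\(', src):
        depth, i = 1, m.end()
        while i < len(src) and depth > 0:
            if src[i] == '(':
                depth += 1
            elif src[i] == ')':
                depth -= 1
            i += 1
        yield m.start(), i


def scan_rest_routes(src):
    """Return one finding per REST route whose permission_callback is missing,
    a __return_true wildcard, or only a login check."""
    findings = []
    for start, end in _call_spans(src, 'register_rest_route'):
        call = src[start:end]
        route = _ROUTE_RE.match(call)
        label = route.group(1) + route.group(2) if route else '<dynamic route>'
        line = src.count('\n', 0, start) + 1
        perm = _PERM_RE.search(call)
        if perm is None:
            kind, why = 'missing', 'no permission_callback; endpoint is public'
        else:
            tail = call[perm.end():]  # the callback value and everything after it
            if tail.startswith(("'__return_true'", '"__return_true"')):
                kind, why = 'wildcard', '__return_true grants access to everyone'
            elif 'is_user_logged_in' in tail and 'current_user_can' not in tail:
                kind, why = 'logged_in_only', 'login check without a capability check'
            else:
                continue  # capability-based or otherwise non-trivial check
        findings.append({'line': line, 'route': label, 'kind': kind, 'why': why})
    return findings


if __name__ == '__main__':
    for f in scan_rest_routes(SAMPLE_PHP):
        print(f"line {f['line']}: {f['route']} [{f['kind']}] {f['why']}")
```

This is a regex pass, not a PHP parser: a permission callback supplied as array( $this, 'method' ) or as a named function is left alone, since its adequacy cannot be judged from the registration site, and a route built from variables is reported under a placeholder label. That is the deliberate trade-off for a deterministic, reproducible check; flow-sensitive analysis of what the callback actually verifies is the job of the AI layer described further down.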

DETERMINISTIC

GDPR Compliance Scanner

Flags external data transmission without explicit consent, missing wp_add_privacy_policy_content registrations, and absent data erasure / export hooks under GDPR Articles 17 and 20.

DETERMINISTIC

npm / JavaScript Dependency Scanner

OSV.dev batch CVE check across package-lock.json and yarn.lock — covers transitive JS vulnerabilities your bundle ships with.

DETERMINISTIC

Gutenberg Block Security

Validates render_callback escaping, block.json attribute safety, server-rendered block sanitization, and dynamic block output for XSS vectors.

DETERMINISTIC

Host Compatibility Scanner

Scores your plugin against 8 managed WordPress hosts — WP Engine, Kinsta, Flywheel, Cloudways, SiteGround, Pressable, GridPane, Rocket.net. Flags disallowed functions, file system writes, persistent object cache assumptions, and host-specific restrictions before you ship.

DETERMINISTIC

CRA Compliance Scanner

Checks SECURITY.md presence, Vulnerability Disclosure Policy contact details, and changelog security tagging — mandatory under the EU Cyber Resilience Act from September 2026.

DETERMINISTIC

Multisite Compatibility Scanner

Flags manage_options used where manage_network_options is required, and $wpdb->prefix usage inside multi-blog loops that causes silent data leaks across sites.

DETERMINISTIC

GPL / License Compatibility

Checks Composer and npm production dependencies against the GPL-compatibility list — catches BSD-4, proprietary, and non-redistributable licenses before wp.org rejection.

DETERMINISTIC

CodeCanyon / Envato Submission

Pre-submission checks for inline JS, debug code, hardcoded URLs, missing documentation, and compressed PHP — the patterns that get marketplace submissions soft-rejected.

DETERMINISTIC

Theme Scanner

Themes only: validates style.css headers, FSE / block-theme readiness, customizer sanitization, and WooCommerce template overrides for version drift.

AI Engine

Security AI Engine

Deep analysis of authentication flows, authorization, input sanitization, SQL injection, XSS, CSRF, and data flow tracking.

AI ENGINE

Auth & Session Management

Analyses authentication flows and session handling for bypasses, fixation, and insecure storage patterns.

AI ENGINE

Authorization & Capabilities

Verifies capability checks, role enforcement, and privilege escalation vectors across every endpoint.

AI ENGINE

Input Validation & Escaping

Traces user input from source to sink to ensure proper sanitization and output escaping at every boundary.

AI ENGINE

SQL Injection & XSS Vectors

Detects SQL injection patterns, prepared statement gaps, and cross-site scripting vectors in rendered output.

AI Engine

Quality AI Engine

Evaluates architecture, maintainability, WordPress best practices, documentation, error handling, and overall code health.

AI ENGINE

Architecture & Separation

Evaluates code structure, separation of concerns, and adherence to WordPress design patterns.

AI ENGINE

Error Handling & Degradation

Checks for graceful error handling, fallbacks, and recovery patterns throughout your plugin.

AI ENGINE

Hook & Filter Patterns

Reviews hook and filter implementation for proper priority, extensibility, and WordPress API usage.

AI ENGINE

Documentation & Comments

Assesses inline documentation, PHPDoc completeness, and backward compatibility considerations.

AI Engine

Accessibility AI Engine

WCAG 2.1 AA compliance, ARIA usage, keyboard navigation, screen reader compatibility, and admin interface accessibility.

AI ENGINE

WCAG 2.1 AA Compliance

Analyses front-end output and admin interfaces against WCAG 2.1 AA patterns, ARIA roles, and semantic HTML.

AI ENGINE

Keyboard & Focus Management

Checks keyboard navigation support, focus trapping, visible focus indicators, and tab order correctness.

AI ENGINE

Screen Reader Support

Verifies live regions, announcements, form label associations, and error state communication for assistive tech.

AI ENGINE

Color & Contrast

Analyses colour contrast ratios, colour-only information conveyance, and high-contrast mode support.

AI Engine

Theme AI Engine

Seven-phase audit: template hierarchy, child theme compatibility, FSE readiness, Customizer API, accessibility, performance, and WooCommerce overrides.

AI ENGINE

Template Hierarchy & FSE

Validates template hierarchy correctness, conditional tags, block theme readiness, and theme.json usage.

AI ENGINE

Child Theme Compatibility

Checks parent/child theme compatibility, override patterns, and pluggable function safety.

AI ENGINE

WooCommerce Overrides

Analyses WooCommerce template overrides for version compatibility and deprecated template usage.

AI ENGINE

Asset Loading & Performance

Reviews front-end asset loading, critical CSS patterns, render-blocking resources, and enqueueing best practices.

Autofix Engine

From findings to a patched ZIP — automatically

WP HealthKit doesn't just find problems — it fixes them. The Autofix Engine combines deterministic fixes with AI-generated patches, verifies every change, and produces a patched plugin ZIP ready to install.

  • Deterministic fixes: PHPCBF formatting, deprecated function replacement, ABSPATH guards
  • AI-generated patches: Claude generates targeted unified diffs for each finding
  • Verification pipeline: PHP syntax check + PHPCS re-run before producing ZIP
  • Download a patched plugin ZIP ready to install on your site
  • Included with Pro (3/mo), Agency (10/mo), and Enterprise (50/mo) — or £14.99 one-off (£9.99 for Pro+)

Deterministic Fixes

PHPCBF, deprecated functions, ABSPATH guards

AI Patches

Claude-generated unified diffs per finding

Verification

PHP syntax + PHPCS re-run before ZIP

Download

Patched plugin ZIP ready to install

Site Monitoring

Companion Plugin & Site Monitoring

Install our lightweight WordPress plugin to connect your site. Get continuous security monitoring, auto-audits on plugin updates, health scores, and instant alerts.

  • WordPress companion plugin for automatic syncing
  • Auto re-audit when plugins update
  • Site health score dashboard
  • Critical finding & CVE email alerts
  • WP admin dashboard widget
  • Agency multi-site monitoring (up to 50 sites)

Companion Plugin

Lightweight WP plugin syncs your site automatically

Auto Re-Audit

Triggers a new audit when any plugin updates

Health Score

Real-time site health score on your dashboard

Email Alerts

Instant notifications for critical findings & CVEs

EU Compliance

CRA & EAA compliance readiness

The EU Cyber Resilience Act (CRA) and European Accessibility Act (EAA) are introducing mandatory security and accessibility requirements for software sold in the EU. WP HealthKit helps you prepare now.

  • CRA vulnerability handling requirements mapping
  • Security-by-default configuration analysis
  • Software Bill of Materials (SBOM) readiness
  • EAA accessibility compliance baseline
  • Documentation and disclosure requirements
  • Agency plan includes full CRA compliance kit

CRA Deadline Approaching

The EU Cyber Resilience Act requires all software with digital elements sold in the EU to meet mandatory cybersecurity requirements. Plugins distributed commercially — including freemium models — will need to demonstrate compliance.

WP HealthKit's Agency plan includes a CRA compliance kit with vulnerability disclosure templates, SBOM generation, and security documentation aligned to CRA requirements.

Audit Your Plugin Free

Upload a .zip and get a thorough 49-layer audit. Queue position shown immediately. No credit card required.


Free tier includes 2 full audits per month. No credit card required.