Every Plugin. Every Layer.
Every Audit.
45 deterministic scanners and 4 AI engines work together to give your WordPress plugin or theme the most thorough security, quality, and accessibility audit available.
Deterministic Scanners
Rules-based and reproducible: every deterministic check runs the same way on every audit, so identical input yields identical findings and each result traces back to a named rule rather than a model's judgement.
DETERMINISTIC
Wordfence CVE Cross-Reference
Checks every dependency and code pattern against the Wordfence vulnerability database with severity ratings and remediation guidance.
DETERMINISTIC
Composer Dependency Audit
Scans composer.lock against Packagist security advisories plus OSV.dev (GitHub Security Advisories + FriendsOfPHP) for CVE coverage across every Packagist-published package.
DETERMINISTIC
Dependency Freshness Scanner
Flags any bundled npm or Composer release published less than 48 hours before the audit. A just-published release is the highest-risk window for a supply-chain attack: malicious uploads from typosquats and hijacked maintainer accounts are usually detected and pulled within the first day or two, so a version that is only hours old has not yet had that scrutiny.
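An added example of that freshness check for Composer packages; it is not WP HealthKit's code and makes no claim about how its scanner is implemented. It relies on the fact that composer.lock records each package's release timestamp in a "time" field, so the check runs offline against the lockfile alone; package-lock.json carries no timestamps, so the npm side of the same check needs the registry's per-version "time" map instead. The lockfile excerpt, the vendor/* package names and the audit timestamp are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed composer.lock excerpt (hypothetical vendor/* packages, not a real
# project's lockfile). Composer records each package's release time in "time".
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/mature-lib", "version": "2.4.1",
         "time": "2024-11-02T09:15:00+00:00"},
        {"name": "vendor/fresh-lib", "version": "1.0.3",
         "time": "2025-03-09T22:40:00+00:00"},
        {"name": "vendor/branch-alias", "version": "dev-main",
         "time": "2025-03-10T01:00:00+00:00"},
        {"name": "vendor/no-time", "version": "0.9.0"},
    ],
    "packages-dev": [
        {"name": "vendor/test-tool", "version": "5.0.0",
         "time": "2025-03-10T03:00:00+00:00"},
    ],
})

# Constructed audit timestamp, fixed so the example is reproducible.
AUDITED_AT = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
FRESHNESS_WINDOW = timedelta(hours=48)


class FreshnessFinding(NamedTuple):
    name: str
    version: str
    status: str   # "fresh" (inside the window) or "unknown" (cannot be dated)
    detail: str


def flag_fresh_packages(lock_json: str, audited_at: datetime = AUDITED_AT,
                        window: timedelta = FRESHNESS_WINDOW,
                        include_dev: bool = False) -> list[FreshnessFinding]:
    """Return lockfile packages released inside `window` before the audit,
    plus packages whose release time cannot be trusted."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings = []
    for section in sections:
        for pkg in lock.get(section, []):
            name, version = pkg["name"], pkg.get("version", "?")
            raw = pkg.get("time")
            if raw is None:
                findings.append(FreshnessFinding(
                    name, version, "unknown",
                    "no release timestamp in lockfile; check the registry before trusting it"))
                continue
            released = datetime.fromisoformat(raw)
            if released.tzinfo is None:          # treat naive timestamps as UTC
                released = released.replace(tzinfo=timezone.utc)
            age = audited_at - released
            if age < timedelta(0):
                findings.append(FreshnessFinding(
                    name, version, "unknown",
                    "release time is after the audit time: clock skew or an edited lockfile"))
            elif age <= window:
                note = f"released {age.total_seconds() / 3600:.1f}h before audit"
                if version.startswith("dev-"):
                    # Branch aliases have no tagged release; "time" is the last commit.
                    note += "; branch alias, so this is a commit time, not a tagged release"
                findings.append(FreshnessFinding(name, version, "fresh", note))
    return findings


if __name__ == "__main__":
    for f in flag_fresh_packages(COMPOSER_LOCK, include_dev=True):
        print(f"{f.status:<8} {f.name:<22} {f.version:<9} {f.detail}")
```

A package that cannot be dated is reported rather than skipped: a missing or future timestamp is itself a signal worth a look, and silently treating it as "old" would hide exactly the case the check exists for.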
DETERMINISTIC
Socket.dev Behavioural Risk
Surfaces typosquatting, install-script abuse, malware, shell-access, hidden binaries, and unverified-author signals on every bundled dependency. Goes beyond CVE databases to catch supply-chain compromise before an advisory is filed.
DETERMINISTIC
Secret & Credential Detection
Detects 22 patterns of hardcoded API keys, database passwords, tokens, and private keys that should never be in source code.
DETERMINISTIC
PHP Compatibility Analysis
Validates your plugin against PHP 8.0 through 8.4 for deprecated functions, removed features, and breaking syntax changes.
DETERMINISTIC
PHPCS WordPress Standards
Runs PHP_CodeSniffer with the WordPress-Extra ruleset covering security sniffs, naming conventions, and best practices.
DETERMINISTIC
PHPStan Type Safety
Level 5 static analysis catching type errors, undefined variables, incorrect method calls, and logic bugs before runtime.
DETERMINISTIC
Metadata & Lifecycle Validation
Validates plugin headers, readme.txt format, hook usage, update mechanisms, and activation, deactivation, and uninstall lifecycle handling: the metadata and packaging problems that most often lead to wp.org rejections.
DETERMINISTIC
WordPress Version Compatibility
Detects deprecated WordPress functions and APIs, mapping minimum version requirements from actual code usage against declared headers.
DETERMINISTIC
WooCommerce Compatibility
Checks HPOS incompatibility, deprecated WooCommerce hooks, Checkout Block conflicts, and payment gateway compliance.
DETERMINISTIC
Plugin Conflict Detection
Identifies naming collisions, asset handle conflicts, REST API namespace clashes, and bundled library conflicts against 100+ popular plugins.
DETERMINISTIC
Hook Wiring Audit
Catches dead callbacks, callbacks registered with the wrong argument count, WordPress functions called before they are available, and duplicate hook registrations, all of which fail silently rather than raising errors.
DETERMINISTIC
Performance Anti-Patterns
Finds N+1 queries, global asset loading, uncached remote requests, missing pagination, and autoload option bloat.
DETERMINISTIC
i18n Readiness
Detects hardcoded user-facing strings, wrong text domains, concatenated translatable strings, and gettext function misuse.
DETERMINISTIC
Database Schema Audit
Validates custom table creation with dbDelta, charset/collation, indexes, and uninstall cleanup.
DETERMINISTIC
Anti-Malware Scanning
Multi-layer detection of obfuscated backdoors, nulled plugins, and data-exfiltration payloads using pattern matching and entropy analysis.
DETERMINISTIC
REST API Authorization Scanner
Detects missing or weak permission_callback on every REST endpoint, one of the most frequently exploited WordPress vulnerability classes. Flags '__return_true' wildcards, which expose the route to anonymous callers, and is_user_logged_in()-only checks, which let any account down to Subscriber through without a capability check.
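The missing and weak patterns described above, classified the way a rules-based check would do it, as an added example that is not WP HealthKit's code and makes no claim about how its scanner is implemented. The sample plugin source is constructed for the example (the acme/v1 namespace and acme_* callbacks are hypothetical); the classification follows WordPress behaviour: a route registered without permission_callback is served to anyone (WordPress 5.5 and later also logs a _doing_it_wrong notice), '__return_true' makes it public by design, and is_user_logged_in() on its own admits any account, including Subscriber.

```python
import re
from dataclasses import dataclass

# Constructed sample plugin (hypothetical acme/v1 routes, not real plugin code):
# one route for each authorisation pattern the scanner should tell apart.
SAMPLE_PLUGIN = r"""<?php
add_action( 'rest_api_init', function () {
    // 1. no permission_callback at all
    register_rest_route( 'acme/v1', '/export', array(
        'methods'  => 'GET',
        'callback' => 'acme_export',
    ) );
    // 2. wildcard: anonymous callers can change settings
    register_rest_route( 'acme/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_save_settings',
        'permission_callback' => '__return_true',
    ) );
    // 3. logged-in only: a Subscriber account passes
    register_rest_route( 'acme/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => 'acme_orders',
        'permission_callback' => function () { return is_user_logged_in(); },
    ) );
    // 4. capability check: the hardened form
    register_rest_route( 'acme/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => 'acme_reset',
        'permission_callback' => function ( $request ) {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
"""

CALL_RE = re.compile(r"register_rest_route\s*\(")
STRING_RE = re.compile(r"""(['"])(.*?)\1""")
PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*""")


def _balanced_end(text: str, start: int, stop_at_comma: bool = False) -> int:
    """Index where the balanced span starting at `start` ends, ignoring
    brackets and commas inside PHP string literals. Default: `start` is an
    opening bracket, result is its matching close. With stop_at_comma: `start`
    begins one array element's value, result is the first top-level comma or
    the bracket that closes the enclosing array."""
    depth, quote, i = 0, None, start
    while i < len(text):
        ch = text[i]
        if quote:                      # inside a PHP string literal
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth < 0 or (depth == 0 and not stop_at_comma):
                return i
        elif ch == "," and depth == 0 and stop_at_comma:
            return i
        i += 1
    raise ValueError("unbalanced PHP source")


@dataclass
class RouteFinding:
    route: str
    severity: str  # missing | public | weak | capability | review
    detail: str


def classify_permission(args: str) -> tuple[str, str]:
    """Classify the permission_callback in one register_rest_route(...) argument list."""
    m = PERM_RE.search(args)
    if not m:
        return "missing", "no permission_callback: served to anyone (WP 5.5+ logs _doing_it_wrong)"
    value = args[m.end():_balanced_end(args, m.end(), stop_at_comma=True)].strip()
    if re.fullmatch(r"""['"]__return_true['"]""", value):
        return "public", "'__return_true' exposes the route to anonymous callers"
    if "user_can(" in value:           # matches current_user_can( and user_can(
        return "capability", "capability check present"
    if "is_user_logged_in" in value:
        return "weak", "is_user_logged_in() only: any account, down to Subscriber, passes"
    return "review", f"named or array callable {value[:40]!r}: verify it checks a capability"


def scan_rest_routes(src: str) -> list[RouteFinding]:
    findings = []
    for m in CALL_RE.finditer(src):
        open_paren = m.end() - 1
        args = src[open_paren + 1:_balanced_end(src, open_paren)]
        literals = [s for _, s in STRING_RE.findall(args)]   # namespace, route, then array keys/values
        route = literals[0].strip("/") + "/" + literals[1].lstrip("/") if len(literals) >= 2 else "<unknown>"
        findings.append(RouteFinding(route, *classify_permission(args)))
    return findings


if __name__ == "__main__":
    for f in scan_rest_routes(SAMPLE_PLUGIN):
        print(f"{f.severity:<10} {f.route:<18} {f.detail}")
```

Only the `capability` class means a specific capability was actually checked; `review` is the honest answer for a named function or array callable the scanner cannot see into, which is where a manual read of that function takes over.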
DETERMINISTIC
GDPR Compliance Scanner
Flags external data transmission without explicit consent, missing wp_add_privacy_policy_content registrations, and absent personal-data export and erasure hooks (the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters) that GDPR Articles 17 (erasure) and 20 (portability) call for.
DETERMINISTIC
npm / JavaScript Dependency Scanner
OSV.dev batch CVE check across package-lock.json and yarn.lock — covers transitive JS vulnerabilities your bundle ships with.
DETERMINISTIC
Gutenberg Block Security
Validates render_callback escaping, block.json attribute safety, server-rendered block sanitization, and dynamic block output for XSS vectors.
DETERMINISTIC
Host Compatibility Scanner
Scores your plugin against 8 managed WordPress hosts — WP Engine, Kinsta, Flywheel, Cloudways, SiteGround, Pressable, GridPane, Rocket.net. Flags disallowed functions, file system writes, persistent object cache assumptions, and host-specific restrictions before you ship.
DETERMINISTIC
CRA Compliance Scanner
Checks SECURITY.md presence, Vulnerability Disclosure Policy contact details, and changelog security tagging. The EU Cyber Resilience Act's vulnerability reporting obligations apply from 11 September 2026, with the remaining obligations following on 11 December 2027.
DETERMINISTIC
Multisite Compatibility Scanner
Flags manage_options used where manage_network_options is required, and $wpdb->prefix used inside loops over get_sites() without switch_to_blog() or $wpdb->get_blog_prefix(), which silently reads or writes the current site's tables while the loop is meant to be working on another site.
DETERMINISTIC
GPL / License Compatibility
Checks Composer and npm production dependencies against the GPL-compatibility list — catches BSD-4, proprietary, and non-redistributable licenses before wp.org rejection.
DETERMINISTIC
CodeCanyon / Envato Submission
Pre-submission checks for inline JS, debug code, hardcoded URLs, missing documentation, and compressed PHP — the patterns that get marketplace submissions soft-rejected.
DETERMINISTIC
Theme Scanner
Themes only: validates style.css headers, FSE / block-theme readiness, customizer sanitization, and WooCommerce template overrides for version drift.
Security AI Engine
Deep analysis of authentication flows, authorization, input sanitization, SQL injection, XSS, CSRF, and data flow tracking.
AI ENGINE
Auth & Session Management
Analyses authentication flows and session handling for bypasses, fixation, and insecure storage patterns.
AI ENGINE
Authorization & Capabilities
Verifies capability checks, role enforcement, and privilege escalation vectors across every endpoint.
AI ENGINE
Input Validation & Escaping
Traces user input from source to sink to ensure proper sanitization and output escaping at every boundary.
AI ENGINE
SQL Injection & XSS Vectors
Detects SQL injection patterns, prepared statement gaps, and cross-site scripting vectors in rendered output.
Quality AI Engine
Evaluates architecture, maintainability, WordPress best practices, documentation, error handling, and overall code health.
AI ENGINE
Architecture & Separation
Evaluates code structure, separation of concerns, and adherence to WordPress design patterns.
AI ENGINE
Error Handling & Degradation
Checks for graceful error handling, fallbacks, and recovery patterns throughout your plugin.
AI ENGINE
Hook & Filter Patterns
Reviews hook and filter implementation for proper priority, extensibility, and WordPress API usage.
AI ENGINE
Documentation & Comments
Assesses inline documentation, PHPDoc completeness, and backward compatibility considerations.
Accessibility AI Engine
WCAG 2.1 AA compliance, ARIA usage, keyboard navigation, screen reader compatibility, and admin interface accessibility.
AI ENGINE
WCAG 2.1 AA Compliance
Analyses front-end output and admin interfaces against WCAG 2.1 AA patterns, ARIA roles, and semantic HTML.
AI ENGINE
Keyboard & Focus Management
Checks keyboard navigation support, focus trapping, visible focus indicators, and tab order correctness.
AI ENGINE
Screen Reader Support
Verifies live regions, announcements, form label associations, and error state communication for assistive tech.
AI ENGINE
Colour & Contrast
Analyses colour contrast ratios, colour-only information conveyance, and high-contrast mode support.
Theme AI Engine
Seven-phase audit: template hierarchy, child theme compatibility, FSE readiness, Customizer API, accessibility, performance, and WooCommerce overrides.
AI ENGINE
Template Hierarchy & FSE
Validates template hierarchy correctness, conditional tags, block theme readiness, and theme.json usage.
AI ENGINE
Child Theme Compatibility
Checks parent/child theme compatibility, override patterns, and pluggable function safety.
AI ENGINE
WooCommerce Overrides
Analyses WooCommerce template overrides for version compatibility and deprecated template usage.
AI ENGINE
Asset Loading & Performance
Reviews front-end asset loading, critical CSS patterns, render-blocking resources, and enqueueing best practices.
From findings to a patched ZIP — automatically
WP HealthKit doesn't just find problems — it fixes them. The Autofix Engine combines deterministic fixes with AI-generated patches, verifies every change, and produces a patched plugin ZIP ready to install.
- Deterministic fixes: PHPCBF formatting, deprecated function replacement, ABSPATH guards
- AI-generated patches: Claude generates targeted unified diffs for each finding
- Verification pipeline: PHP syntax check + PHPCS re-run before producing ZIP
- Download a patched plugin ZIP ready to install on your site
- Included with Pro (3/mo), Agency (10/mo), and Enterprise (50/mo) — or £14.99 one-off (£9.99 for Pro+)
Deterministic Fixes
PHPCBF, deprecated functions, ABSPATH guards
AI Patches
Claude-generated unified diffs per finding
Verification
PHP syntax + PHPCS re-run before ZIP
Download
Patched plugin ZIP ready to install
Companion Plugin & Site Monitoring
Install our lightweight WordPress plugin to connect your site. Get continuous security monitoring, auto-audits on plugin updates, health scores, and instant alerts.
- WordPress companion plugin for automatic syncing
- Auto re-audit when plugins update
- Site health score dashboard
- Critical finding & CVE email alerts
- WP admin dashboard widget
- Agency multi-site monitoring (up to 50 sites)
Companion Plugin
Lightweight WP plugin syncs your site automatically
Auto Re-Audit
Triggers a new audit when any plugin updates
Health Score
Real-time site health score on your dashboard
Email Alerts
Instant notifications for critical findings & CVEs
CRA & EAA compliance readiness
The EU Cyber Resilience Act (CRA) and European Accessibility Act (EAA) are introducing mandatory security and accessibility requirements for software sold in the EU. WP HealthKit helps you prepare now.
- CRA vulnerability handling requirements mapping
- Security-by-default configuration analysis
- Software Bill of Materials (SBOM) readiness
- EAA accessibility compliance baseline
- Documentation and disclosure requirements
- Agency plan includes full CRA compliance kit
CRA Deadline Approaching
The EU Cyber Resilience Act requires all products with digital elements placed on the EU market to meet mandatory cybersecurity requirements. Plugins distributed commercially, including freemium models, will need to demonstrate compliance.
WP HealthKit's Agency plan includes a CRA compliance kit with vulnerability disclosure templates, SBOM generation, and security documentation aligned to CRA requirements.
Built for Every WordPress Professional
Whether you're shipping to wp.org, building for clients, or managing a plugin portfolio — WP HealthKit fits your workflow.
Plugin Developers
Audit before every release. Catch security and code-quality issues before your users do.
Agencies
Bulk audits, white-label PDF reports, and team seats for your whole dev team.
Freelancers
Demonstrate due diligence to clients with a shareable audit report.
WooCommerce Developers
HPOS, Cart Blocks, and payment gateway-specific checks built in.
Theme Developers
FSE, customizer, and WooCommerce template override audits for themes.
wp.org Submissions
Pre-flight mode mirrors what the review team looks for before you submit.
Audit Your Plugin Free
Upload a .zip and get a thorough 49-layer audit. Queue position shown immediately. No credit card required.
Free tier includes 2 full audits per month.