AI Wrote Your Plugin. Did It Forget Security?
43% of WordPress AI integration plugins have critical security vulnerabilities. AI tools are brilliant at boilerplate — and terrible at WordPress security patterns. We check what they miss.
What AI tools consistently get wrong in WordPress plugins
AI models are trained on vast amounts of general PHP code. WordPress security requires specific patterns — nonces, capability checks, output escaping — that AI tools routinely omit because they are not enforced by PHP itself.
Missing nonce verification
```php
// AI generates this:
if (isset($_POST['action'])) {
    update_option('setting', $_POST['val']);
}

// Should be:
check_ajax_referer('my_nonce', 'nonce'); // or check_admin_referer() for a non-AJAX admin form
if (isset($_POST['action']) && current_user_can('manage_options')) {
    update_option('setting', sanitize_text_field($_POST['val']));
}
```

AI generates $_POST processing without check_ajax_referer() or wp_verify_nonce(). Every state-changing handler without nonce verification is a CSRF vulnerability: any page an administrator visits can submit the form on their behalf. A valid nonce only proves the request came from your form, so it still needs a capability check before the write.
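A complete settings form and handler showing both halves of the pattern: the nonce field emitted on the render side, and verification, capability gate and sanitisation on the handler side. This is an added example, not code from this page or from WP HealthKit; the option name myplugin_setting, the function names and the 'myplugin' text domain are illustrative.

```php
<?php
// Added example (not from the page or WP HealthKit). Option name, function
// names and text domain are illustrative.

// Render the form. wp_nonce_field() emits the hidden nonce input that the
// handler below verifies. Without it, any site a logged-in admin visits can
// submit this form on their behalf (CSRF).
function myplugin_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'myplugin' ), 403 );
    }
    $value = get_option( 'myplugin_setting', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'myplugin_save_setting', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save">
        <input type="text" name="val" value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button( __( 'Save', 'myplugin' ) ); ?>
    </form>
    <?php
}

// Handle the submission. Order matters: verify intent (nonce), authorise the
// user (capability), then sanitise the input before it is stored.
function myplugin_handle_save() {
    if ( ! isset( $_POST['action'] ) || 'myplugin_save' !== $_POST['action'] ) {
        return;
    }
    // check_admin_referer() wraps wp_verify_nonce() and dies on failure.
    check_admin_referer( 'myplugin_save_setting', 'myplugin_nonce' );

    // A valid nonce does not prove the user may change settings: any logged-in
    // user, including a subscriber, can obtain a nonce for their own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // WordPress adds slashes to request data; strip them before sanitising.
    $val = isset( $_POST['val'] ) ? sanitize_text_field( wp_unslash( $_POST['val'] ) ) : '';
    update_option( 'myplugin_setting', $val );
}
add_action( 'admin_init', 'myplugin_handle_save' );
```

The same handler shape applies to AJAX actions: swap check_admin_referer() for check_ajax_referer() and keep the capability check, because the nonce answers "did this come from my form?", not "is this user allowed to do it?".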
Unauthenticated REST endpoints
```php
// AI generates this:
register_rest_route('myplugin/v1', '/data', [
    'callback' => 'get_data',
]);

// Should be:
register_rest_route('myplugin/v1', '/data', [
    'callback'            => 'get_data',
    'permission_callback' => function() {
        return current_user_can('manage_options');
    },
]);
```

register_rest_route() without a permission_callback still registers the route and serves it to anyone; since WordPress 5.5 core raises a _doing_it_wrong notice for the omission but does not block the request. An endpoint that is meant to be public should say so explicitly with `'permission_callback' => '__return_true'`. REST API authorization issues are the #1 exploited WordPress vulnerability class.
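A fuller route registration showing the three cases a reviewer looks for: an admin-only read, a write endpoint whose arguments are validated and sanitised by schema before the callback runs, and a deliberately public endpoint declared as such. This is an added example, not code from this page or from WP HealthKit; the namespace myplugin/v1, the callback names and the option name are illustrative.

```php
<?php
// Added example (not from the page or WP HealthKit). Namespace, callback
// names and option name are illustrative.
add_action( 'rest_api_init', 'myplugin_register_routes' );

function myplugin_register_routes() {
    // Admin-only read. With cookie authentication, core validates the
    // X-WP-Nonce header before this runs, so current_user_can() sees the
    // genuine logged-in user rather than one riding a forged cross-site request.
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );

    // Write endpoint: same capability gate, plus an argument schema so the
    // value is validated and sanitised before the callback ever sees it.
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'myplugin_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'val' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );

    // Intentionally public endpoint: declare it with __return_true instead of
    // omitting permission_callback, which WordPress 5.5+ reports as
    // _doing_it_wrong while still serving the route to everyone.
    register_rest_route( 'myplugin/v1', '/status', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => '__return_true',
    ) );
}

function myplugin_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'val' => get_option( 'myplugin_setting', '' ),
    ) );
}

function myplugin_update_settings( WP_REST_Request $request ) {
    // $request['val'] has already passed validate_callback and sanitize_callback.
    update_option( 'myplugin_setting', $request['val'] );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

Calling register_rest_route() twice for the same path merges the method handlers, so GET and POST can carry different permission and argument rules. Returning a WP_Error from permission_callback instead of false lets you send a specific status code and message.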
Unescaped output
```php
// AI generates this:
echo '<p>' . $user_input . '</p>';

// Should be:
echo '<p>' . esc_html($user_input) . '</p>';

// Or for attributes:
echo '<input value="' . esc_attr($val) . '">';
```

AI outputs echo $variable where WordPress expects echo esc_html($variable). Every unescaped output is a potential XSS vector, and it is especially dangerous in admin pages, where the victim is an administrator and a stored payload can create users or install code. Pick the escaper for the context: esc_html() for text, esc_attr() for attribute values, esc_url() for href and src, and wp_kses_post() when user-supplied HTML has to be preserved.
Hardcoded credentials
```php
// AI generates this:
$api_key = 'sk-proj-abc123xyz';
$db_pass = 'MySecretPassword1!';

// Should be:
$api_key = get_option('myplugin_api_key');
// Entered by an admin on a settings page, kept out of the repository
```

API keys and passwords baked directly into plugin code ship in every copy of the plugin, in version control history, and in the public wp.org SVN. Note that get_option() returns the value as stored; wp_options holds it in plaintext unless the plugin encrypts it itself, so the gain is keeping the secret out of the source, not encryption at rest. WP HealthKit's secret detection engine catches hardcoded secrets before they reach version control or the wp.org directory.
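A secret-handling pattern that keeps the key out of the plugin source, prefers a wp-config.php constant (outside the plugin and outside git) over the option, and never echoes the stored key back into the settings page. This is an added example, not code from this page or from WP HealthKit; the constant MYPLUGIN_API_KEY, the option myplugin_api_key and the function names are illustrative.

```php
<?php
// Added example (not from the page or WP HealthKit). Constant, option and
// function names are illustrative.

// Resolve the API key at runtime, in this order:
//   1. a constant defined in wp-config.php (outside the plugin, outside git)
//   2. an option entered by an administrator on the settings page
// Nothing is hardcoded in the plugin source.
function myplugin_get_api_key() {
    if ( defined( 'MYPLUGIN_API_KEY' ) && '' !== MYPLUGIN_API_KEY ) {
        return MYPLUGIN_API_KEY;
    }
    return (string) get_option( 'myplugin_api_key', '' );
}

// Register the option with a sanitizer: an empty submission keeps the existing
// key instead of wiping it, whitespace is trimmed, and the option is never
// exposed through the REST API.
function myplugin_register_settings() {
    register_setting( 'myplugin', 'myplugin_api_key', array(
        'type'              => 'string',
        'show_in_rest'      => false,
        'sanitize_callback' => function ( $new ) {
            $new = trim( (string) $new );
            return '' === $new ? get_option( 'myplugin_api_key', '' ) : $new;
        },
    ) );
}
add_action( 'admin_init', 'myplugin_register_settings' );

// Settings field: reveal only whether a key is set, never the key itself, so
// it does not leak into page source, browser history or support screenshots.
function myplugin_render_api_key_field() {
    $has_key     = '' !== myplugin_get_api_key();
    $placeholder = $has_key ? 'Key is set; enter a new one to replace it' : 'Paste API key';
    ?>
    <input type="password" name="myplugin_api_key" value="" autocomplete="off"
           placeholder="<?php echo esc_attr( $placeholder ); ?>">
    <?php
}
```

If the constant is defined, the settings field can be disabled entirely so administrators are not confused about which value is in effect.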
What we catch that general AI reviewers miss
Asking an AI to review AI-generated code catches generic issues. WP HealthKit runs WordPress-specific engines that know what WordPress security actually requires.
current_user_can() capability checks
WP HealthKit detects capability-sensitive operations — deleting posts, modifying options, managing users — that lack a current_user_can() gate. General AI reviewers do not know which WordPress functions require capability verification.
WooCommerce payment endpoint vulnerabilities
Payment hooks, order status transitions, and checkout nonce patterns require WooCommerce-specific security knowledge. We check the exact patterns WooCommerce security researchers look for.
PHPCS scoring against WordPress Coding Standards
A 0-100 score against the WordPress-Extra PHPCS ruleset — the same standard wp.org review uses. AI tools do not run PHPCS; WP HealthKit runs it on every audit.
wp.org rejection patterns
Patterns that cause the wp.org plugin review team to reject submissions: unsafe file writes, direct database queries without $wpdb->prepare(), unsanitized $_SERVER access, and more.
SQL injection via $wpdb
AI-generated database queries frequently skip $wpdb->prepare(). WP HealthKit's deterministic engine flags every raw query that interpolates variables directly into SQL.
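The vulnerable query next to its prepared form, plus the case prepare() cannot cover: identifiers such as column names, which have to come from an allow-list. This is an added example, not code from this page or from WP HealthKit; the table myplugin_items and its columns are illustrative.

```php
<?php
// Added example (not from the page or WP HealthKit). Table and column names
// are illustrative.

// Vulnerable: $search is interpolated straight into the SQL. A value such as
//   %' OR 1=1 --
// returns every row, and UNION payloads can read other tables.
function myplugin_search_vulnerable( $search ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}myplugin_items WHERE name LIKE '%{$search}%'"
    );
}

// Hardened: a placeholder for every value, and LIKE wildcards escaped with
// esc_like() so the caller cannot smuggle in their own % or _ matching.
function myplugin_search_safe( $search, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}myplugin_items WHERE name LIKE %s ORDER BY id DESC LIMIT %d",
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Identifiers cannot be bound with %s (they would be quoted as strings), so a
// user-chosen sort column must be checked against a fixed allow-list.
function myplugin_sort_safe( $orderby ) {
    global $wpdb;
    $allowed = array( 'id', 'name', 'created_at' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    return $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}myplugin_items ORDER BY {$orderby} ASC"
    );
}
```

Interpolating $wpdb->prefix is the one interpolation the WordPress Coding Standards sniffs accept inside a query string; any other variable in the SQL is flagged. WordPress 6.2 added the %i placeholder for identifiers, which is an alternative to the allow-list for the ORDER BY case on sites running that version or later.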
56 false-positive prevention rules
WordPress functions that look dangerous but are safe in context are correctly identified as non-issues. Less noise, more signal, so you fix real problems, not phantom ones.
49 verification layers: 45 deterministic engines + 4 AI engines
56 false-positive prevention rules: signal without noise
#1 exploited vulnerability class: REST API authorization. We catch it.
How to use WP HealthKit in your AI plugin workflow
Drop it into your existing process — no config required for the first audit.
Generate your plugin with an AI tool
Use Cursor, Copilot, ChatGPT, Claude, or any AI-assisted IDE to scaffold your WordPress plugin as you normally would.
Upload the ZIP to WP HealthKit
Drag the plugin ZIP to wphealthkit.com/upload, or use the CLI: npx @wphealthkit/cli audit ./my-plugin.zip — no account required for the first 2 tokens.
Get a grade and specific findings
The 49-layer engine runs in priority order. Every finding includes the file, line number, severity, and a specific remediation — not generic advice. Queue position shown immediately.
Fix the flagged issues and re-audit
Apply fixes using WPHK's specific remediation hints — paste them into your AI tool for targeted corrections. Re-audits are 50% off on Pro and Agency plans.
Ship with a verified security grade
Attach the shareable audit report to your plugin submission, client delivery, or wp.org listing. Your plugin is audit-verified.
Catch AI-introduced vulnerabilities before they reach production
Add the WP HealthKit GitHub Action to your repository. Every pull request that touches PHP or dependency files triggers an automatic audit. Critical findings fail the build — so AI-generated security issues are caught in review, not in production.
- Audits on every PR touching PHP or dependency files
- Fail builds on critical findings automatically
- Findings posted as PR comments with line-level context
- MCP server for IDE-native audit results in Cursor or VS Code
- REST API for custom pipeline integration
```yaml
# .github/workflows/plugin-audit.yml
name: WP HealthKit Plugin Audit
on:
  pull_request:
    paths:
      - '**.php'
      - 'composer.json'
      - 'package.json'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build plugin ZIP
        run: zip -r plugin.zip . -x "*.git*" "node_modules/*"
      - name: Audit with WP HealthKit
        uses: wphealthkit/audit-action@v1
        with:
          api-key: ${{ secrets.WPHK_API_KEY }}
          plugin-zip: plugin.zip
          fail-on: critical
```

Audit your AI-generated plugin
Free, no card required. Get a comprehensive security grade across 49 verification layers — and know exactly what your AI tool missed.
Audit Your AI Plugin — Free
2 free tokens on every account — no credit card required
Get the AI plugin security checklist by email
Three short emails covering the WordPress patterns AI tools miss, the generate-audit-fix workflow, and the MCP setup.