Build WordPress Plugins with AI.
Ship them securely.
AI tools write plugin boilerplate in seconds — but they consistently miss WordPress-specific security patterns. WP HealthKit closes that gap: audit what AI produced, load our security bible as AI context, and run wp.org pre-flight checks — all inside your AI editor.
Free tier: 3 audits — no card required
What AI tools consistently get wrong in WordPress plugins
These are the patterns WP HealthKit catches that general AI tools miss — because they require WordPress-specific context, not just PHP knowledge.
AI generates register_rest_route() without permission_callback — publicly accessible endpoints by default. The #1 actively exploited WordPress vulnerability class.
AI writes AJAX handlers processing $_POST without check_ajax_referer(). Every form handler without nonce verification is open to CSRF.
AI produces echo $variable without esc_html(). Any dynamic value without escaping is a stored XSS vector.
AI uses add_option() without disabling autoload — storing large arrays that load on every single page request, slowing down the entire site.
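The four patterns above, each in its AI-generated form and its hardened form, as an added example that is not WP HealthKit code or a plugin from the WP HealthKit audit database; the plugin namespace "myplugin", the option names and the manage_options capability are assumptions.

```php
<?php
// Added example (not WP HealthKit code). Assumed: plugin namespace "myplugin",
// admin-only data gated on the manage_options capability.

// 1. REST route. As generated: no permission_callback, so the endpoint answers
//    unauthenticated requests (WordPress 5.5+ also raises a _doing_it_wrong
//    notice). Hardened: require a capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_get_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// 2. AJAX handler. As generated: processes $_POST directly (CSRF). Hardened:
//    verify the nonce created with wp_create_nonce( 'myplugin_save' ) on the
//    form side (check_ajax_referer dies with 403 on failure), then check
//    capability and sanitize before storing.
add_action( 'wp_ajax_myplugin_save', function () {
    check_ajax_referer( 'myplugin_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'myplugin_title', $title, false ); // autoload off, see #4
    wp_send_json_success();
} );

// 3. Output. As generated: echo $title; -> stored XSS if the option ever
//    holds markup. Hardened: escape at output time for the HTML-body context.
function myplugin_render_title() {
    $title = get_option( 'myplugin_title', '' );
    echo '<h2>' . esc_html( $title ) . '</h2>';
}

// 4. Options. As generated: add_option( 'myplugin_cache', $big_array );
//    autoload defaults to yes, so the array is loaded on every request.
//    Hardened: pass false as the autoload argument.
function myplugin_store_cache( array $big_array ) {
    add_option( 'myplugin_cache', $big_array, '', false );
}
```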
The AI-first plugin development workflow
WP HealthKit connects to your AI tool via MCP — auditing becomes part of the development loop, not an afterthought.
Use Cursor, Claude Code, or Copilot to scaffold your plugin. AI handles boilerplate — class structure, hooks, admin pages — in seconds.
In your AI tool: "use the WP HealthKit security bible to review my plugin". The guide is loaded as context — your AI now knows every WordPress-specific security pattern.
Upload to WP HealthKit or run: npx @wphealthkit/cli audit ./my-plugin.zip. 49 verification layers check what AI missed — REST auth, nonces, escaping, CVEs, PHPCS, PHPStan.
Get the fix prompt from your audit, paste it into Claude or Cursor, apply all fixes in one go. Re-audit to confirm they landed cleanly.
Run the preflight_wporg prompt before submitting. PASS/WARN/FAIL against every common rejection reason — ABSPATH guards, escaping, nonces, telemetry consent, licensing.
Developer guides — as AI context
Six curated reference guides available as MCP resources. Your AI tool fetches them as context when you reference them — no copy-paste.
wphk://guides/security-bible: Every WordPress security pattern — REST API auth, nonces, escaping, SQL, file uploads — with bad/good code examples. Loaded as AI context in one command.
wphk://guides/wporg-submission: The complete WordPress.org rejection checklist. Catch every common reason before you submit.
wphk://guides/performance-bible: N+1 queries, autoload bloat, transient caching, conditional asset loading. AI consistently misses all of these.
wphk://guides/woocommerce-security: HPOS compatibility, REST auth for order data, server-side amount verification, webhook signatures.
wphk://guides/block-security: Gutenberg render_callback escaping, block.json attribute safety, REST auth for block data.
wphk://stats/top-findings: The most common security findings in WordPress plugins right now — live from the WP HealthKit database.
{
  "mcpServers": {
    "wphealthkit": {
      "command": "npx",
      "args": ["-y", "@wphealthkit/mcp-server@latest"],
      "env": { "WPHK_API_KEY": "whk_live_your_key" }
    }
  }
}

Common questions
Does the MCP server require a paid plan?
The MCP server requires a Pro plan or higher. Pro starts at £29/month and includes 30 audits, API access, and the full MCP server with tools, resources, and prompts.
Can I use the security bible offline?
Yes. Five of the six MCP resources are bundled in the package and available without a network connection. Only the live top-findings resource requires an API call.
Does this work in Windsurf and other MCP-compatible editors?
Yes — any MCP-compatible AI tool works. Cursor, Claude Desktop, Claude Code, and Windsurf are all tested. The config format is identical across all of them.
How is this different from asking AI to review my code directly?
A general AI review uses training data that may be outdated. The WP HealthKit security bible is data-backed and current — based on patterns from thousands of real plugin audits. The audit also runs 45 deterministic scanners (PHPStan, PHPCS, Wordfence CVE lookup) that no AI can replicate from training data alone.
Can I automate this in CI/CD?
Yes. Use the GitHub Action (wp-healthkit/audit-action) or the REST API to audit on every PR. The CLI (npx @wphealthkit/cli) works in any CI environment.
Build WordPress plugins with AI — the right way.
Connect the MCP server in minutes. First audit is free — queue position shown immediately.