WP HealthKit
Built for plugin developers

Ship plugins you are confident about

Whether you are submitting to WordPress.org, building for clients, or maintaining a commercial plugin — WP HealthKit gives you a thorough 42-layer security audit, processed in priority order.

Why developers use WP HealthKit

WordPress.org submission

30.5% of plugin submissions get rejected. Run a pre-submission audit to catch the exact issues the review team looks for — security flaws, coding standards violations, and compatibility problems.

During development

Integrate audits into your development workflow. Catch vulnerabilities, type errors, and standards issues as you build. Run autofix to download a patched ZIP with fixes applied automatically — then deploy with confidence.

Client delivery

Deliver plugins with a professional audit report attached. Show clients you take security seriously with documented verification across 42 layers.

What the audit covers

Every audit runs your plugin through 42 verification layers — 38 deterministic engines and 4 AI-powered engines.

  • Wordfence CVE database (deterministic): cross-references every dependency against known vulnerabilities
  • Secret detection (deterministic): scans for hardcoded API keys, passwords, tokens, and credentials
  • PHP compatibility (deterministic): checks code against PHP 8.0 through 8.4 for deprecated functions and breaking changes
  • PHPCS standards (deterministic): WordPress-Extra ruleset scoring for coding standards compliance
  • PHPStan type safety (deterministic): static analysis at Level 5 for type errors and logic bugs
  • Metadata & lifecycle (deterministic): validates plugin headers, readme.txt, hooks usage, and update mechanisms
  • AI security engine (AI-powered): deep analysis of authentication, authorization, input handling, and data flow
  • AI quality engine (AI-powered): code architecture, maintainability, WordPress best practices, and documentation
  • AI accessibility engine (AI-powered): WCAG compliance, ARIA usage, keyboard navigation, and screen reader support
  • AI performance engine (AI-powered): database query efficiency, caching patterns, asset loading, and memory usage

Open Source Program

Building a free, open-source plugin?

If your plugin is 100% free, GPL-licensed, listed on WordPress.org, and has 100+ active installs, you qualify for free Pro-tier audits through our Open Source Program. Same 42-layer engine, completely free.

Plans for every stage

Pay as you go

£4.99 per token

Perfect for one-off submissions or trying WP HealthKit on a real project.

  • Full 49-layer audit
  • PDF report with fixes
  • 1 AI fix prompt
  • Priority processing

Pro

£29 per month

For active developers building and maintaining multiple plugins.

  • 30 tokens per month
  • Unlimited AI fix prompts
  • 3 autofix patched ZIPs/mo
  • Dashboard & trends
  • API access
  • Re-audit at 50% off

Agency

£149 per month

For teams and agencies shipping WordPress at scale.

  • 200 audits/mo
  • White-label reports
  • 5 team seats
  • Bulk API
  • GitHub Actions
  • CRA compliance kit

Every account starts with 3 free audits. No credit card required.

Developer questions answered

I already use PHPStan in CI — why do I need WP HealthKit?

PHPStan catches PHP type errors. WP HealthKit catches WordPress security errors. PHPStan does not know that wp_verify_nonce() must be called before processing $_POST data, or that $wpdb->prepare() must be used for direct queries. WP HealthKit is WordPress-aware; PHPStan is PHP-aware. They are complementary, and WP HealthKit runs PHPStan internally as one of its 45 deterministic engines.
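The two WordPress-specific checks named above, shown as an added illustration that is not WP HealthKit's own code: a hypothetical admin-post handler that processes $_POST without a nonce and interpolates input into a query, beside the same handler with wp_verify_nonce(), a capability check, and $wpdb->prepare(). Table and action names (demo_notes, demo_save_note) are invented for the example.

```php
<?php
// Added illustration; hypothetical plugin handler, not code from WP HealthKit.

// BEFORE: no nonce check, no capability check, raw $_POST value interpolated into SQL.
// PHPStan sees valid PHP here; the defects are WordPress-specific.
function demo_save_note_unsafe() {
    global $wpdb;
    $note = $_POST['note'];
    $wpdb->query( "UPDATE {$wpdb->prefix}demo_notes SET note = '$note' WHERE user_id = " . get_current_user_id() );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// AFTER: verify the nonce and the user's capability before touching $_POST,
// sanitize the input, and bind every value through $wpdb->prepare().
function demo_save_note_safe() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce for this specific action (CSRF protection).
    $nonce = isset( $_POST['demo_note_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_note_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_save_note' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // A nonce proves intent, not authorization; check the capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );

    // %s and %d placeholders are escaped by prepare(); the table name comes from the trusted $wpdb->prefix.
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->prefix}demo_notes SET note = %s WHERE user_id = %d",
            $note,
            get_current_user_id()
        )
    );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_save_note_safe' );

// The submitting form must emit the matching nonce field, or every request is rejected.
function demo_note_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_note', 'demo_note_nonce' );
    echo '<input type="hidden" name="action" value="demo_save_note">';
    echo '<textarea name="note"></textarea><button type="submit">Save</button></form>';
}
```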

Does a passing audit guarantee my plugin will be accepted by wp.org?

No — the WordPress review team makes the final call, and they may flag issues beyond what automated tools check. But WP HealthKit catches the most common rejection reasons. Auditing before submitting significantly reduces the chance of rejection on security and standards grounds.

How does the free tier work?

Every account gets 2 free tokens — no credit card required. Each audit runs the full 49-layer engine. After 2 tokens, you can purchase single audits for £4.99 or upgrade to Pro for 30 tokens per month.

Can I automate audits in my CI/CD pipeline?

Yes. The CLI (npx @wphealthkit/cli) and REST API both support automation. Trigger audits, poll for results, and fail CI builds on critical findings — all without leaving your terminal or pipeline.

What file formats does WP HealthKit accept?

Plugin ZIP files, or a wp.org slug. The ZIP should be the standard plugin package — the same file you would upload to wp.org. Maximum file size is 50MB.

Does the open-source program cover commercial plugins with a GPL license?

The program covers plugins that are genuinely open source — publicly hosted on GitHub, GitLab, or WordPress.org with a GPL-compatible license. Commercially-licensed plugins or closed-source plugins with a GPL shell do not qualify.

Your plugin deserves a proper audit

Upload your plugin ZIP and get a thorough 42-layer security audit. Queue position shown immediately. Your first 3 audits are free.

Upload Your Plugin

No credit card required · Full 42-layer audit · Priority queue for Agency and Enterprise

WP HealthKit for Plugin Developers — Security Audits | WP HealthKit