Ship plugins you are confident about
Whether you are submitting to WordPress.org, building for clients, or maintaining a commercial plugin — WP HealthKit gives you a thorough 42-layer security audit, processed in priority order.
Why developers use WP HealthKit
WordPress.org submission
30.5% of plugin submissions get rejected. Run a pre-submission audit to catch the exact issues the review team looks for — security flaws, coding standards violations, and compatibility problems.
During development
Integrate audits into your development workflow. Catch vulnerabilities, type errors, and standards issues as you build. Run autofix to download a patched ZIP with fixes applied automatically — then deploy with confidence.
Client delivery
Deliver plugins with a professional audit report attached. Show clients you take security seriously with documented verification across 42 layers.
What the audit covers
Every audit runs your plugin through 42 verification layers — 38 deterministic engines and 4 AI-powered engines.
Wordfence CVE database
Deterministic: Cross-references every dependency against known vulnerabilities
Secret detection
Deterministic: Scans for hardcoded API keys, passwords, tokens, and credentials
PHP compatibility
Deterministic: Checks code against PHP 8.0 through 8.4 for deprecated functions and breaking changes
PHPCS standards
Deterministic: WordPress-Extra ruleset scoring for coding standards compliance
PHPStan type safety
Deterministic: Static analysis at Level 5 for type errors and logic bugs
Metadata & lifecycle
Deterministic: Validates plugin headers, readme.txt, hooks usage, and update mechanisms
AI security engine
AI-powered: Deep analysis of authentication, authorization, input handling, and data flow
AI quality engine
AI-powered: Code architecture, maintainability, WordPress best practices, and documentation
AI accessibility engine
AI-powered: WCAG compliance, ARIA usage, keyboard navigation, and screen reader support
AI performance engine
AI-powered: Database query efficiency, caching patterns, asset loading, and memory usage
Building a free, open-source plugin?
If your plugin is 100% free, GPL-licensed, listed on WordPress.org, and has 100+ active installs, you qualify for free Pro-tier audits through our Open Source Program. Same 42-layer engine, completely free.
Plans for every stage
Pay as you go
£4.99 per token
Perfect for one-off submissions or trying WP HealthKit on a real project.
- Full 49-layer audit
- PDF report with fixes
- 1 AI fix prompt
- Priority processing
Pro
£29 per month
For active developers building and maintaining multiple plugins.
- 30 tokens per month
- Unlimited AI fix prompts
- 3 autofix patched ZIPs/mo
- Dashboard & trends
- API access
- Re-audit at 50% off
Agency
£149 per month
For teams and agencies shipping WordPress at scale.
- 200 audits/mo
- White-label reports
- 5 team seats
- Bulk API
- GitHub Actions
- CRA compliance kit
Every account starts with 3 free audits. No credit card required.
Developer questions answered
I already use PHPStan in CI — why do I need WP HealthKit?
PHPStan catches PHP type errors. WP HealthKit catches WordPress security errors. PHPStan does not know that wp_verify_nonce() must be called before processing $_POST data, or that $wpdb->prepare() must be used for direct queries. WP HealthKit is WordPress-aware; PHPStan is PHP-aware. They are complementary, and WP HealthKit runs PHPStan internally as one of its 45 deterministic engines.
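To make the two WordPress-specific checks named above concrete, here is an added example (not WP HealthKit's code or rule set) of a hypothetical admin form handler in the form a plain PHP type checker accepts without complaint, followed by the corrected form. The nonce action, capability, option page and table name are invented for illustration.

```php
<?php
// Added example, not WP HealthKit code. Hypothetical admin-post handler
// that stores a note for a user. Hook name, nonce action, table name and
// menu slug are made up for this illustration.

// BEFORE: type-correct PHP that a WordPress-aware audit would flag.
// No nonce, no capability check, raw $_POST, SQL built by interpolation.
function hk_example_save_note_unsafe() {
    global $wpdb;
    $user_id = $_POST['user_id'];
    $note    = $_POST['note'];
    $wpdb->query( "UPDATE {$wpdb->prefix}hk_notes SET note = '$note' WHERE user_id = $user_id" );
    wp_safe_redirect( admin_url( 'admin.php?page=hk-notes' ) );
    exit;
}

// AFTER: the same handler with the checks WordPress expects.
// The matching form must emit wp_nonce_field( 'hk_save_note', 'hk_notes_nonce' ).
function hk_example_save_note_safe() {
    global $wpdb;

    // 1. Verify the nonce before touching any $_POST data.
    $nonce = isset( $_POST['hk_notes_nonce'] ) ? $_POST['hk_notes_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'hk_save_note' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // 2. A nonce proves intent, not permission: check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 3. Validate and sanitize every field before use.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $note    = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( 0 === $user_id ) {
        wp_die( 'Missing user.', 400 );
    }
    // 4. Parameterize the direct query with $wpdb->prepare(). The table
    //    name is not user data and may be interpolated; the values may not.
    $table = $wpdb->prefix . 'hk_notes';
    $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET note = %s WHERE user_id = %d", $note, $user_id )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=hk-notes' ) );
    exit;
}
add_action( 'admin_post_hk_save_note', 'hk_example_save_note_safe' );
```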
Does a passing audit guarantee my plugin will be accepted by wp.org?
No — the WordPress review team makes the final call, and they may flag issues beyond what automated tools check. But WP HealthKit catches the most common rejection reasons. Auditing before submitting significantly reduces the chance of rejection on security and standards grounds.
How does the free tier work?
Every account gets 2 free tokens — no credit card required. Each audit runs the full 49-layer engine. After 2 tokens, you can purchase single audits for £4.99 or upgrade to Pro for 30 tokens per month.
Can I automate audits in my CI/CD pipeline?
Yes. The CLI (npx @wphealthkit/cli) and REST API both support automation. Trigger audits, poll for results, and fail CI builds on critical findings — all without leaving your terminal or pipeline.
What file formats does WP HealthKit accept?
Plugin ZIP files, or a wp.org slug. The ZIP should be the standard plugin package — the same file you would upload to wp.org. Maximum file size is 50 MB.
Does the open-source program cover commercial plugins with a GPL license?
The program covers plugins that are genuinely open source — publicly hosted on GitHub, GitLab, or WordPress.org with a GPL-compatible license. Commercially licensed plugins or closed-source plugins with a GPL shell do not qualify.
Your plugin deserves a proper audit
Upload your plugin ZIP and get a thorough 42-layer security audit. Queue position shown immediately. Your first 3 audits are free.
Upload Your Plugin
No credit card required · Full 42-layer audit · Priority queue for Agency and Enterprise