WP HealthKit
For theme developers

Ship themes that pass theme review

WordPress themes are more than design — they execute PHP, process user inputs, and render database content. WP HealthKit audits your theme's PHP code for security vulnerabilities, accessibility issues, and wp.org theme review requirements.

30%+ rejections

Submissions rejected by wp.org

46 verification layers

Security, quality & accessibility

Free for open source

GPL-licensed themes qualify

Themes aren't just CSS — they're PHP running on every page load

A WordPress theme runs PHP on every page request. It processes query variables, handles template selection, renders user-generated content, and often registers custom shortcodes, widgets, and REST endpoints. Vulnerabilities in a theme — stored XSS in a custom widget, SQL injection in a theme option, missing capability checks on an AJAX handler — affect every user of every site running it. The WordPress theme review team rejects a significant portion of submissions for exactly these issues. WP HealthKit audits your theme's PHP code with the same 46-layer engine used for plugins.

How theme developers use WP HealthKit

Pre-submission audit

Run a full audit before submitting to wp.org's Theme Review Team. Catch escaping issues, improper function prefixing, and security patterns that get submissions rejected.

Block theme FSE compatibility

Checks Full Site Editing patterns, block template usage, and theme.json configuration for common compatibility issues in block themes.

WCAG accessibility

AI accessibility engine reviews frontend output patterns, ARIA usage in PHP-rendered HTML, keyboard navigation in custom components, and colour contrast in dynamically-applied styles.

Customizer and settings security

Audits Customizer controls and theme options for missing sanitization callbacks, improper capability checks, and insecure data handling.

Template security

Reviews all template files for unescaped output, direct database queries, and missing nonce verification on form submissions.

PHP escaping completeness

Checks every output in your theme against WordPress escaping functions: esc_html(), esc_attr(), esc_url(), wp_kses_post(). Flags any unescaped dynamic output.

What the theme audit covers

  • Escaping completeness across all template output
  • Function and hook prefixing (prevent plugin conflicts)
  • Customizer sanitization callback coverage
  • Block theme and FSE compatibility patterns
  • Theme option capability checks
  • AJAX handler nonce verification in theme code
  • WCAG 2.1 AA accessibility (AI-powered)
  • wp.org theme review requirement checks
  • PHP 8.0–8.4 compatibility
  • PHPCS WordPress theme coding standards
  • PHPStan Level 5 type safety
  • Secret and credential detection in theme files

Open Source Program

Free audits for GPL themes

GPL-licensed themes hosted on WordPress.org or GitHub qualify for WP HealthKit's open-source program — the same 46-layer engine, free.

Pricing for theme developers

Single

£4.99/audit

Perfect for testing before submission.

  • Full 46-layer audit
  • PDF report with fixes
  • 1 AI fix prompt
  • Priority processing

Pro

£29/month

For active theme developers.

  • 30 tokens per month
  • Unlimited AI fix prompts
  • 3 autofix patched ZIPs/mo
  • Dashboard & trends
  • API access
  • Re-audit at 50% off

Agency

£149/month

For teams building at scale.

  • 200 audits per month
  • White-label reports
  • 5 team seats
  • Bulk audit API
  • GitHub Actions integration
  • Multi-site monitoring

Audit your theme before it ships

Catch escaping issues, accessibility problems, and security vulnerabilities before the review team does.