Skip to main content
WP HealthKit
30.5% of submissions get rejected

Pass WordPress.org Plugin Review on the first try

The WordPress.org review team rejects nearly 1 in 3 plugin submissions. Most rejections are for issues a pre-submission audit would have caught. WP HealthKit scans your plugin with 49 verification layers before you submit.

30.5%
submissions rejected
30
verification layers
< 5 min
Agency queue start

What Plugin Check misses, WP HealthKit catches

The official Plugin Check tool covers basics. WP HealthKit goes deeper with the same checks the review team actually looks for.

Plugin Check (PCP)

  • Basic PHPCS sniffs
  • Readme.txt validation
  • File type checks
  • Limited security patterns
  • No CVE database check
  • No AI analysis

WP HealthKit

  • Full PHPCS with WordPress-Extra ruleset
  • PHPStan Level 5 type safety
  • Wordfence CVE database cross-reference
  • Secret & credential detection
  • PHP 8.0-8.4 compatibility analysis
  • 4 AI engines: security, quality, accessibility, performance
  • Metadata & lifecycle validation
  • PDF report with exact code fix suggestions

Five steps to a clean submission

01

Upload your ZIP

The same ZIP you would submit to WordPress.org

02

49-layer scan

Queue position shown immediately. Wordfence CVEs, PHPCS, PHPStan, secrets, PHP compat, AI engines — processed in order.

03

Get your report

Actionable findings with exact code fix suggestions, ready when processing completes.

04

Autofix

Run autofix to automatically resolve coding standards and deprecated function issues — download the patched ZIP

05

Submit with confidence

Re-audit if needed, then submit knowing issues are resolved

Real rejection reasons we catch

These are actual rejection reasons from WordPress.org plugin reviews — and the WP HealthKit engine that flags them before submission.

Calling file operations without nonce verification

Caught by: AI Security Engine

Direct database queries without prepare()

Caught by: PHPCS + AI Security

Hardcoded API keys in source code

Caught by: Secret Detection

Using deprecated WordPress functions

Caught by: PHP Compatibility

Missing sanitization on $_POST/$_GET inputs

Caught by: AI Security Engine

Incorrect text domain or missing translations

Caught by: PHPCS Standards

Enqueuing scripts without proper dependencies

Caught by: AI Quality Engine

Missing capability checks on admin actions

Caught by: AI Security Engine

Catch issues before the review team does

30.5%
of submissions rejected by wp.org
30
verification layers in every audit
< 5 min
Agency priority queue start

Submission questions answered

How long does an audit take?

Audits are queued and processed in priority order. Pro plan jobs start within 15 minutes; Agency within 5 minutes; Enterprise within 2 minutes. Free tier runs in the background queue (under 60 minutes). The 49-layer engine runs deterministic checks in parallel, then processes the 4 AI engines.

Does passing a WP HealthKit audit guarantee acceptance by WordPress.org?

No — the review team makes the final decision, and they occasionally flag issues automated engines do not cover. However, WP HealthKit catches the most common rejection reasons, and developers who audit first have a significantly higher first-submission acceptance rate.

What is the difference between WP HealthKit and the official Plugin Check tool?

Plugin Check (PCP) is WordPress.org's official compliance checker — mandatory and free. WP HealthKit goes 10x deeper: CVE database cross-referencing, AI security analysis, PHP 8.x compatibility, GDPR checks, and accessibility auditing. Use both: Plugin Check for directory compliance, WP HealthKit for comprehensive security.

My plugin passed Plugin Check but was still rejected — can WP HealthKit help?

Yes. Most rejections that happen despite passing Plugin Check are for issues that rule-based tools miss: insecure direct object references, logic-level CSRF vulnerabilities, missing capability checks on AJAX handlers. These are exactly what WP HealthKit's AI engines detect.

Is the first audit really free?

Yes — every account gets 2 free tokens with the full 49-layer engine. No credit card required. Re-audits are 50% off on Pro and above, so fixing and re-checking is affordable.

Can I use WP HealthKit for theme submissions too?

Yes. WP HealthKit's engine audits both plugins and themes. The same PHPCS, PHPStan, secret detection, and AI engines apply. Theme-specific checks including escaping completeness, Customizer sanitization, and FSE compatibility are included.

Submit with confidence

Run a full 49-layer audit before you submit to WordPress.org. 2 free tokens — no card required.

Upload Your Plugin

No credit card required · Full 49-layer audit · Queue position shown immediately

Pass WordPress.org Plugin Review — Security Audit | WP HealthKit