WordPress Monthly Health Status
March 2026
Aggregated, anonymised data from public audits during March 2026.
All-time totals
Aggregate snapshot across every public audit we have logged.
37
Plugins Audited
697
Total Findings Logged
authentication
Most Flagged Category
-
Most Improved Month
March 2026
Headline stats for the selected month.
8
Total Audits
3
Critical Findings
accessibility
Most Common Category
-
Average Risk Grade
Category trend
Top 5 categories — March 2026 vs February 2026.
- accessibility+16March16February0
- php compatibility+11March11February0
- coding standards+10March10February0
- authentication+10March10February0
- lifecycle+7March7February0
Top 10 Finding Categories
Where WordPress plugins struggled the most this month.
- 1accessibility16 (14.8%)
- 2php compatibility11 (10.2%)
- 3coding standards10 (9.3%)
- 4authentication10 (9.3%)
- 5lifecycle7 (6.5%)
- 6performance6 (5.6%)
- 7csrf6 (5.6%)
- 8xss6 (5.6%)
- 9php compat6 (5.6%)
- 10wp compatibility5 (4.6%)
Top 10 Plugins by Findings
Plugins with the most findings logged across all time.
| # | Plugin | Findings | Top Category | Last Audit |
|---|---|---|---|---|
| 1 | regenerate-thumbnails | 57 | type safety | April 2026 |
| 2 | wp-super-cache | 42 | csrf | April 2026 |
| 3 | bbg-confetti-preloader | 37 | accessibility | March 2026 |
| 4 | wps-hide-login | 36 | i18n | April 2026 |
| 5 | coming-soon | 35 | authentication | April 2026 |
| 6 | swft-digital | 31 | type safety | April 2026 |
| 7 | swft-license | 28 | performance | April 2026 |
| 8 | classic-widgets | 28 | lifecycle | April 2026 |
| 9 | swft-funnels | 27 | lifecycle | April 2026 |
| 10 | so-widgets-bundle | 20 | authentication | April 2026 |
Top 10 Most Common Findings
Specific issues that appeared most often across audits this month.
| # | Finding | Severity | Category | Count |
|---|---|---|---|---|
| 1 | PHP Version Mismatch: Declared vs Required | HIGH | php compatibility | 5 |
| 2 | PHP 8.0+ Required: Named arguments | HIGH | php compatibility | 4 |
| 3 | Deprecated: get_settings() (since WP 2.1) | HIGH | wp compatibility | 1 |
| 4 | Version mismatch: declares WP 4.9+ but uses WP 5.0+ functions | HIGH | wp compatibility | 1 |
| 5 | Deprecated: block_editor_settings filter (since WP 5.9) | MEDIUM | wp compatibility | 1 |
| 6 | Missing 'Tested up to' header | MEDIUM | wp compatibility | 1 |
| 7 | Direct superglobal access without sanitization wrapper | LOW | coding standards | 1 |
| 8 | Direct superglobal access pattern | LOW | coding standards | 1 |
| 9 | Direct superglobal access in multiple locations | LOW | coding standards | 1 |
| 10 | Direct superglobal access in get_edit_post_link | LOW | coding standards | 1 |
Severity Breakdown
How findings broke down across severity levels.
Grade Distribution
How audits scored across the WP HealthKit grading system.
Want to know how your plugin scores?
Run a free security audit and see how your plugin compares to the March 2026 averages.