WordPress Monthly Health Status
April 2026
Aggregated, anonymised data from public audits during April 2026.
All-time totals
Aggregate snapshot across every public audit we have logged.
- Plugins Audited: 37
- Total Findings Logged: 697
- Most Flagged Category: authentication
- Most Improved Month: -
April 2026
Headline stats for the selected month.
- Total Audits: 42
- Critical Findings: 151
- Most Common Category: authentication
- Average Risk Grade: D
Category trend
Top 5 categories — April 2026 vs March 2026.
- authentication: +69 (April 79, March 10)
- php compatibility: +38 (April 49, March 11)
- csrf: +42 (April 48, March 6)
- xss: +42 (April 48, March 6)
- lifecycle: +41 (April 48, March 7)
Top 10 Finding Categories
Where WordPress plugins struggled the most this month.
1. authentication: 79 (13.4%)
2. php compatibility: 49 (8.3%)
3. csrf: 48 (8.1%)
4. xss: 48 (8.1%)
5. lifecycle: 48 (8.1%)
6. type safety: 47 (8%)
7. file security: 41 (7%)
8. sqli: 36 (6.1%)
9. accessibility: 31 (5.3%)
10. php compat: 19 (3.2%)
Top 10 Plugins by Findings
Plugins with the most findings logged across all time.
| # | Plugin | Findings | Top Category | Last Audit |
|---|---|---|---|---|
| 1 | regenerate-thumbnails | 57 | type safety | April 2026 |
| 2 | wp-super-cache | 42 | csrf | April 2026 |
| 3 | bbg-confetti-preloader | 37 | accessibility | March 2026 |
| 4 | wps-hide-login | 36 | i18n | April 2026 |
| 5 | coming-soon | 35 | authentication | April 2026 |
| 6 | swft-digital | 31 | type safety | April 2026 |
| 7 | swft-license | 28 | performance | April 2026 |
| 8 | classic-widgets | 28 | lifecycle | April 2026 |
| 9 | swft-funnels | 27 | lifecycle | April 2026 |
| 10 | so-widgets-bundle | 20 | authentication | April 2026 |
Top 10 Most Common Findings
Specific issues that appeared most often across audits this month.
| # | Finding | Severity | Category | Count |
|---|---|---|---|---|
| 1 | PHP 8.0+ Required: Named arguments | HIGH | php compatibility | 26 |
| 2 | PHP Version Mismatch: Declared vs Required | HIGH | php compatibility | 21 |
| 3 | Missing Nonce Verification on AJAX Handler | CRITICAL | csrf | 6 |
| 4 | No plugin files provided for audit | HIGH | lifecycle | 5 |
| 5 | Missing text domain in __() call | HIGH | i18n | 5 |
| 6 | N+1 query: get_post_meta() inside foreach loop | HIGH | performance | 4 |
| 7 | Cannot assess GDPR compliance | HIGH | privacy | 3 |
| 8 | Function wc_get_products not found. | MEDIUM | type safety | 3 |
| 9 | Function wc_get_product not found. | MEDIUM | type safety | 3 |
| 10 | Missing nonce verification in AJAX handler | CRITICAL | authentication | 3 |
Severity Breakdown
How findings broke down across severity levels.
Grade Distribution
How audits scored across the WP HealthKit grading system.