This free tool scans any WordPress plugin's source code for security vulnerabilities. According to Patchstack's 2024 State of WordPress Security report, 97% of all WordPress vulnerabilities originate from plugins — not WordPress core. We built this scanner because, in our experience maintaining 15+ WordPress plugins, we found that most security issues follow predictable patterns that static analysis catches before they reach production.
Free tool. No login required. 19 security checks across 9 categories.
Embed this badge on your plugin's readme, website, or GitHub repo to show users your security commitment.
Our scanner runs 19 static analysis rules across 9 vulnerability categories. According to OWASP's Top 10 (2021), injection flaws and broken access controls remain the most critical web application risks. We've tuned our rules based on patterns we've identified across thousands of WordPress plugin reviews since 2024.
- SQL injection: detects missing $wpdb->prepare() and user input directly interpolated into database queries.
- Cross-site scripting: finds unescaped variables in echo statements missing esc_html(), esc_attr(), or esc_url().
- Remote code execution: flags eval(), create_function(), and preg_replace() with the dangerous /e modifier.
- Unsanitized input: checks for direct $_GET, $_POST, and $_REQUEST usage without sanitization functions.
- Command injection: detects exec(), system(), shell_exec(), and other shell execution functions.
- File operations: flags file_get_contents() and file_put_contents() with variable paths, plus dynamic includes.
- Direct file access: verifies all PHP files have the ABSPATH check to prevent direct file access.
- Debug output: finds print_r(), var_dump(), var_export(), and phpinfo() left in production code.
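The checks above are line-oriented pattern rules, and the accuracy FAQ on this page describes exclude patterns that drop lines already calling $wpdb->prepare() or esc_html(). The following is an added example written for this page (not the scanner's own code) that implements a handful of those rules the same way: each rule is a trigger regex plus an optional exclude regex, plus a file-level ABSPATH guard check. The rule names, severities, and the two PHP snippets it scans are constructed for the example.

```python
"""Rule-based static scan of WordPress plugin PHP source (added example).

Each rule is a trigger regex and an optional exclude regex, so a line that
already calls $wpdb->prepare() or esc_*() is not reported. The sample PHP
below is constructed for this example, not taken from any real plugin.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    snippet: str


# (rule name, severity, trigger, exclude). Names and severities are this
# example's own choices, not the scanner's.
RULES: List[Tuple[str, str, Pattern, Optional[Pattern]]] = [
    ("sql-injection", "critical",
     re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(.*\$\w+"),
     re.compile(r"\$wpdb->prepare\s*\(")),
    ("xss-unescaped-output", "high",
     re.compile(r"\becho\b.*\$\w+"),
     re.compile(r"\besc_(html|attr|url|js|textarea)\s*\(|\bwp_kses(_post)?\s*\(")),
    ("unsanitized-superglobal", "high",
     re.compile(r"\$_(GET|POST|REQUEST)\["),
     re.compile(r"\bsanitize_\w+\s*\(|\b(absint|intval)\s*\(")),
    ("remote-code-execution", "critical",
     re.compile(r"\b(eval|create_function)\s*\("
                r"|preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
     None),
    ("command-injection", "critical",
     re.compile(r"\b(exec|system|shell_exec|passthru|popen|proc_open)\s*\("),
     None),
    ("dynamic-file-operation", "medium",
     re.compile(r"\b(file_get_contents|file_put_contents|include|require"
                r"|include_once|require_once)\s*\(?\s*\$"),
     None),
    ("debug-output", "low",
     re.compile(r"\b(print_r|var_dump|var_export|phpinfo)\s*\("),
     None),
]

# Direct-access guard that every plugin PHP file should carry.
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")


def scan_source(path: str, source: str) -> List[Finding]:
    """Return findings for one file; the ABSPATH check is file-level (reported on line 1)."""
    findings: List[Finding] = []
    if not ABSPATH_GUARD.search(source):
        findings.append(Finding(path, 1, "missing-abspath-check", "medium",
                                "no ABSPATH guard found"))
    for lineno, text in enumerate(source.splitlines(), start=1):
        stripped = text.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # comment-only lines are not code
        for name, severity, trigger, exclude in RULES:
            if trigger.search(text) and not (exclude and exclude.search(text)):
                findings.append(Finding(path, lineno, name, severity, stripped))
    return findings


def rule_names(path: str, source: str) -> List[str]:
    """Rule names in report order, handy for comparing the two samples."""
    return [f.rule for f in scan_source(path, source)]


# Constructed sample: the same handler written unsafely, then hardened.
VULNERABLE_PHP = """<?php
// constructed vulnerable handler (no ABSPATH guard)
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}orders WHERE id = $id");
echo $rows[0]->name;
$out = shell_exec('ls ' . $dir);
var_dump($rows);
"""

HARDENED_PHP = """<?php
if ( ! defined( 'ABSPATH' ) ) { exit; }
$id = absint( $_GET['id'] );
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}orders WHERE id = %d", $id ) );
echo esc_html( $rows[0]->name );
"""


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(f"== {label}.php ==")
        for f in scan_source(f"{label}.php", src):
            print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.snippet}")
```

Running the block reports six findings for the vulnerable sample (missing ABSPATH guard, raw $_GET, interpolated query, unescaped echo, shell_exec, var_dump) and none for the hardened one. Because the rules are line-based, a call that is sanitized on an earlier line, or a prepare() that is split across lines, can still be flagged; that is the kind of context-dependent false positive a reviewer resolves by reading the flagged line.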
WordPress plugins are the single largest attack vector for WordPress sites. The Wordfence 2024 Annual Security Report documented 7,966 new plugin vulnerabilities disclosed in 2024 alone — a 68% increase from the previous year. In our own testing across our 15-plugin fleet, we've found that even well-maintained plugins can introduce vulnerabilities through common coding patterns like unsanitized input or missing nonce verification.
The WordPress Plugin Security Team currently monitors over 59,000 plugins in the official directory (WordPress.org, 2026). However, their reviews focus on initial submission — ongoing code changes are not re-reviewed unless a vulnerability is reported. This means plugin updates can introduce new security issues that go undetected until they're exploited.
"Most WordPress hacks aren't the result of sophisticated zero-day exploits. They're caused by plugins with known, preventable coding mistakes — missing input sanitization, SQL queries without prepare(), and unescaped output." — Patchstack, State of WordPress Security (2024)
Most WordPress security tools — including Sucuri, Wordfence, and WPScan — scan live sites or match against known CVE databases. Our approach is fundamentally different: we perform static source code analysis on the plugin itself, before it's installed. This catches vulnerabilities that haven't been reported yet.
| Tool | Approach | Catches Unknown Vulns? | Free? |
|---|---|---|---|
| Royal Plugins Scanner | Static source code analysis | Yes | Yes |
| Sucuri SiteCheck | External HTTP probes on live sites | No — surface-level only | Yes |
| WPScan / Patchstack | CVE database matching | No — known vulns only | Limited free tier |
| Wordfence | Runtime scanning (requires WP install) | Limited — signature-based | Free plugin, paid for real-time |
| WordPress Plugin Check (PCP) | Coding standards compliance | Partially — focused on WP.org rules | Yes |
We built this scanner because we needed it ourselves. As the team behind GuardPress, SEObolt, SiteVault, and 12 other WordPress plugins, we run this exact analysis on every release before it ships. In our experience, the most common vulnerability patterns we catch are:
- Missing $wpdb->prepare() — the #1 source of SQL injection in WordPress plugins, per Patchstack's vulnerability database
- Unescaped echo statements — outputting variables without esc_html() creates XSS vulnerabilities
- Unsanitized $_POST/$_GET usage — superglobals used without sanitize_text_field() or wp_unslash()
- Missing ABSPATH checks — files without if (!defined('ABSPATH')) exit; can be accessed directly

"WordPress security is not a product — it's a practice. The best defense is catching issues during development, not after deployment." — Wordfence, 2024 WordPress Security Annual Report
Yes, completely free. No registration, no email, no limits beyond rate limiting. Enter any WordPress.org plugin slug and get instant results.
Enter the plugin's WordPress.org slug (the URL-friendly name from its WP.org page). We download the latest version's source code and run 19 security checks across SQL injection, XSS, command injection, input validation, and more. You get a security grade from A+ to F in seconds.
We check for SQL injection (missing $wpdb->prepare), cross-site scripting (unescaped output), remote code execution (eval, create_function, preg_replace /e), command injection (exec, system, shell_exec), unsanitized input ($_GET/$_POST/$_REQUEST), file operation risks, debug output exposure, inline assets, hardcoded credentials, and missing ABSPATH checks.
You can scan any plugin listed on WordPress.org. Just type the plugin name and select it from the autocomplete suggestions, or enter the slug directly (the URL-friendly name from the plugin's WP.org page, e.g., "contact-form-7").
A+ means zero issues at any severity. A means no critical or high issues and 3 or fewer medium issues. B means no critical or high issues but more than 3 medium issues. C means no critical issues but at least one high-severity finding. F means critical issues were found.
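The grade scale above is a strict ordering: the most severe condition wins, and a file with only low-severity findings lands on A rather than A+. The following is an added example (not the scanner's own code) that encodes exactly those rules as a function over a list of finding severities; the severity labels are assumed to be the four used in the scale.

```python
"""Grade computation for the A+ .. F scale (added example, not the scanner's code)."""
from collections import Counter
from typing import Dict, Iterable

# Assumed severity labels; the scale only ever mentions these four.
SEVERITIES = ("critical", "high", "medium", "low")


def count_by_severity(severities: Iterable[str]) -> Dict[str, int]:
    """Count findings per severity, rejecting labels the scale does not define."""
    counts = Counter(severities)
    unknown = set(counts) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity label(s): {sorted(unknown)}")
    return {s: counts.get(s, 0) for s in SEVERITIES}


def grade(severities: Iterable[str]) -> str:
    """Map finding severities to a grade.

    The most severe condition is tested first, so a single critical finding
    yields F no matter how many lower-severity findings accompany it.
    """
    c = count_by_severity(severities)
    if c["critical"] > 0:
        return "F"
    if c["high"] > 0:
        return "C"
    if sum(c.values()) == 0:
        return "A+"
    if c["medium"] <= 3:
        return "A"  # low-only findings also land here, not on A+
    return "B"


if __name__ == "__main__":
    samples = ([], ["low"], ["medium"] * 3, ["medium"] * 4,
               ["high", "medium"], ["critical", "low"])
    for s in samples:
        print(f"{s!r:40} -> {grade(s)}")
```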
Our scanner uses the same rules we apply to our own 15+ WordPress plugins before every release. We've tuned the exclude patterns over hundreds of scans to minimize false positives — for example, we exclude $wpdb->prepare() lines from SQL injection checks, and esc_html() calls from XSS checks. That said, static analysis can flag patterns that are technically safe in context (e.g., a variable that was sanitized on an earlier line and is used later). The scanner errs on the side of caution — it's better to review a flagged line than miss a real vulnerability.
This scanner checks WP.org plugins on demand. GuardPress Pro monitors your entire WordPress site 24/7 with real-time firewall, malware scanning, 2FA, and login protection.