WP Audit is a VS Code extension that scans WordPress themes and plugins for performance antipatterns and security vulnerabilities. It brings static PHP analysis and live URL scanning directly into your editor — with diagnostics, quick fixes, and HTML reports — so you can catch issues before they reach production.
Additionally, WP Audit was built specifically for WordPress developers who work with PHP daily. It understands WordPress functions, hooks, and common coding patterns. As a result, it flags real issues like unsanitized user input, SQL injection risks, render-blocking scripts, and exposed version numbers — not generic PHP warnings.
Furthermore, the extension is free, open source, and ships as a lightweight VS Code extension with zero external dependencies. Install it, open a PHP file, and start scanning immediately.
What Is a WordPress PHP Security Scanner for VS Code?
WordPress powers over 40% of the web, and most WordPress sites rely on themes and plugins written in PHP. However, many of these plugins contain security vulnerabilities and performance antipatterns that go unnoticed until they cause real damage.
For example, a plugin that uses $_GET without sanitization is vulnerable to cross-site scripting (XSS) attacks. A theme that runs query_posts() instead of WP_Query wastes server resources on every page load. A function that builds SQL queries without $wpdb->prepare() is an open door to SQL injection.
Moreover, these issues are difficult to spot during code review. They hide inside hundreds of PHP files, spread across functions and templates. Manual scanning is slow and error-prone.
WP Audit solves this problem. It scans every PHP file in your workspace, flags issues as editor diagnostics with squiggly underlines, and offers quick fixes to resolve them. As a result, you see security and performance problems the moment you write them — not after deployment.
How WP Audit Works
WP Audit combines two analysis modes inside a single VS Code extension:
- Static PHP Analysis — scans PHP source files using regex-based pattern matching with block-level context awareness. It detects 20 rules across performance and security categories.
- Live URL Scanning — fetches a WordPress site’s HTML response and analyzes the rendered output for front-end performance and security issues.
In addition, the architecture is intentionally simple:
PHP Files → Scanner → Diagnostics → Editor Underlines + Quick Fixes
Live URL → Fetcher → Analyzer → TreeView + HTML Report
Specifically, when you run a scan, the scanner reads each PHP file, applies all enabled rules, and creates VS Code diagnostics for every match. Consequently, issues appear as yellow or red underlines directly in your code, with hover messages explaining the problem and suggested fixes.
Static Analysis: 20 Rules for WordPress PHP
WP Audit includes 10 performance rules and 10 security rules designed specifically for WordPress development:
Performance Rules (WPA001–WPA010)
| Rule | What It Detects |
|---|---|
| WPA001 | Scripts enqueued without in_footer: true — blocks page rendering |
| WPA002 | WordPress version exposed in asset URLs via get_bloginfo('version') |
| WPA003 | query_posts() usage — should use WP_Query instead |
| WPA004 | get_posts() without an explicit numberposts limit |
| WPA005 | jQuery listed as a script dependency |
| WPA006 | Inline <style> blocks instead of enqueued stylesheets |
| WPA007 | Inline <script> blocks instead of enqueued scripts |
| WPA008 | Images without loading="lazy" attribute |
| WPA009 | Mixed content — HTTP URLs that should be HTTPS |
| WPA010 | Inline CSS via style= attributes instead of enqueued stylesheets |
Security Rules (WPS001–WPS010)
| Rule | What It Detects |
|---|---|
| WPS001 | Unsanitized $_GET, $_POST, $_REQUEST superglobal access |
| WPS002 | SQL queries without $wpdb->prepare() — SQL injection risk |
| WPS003 | eval() usage — arbitrary code execution |
| WPS004 | extract() usage — variable injection |
| WPS005 | REST routes missing permission_callback |
| WPS006 | REST routes missing sanitize_callback |
| WPS007 | unserialize() with untrusted data — object injection |
| WPS008 | echo output without esc_html() escaping — XSS risk |
| WPS009 | file_get_contents() with user-controlled paths — path traversal |
| WPS010 | shell_exec() and exec() usage — command injection |
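An added JavaScript sketch of how line-oriented regex rules with comment-level context can be applied to PHP source, covering simplified forms of WPA003, WPS001, WPS002 and WPS008. This is illustrative code written for this page, not WP Audit's own scanner or its exact patterns, and the PHP sample is constructed:

```javascript
// Illustrative regex-based rule engine in the spirit of WP Audit's static
// analysis; NOT the extension's own code or its exact rule patterns.
const RULES = [
  { id: 'WPA003', message: 'query_posts() usage, use WP_Query instead',
    test: l => /\bquery_posts\s*\(/.test(l) },
  { id: 'WPS001', message: 'superglobal read without a sanitizing call on the same line',
    test: l => /\$_(GET|POST|REQUEST)\b/.test(l) && !/\b(sanitize_\w+|absint|intval)\s*\(/.test(l) },
  { id: 'WPS002', message: 'SQL query without $wpdb->prepare()',
    test: l => /\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(/.test(l) && !/\$wpdb->prepare\s*\(/.test(l) },
  { id: 'WPS008', message: 'echo of a variable without an esc_* escaping function',
    test: l => /\becho\b[^;]*\$\w+/.test(l) && !/\besc_(html|attr|url|js)\w*\s*\(/.test(l) },
];
// Scan PHP source line by line. "Context awareness" here means comment
// awareness: code inside // or /* */ comments is never reported.
function scanPhp(source) {
  const findings = [];
  let inComment = false;
  source.split('\n').forEach((raw, i) => {
    let line = raw;
    if (inComment) {                       // still inside a /* ... */ block
      const end = line.indexOf('*/');
      if (end === -1) return;
      inComment = false;
      line = line.slice(end + 2);
    }
    const start = line.indexOf('/*');
    if (start !== -1) {                    // block comment starts on this line
      const end = line.indexOf('*/', start + 2);
      inComment = end === -1;
      line = line.slice(0, start) + (end === -1 ? '' : line.slice(end + 2));
    }
    if (/^\s*(\/\/|#)/.test(line)) return; // whole-line comment
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ ruleId: rule.id, line: i + 1, message: rule.message });
    }
  });
  return findings;                         // what an editor would turn into diagnostics
}
// Constructed sample input (not taken from any real plugin).
const SAMPLE_PHP = `<?php
$id   = intval( $_GET['id'] );
$name = $_POST['name'];
$rows = $wpdb->get_results( "SELECT * FROM {$wpdb->posts} WHERE ID = $id" );
$safe = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id ) );
query_posts( 'posts_per_page=5' );
echo $name;
echo esc_html( $name );
/* legacy code, disabled:
echo $_REQUEST['q'];
*/`;
```

Running scanPhp(SAMPLE_PHP) reports four findings (lines 3, 4, 6 and 7) and nothing for the sanitized, prepared, escaped or commented-out lines.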
Live URL Scanning: 8 Front-End Rules
Beyond static analysis, WP Audit can fetch and analyze a live WordPress site. Run WP Audit: Scan Live URL, enter a URL, and the extension checks 8 front-end rules:
| Rule | What It Detects |
|---|---|
| WPL001 | Render-blocking scripts loaded in <head> |
| WPL002 | Missing security headers (HSTS, X-Content-Type-Options) |
| WPL003 | WordPress version exposed in meta generator tag |
| WPL004 | jQuery Migrate loaded — unnecessary on modern sites |
| WPL005 | High DOM node count — slows rendering and interaction |
| WPL006 | Images without width/height attributes — CLS risk |
| WPL007 | Missing or weak Cache-Control headers |
| WPL008 | High total HTTP request count |
As a result, you get a complete picture of both your source code quality and your site’s front-end health in a single tool.
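As an added example (written for this page, not the extension's own code), a JavaScript function that applies simplified versions of WPL001, WPL002, WPL003, WPL006 and WPL007 to a fetched page's headers and HTML. The response headers and markup below are constructed, not captured from a real site:

```javascript
// Illustrative front-end checks in the spirit of WP Audit's live URL rules;
// NOT the extension's own code. Input is a fetched page's headers and HTML.
function analyzeResponse(html, headers) {
  const findings = [];
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const head = (html.match(/<head[\s\S]*?<\/head>/i) || [''])[0];
  // WPL001: external scripts in <head> without defer/async block rendering
  for (const tag of head.match(/<script\b[^>]*\bsrc=[^>]*>/gi) || []) {
    if (!/\b(defer|async)\b/i.test(tag)) findings.push({ ruleId: 'WPL001', detail: tag });
  }
  // WPL002: security headers the page should send
  for (const name of ['strict-transport-security', 'x-content-type-options']) {
    if (!(name in h)) findings.push({ ruleId: 'WPL002', detail: `missing ${name}` });
  }
  // WPL003: meta generator tag exposing the WordPress version
  const gen = html.match(/<meta\s+name=["']generator["']\s+content=["']([^"']*)["']/i);
  if (gen && /WordPress\s+\d/i.test(gen[1])) findings.push({ ruleId: 'WPL003', detail: gen[1] });
  // WPL006: images missing width or height invite layout shift (CLS)
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    if (!/\bwidth=/i.test(tag) || !/\bheight=/i.test(tag)) findings.push({ ruleId: 'WPL006', detail: tag });
  }
  // WPL007: Cache-Control absent or with no positive max-age
  const cc = h['cache-control'] || '';
  const maxAge = cc.match(/max-age=(\d+)/i);
  if (!maxAge || Number(maxAge[1]) === 0) findings.push({ ruleId: 'WPL007', detail: cc || '(absent)' });
  return findings;
}
// Constructed sample response (not captured from a real site).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=UTF-8',
  'Cache-Control': 'no-cache, must-revalidate, max-age=0',
};
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="/wp-content/themes/example/app.js" defer></script>
</head><body>
<img src="/hero.jpg" width="600" height="400" alt="">
<img src="/logo.png" alt="">
<script src="/wp-content/plugins/example/footer.js"></script>
</body></html>`;
```

The sample yields six findings; adding HSTS, X-Content-Type-Options and a positive max-age to the headers removes three of them, which is the kind of before/after comparison the report's score is meant to make visible.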
Quick Fixes for Common Issues
WP Audit does not just flag problems — it fixes them. Click the lightbulb icon on any flagged line to apply an automatic fix:
- Move scripts to footer — adds in_footer: true to wp_enqueue_script() calls
- Replace query_posts() — converts to new WP_Query()
- Fix mixed content — replaces http:// with https://
- Sanitize user input — wraps $_GET/$_POST with sanitize_text_field()
- Escape output — wraps echo output with esc_html()
Moreover, all quick fixes follow WordPress coding standards and best practices. They produce clean, production-ready code.
HTML Report with Score
Run WP Audit: Show Report to generate a visual HTML report inside VS Code. The report includes:
- Audit score (0–100) calculated from the severity and count of findings
- Summary badges showing total errors, warnings, and info items
- Live URL stats including response time, DOM node count, script count, and image count
- Full findings table with file locations, rule IDs, and descriptions
In addition, the report opens in a VS Code webview panel. You can keep it open alongside your code and re-run scans to watch your score improve as you fix issues.
Setting Up WP Audit
Step 1: Install the Extension
Install WP Audit directly from the VS Code Marketplace or search for “WP Audit” in the VS Code extensions panel. After installation, the extension activates automatically when you open a PHP file.
Step 2: Scan a PHP File
Open any WordPress PHP file and run WP Audit: Scan Current File from the command palette (Ctrl+Shift+P / Cmd+Shift+P). Issues appear as editor diagnostics immediately.
Step 3: Scan Your Entire Workspace
For a full audit, run WP Audit: Scan Workspace. The scanner processes all PHP files in your project, excluding vendor/, node_modules/, wp-admin/, and wp-includes/ by default.
Step 4: Scan a Live Site
Finally, run WP Audit: Scan Live URL and enter your WordPress site URL. The extension fetches the page, analyzes the HTML response, and reports front-end issues in the sidebar TreeView and HTML report.
Configuration Options
WP Audit includes four settings you can customize in VS Code:
| Setting | Default | Description |
|---|---|---|
| wpAudit.scanOnSave | false | Automatically scan PHP files every time you save |
| wpAudit.enablePerformanceRules | true | Enable or disable the 10 performance rules |
| wpAudit.enableSecurityRules | true | Enable or disable the 10 security rules |
| wpAudit.ignorePaths | ["vendor/**", ...] | Glob patterns for directories to skip during workspace scans |
Built for WordPress Developers
WP Audit was built during daily WordPress plugin and theme development. In fact, the rules come directly from real-world code reviews — every rule targets a pattern that has caused actual bugs, security incidents, or performance regressions in production WordPress sites.
Moreover, the extension follows the same development philosophy behind the Contact Form 7 Mailchimp Extension and the other free WordPress plugins on this site: lightweight code, zero bloat, and one focused purpose.
Additionally, WP Audit is part of a collection of VS Code extensions built for developers:
- Arc — a VS Code terminal bridge that gives AI coding agents full terminal control via MCP.
- GA4 Analytics MCP — query Google Analytics 4 data directly from your AI agent inside VS Code.
- Iris for Claude — a Telegram bridge that lets you message Claude Code from your phone.
Common Questions
Does WP Audit work with any PHP project or only WordPress?
WP Audit is designed specifically for WordPress. The rules target WordPress functions like wp_enqueue_script(), query_posts(), $wpdb->prepare(), and register_rest_route(). It will scan any PHP file, but the rules are most useful for WordPress themes and plugins.
Will WP Audit slow down VS Code?
No. The extension activates only when you open a PHP file or run a command. Scanning is fast because it uses regex-based pattern matching, not a full PHP parser. A workspace scan with hundreds of files completes in seconds.
Does WP Audit catch every security issue?
No static analysis tool catches everything. WP Audit uses regex-based scanning, which means it may miss issues inside complex multi-line expressions or produce false positives on strings that look like vulnerable patterns. However, it catches the most common and dangerous patterns reliably.
Can I disable specific rules?
You can disable entire categories (performance or security) via VS Code settings. Individual rule toggling is planned for a future release.
Does the live URL scanner work with password-protected sites?
The live scanner fetches the public HTML response. It does not handle authentication, so it works best with publicly accessible WordPress sites.
Requirements
- Visual Studio Code 1.85.0 or higher
- PHP files in your workspace for static analysis
- A live WordPress URL for front-end scanning (optional)
Getting Started
WP Audit is a WordPress PHP security scanner and performance auditor that brings static analysis and live site scanning directly into VS Code. As a result, you catch security vulnerabilities, performance antipatterns, and front-end issues before they reach production — not after.
Additionally, if you need help with setup or have questions, contact us directly. For more tools built for developers, visit Arc and GA4 Analytics MCP.