AllScanTool
Try Free for 15 Days No Credit Card Required

For Make WordPress Contributors

Scan the patch before it lands in core.

We scan, then we forget. You keep what you want.

Core is the foundation more than forty percent of the web runs on. A regression you introduce in a patch, a backport, or a new API does not affect one site — it ships to millions on the next release. AllScanTool scans the WordPress core PHP and JS you touch — patches, backports, function changes, and new endpoints — for SQL injection, XSS, hardcoded credentials, and insecure functions, right in your browser, before the diff goes on the ticket. No logs. No storage. No retention. Your code stays private.

A core patch is the highest-leverage code you will ever write

When you contribute to core, your diff becomes the security baseline for the entire ecosystem. These are the risks AllScanTool catches before the patch lands on the ticket.

A regression that ships to millions

A subtle escaping or sanitization change in a core function propagates to every site on the next release, long before anyone files the report.

Backports that drift from the fix

Porting a security fix across branches by hand can drop a guard or reorder a check, leaving an older line quietly exposed.

New core APIs that set the pattern

A new function or REST route in core becomes the example thousands of developers copy, so an insecure default multiplies across the ecosystem.

$wpdb changes in the data layer

Query construction edits deep in core are easy to review for logic but easy to miss when a statement is assembled from input without going through $wpdb->prepare().

Test scaffolding left in the diff

Debug output, sample tokens, or temporary credentials added while reproducing a ticket can survive into the committed patch.

A long review queue, a fast deadline

Committers carry a heavy review load near a beta freeze, and a final automated pass on the diff is an easy gate to add before commit.

Ask AST

Questions core and ecosystem contributors bring to the Delivery-Layer Engine.

Q: I am about to attach a patch to a Trac ticket. How do I confirm my $wpdb changes do not introduce an SQL injection in core?

Paste the diff into the scanner before you upload it. AST flags queries built from unsanitized input and points to $wpdb->prepare() for every external value, so the patch a committer reviews is already clean.
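As an added illustration (not code from AllScanTool or from WordPress core), here is the shape of a $wpdb hunk the check above is looking for, beside the prepared form a committer expects. The helper name and the meta lookup are hypothetical; $wpdb->prepare(), $wpdb->get_results() and the $wpdb->postmeta property are real core APIs, so the snippet runs inside WordPress.

```php
<?php
// Added example, not core code. Hypothetical helper that looks up meta rows
// for a set of post IDs. Assumes it runs inside WordPress (global $wpdb).

/**
 * BEFORE: the kind of hunk the scanner flags. Both values are interpolated
 * straight into the SQL string. A $meta_key from user input breaks out of the
 * quotes, and the imploded ID list is never cast, so a non-numeric "ID" is
 * executed as SQL.
 */
function example_get_meta_unsafe( array $post_ids, $meta_key ) {
	global $wpdb;
	$ids = implode( ',', $post_ids );
	return $wpdb->get_results(
		"SELECT post_id, meta_value FROM {$wpdb->postmeta}
		 WHERE meta_key = '$meta_key' AND post_id IN ($ids)"
	);
}

/**
 * AFTER: every external value goes through $wpdb->prepare(). The variable-length
 * IN list is the case that gets botched most often: build one %d placeholder
 * per ID and pass the IDs as the remaining arguments, so each is cast to an
 * integer. Table names taken from $wpdb properties are trusted and stay
 * interpolated; only data from outside goes through placeholders.
 */
function example_get_meta_safe( array $post_ids, $meta_key ) {
	global $wpdb;
	if ( empty( $post_ids ) ) {
		return array();
	}
	$placeholders = implode( ',', array_fill( 0, count( $post_ids ), '%d' ) );
	$sql = $wpdb->prepare(
		"SELECT post_id, meta_value FROM {$wpdb->postmeta}
		 WHERE meta_key = %s AND post_id IN ($placeholders)",
		array_merge( array( $meta_key ), $post_ids )
	);
	return $wpdb->get_results( $sql );
}
```

If a column or table name itself has to vary, %s is the wrong tool because prepare() quotes it as a string literal; since WordPress 6.2 the %i placeholder exists for identifiers, and before that the name had to be checked against an allow-list before interpolation.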

Q: I backported a security fix to an older branch by hand. How do I check I did not drop an escaping or capability guard?

Scan the backported hunk on its own. AST highlights missing escaping, absent capability checks, and unguarded output so the ported fix matches the protection of the original.
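As an added illustration (not code from AllScanTool or from WordPress core), here is what "drift" in a hand-ported hunk looks like: the trunk version of a hypothetical admin helper, and the version an older branch can end up with once one guard and one escape are lost in the port. The function names are invented; current_user_can(), esc_url(), esc_html() and get_the_title() are real core APIs.

```php
<?php
// Added example, not core code. Hypothetical admin-side helper that renders a
// link to a post's revision screen. Assumes it runs inside WordPress.

/**
 * The fix as committed on trunk: a capability guard on the specific post, and
 * the title escaped before it is placed in HTML.
 */
function example_revision_link_trunk( $post_id ) {
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return '';
	}
	$post = get_post( $post_id );
	if ( ! $post ) {
		return '';
	}
	$url = add_query_arg( 'revision', (int) $post_id, admin_url( 'revision.php' ) );
	return sprintf(
		'<a href="%s">%s</a>',
		esc_url( $url ),
		esc_html( get_the_title( $post ) )
	);
}

/**
 * The same fix after a manual backport to an older branch. The get_post()
 * lookup survived, but the current_user_can() check that sat above it did not,
 * and the title is concatenated raw. A logic review of the diff passes; a scan
 * of this hunk on its own reports unescaped output and a missing capability
 * check, which is exactly the protection the trunk version carried.
 */
function example_revision_link_backport_drifted( $post_id ) {
	$post = get_post( $post_id );
	if ( ! $post ) {
		return '';
	}
	$url = add_query_arg( 'revision', (int) $post_id, admin_url( 'revision.php' ) );
	return '<a href="' . esc_url( $url ) . '">' . get_the_title( $post ) . '</a>';
}
```

get_the_title() applies the the_title filter but does not escape for HTML, so anyone who can set a title can inject markup into the link text unless the esc_html() from the original fix travels with the backport.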

Q: I am adding a new REST endpoint to core. How do I make sure it sets a secure pattern for everyone who copies it?

Drop the endpoint into the scanner. AST surfaces missing permission callbacks and nonce checks so the example the ecosystem will copy ships with the right defaults from day one.
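As an added illustration (not code from AllScanTool or from WordPress core), here is a route registration with the defaults the answer above refers to: a permission_callback per method that checks the right capability for the requested object, and per-argument validation and sanitization. The namespace, route and callback names are hypothetical; register_rest_route(), WP_REST_Request, WP_REST_Server, WP_Error and rest_ensure_response() are real core APIs.

```php
<?php
// Added example, not core code. Hypothetical "notes" route showing the pattern
// an endpoint that others will copy should establish. Assumes it runs inside
// WordPress on the rest_api_init hook.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/notes/(?P<id>\d+)', array(
		array(
			'methods'  => WP_REST_Server::READABLE,
			'callback' => 'example_get_note',
			// The permission callback IS the authorization check for the route.
			// '__return_true' is only correct for data that is fully public.
			'permission_callback' => function ( WP_REST_Request $request ) {
				return current_user_can( 'read_post', (int) $request['id'] );
			},
			'args' => array(
				'id' => array(
					'required'          => true,
					'validate_callback' => function ( $value ) {
						return is_numeric( $value ) && (int) $value > 0;
					},
					'sanitize_callback' => 'absint',
				),
			),
		),
		array(
			'methods'  => WP_REST_Server::EDITABLE,
			'callback' => 'example_update_note',
			// Writes need a write capability on this specific post, not just "logged in".
			'permission_callback' => function ( WP_REST_Request $request ) {
				return current_user_can( 'edit_post', (int) $request['id'] );
			},
			'args' => array(
				'id'   => array( 'required' => true, 'sanitize_callback' => 'absint' ),
				'body' => array( 'required' => true, 'sanitize_callback' => 'wp_kses_post' ),
			),
		),
	) );
} );

function example_get_note( WP_REST_Request $request ) {
	$post = get_post( $request['id'] );
	if ( ! $post ) {
		return new WP_Error( 'example_not_found', 'Note not found.', array( 'status' => 404 ) );
	}
	return rest_ensure_response( array( 'id' => $post->ID, 'title' => $post->post_title ) );
}

function example_update_note( WP_REST_Request $request ) {
	$result = wp_update_post( array( 'ID' => $request['id'], 'post_content' => $request['body'] ), true );
	if ( is_wp_error( $result ) ) {
		return $result; // WP_Error propagates as a REST error response
	}
	return rest_ensure_response( array( 'updated' => $request['id'] ) );
}
```

Two points the copied pattern should carry with it. First, since WordPress 5.5 a route registered without a permission_callback triggers a _doing_it_wrong notice, so its absence is a smell, not a shortcut. Second, the nonce side of REST is handled by the framework for cookie authentication: a browser client must send an X-WP-Nonce header created with wp_create_nonce( 'wp_rest' ), and a request without it is treated as unauthenticated, which is why the permission callback, not an ad hoc nonce check in the handler, is what protects the route.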

Q: I added debug output and a test token while reproducing a ticket. How do I make sure none of it survived into my committed patch?

Scan the final diff before commit. AST detects hardcoded credentials, stray secrets, and insecure debug functions so nothing from the reproduction step lands in core.
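As an added illustration (not AllScanTool's engine or any WordPress tooling), here is a minimal stand-alone gate in the spirit of that final pass: it reads a unified diff, looks only at the lines the patch adds, and reports debug calls and credential-looking literals. The patterns, the function name and the sample diff are constructed for the example; it runs with the php CLI and needs nothing else.

```php
<?php
// Added example, not the scanner's code. Reports added lines in a unified diff
// that contain debug calls or credential-looking literals. Patterns and sample
// input are constructed for illustration. Usage: php diff-gate.php [patch.diff]

function example_scan_diff( string $diff ): array {
	$checks = array(
		'debug function'  => '/\b(?:var_dump|print_r|var_export|error_log)\s*\(/',
		'js console'      => '/\bconsole\.(?:log|debug|dir)\s*\(/',
		'credential-like' => '/\b(?:api[_-]?key|secret|token|password|passwd)\b\s*(?:=|=>|:)\s*[\'"][^\'"]{8,}[\'"]/i',
		'aws access key'  => '/\bAKIA[0-9A-Z]{16}\b/',
	);
	$findings = array();
	$file     = null;
	$line_no  = 0;
	foreach ( preg_split( "/\r?\n/", $diff ) as $line ) {
		if ( str_starts_with( $line, '+++ ' ) ) {
			$file = preg_replace( '#^\+\+\+ (?:b/)?#', '', $line ); // new-side file name
			continue;
		}
		if ( preg_match( '/^@@ -\d+(?:,\d+)? \+(\d+)/', $line, $m ) ) {
			$line_no = (int) $m[1] - 1; // hunk header: new-file starting line
			continue;
		}
		if ( $line === '' || $line[0] === '-' || $line[0] === '\\' ) {
			continue; // removed lines and "\ No newline" markers add no new code
		}
		$line_no++; // context and added lines both advance the new-file counter
		if ( $line[0] !== '+' ) {
			continue; // unchanged context: not this patch's responsibility
		}
		$code = substr( $line, 1 );
		foreach ( $checks as $label => $regex ) {
			if ( preg_match( $regex, $code ) ) {
				$findings[] = array( 'file' => $file, 'line' => $line_no, 'check' => $label, 'code' => trim( $code ) );
			}
		}
	}
	return $findings;
}

// Constructed sample: a patch that correctly fixes a query but leaves
// reproduction scaffolding behind on two of its added lines.
$sample_diff = <<<'DIFF'
--- a/wp-includes/example.php
+++ b/wp-includes/example.php
@@ -10,4 +10,6 @@ function example_lookup( $key ) {
 	global $wpdb;
-	$sql = "SELECT id FROM {$wpdb->options} WHERE option_name = '$key'";
+	$sql = $wpdb->prepare( "SELECT id FROM {$wpdb->options} WHERE option_name = %s", $key );
+	error_log( 'repro: ' . $sql );
+	$api_key = 'sk_test_51H8example000000000';
 	return $wpdb->get_var( $sql );
 }
DIFF;

if ( PHP_SAPI === 'cli' ) {
	$input    = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample_diff;
	$findings = example_scan_diff( $input );
	foreach ( $findings as $f ) {
		printf( "%s:%d [%s] %s\n", $f['file'], $f['line'], $f['check'], $f['code'] );
	}
	exit( $findings ? 1 : 0 ); // non-zero so a pre-commit hook can block the commit
}
```

On the constructed sample the gate reports the error_log() call at line 12 and the credential-like assignment at line 13 of the new file, and says nothing about the prepared query on line 11. Scanning only added lines is deliberate: it keeps the gate focused on what this patch introduces, so it can sit in front of every commit without drowning the committer in pre-existing noise.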

No Logs Policy
No Storage
No Retention
Your Code Stays Private