AllScanTool

For WordPress Developers

Scan your plugin and theme code before you ship it.

We scan, then we forget. You keep what you want.

Every release you push reaches thousands of installs you will never see. A single unescaped query or leftover API key in a plugin or theme becomes a vulnerability in every site that trusts your code. AllScanTool scans your WordPress PHP and JS — plugin releases, theme templates, REST endpoints, and update routines — for SQL injection, XSS, hardcoded credentials, and insecure functions, right in your browser, before you tag the version. No logs. No storage. No retention. Your code stays private.

Your code ships to sites you will never log into

When you build for the WordPress ecosystem, your release is someone else’s attack surface. These are the risks AllScanTool catches before you publish.

Unescaped output in templates

Theme and plugin templates that echo user or meta data without escaping ship XSS to every site that installs your release.
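As an added illustration (not AllScanTool's code or output), here is the template pattern described above beside its escaped form. It assumes a WordPress template context where get_post_meta() and the esc_* functions are loaded; the meta keys, the $post_id and the demo_ function names are constructed for the example.

```php
<?php
// Added example, not AllScanTool's code. Assumes WordPress is loaded (template
// context). Meta keys and $post_id are constructed for illustration.

// BEFORE: meta values dropped straight into HTML, an attribute and an href.
// Anyone who can write post meta (editors, importers, a buggy form handler)
// controls markup on every site that installs this theme.
function demo_card_unescaped( int $post_id ): string {
    $title = get_post_meta( $post_id, 'card_title', true );
    $link  = get_post_meta( $post_id, 'card_link', true );
    $note  = get_post_meta( $post_id, 'card_note', true );
    return "<a href=\"$link\" title=\"$title\">$title</a><p>$note</p>";
}

// AFTER: escape at output time, choosing the escaper by the context the
// value lands in. The same $title needs different treatment in an attribute
// and in a text node.
function demo_card_escaped( int $post_id ): string {
    $title = (string) get_post_meta( $post_id, 'card_title', true );
    $link  = (string) get_post_meta( $post_id, 'card_link', true );
    $note  = (string) get_post_meta( $post_id, 'card_note', true );

    return sprintf(
        '<a href="%s" title="%s">%s</a><p>%s</p>',
        esc_url( $link ),      // URL context: also drops schemes outside wp_allowed_protocols(), e.g. javascript:
        esc_attr( $title ),    // attribute context: encodes quotes so the value cannot close the attribute
        esc_html( $title ),    // text-node context: encodes < > & " '
        wp_kses_post( $note )  // rich text: keeps the post-safe HTML allow-list, strips script and event handlers
    );
}
```

The WordPress convention is "late escaping": the value is escaped where it is echoed, not where it is saved, because the same stored string may be output in several contexts. A scanner looking for unescaped output is therefore looking at echo/print/interpolation sites in templates, not at the save path.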

Raw $wpdb queries

Custom database calls built from request data without prepare() open SQL injection across the entire user base, not just one site.
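As an added example (not AllScanTool's code), the raw query shape the paragraph describes next to the prepare() form, extended to the two cases that trip people up even when they know prepare(): LIKE patterns and IN() lists. It assumes the WordPress $wpdb global is available; the table name, column names and demo_ function names are constructed.

```php
<?php
// Added example, not AllScanTool's code. Assumes WordPress is loaded and $wpdb
// is available. Table and column names are constructed for illustration.

// BEFORE: request data concatenated into SQL. A single quote in $status ends
// the string literal and whatever follows is executed as SQL, on every site
// running this plugin.
function demo_find_orders_raw( string $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';
    return $wpdb->get_results( "SELECT id, total FROM $table WHERE status = '$status'" );
}

// AFTER: one placeholder per value; $wpdb->prepare() quotes and escapes.
// Identifiers (table/column names) are not values and cannot be placeholders
// here, so they must stay developer-controlled, never taken from the request.
function demo_find_orders( string $status, int $min_total ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, total FROM {$table} WHERE status = %s AND total >= %d",
            $status,    // %s: quoted and escaped string
            $min_total  // %d: cast to integer
        )
    );
}

// LIKE: prepare() escapes quotes but not the % and _ wildcards, so a search
// term of "%" would match every row. esc_like() handles the wildcards first.
function demo_search_orders( string $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id FROM {$table} WHERE customer LIKE %s", $like )
    );
}

// IN (...): build one placeholder per value and pass the values as an array;
// imploding the raw request values into the string is the injection again.
function demo_orders_by_ids( array $ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';
    $ids   = array_map( 'intval', $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $marks = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE id IN ({$marks})", $ids )
    );
}
```

Note the pattern a reviewer or scanner applies: every $wpdb->query/get_results/get_var/get_row call either takes a string with no interpolated request data, or is wrapped in $wpdb->prepare() whose placeholders account for every variable. (WordPress 6.2 added a %i placeholder for identifiers; on older sites the identifier rule above is the only option.)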

Hardcoded keys in distributed code

An API key or license secret left in source gets shipped to every download and is one unzip away from being public.
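As an added example (not AllScanTool's detector or code), a minimal pre-release check that a developer can run over an unzipped build to catch the leftover literal the paragraph describes, alongside the shapes that do not trip it because the secret is supplied per-site. The regexes, the demo_ function names and the sample file contents are constructed for illustration and cover only a few common secret shapes.

```php
<?php
// Added example, not AllScanTool's code. A small regex-based secret check
// over source text; patterns and sample input are constructed.

/** A few common secret shapes, keyed by a label for the report. */
const DEMO_SECRET_PATTERNS = array(
    'aws_access_key_id'    => '/\bAKIA[0-9A-Z]{16}\b/',
    'private_key_block'    => '/-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/',
    // define()/assignment whose name says KEY|SECRET|TOKEN|PASSWORD and whose value is a long literal.
    'named_secret_literal' => '/(?:define\s*\(\s*[\'"][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*[\'"]\s*,|\$[a-z_]*(?:key|secret|token|password)[a-z_]*\s*=)\s*[\'"][^\'"]{16,}[\'"]/i',
);

/**
 * Scan one file's contents. Returns a list of [line, pattern, excerpt].
 * Lines that read the value from getenv(), a wp-config constant or an
 * option are not matched because no literal secret is present.
 */
function demo_scan_source( string $source ): array {
    $hits = array();
    foreach ( explode( "\n", $source ) as $i => $line ) {
        foreach ( DEMO_SECRET_PATTERNS as $name => $regex ) {
            if ( preg_match( $regex, $line, $m ) ) {
                $hits[] = array(
                    'line'    => $i + 1,
                    'pattern' => $name,
                    'excerpt' => substr( $m[0], 0, 24 ) . '...',  // never echo the whole value into a report
                );
            }
        }
    }
    return $hits;
}

/** Walk a build directory and scan every PHP/JS/JSON file in it. */
function demo_scan_dir( string $dir ): array {
    $report = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( ! preg_match( '/\.(php|js|json)$/', $file->getFilename() ) ) {
            continue;
        }
        $hits = demo_scan_source( (string) file_get_contents( $file->getPathname() ) );
        if ( $hits ) {
            $report[ $file->getPathname() ] = $hits;
        }
    }
    return $report;
}

// Constructed sample file: two leftover dev shortcuts, then two safe forms
// where the site, not the shipped source, supplies the value.
$sample = <<<'PHP'
<?php
define( 'DEMO_API_KEY', 'EXAMPLE_NOT_A_REAL_KEY_0123456789abcdef' );   // leftover dev secret
$aws = 'AKIAEXAMPLEEXAMPLE01';                                           // leftover dev secret (access key id shape)
define( 'DEMO_LICENSE_SECRET', getenv( 'DEMO_LICENSE_SECRET' ) );       // safe: value comes from the environment
$key = defined( 'DEMO_API_KEY_SITE' ) ? DEMO_API_KEY_SITE : get_option( 'demo_api_key' ); // safe: wp-config or option
PHP;

foreach ( demo_scan_source( $sample ) as $hit ) {
    printf( "line %d: %s (%s)\n", $hit['line'], $hit['pattern'], $hit['excerpt'] );
}
```

Run demo_scan_dir() over the directory you are about to zip, not the repository: vendored files and build output are exactly the places a development key survives a `git grep`. Regex checks of this kind are a floor, not a ceiling; a high-entropy string in an unusual variable name will slip past them, which is why the fix is structural (read the secret from the site's configuration) rather than relying on the scan alone.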

Unprotected REST and AJAX endpoints

Custom endpoints missing nonce and capability checks let any visitor trigger actions you assumed only admins could reach.
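As an added example (not AllScanTool's code), the two checks the paragraph names, a permission callback on a REST route and nonce plus capability on an admin-ajax handler, with the open form beside the guarded one. It assumes WordPress is loaded; the route names, the transient key, the nonce action and the manage_options capability are constructed for the example.

```php
<?php
// Added example, not AllScanTool's code. Assumes WordPress is loaded
// (register_rest_route(), check_ajax_referer(), current_user_can()).
// Namespace, route names, transient key and nonce action are constructed.

add_action( 'rest_api_init', function () {
    // BEFORE: permission_callback always returns true, so any visitor, logged
    // in or not, can send DELETE /wp-json/demo/v1/cache-unsafe and clear the cache.
    register_rest_route( 'demo/v1', '/cache-unsafe', array(
        'methods'             => 'DELETE',
        'callback'            => 'demo_clear_cache',
        'permission_callback' => '__return_true',
    ) );

    // AFTER: the permission callback checks a capability. For cookie-based
    // requests WordPress only counts the user as logged in when a valid
    // X-WP-Nonce header is present, so this capability check also covers the
    // cross-site request case; the route's args declare how input is cleaned.
    register_rest_route( 'demo/v1', '/cache', array(
        'methods'             => 'DELETE',
        'callback'            => 'demo_clear_cache',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'group' => array(
                'type'              => 'string',
                'default'           => 'pages',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'pages', 'menus' ), true );
                },
            ),
        ),
    ) );
} );

function demo_clear_cache( WP_REST_Request $request ) {
    $group = $request->get_param( 'group' );
    delete_transient( 'demo_cache_' . $group );
    return rest_ensure_response( array( 'cleared' => $group ) );
}

// admin-ajax.php handlers get no permission_callback, so both checks are
// written by hand: the nonce proves the request came from a page you
// rendered, the capability proves the user is allowed to do this.
add_action( 'wp_ajax_demo_clear_cache', function () {
    check_ajax_referer( 'demo_clear_cache', 'nonce' );  // exits when the nonce is missing or stale
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'demo_cache_pages' );
    wp_send_json_success();
} );
// No wp_ajax_nopriv_demo_clear_cache hook is registered, so anonymous
// visitors never reach the handler at all.
```

A nonce alone is not an authorization check: any logged-in user can obtain one from a page you render, so the capability test is what actually limits the action to administrators. The two checks answer different questions and a scanner flags the absence of either.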

Bundled dependencies you did not write

Vendored libraries and copied helpers ride along in your release carrying insecure functions you never reviewed.

No security gate before release

Solo and small-team developers tag and publish under deadline with no final scan standing between the commit and thousands of installs.

Ask AST

Questions WordPress plugin and theme developers bring to the Delivery-Layer Engine.

Q: I am about to tag a plugin release — how do I make sure there is no SQL injection in my custom $wpdb queries?

Paste the data layer into the scanner before you tag. AST flags every query built from unsanitized input and points you to $wpdb->prepare() so the release ships safely to every install.

Q: My theme template echoes custom field values directly — is that an XSS risk for the sites using it?

Yes, and AST will catch it. Scan the template and it highlights unescaped output, recommending esc_html(), esc_attr(), and esc_url() before the theme reaches a single user.

Q: I added a custom REST endpoint to my plugin — how do I check it is not exposing actions to anyone?

Drop the endpoint code into the scanner. AST surfaces missing permission callbacks, absent nonce checks, and unguarded capability assumptions before the endpoint ships in your update.

Q: I left a test API key in my code during development — how do I make sure none of those are in my release build?

Scan the build before you zip it. AST detects hardcoded credentials and secrets anywhere in the source so a development shortcut never ends up inside a public download.
