For WordPress Support
Paste the plugin code before you activate it.
We scan, then we forget. You keep what you want.
A snippet from the support forums, a functions.php edit from a tutorial, a WooCommerce hook from a previous developer — one activation is all it takes to break a site or open a hole. AllScanTool scans WordPress PHP and JS for SQL injection, XSS, hardcoded credentials, and insecure functions, right in your browser, before the code ever goes live. No logs. No storage. No retention. Your code stays private.
Code reaches WordPress from everywhere
Plugins, themes, tutorials, and inherited sites all pour code into your install. These are the risks AllScanTool catches before you hit activate.
Forum snippets that broke the site
A plugin snippet pasted straight from the support forums took the site down — because no one scanned it before activating.
functions.php edits from tutorials
Code copied into functions.php from a how-to post carries security implications the tutorial never mentioned.
WooCommerce payment customizations
Hooks that touch the checkout and payment flow ship to production without ever being security-reviewed.
Inherited child theme code
A child theme handed down from a previous developer comes with no audit trail and no record of what it actually does.
Stale repository plugins
Free plugins that have not been updated in two years sit live on the site, carrying old and unpatched vulnerability patterns.
Layers of freelancer code
Client sites where multiple freelancers added code over the years, with no one ever reviewing what the last person shipped.
Ask AST
Questions the WordPress Support community brings to the Delivery-Layer Engine.
Q: I found this PHP snippet on the WordPress Support Forums — does it have any SQL injection risks before I add it to functions.php?
Paste it into the scanner first. AST flags raw $wpdb queries built from unsanitized input and points you to prepared statements before the snippet ever touches functions.php.
Q: This WooCommerce hook modifies the checkout process — are there any security issues I should fix before the client goes live?
Scan the hook before launch. AST highlights unescaped output, missing nonce checks, and unsafe data handling in payment flows so you can fix them before real orders run through it.
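As an added illustration of the two answers above (this is example code, not AllScanTool's own code or scanner output), here is the shape of a pasted WooCommerce checkout snippet, first with the patterns the scanner flags and then hardened. The hook names and WordPress/WooCommerce functions are real APIs; the gift-note field, the custom table name, the text domain and the nonce action name are assumptions made for the example.

```php
<?php
// Added example, not AllScanTool's code. Hooks and functions are real
// WordPress/WooCommerce APIs; the gift-note field, the table
// {$wpdb->prefix}gift_notes and the nonce action 'gift_note_save' are assumed.

/* ---- Before: what a forum snippet for a custom checkout field often looks like ---- */

// XSS: the submitted value is echoed back into an attribute without escaping.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    echo '<p><label>Gift note</label>'
       . '<input type="text" name="gift_note" value="' . ( $_POST['gift_note'] ?? '' ) . '"></p>';
} );

// SQL injection: $_POST is interpolated straight into the query; no nonce check at all.
add_action( 'woocommerce_checkout_update_order_meta', function ( $order_id ) {
    global $wpdb;
    $note = $_POST['gift_note'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}gift_notes (order_id, note)
                   VALUES ($order_id, '$note')" );
} );

/* ---- After: the same feature with the fixes the scanner points to ---- */

// Render the field through WooCommerce (which escapes it) and emit a nonce.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    wp_nonce_field( 'gift_note_save', 'gift_note_nonce' );
    woocommerce_form_field( 'gift_note', array(
        'type'  => 'text',
        'label' => __( 'Gift note', 'example-textdomain' ),
    ), $checkout->get_value( 'gift_note' ) );
} );

// Reject the submission when the nonce is missing or invalid.
add_action( 'woocommerce_checkout_process', function () {
    $nonce = isset( $_POST['gift_note_nonce'] ) ? sanitize_key( $_POST['gift_note_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'gift_note_save' ) ) {
        wc_add_notice( __( 'Security check failed, please reload the page.', 'example-textdomain' ), 'error' );
    }
} );

// Sanitize the input and write it with a prepared statement (%d / %s placeholders).
add_action( 'woocommerce_checkout_update_order_meta', function ( $order_id ) {
    global $wpdb;
    if ( empty( $_POST['gift_note'] ) ) {
        return;
    }
    $note = sanitize_text_field( wp_unslash( $_POST['gift_note'] ) );
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}gift_notes (order_id, note) VALUES (%d, %s)",
        absint( $order_id ),
        $note
    ) );
} );

// Escape on output when the note is shown on the admin order screen.
add_action( 'woocommerce_admin_order_data_after_billing_address', function ( $order ) {
    global $wpdb;
    $note = $wpdb->get_var( $wpdb->prepare(
        "SELECT note FROM {$wpdb->prefix}gift_notes WHERE order_id = %d",
        $order->get_id()
    ) );
    if ( $note ) {
        echo '<p><strong>' . esc_html__( 'Gift note:', 'example-textdomain' ) . '</strong> '
           . esc_html( $note ) . '</p>';
    }
} );
```

The four things a reviewer (or a scanner) looks for in the "before" half are all present: a `$_POST` read with no sanitization, a string interpolated into `$wpdb->query()`, an `echo` with no `esc_*()` call, and no `wp_verify_nonce()`. WooCommerce's own checkout handler verifies its own nonce, so the field-specific check here is defence in depth; it matters most when the same save logic is later reused from an admin-ajax or REST handler that has no such protection.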
Q: I inherited a WordPress site with custom code from three different developers — where do I start with a security review?
Start by pasting each custom file into the scanner. AST surfaces injection sinks, hardcoded credentials, and insecure functions across the whole pile so you know which developer’s code to fix first.
Q: This plugin has not been updated in 18 months — does the code have any known vulnerability patterns I should check?
Drop the plugin source into the scanner. AST checks for the classic stale-plugin patterns — unsanitized inputs, deprecated insecure calls, and exposed secrets — so an abandoned plugin does not become your open door.