
Code Review | WPScan - WordPress Security Scanner

WordPress plugin WPScan - WordPress Security Scanner scored 74% from 54 tests.

About plugin

  • Plugin page: wpscan
  • Plugin version: 1.15.5
  • PHP compatibility: 5.5+
  • PHP version: 7.4.16
  • WordPress compatibility: 3.4-5.8
  • WordPress version: 5.8.1
  • First release: Mar 2, 2019
  • Latest release: Aug 10, 2021
  • Number of updates: 80
  • Update frequency: every 11.2 days
  • Top authors: ethicalhack3r (58.75%), xFireFartx (30%), erwanlr (13.75%)

Code review: 54 tests

User reviews: 22 reviews

Install metrics: 8,000+ active / 119,126 total downloads


Plugin footprint 65% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | All plugins must install correctly, without throwing any errors, warnings, or notices
This plugin's installer ran successfully

Server metrics [RAM: ▲1.65MB] [CPU: ▼128.17ms] Passed 4 tests

Server-side resources used by WPScan - WordPress Security Scanner
This plugin has minimal impact on server resources
Page | Memory (MB) | CPU Time (ms)
Home / | 4.45 ▲1.73 | 56.01 ▲27.45
Dashboard /wp-admin | 4.72 ▲1.66 | 66.18 ▲21.56
Posts /wp-admin/edit.php | 4.77 ▲1.66 | 64.00 ▲17.10
Add New Post /wp-admin/post-new.php | 7.07 ▲1.63 | 102.57 ▼567.14
Media Library /wp-admin/upload.php | 4.66 ▲1.66 | 49.40 ▲15.82
Settings /wp-admin/admin.php?page=wpscan_settings | 4.65 | 48.61
Scheduled Actions /wp-admin/tools.php?page=action-scheduler | 4.81 | 59.54
Report /wp-admin/admin.php?page=wpscan | 4.69 | 56.89

Server storage [IO: ▲7.79MB] [DB: ▲0.01MB] Passed 3 tests

Filesystem and database footprint
There were no storage issues detected upon installing this plugin
Filesystem: 193 new files
Database: 4 new tables, 4 new options

Browser metrics Passed 4 tests

This is an overview of browser requirements for WPScan - WordPress Security Scanner
Minimal impact on browser resources
Page | Nodes | Memory (MB) | Script (ms) | Layout (ms)
Home / | 3,811 ▲215 | 15.92 ▲0.16 | 11.58 ▲1.68 | 45.84 ▼4.12
Dashboard /wp-admin | 3,065 ▲134 | 5.93 ▼0.01 | 155.92 ▲5.68 | 128.43 ▲22.66
Posts /wp-admin/edit.php | 2,818 ▲79 | 2.71 ▼0.01 | 64.73 ▼10.71 | 89.20 ▼3.04
Add New Post /wp-admin/post-new.php | 1,751 ▲25 | 124.08 ▲5.43 | 387.54 ▼9.70 | 110.12 ▲3.53
Media Library /wp-admin/upload.php | 1,812 ▲64 | 4.99 ▲0.00 | 143.08 ▼12.85 | 153.50 ▲35.06
Settings /wp-admin/admin.php?page=wpscan_settings | 1,256 | 2.09 | 53.81 | 75.49
Scheduled Actions /wp-admin/tools.php?page=action-scheduler | 1,628 | 2.24 | 55.64 | 72.07
Report /wp-admin/admin.php?page=wpscan | 2,103 | 4.28 | 90.62 | 92.20

Uninstaller [IO: ▲0.00MB] [DB: ▲0.01MB] 50% from 4 tests

🔸 Tests weight: 35 | Verifying that this plugin uninstalls completely without leaving any traces
Please fix the following items
  • Zombie tables were found after uninstall: 4 tables
    • wp_actionscheduler_actions
    • wp_actionscheduler_groups
    • wp_actionscheduler_claims
    • wp_actionscheduler_logs
  • This plugin does not fully uninstall, leaving 4 options in the database
    • schema-ActionScheduler_StoreSchema
    • schema-ActionScheduler_LoggerSchema
    • action_scheduler_hybrid_store_demarkation
    • action_scheduler_lock_async-request-runner

Smoke tests 75% from 4 tests

Server-side errors Passed 1 test

🔹 Test weight: 20 | This is a shallow check for server-side errors
Good news, no errors were detected

SRP 50% from 2 tests

🔹 Tests weight: 20 | The single-responsibility principle applies for WordPress plugins as well - please make sure your PHP files perform no actions when accessed directly
Please take a closer look at the following
  • 73× PHP files trigger server errors when accessed directly (only 10 are shown):
    • PHP Fatal error: Uncaught Error: Call to undefined function add_action() in wp-content/plugins/wpscan/libraries/action-scheduler/action-scheduler.php:32
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_Logger' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/data-stores/ActionScheduler_wpCommentLogger.php:6
    • PHP Fatal error: Uncaught Error: Class 'CronExpression_AbstractField' not found in wp-content/plugins/wpscan/libraries/action-scheduler/lib/cron-expression/CronExpression_DayOfWeekField.php:18
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_AdminView_Deprecated' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/ActionScheduler_AdminView.php:7
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/jobstore/ActionScheduler_HybridStore_Test.php:14
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_DBStore' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/migration/ActionScheduler_DBStoreMigrator.php:10
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/schedules/ActionScheduler_SimpleSchedule_Test.php:7
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_Abstract_Schema' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/schema/ActionScheduler_LoggerSchema.php:10
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_Abstract_QueueRunner' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/WP_CLI/ActionScheduler_WPCLI_QueueRunner.php:10
    • PHP Fatal error: Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/runner/ActionScheduler_QueueRunner_Test.php:7

User-side errors Passed 1 test

🔹 Test weight: 20 | This is a smoke test targeting browser errors/issues
There were no browser issues found


Plugin configuration 97% from 29 tests

readme.txt 94% from 16 tests

The readme.txt file is important because it is parsed by WordPress.org for the public listing of your plugin
Attributes that need to be fixed:
  • Screenshots: Please add images for these screenshots: #1 (List of vulnerabilities and icon at Admin Bar.), #2 (Notification settings.), #3 (Site health page.)
You can look at the official readme.txt

wpscan/wpscan.php Passed 13 tests

The main file in "WPScan - WordPress Security Scanner" v. 1.15.5 serves as a complement to information provided in readme.txt and as the entry point to the plugin
Description (126 characters):
WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.

Code Analysis Passed 3 tests

File types Passed 1 test

🔸 Test weight: 35 | Executable files are considered dangerous and should not be included with any WordPress plugin
Everything looks great! No dangerous files found in this plugin
14,387 lines of code in 172 files:
Language | Files | Blank lines | Comment lines | Lines of code
Bourne Shell | 2 | 30 | 22 | 137

PHP code Passed 2 tests

Analyzing cyclomatic complexity and code structure
Great job! No cyclomatic complexity issues were detected in this plugin
Cyclomatic complexity
Average complexity per logical line of code: 0.24
Average class complexity: 9.91
▷ Minimum class complexity: 1.00
▷ Maximum class complexity: 88.00
Average method complexity: 2.31
▷ Minimum method complexity: 1.00
▷ Maximum method complexity: 26.00
Code structure
▷ Abstract classes: 16 (12.70%)
▷ Concrete classes: 110 (87.30%)
▷ Final classes: 0 (0.00%)
▷ Static methods: 67 (7.38%)
▷ Public methods: 750 (82.60%)
▷ Protected methods: 135 (14.87%)
▷ Private methods: 23 (2.53%)
▷ Named functions: 18 (51.43%)
▷ Anonymous functions: 17 (48.57%)
▷ Global constants: 21 (39.62%)
▷ Class constants: 32 (60.38%)
▷ Public constants: 32 (100.00%)

Plugin size 50% from 2 tests

Image compression 50% from 2 tests

PNG files should be compressed to save space and minimize bandwidth usage
9 PNG files occupy 0.78MB with 0.42MB in potential savings
Potential savings
Compression of 5 random PNG files using pngquant
File | Size - original | Size - compressed | Savings
libraries/action-scheduler/docs/apple-touch-icon.png | 6.77KB | 2.46KB | ▼ 63.68%
libraries/action-scheduler/docs/android-chrome-192x192.png | 6.77KB | 2.46KB | ▼ 63.68%
screenshot-2.png | 112.38KB | 35.89KB | ▼ 68.07%
screenshot-1.png | 448.65KB | 128.47KB | ▼ 71.37%