74% wpscan

Code Review | WPScan - WordPress Security Scanner

WordPress plugin WPScan - WordPress Security Scanner scored74%from 54 tests.

About plugin

  • Plugin page: wpscan
  • Plugin version: 1.15.7
  • PHP compatiblity: 5.5+
  • PHP version: 7.4.16
  • WordPress compatibility: 3.4-6.3.2
  • WordPress version: 6.3.1
  • First release: Mar 2, 2019
  • Latest release: Oct 22, 2023
  • Number of updates: 86
  • Update frequency: every 19.7 days
  • Top authors: ethicalhack3r (54.65%)xFireFartx (27.91%)erwanlr (15.12%)miguelxavierpenha (4.65%)arsihasi (2.33%)

Code review

54 tests

User reviews

28 reviews

Install metrics

10,000+ active /197,275 total downloads


Plugin footprint 65% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | All plugins must install correctly, without throwing any errors, warnings, or notices
This plugin's installer ran successfully

Server metrics [RAM: ▲1.67MB] [CPU: ▲11.57ms] Passed 4 tests

Server-side resources used by WPScan - WordPress Security Scanner
This plugin has minimal impact on server resources
PageMemory (MB)CPU Time (ms)
Home /5.12 ▲1.6559.33 ▲21.01
Dashboard /wp-admin4.98 ▲1.6762.35 ▲12.30
Posts /wp-admin/edit.php5.03 ▲1.6760.39 ▲12.12
Add New Post /wp-admin/post-new.php7.58 ▲1.6993.27 ▲0.85
Media Library /wp-admin/upload.php4.90 ▲1.6768.10 ▲35.43
Scheduled Actions /wp-admin/tools.php?page=action-scheduler5.0566.53
Report /wp-admin/admin.php?page=wpscan4.9150.69
Settings /wp-admin/admin.php?page=wpscan_settings4.8349.85

Server storage [IO: ▲7.80MB] [DB: ▲0.08MB] Passed 3 tests

Filesystem and database footprint
There were no storage issued detected upon installing this plugin
Filesystem: 194 new files
Database: 4 new tables, 10 new options
New tables
New WordPress options

Browser metrics Passed 4 tests

This is an overview of browser requirements for WPScan - WordPress Security Scanner
Minimal impact on browser resources
PageNodesMemory (MB)Script (ms)Layout (ms)
Home /2,908 ▲14714.17 ▼0.252.23 ▲0.6440.66 ▲4.95
Dashboard /wp-admin2,277 ▲995.73 ▲0.0982.59 ▼18.2271.51 ▲31.87
Posts /wp-admin/edit.php2,162 ▲652.15 ▲0.1435.64 ▲1.6635.02 ▼1.18
Add New Post /wp-admin/post-new.php1,734 ▲20622.32 ▼0.82775.45 ▲108.0544.17 ▼10.87
Media Library /wp-admin/upload.php1,462 ▲594.13 ▼0.23101.81 ▲7.3165.10 ▲21.44
Scheduled Actions /wp-admin/tools.php?page=action-scheduler1,2801.8326.2830.19
Report /wp-admin/admin.php?page=wpscan1,5773.6959.3928.12
Settings /wp-admin/admin.php?page=wpscan_settings9981.6825.7926.92

Uninstaller [IO: ▲0.00MB] [DB: ▲0.08MB] 50% from 4 tests

🔸 Tests weight: 35 | Verifying that this plugin uninstalls completely without leaving any traces
Please fix the following items
  • Zombie tables were found after uninstall: 4 tables
    • wp_actionscheduler_actions
    • wp_actionscheduler_groups
    • wp_actionscheduler_logs
    • wp_actionscheduler_claims
  • This plugin does not fully uninstall, leaving 10 options in the database
    • theysaidso_admin_options
    • can_compress_scripts
    • action_scheduler_hybrid_store_demarkation
    • widget_recent-comments
    • widget_theysaidso_widget
    • schema-ActionScheduler_LoggerSchema
    • schema-ActionScheduler_StoreSchema
    • db_upgraded
    • action_scheduler_lock_async-request-runner
    • widget_recent-posts

Smoke tests 75% from 4 tests

Server-side errors Passed 1 test

🔹 Test weight: 20 | This is a shallow check for server-side errors
Good news, no errors were detected

SRP 50% from 2 tests

🔹 Tests weight: 20 | The single-responsibility principle applies for WordPress plugins as well - please make sure your PHP files perform no actions when accessed directly
Please take a closer look at the following
  • 73× PHP files trigger server errors when accessed directly (only 10 are shown):
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_SimpleSchedule' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/schedules/ActionScheduler_CanceledSchedule.php:6
    • > PHP Fatal error
      Uncaught Error: Class 'CronExpression_AbstractField' not found in wp-content/plugins/wpscan/libraries/action-scheduler/lib/cron-expression/CronExpression_HoursField.php:8
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/procedural_api/procedural_api_Test.php:6
    • > PHP Fatal error
      Uncaught Error: Class 'WP_CLI_Command' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/WP_CLI/Migration_Command.php:22
    • > PHP Fatal error
      Uncaught Error: Class 'Action_Scheduler\\Migration\\ActionMigrator' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/migration/DryRun_ActionMigrator.php:15
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/migration/Config_Test.php:9
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_SimpleSchedule' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/schedules/ActionScheduler_NullSchedule.php:6
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_Abstract_QueueRunner' not found in wp-content/plugins/wpscan/libraries/action-scheduler/classes/ActionScheduler_QueueRunner.php:6
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/migration/LogMigrator_Test.php:9
    • > PHP Fatal error
      Uncaught Error: Class 'ActionScheduler_UnitTestCase' not found in wp-content/plugins/wpscan/libraries/action-scheduler/tests/phpunit/logging/ActionScheduler_wpCommentLogger_Test.php:7

User-side errors Passed 1 test

🔹 Test weight: 20 | This is a smoke test targeting browser errors/issues
There were no browser issues found


Plugin configuration 97% from 29 tests

readme.txt 94% from 16 tests

The readme.txt file is important because it is parsed by WordPress.org for the public listing of your plugin
Attributes that need to be fixed:
  • Screenshots: Please add images for these screenshots: #1 (List of vulnerabilities and icon at Admin Bar.), #2 (Notification settings.), #3 (Site health page.)
You can look at the official readme.txt

wpscan/wpscan.php Passed 13 tests

The main file in "WPScan - WordPress Security Scanner" v. 1.15.7 serves as a complement to information provided in readme.txt and as the entry point to the plugin
126 characters long description:
WPScan WordPress Security Scanner. Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.

Code Analysis Passed 3 tests

File types Passed 1 test

🔸 Test weight: 35 | Executable files are considered dangerous and should not be included with any WordPress plugin
Everything looks great! No dangerous files found in this plugin14,474 lines of code in 173 files:
LanguageFilesBlank linesComment linesLines of code
Bourne Shell23022137

PHP code Passed 2 tests

Analyzing cyclomatic complexity and code structure
Great job! No cyclomatic complexity issues were detected in this plugin
Cyclomatic complexity
Average complexity per logical line of code0.24
Average class complexity9.97
▷ Minimum class complexity1.00
▷ Maximum class complexity88.00
Average method complexity2.31
▷ Minimum method complexity1.00
▷ Maximum method complexity26.00
Code structure
▷ Abstract classes1612.70%
▷ Concrete classes11087.30%
▷ Final classes00.00%
▷ Static methods677.35%
▷ Public methods75382.66%
▷ Protected methods13514.82%
▷ Private methods232.52%
▷ Named functions1851.43%
▷ Anonymous functions1748.57%
▷ Global constants2139.62%
▷ Class constants3260.38%
▷ Public constants32100.00%

Plugin size 50% from 2 tests

Image compression 50% from 2 tests

PNG files should be compressed to save space and minimize bandwidth usage
9 PNG files occupy 0.78MB with 0.36MB in potential savings
Potential savings
Compression of 5 random PNG files using pngquant
FileSize - originalSize - compressedSavings
screenshot-2.png112.38KB35.89KB▼ 68.07%
screenshot-3.png217.60KB58.64KB▼ 73.05%
screenshot-1.png448.65KB128.47KB▼ 71.37%
libraries/action-scheduler/docs/mstile-150x150.png4.15KB3.67KB▼ 11.47%
libraries/action-scheduler/docs/favicon-16x16.png0.39KB0.38KB▼ 3.02%