Scan Any Plugin Before It Touches Your Server
Upload a plugin ZIP, run 13 static safety checks against your live environment, then install with confidence — or don't. No plugin code is ever executed.
How It Works
Three steps between a plugin ZIP and a confident installation decision.
Upload the ZIP
Go to Tools → PreFlight Scanner and upload the plugin ZIP you want to install. The file is extracted to a protected temporary directory — no web-accessible path, no code execution.
Static Analysis Runs
PreFlight reads every PHP file as plain text and runs 13 checks against your live environment — your active plugins, your PHP version, your WordPress version.
Review & Decide
If it passes, install with one click from the results page. If warnings or critical issues are found, you get a full breakdown before a single byte is copied to your plugins folder.
13 Checks. Every Scan.
Four categories of static analysis, all running against your live WordPress environment without executing a single line of the uploaded plugin's code.
PHP Version
Reads the plugin's Requires PHP header and detects modern syntax (match expressions, nullsafe operators, arrow functions, typed properties) your server can't run.
WordPress Version
Validates Requires At Least and Tested Up To headers against the running WordPress version so you know before activating.
Function Name Collisions (CRITICAL)
Compares every global function in the ZIP against all functions defined by your active plugins and WordPress core. A match means a guaranteed PHP fatal error on activation.
Class Name Collisions (CRITICAL)
Same check for classes, interfaces, traits, and enums. A collision is just as fatal and often harder to trace back to the cause.
Hook Priority Conflicts (WARNING)
Detects add_filter() and add_action() calls that share a hook name and priority with an already-active plugin. Two plugins competing on the same filter silently overwrite each other's output — a common source of WooCommerce checkout bugs.
Malicious Code Patterns (CRITICAL)
Scans for obfuscation signatures: eval(base64_decode()), compressed payload execution (gzinflate, gzuncompress), preg_replace /e modifier, and large base64 blobs.
Dangerous PHP Functions (CRITICAL)
Flags shell_exec, exec, system, passthru, proc_open, popen, and pcntl_exec — OS-level command execution that has no place in a WordPress plugin.
Suspicious File Types (CRITICAL)
Detects .exe, .sh, .bat, .cmd, .py, .rb, .pl, and .vbs files bundled inside the ZIP. Executable files have no place in a WordPress plugin package.
Missing PHP Namespaces
Flags files that define functions or classes in the global scope without a namespace declaration — an elevated collision risk as more plugins are added to the site.
Deprecated WordPress Functions
Detects calls to WordPress functions that have been deprecated or removed — code that may generate errors on current or future WordPress versions.
Suspicious Outbound Calls
Flags wp_remote_get/post(), curl_exec(), and file_get_contents() with hardcoded external URLs — potential phone-home behaviour worth knowing about.
Direct Database Queries
Detects raw $wpdb->query() calls and string-concatenated SELECT statements that bypass $wpdb->prepare() — SQL injection risks.
Missing Security Checks
Flags files that read $_POST or $_GET without a detected nonce verification (check_admin_referer, wp_verify_nonce) or capability check (current_user_can) in the same file.
Three Possible Outcomes
ALL CLEAR
No issues detected. One click installs and activates the plugin directly from the results page. The temporary ZIP is deleted immediately.
WARNINGS FOUND
Advisory issues were found — deprecated functions, outbound calls, missing namespaces. The plugin may still work correctly. Review the details and install if you're comfortable.
CRITICAL ISSUES
Malicious code, fatal function collisions, or dangerous functions detected. Installing is strongly discouraged. A confirmation dialog warns you before any files are copied.
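To make the check list and the three outcomes concrete, here is an added Python example (not PreFlight's own code, which ships as a PHP plugin) that performs several of the documented checks over constructed PHP source read purely as text: the Requires PHP header, global function collisions, hook priority conflicts, obfuscation signatures, dangerous functions and missing nonce/capability checks, and then maps the findings to ALL CLEAR, WARNINGS FOUND or CRITICAL ISSUES. The three sample files, the environment snapshot, the regexes and the severities assigned to the PHP-version and missing-security-check findings are assumptions of this example; the other severities follow the labels above.

```python
import re

# Constructed sample PHP files, read as text the way a static scanner would.
# They are written for this example and are not code from PreFlight Scanner.
CLEAN_PHP = r'''<?php
/* Requires PHP: 7.4 */
namespace DemoClean;
function demo_clean_init() {
    add_action( 'init', 'DemoClean\demo_clean_setup', 5 );
}
'''

WARNING_PHP = r'''<?php
/* Requires PHP: 7.4 */
function demo_warn_init() {
    add_filter( 'woocommerce_checkout_fields', 'demo_warn_fields', 10 );
}
function demo_warn_save() {
    $value = $_POST['demo_value'];
    update_option( 'demo_value', $value );
}
'''

CRITICAL_PHP = r'''<?php
/* Requires PHP: 8.3 */
function wc_get_order( $id ) { return $id; }
function demo_bad_run() {
    eval(base64_decode('aGVsbG8='));
    shell_exec('id');
}
'''

# Constructed "live environment" snapshot: functions and (hook, priority) pairs
# already registered by active plugins, plus the server's PHP version (assumed).
ENV = {
    "functions": {"wc_get_order", "wp_remote_get", "add_filter"},
    "hooks": {("woocommerce_checkout_fields", 10), ("init", 10)},
    "php_version": (8, 1),
}

DANGEROUS_FUNCS = ("shell_exec", "exec", "system", "passthru", "proc_open", "popen", "pcntl_exec")
OBFUSCATION_SIGS = ("eval(base64_decode(", "gzinflate(", "gzuncompress(")
GUARDS = ("check_admin_referer", "wp_verify_nonce", "current_user_can")

REQUIRES_PHP = re.compile(r"Requires PHP:\s*([\d.]+)")
NAMESPACE = re.compile(r"^\s*namespace\s+[\w\\]+\s*;", re.M)
FUNC_DEF = re.compile(r"^\s*function\s+([A-Za-z_]\w*)\s*\(", re.M)
HOOK_CALL = re.compile(r"\badd_(?:filter|action)\(\s*['\"]([^'\"]+)['\"]\s*,\s*[^,)]+(?:,\s*(\d+))?")
DANGEROUS = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(")


def _ver(text):
    """'8.1' -> (8, 1, 0): pad to three parts so '8.1' and '8.1.0' compare equal."""
    parts = [int(x) for x in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def scan_source(php, env):
    """Statically scan one PHP file (as text); return (severity, check, detail) findings."""
    findings = []
    m = REQUIRES_PHP.search(php)
    if m and _ver(".".join(map(str, env["php_version"]))) < _ver(m.group(1)):
        findings.append(("CRITICAL", "php version", f"requires {m.group(1)}"))  # severity assumed
    # Strip comments before pattern checks (demo-grade: also eats '//' inside strings).
    code = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    code = re.sub(r"//[^\n]*", "", code)
    if not NAMESPACE.search(code):              # only global-scope definitions can collide
        for name in FUNC_DEF.findall(code):
            if name in env["functions"]:
                findings.append(("CRITICAL", "function collision", name))
    for hook, prio in HOOK_CALL.findall(code):
        prio = int(prio) if prio else 10         # WordPress default priority is 10
        if (hook, prio) in env["hooks"]:
            findings.append(("WARNING", "hook priority conflict", f"{hook}@{prio}"))
    compact = re.sub(r"\s+", "", code)          # normalise spacing for signature matching
    for sig in OBFUSCATION_SIGS:
        if sig in compact:
            findings.append(("CRITICAL", "malicious pattern", sig))
    for fn in DANGEROUS.findall(code):
        findings.append(("CRITICAL", "dangerous function", fn))
    if ("$_POST" in code or "$_GET" in code) and not any(g in code for g in GUARDS):
        findings.append(("WARNING", "missing security check", "request input without nonce/capability check"))  # severity assumed
    return findings


def outcome(findings):
    """Map a file's findings to the three outcomes shown on the results page."""
    severities = {s for s, _, _ in findings}
    if "CRITICAL" in severities:
        return "CRITICAL ISSUES"
    if "WARNING" in severities:
        return "WARNINGS FOUND"
    return "ALL CLEAR"


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PHP), ("warn", WARNING_PHP), ("bad", CRITICAL_PHP)):
        found = scan_source(src, ENV)
        print(label, outcome(found), found)
```

Note that nothing here loads or evaluates PHP: every check is a regex or substring match over the file contents, which is what keeps the scan safe to run against an untrusted ZIP. The trade-off is precision; a real scanner has to tokenize PHP to tell a function definition from a string literal, and the per-file nonce check above cannot see a guard that lives in a caller.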
Upgrade to PreFlight Pro or Agency
The free version covers pre-installation scanning. Add scheduled monitoring, history, WooCommerce rules, and email alerts with a paid license.
Starter
- ✓ All 13 pre-install checks
- ✓ WooCommerce hook rules
- ✓ Scan history (50 entries)
- ✓ Email alerts
- ✓ Weekly background scans
- — Daily scans & risk score (not included)
Pro
- ✓ Everything in Starter
- ✓ Daily background scans
- ✓ Site risk score dashboard
- ✓ CSV export
- ✓ Unlimited scan history
- ✓ Use on 5 sites
Agency
- ✓ Everything in Pro
- ✓ Use on 25 sites
- ✓ Multi-site risk dashboard (soon)
- ✓ Priority support
Scheduled Background Scans
Automatically re-scan all active plugins via WP cron. Starter runs weekly; Pro and Agency unlock daily scanning for tighter coverage.
Site Risk Score
Dashboard widget showing a 0–100 risk score based on the most recent scan results across all active plugins.
WooCommerce Rules
Deeper hook conflict detection targeting checkout, cart, pricing, and payment filter hooks where conflicts cause silent failures.
Scan History & CSV Export
Every scan is saved and browsable. Filter by status, view full results for any past scan, and export to CSV for client reports.
Email Alerts
Get notified by email when a scheduled scan finds critical issues or warnings — configurable threshold and recipient.
Multi-Site Management
Central risk dashboard across all your WordPress installations — coming in a future Pro update.
Frequently Asked Questions
Does PreFlight Scanner execute the uploaded plugin's code?
No. All analysis is purely static — the plugin's PHP files are read as plain text. The uploaded ZIP is extracted to a protected directory inside wp-content/uploads/ that is blocked from web access via .htaccess. No class is loaded, no function is called, no hook is registered.
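As an added illustration, not PreFlight's own file, this is the kind of .htaccess rule that blocks all web access to such a directory on Apache 2.4; the directory path in the comment is a placeholder:

```apache
# Placeholder location: wp-content/uploads/<scanner-temp-dir>/.htaccess
# Apache 2.4 syntax. Apache 2.2 used "Order deny,allow" followed by "Deny from all".
Require all denied
```

An .htaccess file is only honoured when Apache's AllowOverride setting permits it, and nginx and other servers ignore .htaccess entirely, so on those hosts the same deny rule has to live in the server configuration. A quick way to confirm the protection is in place is to request a file you know exists under that directory and check that the server answers 403 rather than serving it.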
Is the free version on WordPress.org feature-complete?
Yes. All 13 pre-installation checks are included in the free WordPress.org version. A paid license adds WooCommerce-specific hook rules, scan history, email alerts, and weekly scheduled scans (Starter) or daily scans, a site risk score, and CSV export (Pro/Agency).
Can I still install a plugin that shows warnings?
Yes. Warnings are advisory. The install button remains available. The scan gives you the information to make an informed decision — you decide whether the warnings are acceptable for your site.
What user role is needed to use PreFlight Scanner?
The install_plugins capability, which is reserved for Administrators by default. Non-admin users cannot access the scanner page.
Does it send any data to external servers?
No. Every check runs locally on your own server. No plugin data, scan results, or file contents leave your WordPress installation.
What happens to the uploaded ZIP after scanning?
The ZIP is deleted immediately after extraction. The extracted files are kept in a protected temporary directory for 5 minutes — long enough for you to review and install, after which they are automatically cleaned up.
Never Install Blind Again
Free on WordPress.org — or upgrade to Starter, Pro, or Agency for scheduled monitoring, history, and WooCommerce rules.