PreFlight Scanner
Scan any plugin ZIP for PHP conflicts, class/function collisions, hook priority conflicts, and malicious code — before installing.
PreFlight Scanner lets you upload any plugin .zip and run a comprehensive static safety scan before it ever touches your live WordPress environment. No plugin code is executed during the scan.
One bad plugin can white-screen an entire e-commerce store. PreFlight catches the problems before they happen.
What PreFlight Scanner checks
Version Compatibility
- PHP version compatibility — reads the plugin header and detects modern syntax your server cannot run (match expressions, nullsafe operators, typed properties, arrow functions, etc.)
- WordPress version compatibility — validates Requires At Least and Tested Up To headers against the running site
Collision Detection
- Function name collisions — detects global functions that already exist in the active environment; a guaranteed PHP fatal error
- Class name collisions — same result, often harder to diagnose
- Hook priority conflicts — two plugins registering the same add_filter() hook at the same priority silently overwrite each other’s return value; a common source of checkout and pricing bugs on WooCommerce sites
Security — Critical
- Obfuscated and malicious code patterns (eval/base64, compressed payloads, preg_replace /e modifier, large base64 blobs)
- Dangerous PHP functions — shell_exec, exec, system, passthru, proc_open, popen, pcntl_exec
- Suspicious file types inside the ZIP — .exe, .sh, .bat, .cmd, .py, .rb, .pl, .vbs
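An added sketch of the kind of static check listed above, in Python; it is not PreFlight Scanner's own code. The extension and function lists come from this page, while the function names, the 512-character blob threshold, the 2 MB read limit, the decoder names and the PHP extension set are assumptions. Matching is line-based regex, so comments and string literals can produce false positives.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extension and function lists are the ones named in the checks above.
SUSPICIOUS_EXT = {".exe", ".sh", ".bat", ".cmd", ".py", ".rb", ".pl", ".vbs"}
DANGEROUS = "shell_exec|exec|system|passthru|proc_open|popen|pcntl_exec"
MAX_BYTES = 2_000_000  # assumed per-file read limit, guards against oversized members
RULES = [
    # Lookbehind skips method calls ($db->exec), static calls and names like curl_exec.
    ("dangerous-function", re.compile(rf"(?<![\w>:$])({DANGEROUS})\s*\(", re.I)),
    ("eval-of-decoded-data", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace-/e", re.compile(r"preg_replace\s*\(\s*(['\"])(.).*?\2[a-z]*e[a-z]*\1", re.I)),
    # Assumption: 512+ contiguous base64 characters counts as a "large" blob.
    ("large-base64-blob", re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")),
]


def scan_zip(data: bytes) -> list[tuple[str, int, str]]:
    """Return (path, line, rule) findings; members are read, never extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SUSPICIOUS_EXT:
                findings.append((info.filename, 0, "suspicious-file-type"))
            if ext not in {".php", ".phtml", ".inc"}:
                continue
            if info.file_size > MAX_BYTES:
                findings.append((info.filename, 0, "oversized-not-scanned"))
                continue
            text = zf.read(info).decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for rule, rx in RULES:
                    if rx.search(line):
                        findings.append((info.filename, lineno, rule))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/demo.php", "<?php\n$r = curl_exec($ch);\n$db->exec($sql);\nsystem($cmd);\n")
        zf.writestr("demo/inc/loader.php", "<?php\neval(base64_decode($blob));\n$s = preg_replace('/x/ie', $a, $b);\n")
        zf.writestr("demo/bin/setup.sh", "#!/bin/sh\n")
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` flags the `system()` call, the `eval(base64_decode(...))` line, the `/e` modifier and the `.sh` file, while `curl_exec()` and `$db->exec()` are left alone.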
Warnings & Best Practices
- Missing PHP namespaces — files that define global functions or classes without a namespace declaration are at elevated collision risk as the site grows
- Deprecated WordPress functions — code that generates notices or breaks on current and future WordPress versions
- Suspicious outbound HTTP calls — wp_remote_get/post(), curl_exec(), file_get_contents() with hardcoded external URLs
- Direct database queries — raw $wpdb->query() and string-concatenated SELECT statements that risk SQL injection
- Missing nonce and capability checks — files that read $_POST/$_GET without check_admin_referer() or current_user_can()
After the scan
- ALL CLEAR — one click to install immediately, then activate from the Plugins page.
- WARNINGS FOUND — advisory issues; review and decide whether to proceed.
- CRITICAL ISSUES — a confirmation dialog warns you before proceeding; installing is strongly discouraged.
Privacy
PreFlight Scanner performs all analysis locally on your own server. No data is sent anywhere. No external HTTP requests are made.
PreFlight Pro
Upgrade to PreFlight Pro for continuous monitoring of your already-installed plugins:
- Scheduled background scans — automatically re-scan all active plugins daily or weekly
- Site risk score — dashboard widget with a 0–100 risk score across all active plugins
- WooCommerce hook rules — deeper conflict detection for checkout, cart, pricing, and payment hooks
- Scan history — every scan saved and browsable with full results
- Email alerts — get notified when a scheduled scan finds critical issues or warnings
- CSV export — export scan history for client reports
Lite ($39 / 1 site) • Plus ($79 / 3 sites) • Pro ($149 / unlimited sites)
