A smart WordPress code health analyzer. Scans custom plugins and themes for security issues, PHP 8 compatibility, performance problems, and more.
- Smart Plugin Detection - Auto-detects WordPress.org plugins vs custom code
- Security Analysis - SQL injection, missing nonces, capability checks, XSS
- PHP 8 Compatibility - Null safety issues, deprecated functions
- Performance Audits - N+1 queries, uncached remote requests
- Health Score - 0-100 score for quick assessment
- Claude Code Integration - Auto-configures permissions for AI-assisted fixing
```bash
git clone https://github.com/accentdesign/wp-doctor.git
cd wp-doctor
./wp-doctor-setup
```

This checks prerequisites (PHP, Node.js, Composer), installs dependencies, and creates the MCP config.

Then start Claude:

```bash
claude
```

Say anything (like "go" or "hi") and Claude will:
- Ask for your WordPress installation path
- Scan your custom plugins and active theme
- Show issues and offer to fix them
```bash
git clone https://github.com/accentdesign/wp-doctor.git
cd wp-doctor
composer install
php bin/wp-doctor scan /path/to/wordpress/wp-content
```

```bash
# Non-interactive mode (for CI/scripts)
php bin/wp-doctor scan /path/to/wp-content --non-interactive

# JSON output for automation
php bin/wp-doctor scan /path/to/wp-content --format=json
```

WP Doctor automatically detects plugins from WordPress.org and skips them. For custom plugins, it will prompt you to classify them:
```bash
# Detect unclassified plugins (outputs JSON)
php bin/wp-doctor detect /path/to/wp-content

# Set plugin classification
php bin/wp-doctor set-plugin /path/to/wp-content my-plugin custom
php bin/wp-doctor set-plugin /path/to/wp-content some-lib third-party

# Set active theme
php bin/wp-doctor set-theme /path/to/wp-content theme-name
```

```bash
# Default: Custom plugins + active theme only
php bin/wp-doctor scan /path/to/wp-content

# Scan ALL plugins (including third-party)
php bin/wp-doctor scan /path/to/wp-content --all
```

WP Doctor calculates a health score from 0-100:

| Score | Rating | Description |
|---|---|---|
| 90-100 | Great | Minor or no issues |
| 70-89 | Good | Some issues to address |
| 50-69 | Fair | Needs attention |
| 0-49 | Poor | Significant problems |
Scoring Formula:
- Each error rule type: -1.5 points
- Each warning rule type: -0.75 points
- SQL injection vulnerabilities
- Missing nonce verification
- Missing capability checks on AJAX handlers
- Debug code in production
- Null passed to count(), strlen(), etc.
- Deprecated functions
- Type safety issues
- N+1 query patterns
- Uncached remote requests
- Inefficient database queries
- WordPress coding standards
- Hook usage problems
- Dead code detection
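
The first three security checks listed above (SQL injection, missing nonce verification, missing capability checks on AJAX handlers) often appear together in a single custom AJAX handler. The following is an added example, not code from WP Doctor or its rule set: a hypothetical handler before and after hardening. The `myplugin_*` names, the notes table and the `manage_options` capability are assumptions, and the file is assumed to be loaded by WordPress.

```php
<?php
// Added example for a hypothetical custom plugin; every myplugin_* name is made up.
// Assumes WordPress is loaded, which provides $wpdb and the functions called below.

// Before: no nonce check, no capability check, request input concatenated into SQL.
// Shown for comparison only, so it is deliberately not registered with add_action().
function myplugin_delete_note_insecure() {
    global $wpdb;
    $id = $_POST['id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_notes WHERE id = $id" );
    wp_send_json_success();
}

// After: the same handler with each gap closed.
add_action( 'wp_ajax_myplugin_delete_note', 'myplugin_delete_note' );
function myplugin_delete_note() {
    global $wpdb;

    // Nonce: rejects requests that did not originate from our own form or script.
    // check_ajax_referer() stops the request if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'myplugin_delete_note', 'nonce' );

    // Capability: wp_ajax_* only guarantees a logged-in user, not an authorized one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Input: coerce to a non-negative integer and reject a missing or zero id.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 );
    }

    // SQL: $wpdb->delete() binds the WHERE value using the given format (%d)
    // instead of interpolating it into the query string.
    $deleted = $wpdb->delete(
        "{$wpdb->prefix}myplugin_notes",
        array( 'id' => $id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```
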
WP Doctor stores configuration in .wp-doctor/ in your project root:
- `plugins.json` - Plugin classifications and active theme

On first run, it also creates:

- `.claude/settings.local.json` - Claude Code permissions
- `.gitignore` entry for `.wp-doctor/`

WP Doctor includes an MCP server that gives Claude direct access to scanning tools:
- `wp_doctor_scan` - Full health scan
- `wp_doctor_check_file` - Check a specific file
- `wp_doctor_preview_fixes` - Preview auto-fixes
- `wp_doctor_apply_fixes` - Apply fixes

Run ./wp-doctor-setup once, then claude to start. Claude handles the rest.
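```bash
# Fail if score below 80
score=$(php bin/wp-doctor scan /path/to/wp-content --format=json --non-interactive | jq -r '.score.score | floor')
# Fail closed if the scan produced no numeric score (empty, null, or an error message)
case "$score" in ''|*[!0-9]*) echo "Could not read health score"; exit 1 ;; esac
if [ "$score" -lt 80 ]; then
  echo "Health score $score is below threshold"
  exit 1
fi
```

WP Doctor is completely safe: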
- Read-only - Scanning never modifies any files
- No database access - Never touches the database
- No remote calls - Works entirely offline
- Skips vendored code - Ignores vendor/, node_modules/, etc.
- PHP 7.4 or higher
- Node.js (for MCP server)
- Composer (for installation)
- Claude Code (for AI-assisted workflow)
MIT - see LICENSE
Built by Accent Design