Fast, zero-dependency WordPress performance analyzer that catches critical issues before they crash your site.
Versioning: See
dist/README.mdfor the current released version. The version in the dist README (and the main bash script header) is the canonical source of truth.
WordPress sites fail in production because of performance antipatterns that slip through code review:
- 🔥 Unbounded queries (
posts_per_page => -1) that fetch 50,000 posts and crash the server - 🐌 N+1 query patterns that turn 1 request into 1,000 database calls
- 💥 Missing capability checks that let subscribers delete your entire site
- 🔐 Insecure deserialization that opens remote code execution vulnerabilities
- 🧲 Debug code in production (
var_dump,console.log) that exposes sensitive data
WP Code Check catches these issues in seconds — before they reach production.
Prefer working directly in the terminal? We've got you covered with a streamlined shell experience:
👉 Shell Quick Start Guide - One-command installation, tab completion, and shell-first workflows
# One-command install
git clone https://github.com/Hypercart-Dev-Tools/WP-Code-Check.git
cd WP-Code-Check
./install.sh
# Then just:
wpcc ~/my-pluginFeatures for shell users:
- ✅ Automated installation with
install.sh - ✅ Tab completion for all options
- ✅
wpccprimary alias (withwp-checkfor backward compatibility) - ✅ AI-powered triage with
--ai-triageflag - ✅ Enhanced
--helpwith examples
Time to first scan: 30 seconds (vs. 5 minutes manual setup)
If you're using an AI coding assistant (Cursor, GitHub Copilot, Augment, etc.):
- Open
dist/TEMPLATES/_AI_INSTRUCTIONS.mdin your editor - Ask your AI: "Please review this document and what can I do with this tool?"
- For automated workflows, ask: "Run template [name] end to end"
Your AI agent will guide you through:
- Phase 1: Scanning WordPress plugins/themes (with template auto-completion)
- Phase 2: AI-assisted triage to identify false positives
- Phase 3: Automated GitHub issue creation
See AI Instructions for the complete end-to-end workflow.
| Feature | WP Code Check | WPCS | PHPStan-WP |
|---|---|---|---|
| Zero dependencies | ✅ Bash + grep only | ❌ Requires PHP, Composer | ❌ Requires PHP, Composer |
| Runs anywhere | ✅ Local, CI/CD, any OS | ||
| WordPress-specific | ✅ WP performance focus | ||
| Speed | ✅ Scans 10K files in <5s | ||
| Production-tested | ✅ Real-world patterns | ✅ Industry standard | ✅ Type-focused |
| AI Supercharged | ✅ Built-in AI-assisted triage | ❌ No AI support | ❌ No AI support |
Choose the installation method that best fits your workflow:
Best for: Users who only need WP Code Check
# Clone the repository
git clone https://github.com/Hypercart-Dev-Tools/WP-Code-Check.git
cd WP-Code-Check
# Run installer (sets up wpcc and wp-check aliases)
./install.sh
# Then use the wpcc command
wpcc /path/to/your/plugin
# Or use the full path
./dist/bin/check-performance.sh --paths /path/to/your/pluginBest for: Teams using AI coding assistants, developers managing multiple WordPress projects, or anyone who wants a centralized toolkit
What is AI-DDTK? AI-DDTK (AI Driven Development ToolKit) is a centralized toolkit that includes WP Code Check plus additional WordPress development tools, all accessible from a single installation.
Installation:
# Clone AI-DDTK to your bin directory
git clone https://github.com/Hypercart-Dev-Tools/AI-DDTK.git ~/bin/ai-ddtk
cd ~/bin/ai-ddtk
# Run installer (adds tools to PATH)
./install.sh
# Activate in current shell
source ~/.zshrc # or ~/.bashrc
# Verify - wpcc is now available globally
wpcc --help
wpcc --features # See all available featuresWhat You Get with AI-DDTK:
| Tool | Description | Value |
|---|---|---|
| WP Code Check | Full scanner with MCP, AI Triage, GitHub Issues | All WPCC features automatically |
Global wpcc command |
Call from any directory | No need to remember paths |
| AI Agent Guidelines | AGENTS.md v2.4.0 with Phase 1-4 workflows | Structured AI-assisted scanning |
| local-wp wrapper | WP-CLI for Local by Flywheel sites | Simplified database queries |
| WP AJAX Test | AJAX endpoint testing without browser | Fast endpoint validation |
| Playwright integration | Browser automation for E2E tests | Visual regression testing |
| Fix-Iterate Loop | Autonomous test-verify-fix pattern | AI-driven debugging workflow |
| PHPStan recipes | WordPress/WooCommerce setup guides | Static analysis integration |
| One-command updates | ./install.sh update-wpcc |
Always get latest WPCC |
Key Benefits:
✅ Centralized Toolkit - One installation, multiple tools
✅ AI-Optimized - Built for Claude Code, Cursor, Augment, GitHub Copilot
✅ Global Access - wpcc command works from any project directory
✅ Automatic Updates - Pull latest WPCC with one command
✅ Workflow Automation - Pre-built patterns for common tasks
✅ Zero Conflicts - Tools are isolated, won't interfere with project dependencies
How It Works:
AI-DDTK embeds WP Code Check via git subtree, so you get the complete, official WPCC with all features (MCP server, AI triage, GitHub issue creation) automatically. The wpcc wrapper provides convenient global access while keeping WPCC self-contained.
Example Workflow:
# Scan any plugin from any directory
cd ~/projects/client-site
wpcc ./wp-content/plugins/custom-plugin
# Use AI agent for end-to-end workflow
# Ask your AI: "Run a full scan with triage on this plugin"
# AI will execute Phase 1-4 automatically using AGENTS.md guidelines
# Update to latest WPCC
cd ~/bin/ai-ddtk
./install.sh update-wpccWhen to Choose AI-DDTK:
- ✅ You use AI coding assistants (Claude Code, Cursor, Augment, etc.)
- ✅ You manage multiple WordPress projects
- ✅ You want a centralized development toolkit
- ✅ You need WP-CLI, AJAX testing, or browser automation
- ✅ You prefer global commands over remembering paths
When to Choose Standalone:
- ✅ You only need WP Code Check
- ✅ You prefer minimal installations
- ✅ You're integrating WPCC into CI/CD pipelines
- ✅ You want direct control over the WPCC repository
Learn More: AI-DDTK Repository
━━━ CRITICAL CHECKS (will fail build) ━━━
▸ Unbounded posts_per_page [CRITICAL]
✗ FAILED
./includes/query-helpers.php:45: 'posts_per_page' => -1
▸ Debug code in production [CRITICAL]
✗ FAILED
./admin/js/admin.js:293: debugger;
━━━ SUMMARY ━━━
Errors: 2
Warnings: 0
✗ Check failed with 2 error(s)
WP Code Check provides two complementary analysis tools for complete coverage:
- 30+ WordPress-specific checks in under 5 seconds
- Critical: Unbounded queries, insecure deserialization, localStorage sensitive data, client-side serialization, direct database queries without $wpdb->prepare()
- High: Direct superglobal manipulation, unsanitized superglobal read, admin functions without capability checks, WooCommerce N+1 patterns, AJAX without nonce validation, unbounded SQL, expensive WP functions in polling
- Medium: N+1 patterns, transients without expiration, HTTP requests without timeout, unsafe RegExp construction, PHP short tags, WooCommerce Subscriptions queries without limits
- Low: Timezone-sensitive patterns
See full check list.
- 6 architectural rules that catch design-level antipatterns
- Duplication detection: Find duplicate functions across files
- State management: Catch direct state mutations bypassing handlers
- Configuration centralization: Eliminate magic strings and hardcoded values
- Query optimization: Context-aware N+1 detection in loops
- Error handling: Ensure graceful failure for HTTP/file operations
- Production readiness: Flag debug code and TODO comments
⚠️ Experimental: Functional but may have false positives. Best for code reviews and learning. See experimental README for complete usage guide.
See Golden Rules documentation.
# Human-readable text (default)
./dist/bin/check-performance.sh --paths .
# JSON for CI/CD integration
./dist/bin/check-performance.sh --paths . --format json
# Auto-generated HTML reports
# Opens in browser automatically (local development)- When you run with
--format jsonand logging enabled (i.e., without--no-log), WP Code Check writes a JSON log file todist/logs/YYYY-MM-DD-HHMMSS-UTC.json. - As of version 1.3.36, these log files contain a single valid JSON document suitable for direct consumption by tools like the HTML report generator and AI agents.
- Logs generated by versions before 1.3.36 may include non-JSON lines (for
example Python tracebacks or
/dev/ttyerrors) before the JSON payload. If you must parse an older log, strip all lines before the first{or re-run the scan with a newer version of WP Code Check.
Manage technical debt in legacy codebases:
# Generate baseline from current state
./dist/bin/check-performance.sh --paths . --generate-baseline
# Future scans only report NEW issues
./dist/bin/check-performance.sh --paths .Save scan configurations for frequently-checked projects:
# Create template (AI agents can auto-complete metadata)
./dist/bin/run my-plugin
# Reuse template
./dist/bin/run my-pluginAI Agent Features:
- ✅ Auto-completion - AI extracts plugin name, version, and GitHub repo from headers
- ✅ Template Variations - Handles hyphens, underscores, spaces in filenames
- ✅ GitHub Integration - Optional
GITHUB_REPOfield for automated issue creation
See HOWTO-TEMPLATES.md for manual usage or AI Instructions - Phase 1b for AI-assisted template creation.
Validate findings and identify false positives with AI assistance:
# After running a scan, use AI to triage the results
# AI analyzes the JSON log and provides:
# - Summary stats (reviewed, confirmed, false positives)
# - Overall narrative assessment
# - Recommendations for next stepsFeatures:
- ✅ False Positive Detection - Identifies common false positives (e.g.,
phpcs:ignorecomments, adjacent sanitization) - ✅ Confidence Scoring - Rates overall assessment confidence (high/medium/low)
- ✅ Actionable Recommendations - Prioritized list of issues to fix
- ✅ Executive Summary - 3-5 paragraph narrative for stakeholders
- ✅ TL;DR Format - Summary appears at top of HTML report for quick review
Workflow:
- Run scan with template:
./dist/bin/run [template-name] - AI agent analyzes findings and updates JSON with
ai_triagesection - HTML report regenerated with AI summary at top
- Optionally create GitHub issue with confirmed findings
See AI Instructions - Phase 2 for detailed triage workflow and common false positive patterns.
Run AI-powered triage directly from the command line with Claude Code integration:
# Basic usage - auto-detect and run AI triage
wpcc ~/my-plugin --ai-triage
# Explicit Claude backend with custom timeout
wpcc ~/my-plugin --ai-triage --ai-backend claude --ai-timeout 600
# With verbose output to see progress
wpcc ~/my-plugin --ai-triage --ai-verbose
# Limit AI analysis to top 50 findings
wpcc ~/my-plugin --ai-triage --ai-max-findings 50
# Combine with other options
wpcc ~/my-plugin --format json --ai-triage --ai-verboseNew CLI Flags:
| Flag | Description | Default |
|---|---|---|
--ai-triage |
Enable AI-powered finding analysis | Disabled |
--ai-backend <name> |
Backend: claude or fallback |
auto (detect) |
--ai-timeout <seconds> |
AI analysis timeout | 300 |
--ai-max-findings <n> |
Max findings to analyze | 200 |
--ai-verbose |
Show AI triage progress | Disabled |
How It Works:
- Deterministic Scan - WP Code Check runs the standard pattern-based analysis
- AI Triage - If
--ai-triageenabled:- Detects available backends (Claude Code CLI, fallback)
- Sends findings to Claude for classification
- Falls back to built-in
ai-triage.pyif Claude unavailable
- JSON Update - AI results injected into JSON log with
ai_triagesection - HTML Regeneration - Report automatically regenerated with AI analysis
Features:
- ✅ Claude Code Integration - Uses Claude Code CLI for advanced analysis (if available)
- ✅ Graceful Fallback - Automatically falls back to built-in Python triage if Claude unavailable
- ✅ Timeout Handling - Prevents hanging on slow AI analysis (configurable)
- ✅ JSON Persistence - AI results saved in JSON log for reproducibility
- ✅ Automatic HTML Update - Reports include AI classification and confidence scores
- ✅ Extensible Architecture - Ready for OpenAI, Ollama, and custom backends
Example Output:
{
"ai_triage": {
"triaged_findings": [
{
"finding_key": {"id": "unbounded-query", "file": "query.php", "line": 45},
"classification": "Confirmed",
"confidence": "high",
"rationale": "posts_per_page => -1 will fetch all posts without limit"
}
],
"summary": {
"confirmed_issues": 8,
"false_positives": 2,
"needs_review": 1,
"confidence_level": "high"
},
"recommendations": [
"Priority 1: Fix unbounded queries (8 issues)",
"Priority 2: Review capability checks (1 issue)"
]
}
}Requirements:
- For Claude backend: Claude Code CLI v1.0.88+ installed (
claude --version) - For fallback: Built-in
ai-triage.py(always available)
Troubleshooting:
# Check if Claude CLI is available
command -v claude && echo "Claude CLI found" || echo "Claude CLI not found"
# Check Claude version
claude --version
# If Claude unavailable, fallback will be used automatically
# To force fallback explicitly:
wpcc ~/my-plugin --ai-triage --ai-backend fallbackAutomatically create GitHub issues from scan results with AI triage data:
# Create issue from latest scan (specify repo)
./dist/bin/create-github-issue.sh \
--scan-id 2026-01-12-155649-UTC \
--repo owner/repo
# Or use template's GitHub repo (if GITHUB_REPO is set in template)
./dist/bin/create-github-issue.sh --scan-id 2026-01-12-155649-UTC
# Generate issue body without creating (no repo needed)
# Useful for manual issue creation or when repo is not specified
./dist/bin/create-github-issue.sh --scan-id 2026-01-12-155649-UTC
# → Saves to dist/issues/GH-issue-2026-01-12-155649-UTC.mdFeatures:
- ✅ Auto-formatted Issues - Clean, actionable GitHub issues with checkboxes
- ✅ AI Triage Integration - Shows confirmed issues vs. needs review
- ✅ Template Integration - Reads GitHub repo from project templates (optional)
- ✅ Interactive Preview - Review before creating the issue
- ✅ Graceful Degradation - Works without GitHub repo (generates issue body only)
- ✅ Persistent Issue Files - Saves to
dist/issues/with matching filename pattern for easy manual copy/paste - ✅ Multi-Platform Support - Use issue bodies in Jira, Linear, Asana, Trello, etc.
Requirements:
- GitHub CLI (
gh) installed and authenticated (only for automated creation) - Scan with AI triage data (recommended for best results)
See AI Instructions - Phase 3 for complete workflow and error handling.
WP Code Check supports the Model Context Protocol (MCP), allowing AI assistants like Claude Desktop and Cline to directly access scan results.
Quick Start:
# 1. Install Node.js dependencies
npm install
# 2. Configure Claude Desktop (macOS)
# Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"wp-code-check": {
"command": "node",
"args": ["/absolute/path/to/wp-code-check/dist/bin/mcp-server.js"]
}
}
}
# 3. Run a scan
./dist/bin/check-performance.sh --paths /path/to/plugin
# 4. Ask Claude: "Show me the latest WP Code Check scan results"Features:
- ✅ Direct AI Access - AI assistants can read scan results without copy/paste
- ✅ Latest Scan Resource -
wpcc://latest-scanreturns most recent JSON - ✅ Historical Scans -
wpcc://scan/{id}accesses specific scans - ✅ HTML Reports -
wpcc://latest-reportreturns formatted reports - ✅ Zero Config - Works with existing JSON output
Supported AI Tools:
- Claude Desktop (macOS, Windows)
- Cline (VS Code extension)
- Any MCP-compatible AI assistant
Developer Guide:
For AI agents using MCP:
// Read latest scan
const scan = await readResource("wpcc://latest-scan");
// Parse findings
const findings = JSON.parse(scan.text).findings;
// Analyze critical issues
const critical = findings.filter(f => f.severity === "CRITICAL");See PROJECT/1-INBOX/PROJECT-MCP.md for complete MCP documentation.
AI Agent Instructions:
When analyzing WP Code Check results via MCP:
- Read
wpcc://latest-scanfor JSON data - Check
ai_triagefield for confirmed vs. false positives - Prioritize CRITICAL and HIGH severity findings
- Suggest fixes with code examples
- Reference specific file paths and line numbers
For complete AI triage workflow and false positive detection patterns, see AI Instructions.
WP Code Check is a complete code quality suite with multiple specialized tools:
| Tool | Type | Purpose | Speed |
|---|---|---|---|
| Quick Scanner | Bash | 30+ WordPress antipatterns | <5s |
| JSON to HTML Converter | Python | Beautiful HTML reports from scan logs | <1s |
| GitHub Issue Creator | Bash | Auto-create GitHub issues from scan results | <2s |
| Slack Integration | Bash | CI/CD notifications | Instant |
| Baseline Manager | Built-in | Track technical debt over time | N/A |
| Project Templates | Built-in | Save scan configurations | N/A |
| Tool | Type | Purpose | Speed | Status |
|---|---|---|---|---|
| Golden Rules Analyzer | PHP | 6 architectural rules with semantic analysis | ~10-30s | Experimental - may have false positives |
Choose your workflow:
- Fast CI/CD: Quick Scanner only (zero dependencies, stable)
- Deep Review: Quick Scanner + Golden Rules (experimental)
- Legacy Audit: Quick Scanner + Baseline + Golden Rules (experimental)
All scan outputs are organized in the dist/ directory:
| Directory | Contents | Git Tracked | Purpose |
|---|---|---|---|
dist/logs/ |
JSON scan results (*.json) |
❌ No | Machine-readable scan data |
dist/reports/ |
HTML reports (*.html) |
❌ No | Human-readable scan reports |
dist/issues/ |
GitHub issue bodies (GH-issue-*.md) |
❌ No | Manual copy/paste to GitHub or project management apps |
dist/TEMPLATES/ |
Project templates (*.txt) |
✅ Yes | Reusable scan configurations |
Filename Pattern: All outputs use matching UTC timestamps for easy correlation:
dist/logs/2026-01-13-031719-UTC.json
dist/reports/2026-01-13-031719-UTC.html
dist/issues/GH-issue-2026-01-13-031719-UTC.md
name: WP Code Check
on: [push, pull_request]
jobs:
quick-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Quick Scan
run: |
git clone https://github.com/Hypercart-Dev-Tools/WP-Code-Check.git
./WP-Code-Check/dist/bin/check-performance.sh --paths . --format json --strict
deep-analysis:
runs-on: ubuntu-latest
needs: quick-scan
steps:
- uses: actions/checkout@v3
- name: Golden Rules Analysis (Experimental)
run: |
git clone https://github.com/Hypercart-Dev-Tools/WP-Code-Check.git
php ./WP-Code-Check/dist/bin/experimental/golden-rules-analyzer.php . --fail-on=errorwp-code-check:
script:
- git clone https://github.com/Hypercart-Dev-Tools/WP-Code-Check.git
- ./WP-Code-Check/dist/bin/check-performance.sh --paths . --format json- User Guide - Complete command reference and examples (includes canonical version number)
- Template Guide - Project template system
- Changelog - Version history and development progress
- AI Agent Guide - WordPress development guidelines for AI assistants
- Disclosure Policy - Responsible disclosure and public report publication policy
# Basic scan
./dist/bin/check-performance.sh --paths /path/to/plugin
# JSON output for CI/CD
./dist/bin/check-performance.sh --paths . --format json
# Strict mode (warnings fail the build)
./dist/bin/check-performance.sh --paths . --strict
# Generate baseline for legacy code
./dist/bin/check-performance.sh --paths . --generate-baseline
# Verbose output (show all findings)
./dist/bin/check-performance.sh --paths . --verbose
# Disable logging
./dist/bin/check-performance.sh --paths . --no-logWe welcome contributions! Please see CONTRIBUTING.md for guidelines.
Note: Contributors must sign a Contributor License Agreement (CLA) before their first pull request can be merged. This is a one-time process that ensures legal clarity for the dual-license model.
WP Code Check is dual-licensed:
The core tool is licensed under the Apache License 2.0, which means:
- ✅ Free for everyone - Use for personal or commercial projects
- ✅ Modify and distribute - Fork, customize, and share
- ✅ Patent protection - Includes explicit patent grant
- ✅ No restrictions - Use in proprietary software
See LICENSE for full terms.
For organizations that need priority support, advanced features, or SLA guarantees, we offer commercial licenses:
- 🎯 Priority Support - Guaranteed response times, dedicated channels
- 🚀 Advanced Features - Custom rules, white-label reports, team collaboration
- 🏢 Enterprise Features - SSO, audit logs, on-premise deployment
- 📊 Service Level Agreements - Uptime guarantees and compliance support
See LICENSE-COMMERCIAL.md for details and pricing.
Contact: noel@hypercart.io
Repository: github.com/Hypercart-Dev-Tools/AI-DDTK
AI-DDTK is a centralized toolkit that embeds WP Code Check (via git subtree) along with other WordPress development tools. It's designed for AI-driven workflows and provides:
- Global
wpcccommand - Access WP Code Check from any directory - AI Agent Guidelines - Structured workflows for Claude Code, Cursor, Augment, etc.
- Additional Tools - local-wp (WP-CLI wrapper), WP AJAX Test, Playwright integration
- One-Command Updates -
./install.sh update-wpccpulls latest WPCC - Workflow Patterns - Fix-Iterate Loop, PHPStan recipes, and more
How It Works:
AI-DDTK uses git subtree to embed the complete WP Code Check repository at tools/wp-code-check/. This means:
- ✅ You get the official, unmodified WPCC with all features (MCP, AI Triage, GitHub Issues)
- ✅ Updates are pulled directly from the WPCC repository
- ✅ WPCC remains self-contained and can be used standalone
- ✅ The
bin/wpccwrapper provides convenient global access
When to Use AI-DDTK:
Choose AI-DDTK if you:
- Use AI coding assistants for WordPress development
- Manage multiple WordPress projects
- Want a centralized toolkit with multiple tools
- Prefer global commands over remembering paths
When to Use Standalone WPCC:
Choose standalone WPCC if you:
- Only need the code scanner
- Prefer minimal installations
- Are integrating into CI/CD pipelines
- Want direct control over the repository
Both options give you the same WP Code Check features - the difference is in how you access them.
WP Code Check is developed by Hypercart, a DBA of Neochrome, Inc.
- 🌐 Website: WPCodeCheck.com
- 📧 Support: noel@hypercart.io
- 🐛 Issues: GitHub Issues
Made with ❤️ for the WordPress community