WordPress SQL Injection Scanner
SQL injection is the most common way WordPress sites get compromised. Custom themes and plugins often pass $_GET, $_POST, or $_COOKIE values directly into database queries without sanitization. WP Scan scans every PHP file for these patterns: direct string concatenation into $wpdb queries, unsafe use of $wpdb->query() with user input, and missing prepare() calls where they're needed.
What WP Scan detects
- ✓ Unsanitized $_GET/$_POST/$_COOKIE in $wpdb queries
- ✓ String concatenation directly into SQL without prepare()
- ✓ Missing or incorrect use of $wpdb->prepare()
- ✓ Unsafe ORDER BY and LIMIT clauses from user input
- ✓ Second-order injection patterns in stored data
- ✓ Custom PDO/mysqli queries without parameterization
Scan your WordPress files now — free
Want to see what a Premium report looks like?
View a real scan with line numbers, fix guides, and secure code for every finding.
Common questions
Not if used correctly. $wpdb->prepare() with placeholders is safe. WP Scan flags the unsafe patterns: where user input touches a query without going through prepare() or proper sanitization functions like absint() or sanitize_text_field() + esc_sql().
WordPress's own queries are safe. The risk is in custom code in themes and plugins that build queries manually.
Always use $wpdb->prepare() with %d, %s, or %f placeholders. Never concatenate user input into query strings. For IDs, use absint() as a first-pass sanitizer before prepare().
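As an added example (not WP Scan's code and not WordPress core code), here is the concatenation pattern the scanner flags next to a hardened version of the same query. It assumes it runs inside WordPress with the global $wpdb loaded; the table name, request parameters and function names are made up. It also goes one step beyond the answer above: ORDER BY column names and direction cannot be bound with prepare() placeholders, so they are mapped through an allowlist instead.

```php
<?php
// Added example; assumes WordPress is loaded so the global $wpdb exists.
// Table "tickets" and all parameter/function names are hypothetical.

// VULNERABLE: request values concatenated straight into the SQL string.
// This is exactly the pattern that gets flagged.
function example_vulnerable_lookup() {
    global $wpdb;
    $author = $_GET['author'];
    $sort   = $_GET['sort'];
    $sql    = "SELECT * FROM {$wpdb->prefix}tickets WHERE author_id = " . $author
            . " ORDER BY " . $sort;
    return $wpdb->get_results( $sql );
}

// HARDENED: absint() for the ID, prepare() with %d/%s placeholders for
// values, and an allowlist for ORDER BY. prepare() cannot bind identifiers:
// a %s placeholder would quote the column name as a string literal.
function example_hardened_lookup() {
    global $wpdb;

    // Values: sanitize first, then bind through prepare().
    $author = absint( $_GET['author'] ?? 0 );
    $status = sanitize_text_field( wp_unslash( $_GET['status'] ?? 'open' ) );
    $limit  = min( absint( $_GET['limit'] ?? 20 ), 100 ); // cap page size

    // Identifiers: map user input onto fixed column names; never bind them.
    $allowed_sort = array( 'created' => 'created_at', 'title' => 'title' );
    $sort_key     = sanitize_key( $_GET['sort'] ?? 'created' );
    $order_by     = $allowed_sort[ $sort_key ] ?? 'created_at';
    $direction    = ( sanitize_key( $_GET['dir'] ?? 'desc' ) === 'asc' ) ? 'ASC' : 'DESC';

    // %d for integers, %s for strings; $wpdb quotes and escapes the values.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tickets
         WHERE author_id = %d AND status = %s
         ORDER BY {$order_by} {$direction}
         LIMIT %d",
        $author,
        $status,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

Note that $order_by and $direction are interpolated, not bound, but only after being replaced by values from a fixed list, so no request data reaches the query text unparameterized.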
See exact line numbers and fix guides for every finding
Upgrade to Premium — from $7.99/mo →