

Scan all sorts of themes and files and things!


Statistics on vip-scanner

Number of watchers on Github 143
Number of open issues 113
Average time to close an issue 3 months
Main language PHP
Average time to merge a PR 18 days
Open pull requests 13+
Closed pull requests 11+
Last commit almost 3 years ago
Repo Created over 8 years ago
Repo Last Updated about 2 years ago
Size 1.55 MB
Homepage https://automatti...
Organization / Author automattic

VIP Scanner

A WordPress plugin that enables you to scan all sorts of themes and files and things.

Contributors: Mohammad Jangda, Automattic, Thorsten Ott, Michael Fields, Filipe Varela, Josh Betz, Mike Blouin, Nick Daugherty and Frank Klein.

Requires WordPress version 3.4 or greater and PHP >= 5.4.


The plugin itself is simply a UI for the VIP Scanner library, which does all the heavy lifting. The library allows you to create arbitrary Checks (e.g. UndefinedFunctionCheck), group them together as Reviews (e.g. WP.com Theme Review), and run them against themes, plugins, directories, single files, and even diffs.

This plugin is based on code from the Theme Check (written by Pross and Otto42) and Exploit Scanner (written by donncha) plugins.


For parsing PHP files, VIP Scanner uses PHP-Parser, which it includes as a git submodule. When cloning VIP Scanner's git repo, use the --recursive parameter to include PHP-Parser, i.e.

    git clone --recursive git@github.com:Automattic/vip-scanner.git

If you have already cloned the repo without the --recursive parameter and find yourself with an empty vendor/PHP-Parser directory, run

    git submodule update --init --recursive


  1. Upload the plugin folder to the /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress


Install using the Plugin Installer.


You can find the tool under Tools > VIP Scanner. There, you can choose what type of scan you'd like to perform -- there's a dropdown list on the right-hand side, just next to the Scan button.

The dropdown allows you to choose between three types of scan:

  1. Undefined Function Check
  2. WP.com Theme Review
  3. VIP Theme Review

Once you have selected a scan type, you can hit the Scan button and see the results in the tabbed view below.


If you prefer to use the wp-cli tool for your check, there's a vip-scanner command with two main actions:

  1. analyze-theme
  2. scan-theme

$ wp vip-scanner
usage: wp vip-scanner analyze-theme [--theme=<theme>] [--scan_type=<scan-type>] [--depth=<depth>]
   or: wp vip-scanner scan-theme [--theme=<theme>] [--scan_type=<scan_type>] [--summary] [--format=<format>]

  • --theme is the theme's path relative to the WP themes directory, for example, vip/test-theme or pub/twentyfourteen. Defaults to the current theme.
  • --scan_type expects one of the following options: "Undefined Function Check", "WP.com Theme Review" or "VIP Theme Review". Defaults to VIP Theme Review.
  • --depth expects an integer. You can change the parameter to indicate how many levels of hierarchy you would like outputted. 0 outputs everything. Defaults to 1.
  • --summary gives you just an overview of how many files were checked, how many checks were done and how many errors, warnings and blockers were found.
  • --format allows you to select an output format: table, JSON, CSV. Defaults to table.



  • Modified check for pre_option_* to also include option_*


  • Modified analyzer to use PHP tokens rather than regular expressions
  • New checks, including white/blacklist checking for file types and names
  • Added basic async scanning as an admin bar node
  • WP CLI scan commands now support paths in addition to theme slugs
  • WP CLI scan_type argument is now optional


  • Analysis tab for analysing functions, classes, namespaces, shortcodes, actions, filters, capabilities, roles, CPTs, taxonomies, scripts, and styles.
  • WP CLI command for analysis: wp vip-scanner analyze-theme
  • New checks, including VCMergeConflictCheck, WordPressCodingStandardsCheck
  • PHP Code Sniffer integration using the WordPress Coding Standards
  • Check improvements: VIPRestrictedCommandsCheck, VIPRestrictedPatternsCheck, PHPShortTagsCheck
  • Added unit testing for some tests


  • ClamAV Integration
  • New checks, including VIPInitCheck, filter_input, WP_Widget_Tag_Cloud, and more!
  • WP CLI Support (using vip-scanner command)
  • Reducing false positives
  • Adjusting severity of several checks


  • UI Refresh
  • Exports
  • Auto scan


  • Various bug fixes, including preventing the annoying upgrade nag between the main VIP Scanner plugin and WP.com Rules.


  • New checks and scans! VIP_PregFile, EscapingCheck, etc.
  • PHP 5.2 compatibility, props kevinmcgillivray and chrisguitarguy
  • Bump WP version requirement (3.4)
  • Code cleanup, props lance


  • Initial version, using slightly older versions of the Theme Check plugin's checks.
vip-scanner open issues
  • almost 4 years Fatal error: Cannot instantiate interface PhpParser\Parser
  • almost 4 years Error: "Directory doesn't exist" when alternative theme directory is used
  • about 4 years PHP 7 Checks
  • over 4 years add the_comments_navigation in comments navigation checks
  • over 4 years VIP scanner hangs with wp-cli on Code sniffer when scanning plugin
  • over 4 years RetireJS Integration
  • over 4 years Make path to PHP_CodeSniffer configurable
  • over 4 years Filename is missing from many errors
  • over 4 years Create utility class for handling directories and files
  • over 4 years Check for `.screen-reader-text:hover` and `.screen-reader-text:active` style rules.
  • over 4 years Break up checks into smaller methods
  • almost 5 years Title Check: Make title tag theme support required
  • almost 5 years Check for escaping l10n functions
  • almost 5 years Verify that Google Fonts are loaded via HTTPS
  • almost 5 years Check for wp_tempnam()
  • about 5 years Check return values before calling additional functions on variables
  • about 5 years Look specifically for lack of sanitization or escaping of `add_query_arg()` and `remove_query_arg()` return values
  • about 5 years Check for a `primary` nav_menu location
  • about 5 years Flag usage of `query_posts()` and `wp_reset_query()`
  • about 5 years Flag triggering errors and using custom error handlers in VIP sites
  • about 5 years Check for the use of deprecated VIP plugins and libraries
  • about 5 years filter_files() in class-base-check.php should be able to accept an array of file types.
  • about 5 years Flag common XSS vectors in CSS and CSS files
  • about 5 years Scan external JS included on the site
  • over 5 years Flag cache TTLs of longer than 30 days
  • over 5 years Check for posts with very large amounts of post meta
  • over 5 years Flag the usage of site_url()
  • over 5 years Add nudge for add_theme_support( 'print-style' ) in themes
  • over 5 years Flag any output buffering that is opened/closed in different scopes
  • over 5 years Flag registering CPT's and taxonomies outside of `init` or `after_setup_theme` on VIP and WP.com
vip-scanner open pull requests
  • Adding three checks for non-escaped localization function calls.
  • Fix underscores reference
  • Get instance of VIP_Scanner_UI to get default_review property
  • Add ability to analyze folders
  • Exit with error codes for scan and scan-theme WP-CLI commands
  • Add checks for batcache variant
  • Basic flagging of HTTP protocol-specific URLs.
  • Flagging of common XSS vectors
  • VIP Scanner: filter_files() now accepts arrays of file types.
  • Warn on escape issues
  • Don't flag restricted commands and functions that appear in comments.
  • Added class to check for forbidden functions only in template files
  • Apply a filter to the WP.com checks config
vip-scanner questions on Stackoverflow
  • How can you use VIP Scanner to scan and test plugins