Title: PreFlight Scanner
Author: Tim Boulley
Published: <strong>Korse 29, 2026</strong>
Last modified: Korse 26, 2026

---

Search plugins

![](https://ps.w.org/preflight-scanner/assets/banner-772x250.png?rev=3590462)

![](https://ps.w.org/preflight-scanner/assets/icon.svg?rev=3590462)

# PreFlight Scanner

 By [Tim Boulley](https://profiles.wordpress.org/tboulley/)

[Download](https://downloads.wordpress.org/plugin/preflight-scanner.1.0.3.zip)

 * [Details](https://fuc.wordpress.org/plugins/preflight-scanner/#description)
 * [Reviews](https://fuc.wordpress.org/plugins/preflight-scanner/#reviews)
 *  [Installation](https://fuc.wordpress.org/plugins/preflight-scanner/#installation)
 * [Development](https://fuc.wordpress.org/plugins/preflight-scanner/#developers)

 [Support](https://wordpress.org/support/plugin/preflight-scanner/)

## Description

PreFlight Scanner lets you upload any plugin .zip and run a comprehensive static
safety scan before it ever touches your live WordPress environment. **No plugin 
code is executed during the scan.**

One bad plugin can white-screen an entire e-commerce store. PreFlight catches the
problems before they happen.

#### What PreFlight Scanner checks

**Version Compatibility**

 * PHP version compatibility — reads the plugin header and detects modern syntax
   your server cannot run (match expressions, nullsafe operators, typed properties,
   arrow functions, etc.)
 * WordPress version compatibility — validates Requires At Least and Tested Up To
   headers against the running site

**Collision Detection**

 * Function name collisions — detects global functions that already exist in the
   active environment; a guaranteed PHP fatal error
 * Class name collisions — same result, often harder to diagnose
 * Hook priority conflicts — two plugins registering the same add_filter() hook 
   at the same priority silently overwrite each other’s return value; a common source
   of checkout and pricing bugs on WooCommerce sites

**Security — Critical**

 * Obfuscated and malicious code patterns (eval/base64, compressed payloads, preg_replace/
   e modifier, large base64 blobs)
 * Dangerous PHP functions — shell_exec, exec, system, passthru, proc_open, popen,
   pcntl_exec
 * Suspicious file types inside the ZIP — .exe, .sh, .bat, .cmd, .py, .rb, .pl, .
   vbs

**Warnings & Best Practices**

 * Missing PHP namespaces — files that define global functions or classes without
   a namespace declaration are at elevated collision risk as the site grows
 * Deprecated WordPress functions — code that generates notices or breaks on current
   and future WordPress versions
 * Suspicious outbound HTTP calls — wp_remote_get/post(), curl_exec(), file_get_contents()
   with hardcoded external URLs
 * Direct database queries — raw $wpdb->query() and string-concatenated SELECT statements
   that risk SQL injection
 * Missing nonce and capability checks — files that read $_POST/$_GET without check_admin_referer()
   or current_user_can()

#### After the scan

 * **ALL CLEAR** — one click to install immediately, then activate from the Plugins
   page.
 * **WARNINGS FOUND** — advisory issues; review and decide whether to proceed.
 * **CRITICAL ISSUES** — a confirmation dialog warns you before proceeding; installing
   is strongly discouraged.

#### Privacy

PreFlight Scanner performs all analysis locally on your own server. No data is sent
anywhere. No external HTTP requests are made.

#### PreFlight Pro

Upgrade to [PreFlight Pro](https://boulleytechnology.ca/preflight-scanner.php) for
continuous monitoring of your already-installed plugins:

 * **Scheduled background scans** — automatically re-scan all active plugins daily
   or weekly
 * **Site risk score** — dashboard widget with a 0–100 risk score across all active
   plugins
 * **WooCommerce hook rules** — deeper conflict detection for checkout, cart, pricing,
   and payment hooks
 * **Scan history** — every scan saved and browsable with full results
 * **Email alerts** — get notified when a scheduled scan finds critical issues or
   warnings
 * **CSV export** — export scan history for client reports

Lite ($39 / 1 site) • Plus ($79 / 3 sites) • Pro ($149 / unlimited sites)

## Installation

 1. Upload the `preflight-scanner` folder to the `/wp-content/plugins/` directory, 
    or install via the WordPress Plugins screen.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Navigate to **Tools  PreFlight Scanner**.
 4. Upload any plugin .zip file and click **Run Pre-Flight Scan**.

## FAQ

### Does this plugin execute the uploaded plugin’s code?

No. PreFlight Scanner performs static analysis only — it reads and parses PHP files
as plain text without executing them. The ZIP is opened entirely in memory using
PHP’s ZipArchive. No files are extracted to disk.

### Can I install a plugin that has warnings?

Yes. Warnings are advisory — the plugin may still work correctly on your site. The
scan results give you the information to make an informed decision.

### Can I install a plugin that has critical (DANGER) issues?

You can, but a confirmation dialog warns you strongly against it. Critical issues
typically mean a PHP fatal error is guaranteed on activation.

### Does it scan plugins already installed on my site?

No. PreFlight Scanner is a pre-installation tool. To audit an already-installed 
plugin, deactivate it, download its ZIP, and upload that ZIP for scanning.

### How long are scan results stored?

Scan results and the temporary staging directory are automatically deleted after
5 minutes. If you close the browser mid-scan, leftover data is cleaned up on the
next page load.

### Is PreFlight Scanner safe to use on production sites?

Yes. The scanner is fully read-only. It never modifies any plugin files, settings,
or database values outside of its own short-lived transients.

### What user role is required?

The Tools  PreFlight Scanner page requires the `install_plugins` capability, which
is reserved for Administrators by default.

### Why are some common hooks like “init” not flagged even when active plugins use them?

Hooks that every WordPress install registers many callbacks on (init, wp_head, admin_init,
etc.) are excluded from hook-conflict reporting to avoid noise. The conflict check
focuses on non-core hooks — plugin-specific filters, WooCommerce hooks, and other
hooks where a collision is genuinely surprising.

### What happens to the uploaded ZIP after scanning?

The ZIP is read entirely in memory and never written to disk. PHP’s standard file
upload handling manages the temporary file and deletes it automatically at the end
of the request.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“PreFlight Scanner” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Tim Boulley ](https://profiles.wordpress.org/tboulley/)

[Translate “PreFlight Scanner” into your language.](https://translate.wordpress.org/projects/wp-plugins/preflight-scanner)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/preflight-scanner/),
check out the [SVN repository](https://plugins.svn.wordpress.org/preflight-scanner/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/preflight-scanner/)
by [RSS](https://plugins.trac.wordpress.org/log/preflight-scanner/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.3

 * ZIP is now read entirely in memory via ZipArchive — no files are extracted to
   disk, eliminating staging directory and .htaccess requirements.
 * Added PreFlight Pro upsell in the admin UI.

#### 1.0.1

 * Use `wp_handle_upload()` for file uploads instead of `move_uploaded_file()`.
 * Use `Plugin_Upgrader` (WordPress standard API) for plugin installation instead
   of direct filesystem copy.
 * Use `wp_upload_dir()` for staging directory path to respect custom upload locations.
 * Remove `load_plugin_textdomain()` call — handled automatically by WordPress since
   4.6.
 * Installation no longer auto-activates the plugin; user activates from the Plugins
   page.

#### 1.0.0

 * Initial release.
 * 13 checks across version compatibility, collision detection, security, and best
   practices.
 * Pre-install ZIP upload pipeline with static analysis and one-click installation.
 * Hook priority conflict detection against the live active-plugin environment.
 * PHP namespace check for global function and class declarations.

## Meta

 *  Version **1.0.3**
 *  Last updated **4 days ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.9 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/preflight-scanner/)
 * Tags
 * [conflict](https://fuc.wordpress.org/plugins/tags/conflict/)[malware](https://fuc.wordpress.org/plugins/tags/malware/)
   [plugin check](https://fuc.wordpress.org/plugins/tags/plugin-check/)[scanner](https://fuc.wordpress.org/plugins/tags/scanner/)
   [security](https://fuc.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://fuc.wordpress.org/plugins/preflight-scanner/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/preflight-scanner/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/preflight-scanner/reviews/)

## Contributors

 *   [ Tim Boulley ](https://profiles.wordpress.org/tboulley/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/preflight-scanner/)