{"id":327615,"date":"2026-06-29T18:57:24","date_gmt":"2026-06-29T18:57:24","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/preflight-scanner\/"},"modified":"2026-06-26T19:58:29","modified_gmt":"2026-06-26T19:58:29","slug":"preflight-scanner","status":"publish","type":"plugin","link":"https:\/\/fuc.wordpress.org\/plugins\/preflight-scanner\/","author":21120326,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.3","stable_tag":"1.0.3","tested":"7.0","requires":"5.9","requires_php":"7.4","requires_plugins":null,"header_name":"PreFlight Scanner","header_author":"Boulley Technology","header_description":"Scan any plugin ZIP for PHP version conflicts, function\/class collisions, malicious code patterns, and security issues \u2014 before installing. No plugin code is executed.","assets_banners_color":"0e324c","last_updated":"2026-06-26 19:58:29","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/boulleytechnology.ca\/preflight-scanner.php","header_author_uri":"https:\/\/boulleytechnology.ca\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":22,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.3":{"tag":"1.0.3","author":"tboulley","date":"2026-06-29 17:27:17"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3590462,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3590462,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3590462,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3590462,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3590462,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.3"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Upload form \u2014 select a plugin ZIP to begin the pre-flight check.","2":"ALL CLEAR result \u2014 all 13 checks passed; install with a single click.","3":"WARNINGS FOUND result \u2014 advisory issues listed; review before installing.","4":"CRITICAL ISSUES result \u2014 dangerous code or fatal collisions detected."}},"plugin_section":[],"plugin_tags":[191246,1184,159648,6464,600],"plugin_category":[54],"plugin_contributors":[264647],"plugin_business_model":[],"class_list":["post-327615","plugin","type-plugin","status-publish","hentry","plugin_tags-conflict","plugin_tags-malware","plugin_tags-plugin-check","plugin_tags-scanner","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-tboulley","plugin_committers-tboulley"],"banners":{"banner":"https:\/\/ps.w.org\/preflight-scanner\/assets\/banner-772x250.png?rev=3590462","banner_2x":"https:\/\/ps.w.org\/preflight-scanner\/assets\/banner-1544x500.png?rev=3590462","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/preflight-scanner\/assets\/icon.svg?rev=3590462","icon":"https:\/\/ps.w.org\/preflight-scanner\/assets\/icon.svg?rev=3590462","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>PreFlight Scanner lets you upload any plugin .zip and run a comprehensive static safety scan before it ever touches your live WordPress environment. <strong>No plugin code is executed during the scan.<\/strong><\/p>\n\n<p>One bad plugin can white-screen an entire e-commerce store. PreFlight catches the problems before they happen.<\/p>\n\n<h4>What PreFlight Scanner checks<\/h4>\n\n<p><strong>Version Compatibility<\/strong><\/p>\n\n<ul>\n<li>PHP version compatibility \u2014 reads the plugin header and detects modern syntax your server cannot run (match expressions, nullsafe operators, typed properties, arrow functions, etc.)<\/li>\n<li>WordPress version compatibility \u2014 validates Requires At Least and Tested Up To headers against the running site<\/li>\n<\/ul>\n\n<p><strong>Collision Detection<\/strong><\/p>\n\n<ul>\n<li>Function name collisions \u2014 detects global functions that already exist in the active environment; a guaranteed PHP fatal error<\/li>\n<li>Class name collisions \u2014 same result, often harder to diagnose<\/li>\n<li>Hook priority conflicts \u2014 two plugins registering the same add_filter() hook at the same priority silently overwrite each other's return value; a common source of checkout and pricing bugs on WooCommerce sites<\/li>\n<\/ul>\n\n<p><strong>Security \u2014 Critical<\/strong><\/p>\n\n<ul>\n<li>Obfuscated and malicious code patterns (eval\/base64, compressed payloads, preg_replace \/e modifier, large base64 blobs)<\/li>\n<li>Dangerous PHP functions \u2014 shell_exec, exec, system, passthru, proc_open, popen, pcntl_exec<\/li>\n<li>Suspicious file types inside the ZIP \u2014 .exe, .sh, .bat, .cmd, .py, .rb, .pl, .vbs<\/li>\n<\/ul>\n\n<p><strong>Warnings &amp; Best Practices<\/strong><\/p>\n\n<ul>\n<li>Missing PHP namespaces \u2014 files that define global functions or classes without a namespace declaration are at elevated collision risk as the site grows<\/li>\n<li>Deprecated WordPress functions \u2014 code that generates notices or breaks on current and future WordPress versions<\/li>\n<li>Suspicious outbound HTTP calls \u2014 wp_remote_get\/post(), curl_exec(), file_get_contents() with hardcoded external URLs<\/li>\n<li>Direct database queries \u2014 raw $wpdb-&gt;query() and string-concatenated SELECT statements that risk SQL injection<\/li>\n<li>Missing nonce and capability checks \u2014 files that read $_POST\/$_GET without check_admin_referer() or current_user_can()<\/li>\n<\/ul>\n\n<h4>After the scan<\/h4>\n\n<ul>\n<li><strong>ALL CLEAR<\/strong> \u2014 one click to install immediately, then activate from the Plugins page.<\/li>\n<li><strong>WARNINGS FOUND<\/strong> \u2014 advisory issues; review and decide whether to proceed.<\/li>\n<li><strong>CRITICAL ISSUES<\/strong> \u2014 a confirmation dialog warns you before proceeding; installing is strongly discouraged.<\/li>\n<\/ul>\n\n<h4>Privacy<\/h4>\n\n<p>PreFlight Scanner performs all analysis locally on your own server. No data is sent anywhere. No external HTTP requests are made.<\/p>\n\n<h4>PreFlight Pro<\/h4>\n\n<p>Upgrade to <a href=\"https:\/\/boulleytechnology.ca\/preflight-scanner.php\">PreFlight Pro<\/a> for continuous monitoring of your already-installed plugins:<\/p>\n\n<ul>\n<li><strong>Scheduled background scans<\/strong> \u2014 automatically re-scan all active plugins daily or weekly<\/li>\n<li><strong>Site risk score<\/strong> \u2014 dashboard widget with a 0\u2013100 risk score across all active plugins<\/li>\n<li><strong>WooCommerce hook rules<\/strong> \u2014 deeper conflict detection for checkout, cart, pricing, and payment hooks<\/li>\n<li><strong>Scan history<\/strong> \u2014 every scan saved and browsable with full results<\/li>\n<li><strong>Email alerts<\/strong> \u2014 get notified when a scheduled scan finds critical issues or warnings<\/li>\n<li><strong>CSV export<\/strong> \u2014 export scan history for client reports<\/li>\n<\/ul>\n\n<p>Lite ($39 \/ 1 site) &bull; Plus ($79 \/ 3 sites) &bull; Pro ($149 \/ unlimited sites)<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>preflight-scanner<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory, or install via the WordPress Plugins screen.<\/li>\n<li>Activate the plugin through the <strong>Plugins<\/strong> menu in WordPress.<\/li>\n<li>Navigate to <strong>Tools \u2192 PreFlight Scanner<\/strong>.<\/li>\n<li>Upload any plugin .zip file and click <strong>Run Pre-Flight Scan<\/strong>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20execute%20the%20uploaded%20plugin%27s%20code%3F\"><h3>Does this plugin execute the uploaded plugin's code?<\/h3><\/dt>\n<dd><p>No. PreFlight Scanner performs static analysis only \u2014 it reads and parses PHP files as plain text without executing them. The ZIP is opened entirely in memory using PHP's ZipArchive. No files are extracted to disk.<\/p><\/dd>\n<dt id=\"can%20i%20install%20a%20plugin%20that%20has%20warnings%3F\"><h3>Can I install a plugin that has warnings?<\/h3><\/dt>\n<dd><p>Yes. Warnings are advisory \u2014 the plugin may still work correctly on your site. The scan results give you the information to make an informed decision.<\/p><\/dd>\n<dt id=\"can%20i%20install%20a%20plugin%20that%20has%20critical%20%28danger%29%20issues%3F\"><h3>Can I install a plugin that has critical (DANGER) issues?<\/h3><\/dt>\n<dd><p>You can, but a confirmation dialog warns you strongly against it. Critical issues typically mean a PHP fatal error is guaranteed on activation.<\/p><\/dd>\n<dt id=\"does%20it%20scan%20plugins%20already%20installed%20on%20my%20site%3F\"><h3>Does it scan plugins already installed on my site?<\/h3><\/dt>\n<dd><p>No. PreFlight Scanner is a pre-installation tool. To audit an already-installed plugin, deactivate it, download its ZIP, and upload that ZIP for scanning.<\/p><\/dd>\n<dt id=\"how%20long%20are%20scan%20results%20stored%3F\"><h3>How long are scan results stored?<\/h3><\/dt>\n<dd><p>Scan results and the temporary staging directory are automatically deleted after 5 minutes. If you close the browser mid-scan, leftover data is cleaned up on the next page load.<\/p><\/dd>\n<dt id=\"is%20preflight%20scanner%20safe%20to%20use%20on%20production%20sites%3F\"><h3>Is PreFlight Scanner safe to use on production sites?<\/h3><\/dt>\n<dd><p>Yes. The scanner is fully read-only. It never modifies any plugin files, settings, or database values outside of its own short-lived transients.<\/p><\/dd>\n<dt id=\"what%20user%20role%20is%20required%3F\"><h3>What user role is required?<\/h3><\/dt>\n<dd><p>The Tools \u2192 PreFlight Scanner page requires the <code>install_plugins<\/code> capability, which is reserved for Administrators by default.<\/p><\/dd>\n<dt id=\"why%20are%20some%20common%20hooks%20like%20%22init%22%20not%20flagged%20even%20when%20active%20plugins%20use%20them%3F\"><h3>Why are some common hooks like \"init\" not flagged even when active plugins use them?<\/h3><\/dt>\n<dd><p>Hooks that every WordPress install registers many callbacks on (init, wp_head, admin_init, etc.) are excluded from hook-conflict reporting to avoid noise. The conflict check focuses on non-core hooks \u2014 plugin-specific filters, WooCommerce hooks, and other hooks where a collision is genuinely surprising.<\/p><\/dd>\n<dt id=\"what%20happens%20to%20the%20uploaded%20zip%20after%20scanning%3F\"><h3>What happens to the uploaded ZIP after scanning?<\/h3><\/dt>\n<dd><p>The ZIP is read entirely in memory and never written to disk. PHP's standard file upload handling manages the temporary file and deletes it automatically at the end of the request.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.3<\/h4>\n\n<ul>\n<li>ZIP is now read entirely in memory via ZipArchive \u2014 no files are extracted to disk, eliminating staging directory and .htaccess requirements.<\/li>\n<li>Added PreFlight Pro upsell in the admin UI.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Use <code>wp_handle_upload()<\/code> for file uploads instead of <code>move_uploaded_file()<\/code>.<\/li>\n<li>Use <code>Plugin_Upgrader<\/code> (WordPress standard API) for plugin installation instead of direct filesystem copy.<\/li>\n<li>Use <code>wp_upload_dir()<\/code> for staging directory path to respect custom upload locations.<\/li>\n<li>Remove <code>load_plugin_textdomain()<\/code> call \u2014 handled automatically by WordPress since 4.6.<\/li>\n<li>Installation no longer auto-activates the plugin; user activates from the Plugins page.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>13 checks across version compatibility, collision detection, security, and best practices.<\/li>\n<li>Pre-install ZIP upload pipeline with static analysis and one-click installation.<\/li>\n<li>Hook priority conflict detection against the live active-plugin environment.<\/li>\n<li>PHP namespace check for global function and class declarations.<\/li>\n<\/ul>","raw_excerpt":"Scan any plugin ZIP for PHP conflicts, class\/function collisions, hook priority conflicts, and malicious code \u2014 before installing.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/327615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=327615"}],"author":[{"embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/tboulley"}],"wp:attachment":[{"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=327615"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=327615"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=327615"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=327615"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=327615"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/fuc.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=327615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}