
WP Tuner Security & Risk Analysis
wordpress.org/plugins/wptuner
Easily, powerfully, discover why your blog or plugin is slow or cranky. Comprehensive time and database access analyzer. WPmu. multi-lingual.
Is WP Tuner Safe to Use in 2026?
Generally Safe
Score 100/100
WP Tuner has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The plugin "wptuner" v0.9.6 exhibits a mixed security posture. On the positive side, there are no reported vulnerabilities in its history, and all SQL queries are properly prepared, suggesting a foundational understanding of secure database interactions. The absence of external HTTP requests also reduces the risk of supply chain attacks or data exfiltration through external services. However, several concerning signals are present in the static analysis.
The primary concern is the use of the deprecated `create_function()`, which can lead to arbitrary code execution if not handled with extreme care, especially if any part of its arguments is influenced by user input. Furthermore, a significant portion of the plugin's output (89%) is not properly escaped, posing a substantial risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis revealed one flow with an unsanitized path, which, although not classified as critical or high, warrants attention as it indicates a potential avenue for path traversal or file manipulation vulnerabilities. The lack of nonce checks on any of its entry points is also a significant weakness, leaving any potential future AJAX or other handler vulnerable to Cross-Site Request Forgery (CSRF) attacks. The low number of capability checks further compounds this risk.
While the lack of a vulnerability history is a good sign, it doesn't negate the inherent risks identified in the code. The static analysis reveals weaknesses that could be exploited to create vulnerabilities, especially the unescaped output and the presence of `create_function()`. Therefore, while the plugin has some strengths, the identified code signals and taint flow create significant security concerns that need to be addressed.
Key Concerns
- Use of deprecated create_function()
- High percentage of unescaped output
- Taint flow with unsanitized path
- No nonce checks on entry points
- Limited capability checks
WP Tuner Security Vulnerabilities
WP Tuner Code Analysis
Dangerous Functions Found
Output Escaping
Data Flow Analysis
WP Tuner Attack Surface
WordPress Hooks 22
Maintenance & Trust
WP Tuner Maintenance & Trust
Maintenance Signals
Community Trust
WP Tuner Alternatives
Templ Optimizer
templ-optimizer
Optimize your site and improve its performance with a few clicks.
WP Admin Cache
wp-admin-cache
The first cache plugin for the WordPress admin area.
MySQL query cache stats
mysql-query-cache-stats
Admin dashboard widget measuring MySQL database performance & query cache
DebugHawk – WordPress Performance Monitoring & Debugging
debughawk
Monitor WordPress performance, debug slow sites, track Core Web Vitals, database queries, memory usage, and cache effectiveness.
Retina Stripper
retina-stripper
For now, only occurrences of the retina.js script are dequeued and deregistered.
WP Tuner Developer Profile
1 plugin · 10 total installs
How We Detect WP Tuner
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/wptuner/js/wptuner-admin.js
- /wp-content/plugins/wptuner/js/wptuner.js
- /wp-content/plugins/wptuner/css/wptuner.css
- wptuner/js/wptuner-admin.js?ver=
- wptuner/js/wptuner.js?ver=
- wptuner/css/wptuner.css?ver=
HTML / DOM Fingerprints
- wptuner-debug-info
- <!-- wptuner-->
- wptuner_admin