Description

Aura Frontend Inspector is a professional-grade debugging tool designed for WordPress developers and agencies who need to ensure their sites are compliant, accessible, and error-free.

Unlike traditional auditors, Aura is built for the AI era. It features the ARF 1.0 (Aura Report Format), a structured data standard that allows you to copy detected issues directly into AI tools like ChatGPT or Claude to receive instant, context-aware code fixes.

Built for AI-Assisted Debugging

Every issue detected by Aura includes a “Copy AI Prompt” button. This assembles a high-signal prompt containing the exact HTML snippet, site environment, and error metadata in the ARF 1.0 format. Simply paste it into your favorite LLM for a precise solution tailored to your WordPress site.

Professional Accessibility (A11y) Auditing

Ensure your site meets WCAG 2.1 standards with real-time detection of:
* Duplicate IDs: Finds elements sharing IDs that break screen readers and ARIA landmarks.
* Missing Labels: Identifies form inputs without accessible names.
* ARIA Integrity: Detects broken aria-labelledby, aria-describedby, and hidden focusable elements.
* Semantic Structure: Validates heading levels (H1-H6), main landmarks, and page titles.
* Interactive Elements: Flags non-interactive elements with click handlers and buttons without types.

Developer-First Features

Persistent Logging: Issues are stored in a dedicated database table with rate-limiting and deduplication.
HTML Snapshots: Capture the full rendered DOM of any page for offline audit or historical reference.
Environment Aware: Configure Aura to run only in Development or Staging modes to protect production performance.
Auto-Fix Engine: Optionally allow Aura to automatically resolve common issues like duplicate IDs on the fly.
Export Options: Download professional CSV logs or ARF 1.0 JSON reports for your client audits.

Part of the Aura Plugin Series

Aura Frontend Inspector is part of the Aura Plugin Series, a suite of AI-native tools including Aura Static Security Analyzer and Aura Login. Together, they provide a unified “Security & Compliance” ecosystem for WordPress professionals.

Installation

Upload the aura-frontend-inspector folder to the /wp-content/plugins/ directory, or install directly through the WordPress plugins screen.
Activate the plugin through the ‘Plugins’ screen in WordPress.
Navigate to the Aura FI menu in your admin sidebar.
Enable the debugger and visit any page on your frontend to start detecting issues.

FAQ

Does this plugin affect my site’s speed?: Aura is highly optimized. The detection engine runs in the client’s browser, and the logging system uses a dedicated database table with rate-limiting to ensure zero impact on your server’s core performance.
What is ARF 1.0?: ARF (Aura Report Format) is a standardized JSON schema created by the Aura team. It is designed to be “AI-Readable,” allowing developers to pass complex technical issues to LLMs without manual formatting.
Can I use this for ADA/WCAG compliance?: Yes. Aura is an excellent tool for identifying Level A and AA violations. Use the ARF export to generate audit reports for your clients or legal compliance teams.
Does it work with Page Builders?: Absolutely. Aura inspects the rendered HTML, meaning it works perfectly with Elementor, Divi, Beaver Builder, and the Block Editor (Gutenberg).

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Aura Frontend Inspector” is open source software. The following people have contributed to this plugin.

Pedro Matias (FroPT)

Translate “Aura Frontend Inspector” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

2.5.8

FIX: “Scan Now” did nothing when the passive-monitoring toggle/environment heuristic considered debugging inactive — the scan engine module is now always loaded, and an explicit admin-triggered scan always runs regardless of that heuristic.
FIX: Default landing page changed from Logs to Settings, so the enable toggle is visible immediately instead of being buried in a second tab.
NEW: A “Scan Now” that finds zero issues now logs a “Scan Complete — No issues found” entry instead of silently doing nothing, so a clean scan is no longer indistinguishable from a broken one.

2.5.7

FIX: Scanner no longer reports false positives for elements inside the WP admin bar (#wpadminbar) or Query Monitor panels (#qm, [id^=”qm-“]).
COMPLIANCE: Replaced json_encode() with wp_json_encode() for inline script output.
COMPLIANCE: ABSPATH guard in RuleRegistry moved before use statements to satisfy Plugin Check.
COMPLIANCE: $_GET[‘nonce’] and $_POST[‘nonce’] in get_logs() now individually unslashed; correct NonceVerification phpcs:ignore codes added.
COMPLIANCE: $_GET[‘limit’] in export_logs_json() now unslashed before intval().
COMPLIANCE: Migration INSERT IGNORE query phpcs:ignore extended to cover DirectQuery and NoCaching sniffs.
CHANGE: Tested up to WordPress 7.0.
UI: False Positive column header widened to prevent text wrapping in Logs table.
UI: “View Code” column renamed to “Line” and now displays the detected source line number.

2.5.6

COMPLIANCE: register_setting() updated to array form with explicit type and sanitize_callback.
COMPLIANCE: exclude_wp_core_elements option now correctly sanitized in sanitizeOptions() — was silently dropped on save.
COMPLIANCE: HTML capture feature removed from free build; unsanitized full-page HTML cannot be adequately sanitized with WordPress built-ins without breaking the feature.
SECURITY: json_last_error() validation added after JSON decode in LogHandler and ValidationHandler.

2.5.5

COMPLIANCE: wp_die() calls in LogHandler now wrapped with esc_html__() for proper escaping and i18n compatibility.

2.5.4

CHANGE: AJAX handler modularised — Handler.php split into AbstractHandler, CaptureHandler, ValidationHandler, and LogHandler.
UI: Removed non-functional light/dark theme toggle from Captures page; stripped all emoji characters from Captures admin page.
BUILD: openspec/ directory excluded from distribution zip.

2.5.3

FIX: validate_html() fatal HTTP 500 — Aura_FI_HTML_Validator class reference prefixed with \ to resolve from global namespace.

2.5.2

SECURITY: Rate-limit directory now uses wp_upload_dir() for compatibility with custom upload paths.
SECURITY: HTML captures directory protected with deny-from-all .htaccess on creation.
SECURITY: capture_html() rejects payloads exceeding 5 MB.
FIX: JSON validation_options boolean flags and max_issues explicitly cast after array_merge().

2.5.1

COMPLIANCE: Removed remaining inline blocks from Captures and LogsTable pages; JS now served via properly enqueued files.
COMPLIANCE: Added sanitize_text_field(wp_unslash()) before wp_verify_nonce() for all three nonce checks in Captures page (delete_file, delete_all, force_update_config).
COMPLIANCE: Assets class extended to register and enqueue split admin JS files (admin-dashboard, admin-settings, admin-logs-table, admin-captures).

2.5.0

UI: Separated Settings & Logs into two distinct pages.
UI: New tab order — Logs, HTML Captures, Settings, About.
UI: Dashboard statistics cards and log table now live exclusively in the Logs tab.
UI: Settings tab contains only plugin configuration options.
UI: Added (i) info icon to every setting with contextual tooltips; Debug Mode tooltip explains when to choose each environment.
UI: Debug Mode header now shows the active mode name (Development / Staging / Production) instead of the word “SELECT”.
UI: Debug Mode label updates live when the user changes the select, before saving.
UI: Maximum Log Entries and Maximum HTML Captures now show the current value in the header; value updates live as you type.
UI: URLs to Exclude shows an “Edit ›” hint in the header that highlights on hover.
CHANGE: Detect Duplicate IDs and Detect Missing Labels are now always enabled and no longer appear as user-configurable toggles.
SECURITY: Added capability check (aura_fi_current_user_can_access) to log_issue, capture_html, and validate_html AJAX handlers; previously these relied solely on nonce verification.

2.4.8

SECURITY: Added sanitize_text_field() before wp_verify_nonce() in Captures.php (3 remaining call sites).
SECURITY: json_decode() on $_POST[‘issues’] now uses explicit unslash-then-decode pattern with is_array() guard.
COMPLIANCE: Contributors field in readme.txt corrected to match WordPress.org account username.

2.4.7

SECURITY: All nonce verifications now use sanitize_text_field() before wp_verify_nonce() (7 call sites).
SECURITY: json_decode() result on validation_options now validated as array before use.
COMPLIANCE: Removed all inline blocks from admin pages; JS extracted to separate enqueued files.
COMPLIANCE: Chart.js bundled locally (assets/vendor/chartjs/); CDN dependency removed.
COMPLIANCE: Rate-limit transient keys prefixed with aurafrin_ instead of generic ajax_.
COMPLIANCE: Debug-active admin notice now scoped to plugin pages only.
COMPLIANCE: Removed Plugin URI pointing to a 404 page.

2.4.0

NEW: Full support for ARF 1.0 (Aura Report Format).
NEW: “Copy AI Prompt” button for instant AI-assisted fixes.
IMPROVED: Enhanced heuristics for mapping DOM elements to source line numbers.
FIX: Performance optimizations for sites with large DOM trees.

2.1.0

PSR-4 Migration: Core architecture refactored for better performance and extensibility.
New modular rule engine: Easily toggle specific detection rules.
Added support for ARIA attribute validation and interactive element checks.

2.0.0

Major Rebrand: Plugin renamed to Aura Frontend Inspector.
New top-level admin menu and unified UI.
Added persistence layer: Issues are now stored in a custom DB table.

1.0.0

Initial release with basic HTML and duplicate ID detection.