Title: QAProof
Author: QaProof
Published: <strong>May 22, 2026</strong>
Last modified: May 22, 2026

---

Search plugins

![](https://ps.w.org/qaproof/assets/banner-772x250.png?rev=3543678)

![](https://ps.w.org/qaproof/assets/icon-256x256.png?rev=3543678)

# QAProof

 By [QaProof](https://profiles.wordpress.org/qaproof/)

[Download](https://downloads.wordpress.org/plugin/qaproof.zip)

 * [Details](https://wordpress.org/plugins/qaproof/#description)
 * [Reviews](https://wordpress.org/plugins/qaproof/#reviews)
 *  [Installation](https://wordpress.org/plugins/qaproof/#installation)
 * [Development](https://wordpress.org/plugins/qaproof/#developers)

 [Support](https://wordpress.org/support/plugin/qaproof/)

## Description

QAProof helps WordPress site owners and developers catch visual bugs before users
do. It pairs Playwright-rendered screenshots of your live pages with AI vision analysis
to find design drift, accessibility issues, and responsive breakage automatically.

Five test types, one workflow:

 * **Design Fidelity** — Compares your live page against a Figma design (or any 
   image you upload) and reports layout drift, color mismatches, typography differences,
   spacing issues, and component variations with severity ratings and pixel-coordinate
   markers.
 * **Responsive Testing** — Renders the page at desktop, tablet, and mobile viewports
   and analyzes how the layout adapts. Flags overflow, broken stacks, illegible 
   text, missing media-query rules.
 * **Accessibility Audit** — WCAG 2.1 Level A / AA / AAA compliance check. Covers
   color contrast, focus indicators, heading hierarchy, form labels, ARIA misuse,
   touch-target sizes, and more, with the WCAG criterion referenced for each violation.
 * **Visual Regression Monitoring** — Scheduled screenshot diffing. Captures a baseline
   of a page, then re-shoots on a daily / weekly / monthly schedule and alerts you
   if anything changed (broken CSS deploy, missing image, accidental layout shift).
   Email + in-admin notifications when scores drop below your threshold.
 * **Design Audit** — Extracts your live design tokens (colors, fonts, spacing, 
   components) and grades your design system’s internal consistency on a Design 
   Debt Score.

**How it works:** QAProof is a thin WordPress plugin that talks to a hosted SaaS
API (api.qaproof.io). The API runs the headless browser, calls the AI vision model,
and returns structured reports. You need a QAProof account and API key — sign up
free at https://qaproof.io.

**Why a SaaS backend?** Running Playwright + Anthropic Claude Vision in a WordPress
request would crash most hosts (Chromium binary alone is 300 MB, image analysis 
runs 10–60 s). Doing it server-side keeps your hosting fast and lets us batch / 
cache / dedupe expensive operations.

### External Services

QAProof is a SaaS-backed plugin. All test execution happens on the QAProof API server,
which in turn calls Anthropic’s Claude Vision API and (optionally) Figma’s REST 
API. The WordPress plugin itself contacts ONE external service: the QAProof API 
at api.qaproof.io. It never contacts Anthropic or Figma directly.

#### Service: QAProof API

The plugin sends HTTPS requests to api.qaproof.io (default endpoint, configurable
to a self-hosted host via the `QAPROOF_API_ENDPOINT` PHP constant). This is required
for the plugin to function — without it, no test can run.

**Test execution & polling**

 * `POST https://api.qaproof.io/api/compare` — start a new test (when the user clicks“
   Run test” or when a scheduled monitor fires). Sends: page URL, test type, design
   source (Figma URL or uploaded image bytes as base64), viewport size, WCAG conformance
   level, ignore-text flag.
 * `GET https://api.qaproof.io/api/jobs/{jobId}` — poll the status of an in-flight
   test (every 5 seconds while running). Sends: nothing in the body, just the job
   ID in the URL.
 * `DELETE https://api.qaproof.io/api/jobs/{jobId}` — cancel an in-flight test when
   the user closes the browser tab. Sends: nothing.
 * `GET https://api.qaproof.io/api/jobs/{jobId}/screenshots` — fetch the completed
   test’s screenshots after the test finishes. Sends: nothing.

**Figma integration (optional)**

 * `POST https://api.qaproof.io/api/figma-preview` — fetch a Figma frame as a PNG
   for the in-admin preview pane (only when the user selects a Figma URL). Sends:
   the Figma file URL.
 * `POST https://api.qaproof.io/api/figma/verify-access` — verify the plugin can
   access a Figma file before sending a full test. Sends: the Figma file URL.
 * `POST https://api.qaproof.io/api/detect-elements` — extract individual UI elements
   from an uploaded design image. Sends: image bytes.
 * `POST https://api.qaproof.io/api/figma-oauth/start` — begin the Figma OAuth connection.
   Sends: nothing.
 * `GET https://api.qaproof.io/api/figma-oauth/status` — check the current Figma
   connection state. Sends: nothing.
 * `POST https://api.qaproof.io/api/figma-oauth/disconnect` — disconnect the workspace’s
   Figma OAuth tokens. Sends: nothing.

**Account, plan & health**

 * `GET https://api.qaproof.io/api/me` — fetch the QAProof account’s plan and remaining
   quota, displayed in Settings  API. Sends: nothing.
 * `GET https://api.qaproof.io/api/health` — connection health check from Settings
   API. Sends: nothing.

**Baselines (visual regression)**

 * `POST https://api.qaproof.io/api/baselines` — create a baseline screenshot. Sends:
   page URL, baseline key.
 * `GET https://api.qaproof.io/api/baselines` — list baselines.
 * `GET https://api.qaproof.io/api/baselines/{key}` — fetch a single baseline (including
   screenshot bytes).
 * `DELETE https://api.qaproof.io/api/baselines/{key}` — delete a baseline.

**Monitors (scheduled tests)**

 * `GET/POST https://api.qaproof.io/api/monitors` — list / create scheduled monitors.
   Sends on create: page URL, schedule, threshold score, notification email.
 * `GET/PUT/DELETE https://api.qaproof.io/api/monitors/{id}` — read / update / delete
   a single monitor.
 * `GET https://api.qaproof.io/api/monitors?schedule={daily|weekly|monthly}&due=
   1` — WP-Cron queries monitors due to run.
 * `GET https://api.qaproof.io/api/monitors/{id}/results` — fetch a monitor’s historical
   results.
 * `PUT https://api.qaproof.io/api/results/{id}/approve` — approve a regression 
   result (captures a fresh baseline).

**Test history (cabinet sync)**

 * `POST https://api.qaproof.io/api/history` — save a test result to the SaaS history.
   Sends: test type, page URL, score, summary, differences JSON, screenshot URLs/
   base64 thumbnails.
 * `GET https://api.qaproof.io/api/history?...` — list history rows with pagination
   + filters.
 * `GET https://api.qaproof.io/api/history/{id}` — fetch a single history row (full
   result detail).
 * `DELETE https://api.qaproof.io/api/history/{id}` — delete a history row from 
   the SaaS.
 * `GET https://api.qaproof.io/api/history/stats?threshold=N` — fetch summary statistics
   for the dashboard tiles.

**Email reports**

 * `POST https://api.qaproof.io/api/send-report-email` — when the user clicks “Send
   to Email” on a test result, the plugin sends the generated PDF report (base64-
   encoded) and the recipient email address (the currently-logged-in WordPress administrator’s
   user email, with fall-back to the QAProof notification email or the site admin
   email) to the API. The API then emails the report from its outbound mail server(
   Amazon SES). The PDF and the recipient email leave the WordPress site and are
   processed by the QAProof API and its email provider.

**Common request metadata sent on every call**

 * Your **QAProof API key**, in the `Authorization: Bearer ...` header, so the API
   can authenticate the request.
 * A **WordPress / PHP version banner** in the standard `User-Agent` header (`QAProof-
   WordPress/<plugin> (WordPress/<wp>; PHP/<php>)`) so the API can detect known-
   incompatible host versions. The header does NOT contain your site URL — the API
   server learns the requesting IP only from the TCP connection itself.

The plugin does NOT send: any post content, user passwords, page visitors’ IP addresses,
comments, cookies, or any other site content beyond the explicit URL the user types
into the test form or its scheduled monitor configuration.

QAProof Terms of Service: https://qaproof.io/terms
 QAProof Privacy Policy: https://
qaproof.io/privacy

#### Service: Anthropic Claude — used by QAProof API, NOT by this plugin

The QAProof API server calls Anthropic Claude Vision to perform the AI image analysis.
This plugin does NOT call Anthropic directly — the WordPress site never opens a 
connection to Anthropic’s servers. Image bytes the QAProof API forwards to Anthropic
are subject to Anthropic’s no-training, no-retention API terms.

Anthropic Terms of Service: https://www.anthropic.com/legal/commercial-terms
 Anthropic
Privacy Policy: https://www.anthropic.com/legal/privacy

#### Service: Figma — used by QAProof API, NOT by this plugin

If you connect your Figma account via the in-admin OAuth flow or submit a public
Figma URL, the QAProof API reads the specific Figma file(s) you submit for testing
so it can export the design as a PNG image. The WordPress plugin itself never contacts
Figma’s servers directly; the OAuth handshake redirects through api.qaproof.io.

Figma Terms of Service: https://www.figma.com/legal/tos/
 Figma Privacy Policy: 
https://www.figma.com/legal/privacy/

#### Trademarks

QAProof is an independent product. It is not affiliated with, endorsed by, or sponsored
by Figma, Inc., Anthropic PBC, or Automattic Inc. “Figma” is a trademark of Figma,
Inc. “Claude” is a trademark of Anthropic PBC. “WordPress” is a trademark of the
WordPress Foundation.

### Privacy

**Where test data lives.** All test results, monitor definitions, monitor result
history, and visual regression baselines live on the QAProof SaaS, scoped to your
QAProof workspace. The plugin does NOT create custom database tables on fresh installs(
a single legacy table — `{prefix}qaproof_monitors` — may exist on sites upgrading
from a pre-1.7.0 release; its data is migrated to the SaaS on first upgrade and 
the table is dropped on uninstall).

**Locally-stored data (in `wp_options` unless noted).** All of the following carry
the `qaproof_` prefix and the API-key option is forced non-autoloaded:

 * `qaproof_api_key` — your QAProof API key. Never displayed unmasked in the UI;
   non-autoloaded.
 * `qaproof_notify_email` — the configured notification recipient (defaults to the
   site admin email).
 * `qaproof_notify_email_enabled`, `qaproof_notify_admin_enabled`, `qaproof_default_threshold`,`
   qaproof_cron_hour` — notification preferences.
 * `qaproof_saved_designs` — page URL, Figma URL, optional cached PNG of the Figma
   design (bytes fetched from the connected Figma file). Non-autoloaded.
 * `qaproof_feedback_log` — ring buffer (max 200 entries, trimmed by age after 180
   days) of in-admin “How was this test?” ratings. Each entry contains: the numeric
   rating, an optional free-text comment, the page URL, the test type, the score,
   the WordPress user ID of the author, and a timestamp.
 * `qaproof_figma_api_usage`, `qaproof_figma_rate_limit` — per-file Figma API request
   counts and rate-limit retry timers, used to back off when Figma’s per-plan quota
   is exhausted. No PII.
 * `qaproof_alert_count` — transient (30-day TTL) holding the admin-menu “you have
   N unread alerts” badge count.
 * `qaproof_db_version`, `qaproof_monitors_api_migrated` — version markers used 
   by the one-time legacy migration.

**Client-side (browser).** The plugin’s JS sets the following `localStorage` keys(
no cookies are set, no third-party storage is used):

 * `qaproof_theme` — your light / dark / auto theme preference.
 * `qaproof:design:<id>` / `qaproof:design:auto:<id>` — element-detection cache 
   state per saved design so the in-admin UI shows the cached element overlay without
   a re-detection round-trip.

Job IDs and a tab-open flag for active tests are written to `sessionStorage` (cleared
when the tab closes).

**WordPress privacy hooks (Tools  Export Personal Data / Erase Personal Data).**
The plugin registers a personal-data exporter and eraser covering: the notification
recipient email and any feedback-log entries authored by the user whose email is
requested. Local erasure removes these on this site only — it does NOT propagate
to the QAProof SaaS. To delete SaaS-side test history, monitor results, or your 
QAProof account contact support@qaproof.io.

**Where data is processed.** api.qaproof.io is hosted in AWS us-east-1 (United States).
The QAProof API forwards image bytes to Anthropic Claude (United States) for analysis,
fetches Figma file exports from Figma’s API (United States) when you submit a Figma
URL or connect Figma, and sends email reports via Amazon SES (United States). For
EU-based site owners these are GDPR international transfers — see the QAProof Privacy
Policy at https://qaproof.io/privacy for the legal mechanisms in use.

**Privacy Policy helper.** The plugin contributes suggested copy to your site’s 
Privacy Policy via WordPress’s `wp_add_privacy_policy_content()`. Visit **Settings
Privacy  Policy guide** in your WordPress admin to review and merge it into your
published Privacy Policy.

**No analytics, no tracking.** No tracking pixels, no fingerprinting, no analytics,
and no third-party scripts run on the front-end of your site. All plugin assets (
CSS, JS, fonts) are bundled locally — nothing is loaded from external CDNs.

## Screenshots

 * [[
 * Dashboard — recent test results and quick-launch tiles.
 * [[
 * Design Fidelity test — Figma vs live page side-by-side with severity-tagged markers.

## Installation

 1. From your WordPress admin, go to **Plugins  Add New** and search for “QAProof”.
    Click **Install Now**, then **Activate**.
 2. Sign up for a free QAProof account at https://qaproof.io and copy your API key 
    from the cabinet.
 3. In WordPress, open **QAProof  Settings  API**, paste the API key, and click **Test
    Connection**.
 4. (Optional) Connect your Figma account at **Settings  Tests  Design Fidelity  Figma
    connection  Connect Figma** so the plugin can read your design files directly. 
    Alternatively, share each Figma file with `figma@qaproof.io` manually.
 5. Open **QAProof  Tests** to run your first comparison.

## FAQ

### Is QAProof free?

The WordPress plugin is free and GPL-licensed. The hosted API has a free tier suitable
for individual sites and paid plans for higher volume. See https://qaproof.io/pricing.

### Do I need a Figma account?

Only for Design Fidelity tests that use a Figma URL as the design source. You can
also upload a design as an image (PNG / JPG / Sketch file) without any Figma account.
Other test types (responsive, accessibility, regression, design audit) don’t use
Figma at all.

### What data does QAProof send to the SaaS API?

For each test, the plugin sends the page URL, the design source (Figma URL OR uploaded
image bytes), and a few render options (viewport sizes, WCAG level). The API renders
the page in a headless browser, captures screenshots, calls Anthropic Claude Vision,
and returns a structured report. See “External Services” below for the full list.

### Where are test results stored?

On the QAProof SaaS database, scoped to your workspace. The plugin does not create
a local copy of test results on fresh installs. See the “Privacy” section below 
for the full list of locally-stored data (configuration only — API key, notification
email, saved-design configuration, feedback log).

### Can I self-host the backend?

Not at the moment. The plugin is open-source under GPL-2.0+, but the API server 
is closed-source SaaS. If self-hosting matters for your use case, write to support@qaproof.
io.

### Does the plugin work on a Multisite network?

Yes, with per-site configuration. The plugin can be network-activated, but each 
site in the network configures its own QAProof API key and Figma connection independently
via that site’s **QAProof  Settings**. Test results, monitors, and history are also
scoped per-site. The plugin does not currently support a single shared API key at
the network level.

### How long does a test take?

15–30 seconds for Design Fidelity, 1–2 minutes for Responsive (3 viewports), 2–5
minutes for Accessibility audits on complex pages.

### What happens if my API key is missing or wrong?

The plugin renders a clear error in the test UI. No test is run, nothing is sent.
You can re-paste the key any time in Settings  API.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“QAProof” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ QaProof ](https://profiles.wordpress.org/qaproof/)

[Translate “QAProof” into your language.](https://translate.wordpress.org/projects/wp-plugins/qaproof)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/qaproof/), check out
the [SVN repository](https://plugins.svn.wordpress.org/qaproof/), or subscribe to
the [development log](https://plugins.trac.wordpress.org/log/qaproof/) by [RSS](https://plugins.trac.wordpress.org/log/qaproof/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.1

Compliance, transparency, and hardening round for the WordPress.org plugin review.
No functional changes.

 * **External Services disclosure.** The `== External Services ==` section in readme.
   txt now enumerates every endpoint the plugin calls on api.qaproof.io (including`/
   api/compare`, `/api/jobs`, `/api/send-report-email`, `/api/history*`, `/api/results/*/
   approve`, `/api/figma-oauth/*`, `/api/baselines*`, `/api/monitors*`, `/api/me`,`/
   api/health`), the exact data sent in each request, and links to the Terms of 
   Service and Privacy Policy for QAProof, Anthropic, and Figma.
 * **PHP limit raises tightened.** Replaced direct `ini_set('memory_limit', ...)`
   in the screenshot fetcher with WordPress’s `wp_raise_memory_limit('image')`. `
   set_time_limit` in the scheduled-monitor cron handler is documented and remains
   gated on `function_exists` + `disable_functions` allow-list; it never runs outside
   the cron context.
 * **Settings tab navigation.** `?tab=` / `?subtab=` URL params now go through an
   explicit allow-list before reaching the template; capability gate retained.
 * **Vendor script handles namespaced.** Bundled Chart.js / jsPDF / jsPDF-AutoTable
   now enqueue under `qaproof-chartjs`, `qaproof-jspdf`, `qaproof-jspdf-autotable`
   handles so they can’t collide with other plugins shipping different versions 
   of the same library.
 * **Non-minified vendor sources shipped** alongside the minified ones (chart.umd.
   js / jspdf.umd.js / jspdf.plugin.autotable.js) per the wp.org “human-readable
   source” guideline.
 * **Dead code removed.** Three legacy CRUD classes (Monitor, Result, TestHistory)
   that no longer ran (replaced by the SaaS API) were deleted along with their `
   CREATE TABLE` statements. Fresh installs no longer add empty custom tables; existing
   installs upgrading from older versions still get their data migrated to the API
   on first run.
 * **Debug log spam removed.** Non-essential `console.log` calls stripped from the
   bundled JS modules. `console.warn` / `console.error` retained only on genuine
   failure paths.
 * **Line endings normalised.** Plugin PHP and JS files saved with LF endings; vendor
   files left as upstream ships them.
 * **XSS defence-in-depth.** Every interpolation of an API-returned string into 
   innerHTML now passes through `Q.escapeHtml()` at the call site — even where the
   field is server-typed today, on the assumption that any future shape drift must
   not become an XSS path. Affected paths: monitor list error banner, monitor delete
   toast, monitor run failure toast, send-email-report result, baseline-captured
   toast, regression-completed toast.
 * **Transient cache key.** Monitor results page cache now uses a dedicated prefixed
   helper (`cache_key_results_page`) so the full transient name is obviously namespaced
   for static analysers.
 * **Compatibility headers.** `Tested up to: 7.0`.

#### 1.0.0

 * Initial public release.
 * Design fidelity comparison (Figma vs live page).
 * Responsive testing across desktop, tablet, mobile.
 * Accessibility audit (WCAG 2.1 A / AA / AAA).
 * Visual regression monitoring (daily / weekly / monthly).
 * Design audit (token extraction + design debt score).
 * Figma OAuth 2.0 connection (alternative to per-file sharing with figma@qaproof.
   io).
 * PDF report export.
 * Email notifications + admin badge for regressions.
 * Multisite-compatible (per-site configuration).
 * Self-hosted assets (no external CDN dependencies).

## Meta

 *  Version **1.0.1**
 *  Last updated **3 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 8.0 or higher **
 * Tags
 * [accessibility](https://wordpress.org/plugins/tags/accessibility/)[responsive](https://wordpress.org/plugins/tags/responsive/)
   [visual regression](https://wordpress.org/plugins/tags/visual-regression/)[wcag](https://wordpress.org/plugins/tags/wcag/)
 *  [Advanced View](https://wordpress.org/plugins/qaproof/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/qaproof/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/qaproof/reviews/)

## Contributors

 *   [ QaProof ](https://profiles.wordpress.org/qaproof/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/qaproof/)