SonarQube: analyze the quality of your plugin or theme

Although WordPress has its security guides for plugins and themes, with its functions, many times meanwhile you can get lost. And that’s where SonarQube comes in.

SonarQube is a tool that analyzes the quality of the code and its security and that can be a very useful tool to improve that plugin that you may have done without much control and that, before going into production, you can improve slightly.

SonarQube as such is a platform in which to integrate all the projects you want and that has quite different requirements from those of WordPress, so it is more than advisable to have a system completely independent of others.

Note that it works with Java, PostgreSQL, and nginx.

Server Configuration

To install and manage SonarQube correctly, we will mount a machine of at least 1 CPU and 2 GB of RAM, with at least 10 GB of disk. In this example, we will use Ubuntu 20.

This tutorial has been created on a VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.


We’ll start with the server timer.

timedatectl set-timezone 'UTC'
timedatectl set-ntp on

And we will do an update of the entire server.

lsb_release -a
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove

Later we will install some useful tools.

apt -y install software-properties-common curl vim zip unzip apt-transport-https

And finally we will leave the system to apply security updates automatically.

apt -y install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Installing Java

For it to work we will need Java 11, so we will opt for OpenJDK.

apt -y install openjdk-11-jdk openjdk-11-jre

We can check that it is installed to see its version.

java -version

That will return a message similar to:

openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

Installing PortgreSQL

We will download the keys.

wget --quiet -O - | apt-key add -
echo "deb `lsb_release -cs`-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list

We install PostgreSQL

apt -y update
apt -y install postgresql-12 postgresql-client-12

We will configure the system to activate the server when the machine starts.

systemctl enable postgresql.service
systemctl restart postgresql.service
systemctl status postgresql.service

Let’s set the service password as root, and create a database for later use.

su - postgres
psql -c "alter user postgres with password 'contraseña_de_root'"

And we create the database, with your username and password.

CREATE USER sonarqube WITH ENCRYPTED PASSWORD 'contraseña_de_sonarqube';

Installing fonts

We will configure the font and typography system for the service.

apt -y install fontconfig-config libfreetype6

Installing SonarQube

We will visit the website with the list of downloads and look for the link to the latest version. In this case we will use version 8.8.


Unzip the file.


And we leave the software in the usage folder.

mv ./sonarqube- /opt/sonarqube/
cd /opt/sonarqube/

There we will configure the access data to the database.

vim /opt/sonarqube/conf/

And we modify the configuration lines (by default they are com,entadas).


To finish we will create a user of execution of the software.

useradd -M -d /opt/sonarqube/ -r -s /bin/bash sonarqube
chown -R sonarqube: /opt/sonarqube

To run it, we will create it in service mode. In this way, when the machine is started it will run automatically.

vim /etc/systemd/system/sonarqube.service

In the file we will include the boot of the system.

Description=SonarQube service

ExecStart=/bin/nohup java -Xms32m -Xmx32m -jar /opt/sonarqube/lib/sonar-application-


IMPORTANT: we must adjust the file of the version corresponding to the system that we have in the line of ExecStart.

ll /opt/sonarqube/lib/

There we must find a file called sonar-application-, which will have to be adjusted according to the downloaded version.

We will tell the system to find this new configuration.

systemctl daemon-reload

Before launching it, we will modify the system configuration.

echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

Now, we will load the system and validate it.

systemctl enable --now sonarqube
systemctl status sonarqube.service

We can validate that there are log files.

ll /opt/sonarqube/logs

Installing nginx

We will install an nginx.

apt -y install nginx

And, for simple operation, we will launch it without HTTPS (it can be configured, but for this example it would not be necessary).

vim /etc/nginx/sites-available/sonarqube

And we load the configuration.

server {
  listen 80;

  access_log  /var/log/nginx/sonarqube.access.log;
  error_log   /var/log/nginx/sonarqube.error.log;

  proxy_buffers 16 64k;
  proxy_buffer_size 128k;

  location / {
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_redirect off;

    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto http;

To avoid problems, we will configure the nginx itself somewhat more optimally.

cd /etc/nginx/
rm nginx.conf
vim nginx.conf

And we will add our custom settings.

user www-data;
pid /run/;
worker_processes auto;
worker_rlimit_nofile 65535;
include /etc/nginx/modules-enabled/*.conf;
events {
  multi_accept on;
  worker_connections 65535;
  use epoll;
http {
  charset utf-8;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  server_tokens off;
  more_clear_headers Server;
  log_not_found off;
  types_hash_max_size 2048;
  client_max_body_size 64m;
  keepalive_timeout 10;
  server_names_hash_bucket_size 128;
  server_names_hash_max_size 1024;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  # logging
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  # TLS
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # gzip
  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 9;
  gzip_disable "msie6";
  gzip_buffers 16 8k;
  gzip_min_length 1100;
  gzip_types application/atom+xml application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml text/css text/javascript text/plain text/xml;
  # more
  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;

We will validate the configuration and restart nginx.

ln -s /etc/nginx/sites-available/sonarqube /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx

And we have everything ready to start working.

We will visit the URL of our site, we will access, the first time, with the username admin and password admin.

Creating a project

Although it is not the intention of this tutorial to explain the operation of SonarQube and all its options, we will do a quick review of how a plugin can be analyzed.

The first thing will be to create a project. This gives us some instructions to follow. In this case we are going to use the Linux version.

We can find the latest version of the CLI to download. In this case we are going to use version 4.6 for Linux.

We are going to download and unzip it.

mv sonar-scanner- sonar-scanner/

We will access the folder of the plugin that we want to analyze and we will create a configuration file.

cd /webs/

And we will incorporate some data, which comes from what we have configured in the panel.

sonar.projectName=Minimal Analytics

And we’ll run the scanner.


At the end of the execution we can return to the panel and we will see the results.

And, from here, improve your code and security!

And, by the way, if you use Github or a similar tool, the integration will be very simple.

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.