You should check the Plugin Security section in the plugin developer’s handbook.
1) Data Must be Sanitized, Escaped, and Validated
Validation – These are the checks that are run to ensure the data you have is what it should be. For instance, that an e-mail looks like an e-mail address, that a date is a date, and that a number is (or is cast as) an integer.
Sanitization / Escaping – These are the filters that are applied to data to make it ‘safe’ in a specific context. For instance, to display HTML code in a text area it would be necessary to replace all the HTML tags by their entity equivalents.
Before : $ua = $_SERVER['HTTP_USER_AGENT'];
After : $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '';
2) Variables and options must be escaped when echoing
When you print any content as output without properly escaping it, it will generate an error saying "Output should be run through an escaping function". Check out more functions here.
Before: echo $query_today;
After : echo esc_html( $query_today );
3) Generic function/class/define/namespace names
All plugins must have unique function names, namespaces, defines, and class names. This prevents your plugin from conflicting with other plugins or themes. You can add your unique prefix or suffix to every function and class name.
Before: class PostViewsStats
After: class GunviperPostViewsStats
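The three points above combined in one small plugin file, as an added example that is not part of the original answer. The plugin name, the `acmedemo_` prefix, the shortcode and the form field names are hypothetical, the file assumes it is loaded by WordPress, and the nonce check goes beyond the three points listed.

```php
<?php
/* Plugin Name: Acme Demo Signup (hypothetical example, prefix "acmedemo_") */
defined( 'ABSPATH' ) || exit; // Run only when loaded by WordPress.
add_shortcode( 'acmedemo_signup', 'acmedemo_render_signup' );

/** Return one POST field as an unslashed string; arrays and missing keys become ''. */
function acmedemo_post_string( $key ) {
	return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) ? wp_unslash( $_POST[ $key ] ) : '';
}

/** Validate and sanitize the submitted fields; nothing here is echoed. */
function acmedemo_read_input() {
	$errors = array();
	$nonce  = sanitize_key( acmedemo_post_string( 'acmedemo_nonce' ) );
	if ( ! wp_verify_nonce( $nonce, 'acmedemo_signup' ) ) {
		$errors[] = 'Form expired, please submit again.';
	}
	// Sanitize first, then validate: is_email() returns false for a non-address.
	$email = sanitize_email( acmedemo_post_string( 'acmedemo_email' ) );
	if ( ! is_email( $email ) ) {
		$errors[] = 'Please enter a valid e-mail address.';
		$email    = '';
	}
	// Cast to a non-negative integer, then check the allowed range.
	$seats = absint( acmedemo_post_string( 'acmedemo_seats' ) );
	if ( $seats < 1 || $seats > 10 ) {
		$errors[] = 'Seats must be between 1 and 10.';
		$seats    = 1;
	}
	return array( 'email' => $email, 'seats' => $seats, 'errors' => $errors );
}

/** Shortcode callback: every dynamic value is escaped for the context it lands in. */
function acmedemo_render_signup() {
	$submitted = isset( $_POST['acmedemo_nonce'] );
	$in        = $submitted ? acmedemo_read_input() : array( 'email' => '', 'seats' => 1, 'errors' => array() );
	$html      = '';
	foreach ( $in['errors'] as $message ) {
		$html .= '<p class="acmedemo-error">' . esc_html( $message ) . '</p>'; // HTML text context.
	}
	if ( $submitted && ! $in['errors'] ) {
		$html .= '<p>' . esc_html( sprintf( 'Reserved %d seat(s) for %s.', $in['seats'], $in['email'] ) ) . '</p>';
	}
	$html .= '<form method="post">' . wp_nonce_field( 'acmedemo_signup', 'acmedemo_nonce', true, false );
	$html .= '<input type="email" name="acmedemo_email" value="' . esc_attr( $in['email'] ) . '">'; // Attribute context.
	$html .= '<input type="number" name="acmedemo_seats" min="1" max="10" value="' . esc_attr( (string) $in['seats'] ) . '">';
	$html .= '<button type="submit">Reserve</button></form>';
	return $html; // Shortcodes return markup instead of echoing it.
}
```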