Leveraging the WordPress Coding Standards to review plugins and themes

Presented on March 24, 2018 at WordCamp Rotterdam, The Netherlands.
https://2018.rotterdam.wordcamp.org/
---------------------------------------------------------------
Ever been hesitant to upgrade to a newer WP version as you weren’t sure whether the theme and the plugins you use would be compatible?
Or wondered whether installing a certain plugin would open your site up to security risks?
Or maybe whether you would be able to present your customer with an interface in their language for a certain plugin?

No matter whether you are a developer or you can’t tell divs from eval’s, PHP Codesniffer and the WordPress Coding Standards can help you. Let me tell you how…

------------------------------------
Relevant links:

* https://github.com/jrfnl/QA-WP-Projects/
* https://github.com/squizlabs/PHP_CodeSniffer
* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
* https://github.com/wimg/PHPCompatibility/

* http://php.net/download
* http://getcomposer.org/
* https://packagist.org/packages/jrfnl/qawpprojects

* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/1157
* https://github.com/squizlabs/PHP_CodeSniffer/pull/1948

Juliette Reinders Folmer

March 24, 2018
Transcript

  1. Leveraging the WordPress Coding Standards to Review Plugins and Themes

  2. Hello!
    Juliette Reinders Folmer
    @jrf_nl @jrfnl

  3. Coding Standards?

  4. Coding standards cover:
    • Code Style
    • Documentation
    • Code Smells
    • Code Metrics
    • Best Practices
    • Code Compatibility

  5. QA WP Projects
    • PHP Compatibility Standard
    • WordPress Coding Standards
    • PHP Codesniffer

  6. Before you start

  7. Choosing a plugin/theme
    Plugin A, Plugin B, Plugin C, Plugin D, Plugin E

  8-10. Before Running the QA Analysis [1]
    • Download a copy of the plugin/theme
    • Check the minimum supported WP version
    • Check the PHP version of the deployment environment

  11-12. Before Running the QA Analysis [2]
    • Check the main plugin/theme file for the text-domain
    • "Guess" the plugin/theme prefixes

  13. Reviewing with PHP_CodeSniffer

  14. Install
    • PHP: http://php.net/download
    • Composer: https://getcomposer.org/download/
    • QA-WP-Projects, via Composer: composer global require jrfnl/qawpprojects
    See also: https://github.com/squizlabs/PHP_CodeSniffer/pull/1948

  15. Choose Your Standard
    • WP-QA-Basic: 95 checks
    • WP-QA-Strict: 118 checks

  16. Running the checks
    > phpcs ./path/to/project-root/ \
        --standard=WP-QA-Basic \
        --runtime-set testVersion 5.6- \
        --runtime-set minimum_supported_wp_version 4.5 \
        --runtime-set prefixes plugin_prefix,theme_acronym \
        --runtime-set text_domain slug
    (or --standard=WP-QA-Strict for the stricter rule set)

  18. Interpreting the Results

  19. Hard Errors

  20. Dangerous Code

  21. Dangerous Code
    • Use of eval()
    • Use of PCRE /e modifier
    • Use of backtick operator

  22. Untestable Code

  23. Untestable Code
    • High Code Complexity
    • Deep Code Nesting

  24. Outdated Code

  25. Outdated Code
    • Global functions instead of OO
    • Use of PHP 4 style code

  26. Messy Code

  27. Messy Code
    • Use of extract()
    • Duplicate classes
    • Duplicate function arguments
    • Assignments in conditions
    • Jumbled incrementors

  28. Incompatible Code - PHP

  29. Incompatible Code - PHP
    • Use of deprecated syntaxes
    • Use of deprecated or removed functions / classes / extensions etc.
    • Use of (too) new syntaxes

  30. Incompatible Code - WP

  31. Incompatible Code - WP
    Use of deprecated:
    • WP Functions
    • WP Function Parameters
    • WP Classes

  32. Conflicting Code (Strict)

  33. Conflicting Code
    • Overwriting WP global variables
    • Non-enqueued scripts & styles
    • Non-prefixed code

  34. Potentially Insecure Code (Strict)

  35. Insecure Code
    • Input not validated/sanitized
    • Output not escaped
    • Using user input without nonce verification
    • Open to SQL injection
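The four items on the "Insecure Code" slide in working code, as an added example that is not from the deck or from the QA-WP-Projects repository: the first function is a form handler written the way the WordPress Coding Standards security sniffs flag it, the second is the same handler rewritten so those sniffs pass. The plugin prefix myplugin, the nonce action name and the subscribers table are assumptions.

```php
<?php
// Constructed example, not from the deck or from QA-WP-Projects. Plugin prefix
// "myplugin" and the table {$wpdb->prefix}myplugin_subscribers are assumptions.

// BEFORE: a handler that trips every item on the "Insecure Code" slide.
function myplugin_save_subscriber_insecure() {
	global $wpdb;
	// No nonce check (WordPress.Security.NonceVerification) and the raw $_POST
	// value used as-is (WordPress.Security.ValidatedSanitizedInput).
	$email = $_POST['email'];
	// SQL built by string interpolation (WordPress.DB.PreparedSQL).
	$wpdb->query( "INSERT INTO {$wpdb->prefix}myplugin_subscribers (email) VALUES ('$email')" );
	// Unescaped output (WordPress.Security.EscapeOutput).
	echo '<p>Saved ' . $email . '</p>';
}

// AFTER: the same handler, written so the Strict standard passes.
function myplugin_save_subscriber() {
	global $wpdb;

	// Nonce first; the form emits it with wp_nonce_field( 'myplugin_subscribe', 'myplugin_nonce' ).
	if ( ! isset( $_POST['myplugin_nonce'] )
		|| ! wp_verify_nonce( sanitize_key( $_POST['myplugin_nonce'] ), 'myplugin_subscribe' )
	) {
		wp_die( esc_html__( 'Security check failed.', 'myplugin' ) );
	}

	// Validate that the field exists, unslash (WP slashes $_POST), then sanitize.
	if ( ! isset( $_POST['email'] ) ) {
		return;
	}
	$email = sanitize_email( wp_unslash( $_POST['email'] ) );
	if ( ! is_email( $email ) ) {
		wp_die( esc_html__( 'Invalid e-mail address.', 'myplugin' ) );
	}

	// Prepared statement: the value travels as a %s placeholder, never interpolated.
	$wpdb->query(
		$wpdb->prepare(
			"INSERT INTO {$wpdb->prefix}myplugin_subscribers (email) VALUES (%s)",
			$email
		)
	);

	// Escape at the point of output, with the text domain the I18n sniff expects.
	/* translators: %s: e-mail address */
	echo '<p>' . esc_html( sprintf( __( 'Saved %s', 'myplugin' ), $email ) ) . '</p>';
}
```

Running phpcs with WP-QA-Strict over a file containing only the first function reports one finding per slide item; the second function is what the sniffs accept.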

  36. Internationalization Issues (Strict)

  37. Potentially Buggy Code (Strict)

  38. Potentially Buggy Code
    • Non-strict comparisons
    • WP SQL best practices

  39. Sloppy Code (Strict)

  40. Sloppy Code
    • Empty statements
    • Unconditional if statements
    • Function calls in loop condition

  41. Discouraged Code (Strict)

  42. Discouraged Code
    • PHP functions for which WP has a better alternative
    • Debug code

  44. No issues found? Re-run with --ignore-annotations, so that phpcs:ignore annotations in the code cannot hide findings.

  45. What About Tide?

  46. WPCS native support: https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/1157

  47. Thanks! Any questions?
    Slides: https://speakerdeck.com/jrf
    Code: https://github.com/jrfnl/qa-wp-projects
    @jrf_nl @jrfnl @jrf