Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Leveraging the WordPress Coding Standards to review plugins and themes

Leveraging the WordPress Coding Standards to review plugins and themes

Presented on March 24, 2018 at WordCamp Rotterdam, The Netherlands.
Ever been hesitant to upgrade to a newer WP version as you weren’t sure whether the theme and the plugins you use would be compatible ?
Or wondered whether installing a certain plugin would open your site up to security risks ?
Or maybe whether you would be able to present your customer with an interface in their language for a certain plugin ?

No matter whether you are a developer or you can’t tell divs from eval’s, PHP Codesniffer and the WordPress Coding Standards can help you. Let me tell you how…

Relevant links:

* https://github.com/jrfnl/QA-WP-Projects/
* https://github.com/squizlabs/PHP_CodeSniffer
* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
* https://github.com/wimg/PHPCompatibility/

* http://php.net/download
* http://getcomposer.org/
* https://packagist.org/packages/jrfnl/qawpprojects

* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/1157
* https://github.com/squizlabs/PHP_CodeSniffer/pull/1948

Juliette Reinders Folmer

March 24, 2018

More Decks by Juliette Reinders Folmer

Other Decks in Programming


  1. Before Running the QA Analysis [1]  Download a copy

    of the plugin/theme  Check the minimum supported WP version
  2. Before Running the QA Analysis [1]  Download a copy

    of the plugin/theme  Check the minimum supported WP version  Check the PHP version of the deployment environment Jack Moreh
  3. Before Running the QA Analysis [2]  Check main plugin/theme

    file for the text-domain  "Guess" the plugin/theme prefixes
  4. PHP • http://php.net/download Composer • https://getcomposer.org/download/ QA-WP- Projects • Install

    via Composer: composer global require jrfnl/qawpprojects Install https://github.com/squizlabs/PHP_CodeSniffer/pull/1948
  5. Running the checks > phpcs ./path/to/project-root/ --standard=WP-QA-Basic --runtime-set testVersion 5.6-

    --runtime-set minimum_supported_wp_version 4.5 --runtime-set prefixes plugin_prefix,theme_acronym --runtime-set text_domain slug WP-QA-Strict
  6. Dangerous Code  Use of eval()  Use of PCRE

    /e modifier  Use of backtick operator
  7. Messy Code  Use of extract()  Duplicate classes 

    Duplicate function arguments  Assignments in conditions  Jumbled incrementors
  8. Incompatible Code - PHP  Use of Deprecated Syntaxes 

    Use of Deprecated or Removed Functions / Classes / Extensions etc  Use of (too) new Syntaxes
  9. Incompatible Code - WP Use of Deprecated:  WP Functions

     WP Function Parameters  WP Classes
  10. Insecure Code  Input not Validated/Sanitized  Output not Escaped

     Using User Input without Nonce Verification  Open to SQL Injection
  11. Discouraged Code  PHP Functions for which WP has a

    Better Alternative  Debug code