Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Leveraging the WordPress Coding Standards to review plugins and themes

Leveraging the WordPress Coding Standards to review plugins and themes

Presented on March 24, 2018 at WordCamp Rotterdam, The Netherlands.
Ever been hesitant to upgrade to a newer WP version as you weren’t sure whether the theme and the plugins you use would be compatible ?
Or wondered whether installing a certain plugin would open your site up to security risks ?
Or maybe whether you would be able to present your customer with an interface in their language for a certain plugin ?

No matter whether you are a developer or you can’t tell divs from eval’s, PHP Codesniffer and the WordPress Coding Standards can help you. Let me tell you how…

Relevant links:

* https://github.com/jrfnl/QA-WP-Projects/
* https://github.com/squizlabs/PHP_CodeSniffer
* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
* https://github.com/wimg/PHPCompatibility/

* http://php.net/download
* http://getcomposer.org/
* https://packagist.org/packages/jrfnl/qawpprojects

* https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/1157
* https://github.com/squizlabs/PHP_CodeSniffer/pull/1948

Juliette Reinders Folmer

March 24, 2018

More Decks by Juliette Reinders Folmer

Other Decks in Programming


  1. Leveraging the WordPress Coding Standards to Review Plugins and Themes

  2. Hello! Juliette Reinders Folmer @jrf_nl @jrfnl

  3. Coding Standards ?

  4. Code Style Documentation Code Smells Code Metrics Best Practices Code

  5. QA WP Projects PHP Compatibility Standard WordPress Coding Standards PHP

  6. nerminhuski Before you start

  7. Choosing a plugin/theme Plugin A Plugin B Plugin C Plugin

    D Plugin E
  8. Before Running the QA Analysis [1]  Download a copy

    of the plugin/theme
  9. Before Running the QA Analysis [1]  Download a copy

    of the plugin/theme  Check the minimum supported WP version
  10. Before Running the QA Analysis [1]  Download a copy

    of the plugin/theme  Check the minimum supported WP version  Check the PHP version of the deployment environment Jack Moreh
  11. Before Running the QA Analysis [2]  Check main plugin/theme

    file for the text-domain
  12. Before Running the QA Analysis [2]  Check main plugin/theme

    file for the text-domain  "Guess" the plugin/theme prefixes
  13. svklimkin Reviewing with PHP_CodeSniffer

  14. PHP • http://php.net/download Composer • https://getcomposer.org/download/ QA-WP- Projects • Install

    via Composer: composer global require jrfnl/qawpprojects Install https://github.com/squizlabs/PHP_CodeSniffer/pull/1948
  15. Choose Your Standard WP-QA-Basic 95 checks WP-QA-Strict 118 checks

  16. Running the checks > phpcs ./path/to/project-root/ --standard=WP-QA-Basic --runtime-set testVersion 5.6-

    --runtime-set minimum_supported_wp_version 4.5 --runtime-set prefixes plugin_prefix,theme_acronym --runtime-set text_domain slug WP-QA-Strict
  17. None
  18. ainsliejoon Interpreting the Results

  19. Hard Errors

  20. Dawn Armfield Dangerous Code

  21. Dangerous Code  Use of eval()  Use of PCRE

    /e modifier  Use of backtick operator
  22. pelican Untestable Code

  23. Untestable Code  High Code Complexity  Deep Code Nesting

  24. Outdated Code Benjamin Earwicker

  25. Outdated Code  Globals Functions instead of OO  Use

    of PHP 4 Style code
  26. Ashim D'Silva Messy Code

  27. Messy Code  Use of extract()  Duplicate classes 

    Duplicate function arguments  Assignments in conditions  Jumbled incrementors
  28. Incompatible Code – PHP

  29. Incompatible Code - PHP  Use of Deprecated Syntaxes 

    Use of Deprecated or Removed Functions / Classes / Extensions etc  Use of (too) new Syntaxes
  30. Jenn Vargas Incompatible Code - WP

  31. Incompatible Code - WP Use of Deprecated:  WP Functions

     WP Function Parameters  WP Classes
  32. Play4smee Conflicting Code (Strict)

  33. Conflicting Code  Overwriting WP Global Variables  Non-enqueued Scripts

    & Styles  Non-prefixed code
  34. Lyn Belisle Potentially Insecure Code (Strict)

  35. Insecure Code  Input not Validated/Sanitized  Output not Escaped

     Using User Input without Nonce Verification  Open to SQL Injection
  36. Vera Kratochvil Internationalization Issues (Strict)

  37. Baydog64 Potentially Buggy Code (Strict)

  38. Potentially Buggy Code  Non-strict Comparisons  WP SQL best

  39. jschumacher Sloppy Code (Strict)

  40. Sloppy Code  Empty Statements  Unconditional If statements 

    Function calls in loop condition
  41. Discouraged Code (Strict)

  42. Discouraged Code  PHP Functions for which WP has a

    Better Alternative  Debug code
  43. StuartMiles

  44. No issues found ? --ignore-annotations

  45. What About Tide ?

  46. https://github.com/ WordPress-Coding-Standards/ WordPress-Coding-Standards/ issues/1157 WPCS native support

  47. Thanks! Any questions ? Slides: https://speakerdeck.com/jrf Code: https://github.com/jrfnl/ qa-wp-projects @jrf_nl

    @jrfnl @jrf