Skills
skills/wpacademy/wordpress-dev-skills/wp-plugin-review

wp-plugin-review

SKILL.md

WordPress Plugin Review Skill

Review WordPress plugins for security, coding standards, repository guidelines, unit tests, and accessibility. Produces a comprehensive Markdown report with findings, severity levels, and fix recommendations.

Overview

This skill performs a two-phase review:

  1. Automated Analysis — Install and run PHPCS (with WPCS rules), PHPStan, and PHPUnit
  2. Manual Code Review — Deep inspection of security patterns, repo compliance, accessibility, and architecture

The final output is a structured Markdown report saved to /mnt/user-data/outputs/.

Workflow

Phase 0: Setup Environment

Run the setup script to install required tools:

bash scripts/setup_tools.sh

This installs PHPCS, WordPress Coding Standards, PHPStan, and PHPUnit if not already present.

Phase 1: Locate the Plugin

  1. Check /mnt/user-data/uploads/ for uploaded plugin files (zip or folder)
  2. If a zip file is found, extract it to /home/claude/plugin-under-review/
  3. If a folder is found, copy it to /home/claude/plugin-under-review/
  4. Identify the main plugin file (the one with the Plugin Name: header)

Phase 2: Automated Analysis

Run the following tools and capture output:

PHPCS with WordPress Coding Standards

phpcs --standard=WordPress --extensions=php --report=json \
  /home/claude/plugin-under-review/ > /home/claude/phpcs-report.json 2>&1

Also run with security-focused sniffs:

phpcs --standard=WordPress-Extra --extensions=php \
  /home/claude/plugin-under-review/ 2>&1 | head -200

PHPStan (Static Analysis)

phpstan analyse --level=5 --no-progress \
  /home/claude/plugin-under-review/ 2>&1 | head -200

PHPUnit (if tests exist)

Check for tests/ directory or phpunit.xml. If found:

cd /home/claude/plugin-under-review && phpunit 2>&1 | head -100

If no tests exist, note this as a finding in the report.

Phase 3: Manual Code Review

Read references/security-checklist.md and references/repo-guidelines-checklist.md BEFORE starting the manual review.

For each PHP file in the plugin, review against ALL categories:

A. Security Review

Consult references/security-checklist.md for the full checklist. Key areas:

  1. Input Sanitization — Every $_GET, $_POST, $_REQUEST, $_SERVER, $_FILES must be sanitized
  2. Output Escaping — Every echo/print of dynamic data must use appropriate esc_*() functions
  3. SQL Injection — All database queries must use $wpdb->prepare()
  4. Nonce Verification — All form submissions and AJAX handlers must verify nonces
  5. Capability Checks — All privileged actions must check current_user_can()
  6. File Operations — File uploads must validate type/size and use WP filesystem API
  7. CSRF Protection — State-changing requests must have nonce + referer checks
  8. Data Validation — All data must be validated before processing
  9. Direct File Access — All PHP files must prevent direct access (defined('ABSPATH') || exit)
  10. Secure API Calls — External HTTP requests must use wp_remote_get/post()

B. WordPress Coding Standards

  1. Naming Conventions — Functions, classes, hooks follow WP naming patterns
  2. File Organization — Proper directory structure and file naming
  3. Hook Usage — Correct use of actions and filters
  4. Enqueue Scripts/Styles — Must use wp_enqueue_script/style() with proper deps
  5. Internationalization — All user-facing strings must use translation functions
  6. PHP Compatibility — Must work with PHP 7.4+
  7. WordPress API Usage — Use WP functions instead of raw PHP where available
  8. No Bundled Core Libraries — Must not include jQuery, PHPMailer, etc.

C. Repository Guidelines

Consult references/repo-guidelines-checklist.md for full details. Key areas:

  1. readme.txt — Proper format, required headers, changelog, FAQ
  2. Plugin Headers — All required headers present and accurate
  3. License — GPL-2.0-or-later compatible
  4. No Tracking/Phoning Home — No unauthorized external calls
  5. No Obfuscated Code — All code must be human-readable
  6. Stable Tag — Must match the latest tagged version
  7. Tested Up To — Must reference a current WordPress version

D. Unit Test Coverage

  1. Test Existence — Does a tests/ directory exist?
  2. Test Quality — Do tests assert meaningful behavior?
  3. Coverage Areas — Are critical functions tested?
  4. WP Test Framework — Uses WP_UnitTestCase or equivalent?
  5. CI/CD Ready — Is there a phpunit.xml or phpunit.xml.dist?

E. Accessibility

  1. ARIA Attributes — Admin UI elements have proper ARIA labels
  2. Keyboard Navigation — Interactive elements are keyboard accessible
  3. Color Contrast — UI meets WCAG 2.1 AA standards
  4. Screen Reader Support — Dynamic content announces changes
  5. Form Labels — All inputs have associated labels
  6. Focus Management — Focus is managed in modals/dialogs
  7. Semantic HTML — Proper use of headings, landmarks, roles

Phase 4: Generate Report

Use severity levels:

Severity Meaning
🔴 CRITICAL Security vulnerability or blocking issue — must fix
🟠 HIGH Significant issue — may cause repository rejection
🟡 MEDIUM Best practice violation — recommended fix
🟢 LOW Minor improvement — nice to have
✅ PASS Area passes review

Use the report template in references/report-template.md for structure.

Save the final report to: /mnt/user-data/outputs/[plugin-name]-review-report.md

Important Notes

  • Always read BOTH reference checklist files before starting manual review
  • Provide actual code fixes with before/after snippets, not just descriptions
  • Reference specific file names and line numbers for every finding
  • If the plugin has no unit tests, provide a sample test file as a bonus deliverable
  • Be thorough but fair — acknowledge good practices alongside issues
  • The report should be fully actionable: a developer should fix all issues from reading it
  • Score each category and provide an overall score out of 100
Weekly Installs
1
Repository
wpacademy/wordp…v-skills
GitHub Stars
23
First Seen
8 days ago
Security Audits
Gen Agent Trust HubWarn
SocketPass
SnykFail
Installed on
claude-code1