This plugin follows the WordPress Coding Standards with additional rules required for WordPress.org plugin directory submission.
```bash
# Run all PHPCS checks (includes heredoc check)
./vendor/bin/phpcs --standard=phpcs.xml.dist

# Run with full report
./vendor/bin/phpcs --standard=phpcs.xml.dist --report=full

# Auto-fix what can be fixed
./vendor/bin/phpcbf --standard=phpcs.xml.dist

# Check PHP compatibility (7.4+)
./vendor/bin/phpcs --standard=PHPCompatibilityWP --runtime-set testVersion 7.4-8.4 --extensions=php includes/ pressprimer-quiz.php

# Lint JavaScript (checks for console statements)
npm run lint:js -- assets/js/*.js

# Lint CSS
npm run lint:css
```

The following rules are enforced by the WordPress.org plugin scanner. Violations will cause automatic rejection.
- No Heredoc/Nowdoc Syntax

  The `<<<` syntax is not allowed. Use string concatenation instead.

  ```php
  // WRONG - Will be rejected
  $script = <<<'JS'
  jQuery(document).ready(function($) {
      console.log('test');
  });
  JS;

  // CORRECT
  $script = 'jQuery(document).ready(function($) {' .
      'console.log("test");' .
      '});';
  ```

- Escape All Output

  All output must be escaped using appropriate functions:

  - `esc_html()` for text content
  - `esc_attr()` for HTML attributes
  - `esc_url()` for URLs
  - `wp_kses()` or `wp_kses_post()` for HTML content
  - `wp_json_encode()` for JSON data

- Sanitize All Input

  All user input must be sanitized:

  - `sanitize_text_field()` for text
  - `absint()` or `intval()` for integers
  - `sanitize_email()` for emails
  - `wp_kses()` for HTML content
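- Verify Nonces

  All form submissions and AJAX requests must verify nonces:

  ```php
  // Confirm the nonce is present, then unslash and sanitize it before verifying.
  if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'action_name' ) ) {
      wp_die( 'Security check failed' );
  }
  ```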
- Check Capabilities

  Always verify user capabilities before performing actions:

  ```php
  if ( ! current_user_can( 'manage_options' ) ) {
      wp_die( 'Unauthorized' );
  }
  ```

- Use Prepared Statements

  All database queries with user data must use `$wpdb->prepare()`:

  ```php
  $wpdb->get_results(
      $wpdb->prepare(
          "SELECT * FROM {$wpdb->prefix}table WHERE id = %d",
          $id
      )
  );
  ```

- No Console Statements in Production

  Remove all `console.log()`, `console.error()`, `console.warn()`, and `console.debug()` statements before submission.

- No Debug Code

  Remove any DEBUG flags, logging systems, or development-only code.

- Proper jQuery Usage

  Use the jQuery wrapper pattern to avoid conflicts:

  ```js
  jQuery(document).ready(function($) {
      // Your code here using $
  });
  ```
- No External Resources

  All CSS, JavaScript, and other assets must be included locally. Do not load resources from external CDNs.

- No Minified Files Without Source

  If including minified files, the unminified source must also be included.

- Prefix Everything

  All functions, classes, constants, and global variables must be prefixed:

  - Functions: `ppq_` or `pressprimer_quiz_`
  - Classes: `PPQ_` or `PressPrimer_Quiz_`
  - Constants: `PPQ_`
  - Hooks: `ppq/` or `pressprimer_quiz_`
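
The nonce, capability, sanitization, prepared-statement and escaping rules above, combined in one AJAX handler. This is an added example, not code from the plugin: the action name `ppq_get_quiz_title`, the `quiz_id` and `nonce` request fields, and the `ppq_quizzes` table with its `title` column are hypothetical.

```php
<?php
// Added example. Handler name, action, request fields and table are assumptions.
add_action( 'wp_ajax_ppq_get_quiz_title', 'ppq_ajax_get_quiz_title' );

/**
 * Return the title of one quiz to an authenticated admin request.
 */
function ppq_ajax_get_quiz_title() {
	global $wpdb;

	// Verify Nonces: check_ajax_referer() reads the 'nonce' request field.
	// Passing false as the third argument returns false instead of dying,
	// so the handler can answer with a JSON error and a 403 status.
	if ( ! check_ajax_referer( 'ppq_get_quiz_title', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Security check failed' ), 403 );
	}

	// Check Capabilities: a valid nonce proves intent, not authorization.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
	}

	// Sanitize All Input: test presence first, then coerce to a non-negative integer.
	$quiz_id = isset( $_POST['quiz_id'] ) ? absint( wp_unslash( $_POST['quiz_id'] ) ) : 0;
	if ( 0 === $quiz_id ) {
		wp_send_json_error( array( 'message' => 'Invalid quiz ID' ), 400 );
	}

	// Use Prepared Statements: the value is bound through %d, never concatenated.
	$title = $wpdb->get_var(
		$wpdb->prepare(
			"SELECT title FROM {$wpdb->prefix}ppq_quizzes WHERE id = %d",
			$quiz_id
		)
	);
	if ( null === $title ) {
		wp_send_json_error( array( 'message' => 'Quiz not found' ), 404 );
	}

	// Escape All Output: the stored title is escaped for text context here;
	// wp_send_json_success() encodes the response with wp_json_encode().
	wp_send_json_success( array( 'title' => esc_html( $title ) ) );
}
```

Each `wp_send_json_error()` call ends the request, so a later check never runs after an earlier one fails.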
Before submitting to WordPress.org, run these checks:
```bash
# 1. PHPCS with project config (includes heredoc check)
./vendor/bin/phpcs --standard=phpcs.xml.dist --report=summary

# 2. Security-focused checks
./vendor/bin/phpcs --standard=WordPress-Extra \
  --sniffs=WordPress.Security.EscapeOutput,WordPress.Security.ValidatedSanitizedInput,WordPress.Security.NonceVerification \
  --report=summary includes/ pressprimer-quiz.php

# 3. PHP compatibility
./vendor/bin/phpcs --standard=PHPCompatibilityWP \
  --runtime-set testVersion 7.4-8.4 \
  --extensions=php --report=summary includes/ pressprimer-quiz.php

# 4. JavaScript linting (catches console statements, debugger, etc.)
npm run lint:js -- assets/js/*.js

# 5. Search for heredoc syntax (should return nothing)
grep -r "<<<" includes/
```

All checks must pass with zero errors before submission.
- Clone the repository
- Install PHP dependencies: `composer install`
- Install JavaScript dependencies: `npm install`
- Build assets: `npm run build`

- `main` - Production-ready code
- `develop` - Development branch
- `feature/*` - New features
- `fix/*` - Bug fixes
- `release/*` - Release preparation

Use clear, descriptive commit messages:

- `Add feature description`
- `Fix bug description`
- `Update component for reason`
- `Remove deprecated functionality`