WordPress’ Performance team is kickstarting a proposal for developing a plugin checker tool similar to the theme check plugin, which ensures themes are meeting the latest standards and best practices.

In 2021, WordPress’ Meta team built a code scanner that detects potential security risks, such as unescaped SQL queries in plugin code, with the goal of reducing the Plugin Team’s load through automation. That particular tool wasn’t developed to encourage best practices but rather to ensure plugins entering the directory meet the bare minimum standards necessary for security.

The Performance team is proposing building a different kind of plugin that would flag any violations of the plugin development requirements and suggest best practices with errors or warnings.

“It should cover various aspects of plugin development, from basic requirements like correct usage of internationalization functions to accessibility, performance, and security best practices,” Google-sponsored contributor Felix Arntz said. He identified three main goals for the plugin:

  • Provide plugin developers with feedback on requirements and best practices during development.
  • Provide the wordpress.org plugin review team with an additional automated tool to identify certain problems or weaknesses in a plugin ahead of a manual review.
  • Provide technical site owners with a tool to assess plugins based on those requirements and best practices.

The Performance team recommends the plugin also work from the command line (using WP-CLI) and that it go beyond static code analysis to include runtime checks that execute code.

The proposal has received mixed feedback so far. Several participants in the discussion welcome development on such a tool and would be eager to use it with their own plugins. Others are worried about the checks becoming too heavy-handed and negatively impacting the plugin ecosystem.

“Having a plugin to automate these checks sounds great,” WordPress developer Michael Nelson said. “I worry though that eventually this will mean WP plugin author devs will need to adopt WP’s code style too, which would be pretty annoying.”

WordPress developer Josh Pollock commented that he shares these concerns and is worried about how these standards may be applied towards plugins that were not created to support PHP5, use composer for dependency management and automation, and share PHP code with other frameworks.

“If this HELPS plugin developers, then fine, but if it is used as a weapon to insist on standards, then I suspect it will be a nail in WP’s coffin,” plugin developer Robin W said.

“If you want to insist on stuff that is not security critical, then the current documentation is far from useful to rookies.

“Now if the tool rewrote the code to standard, so the dev got a ‘this is a better version’ then I would be on board.

“But one that just says ‘you are not escaping your code correctly’ and then makes the plugin dev try and find what and where it is wrong will just drive less innovation.”

The Performance team is requesting feedback from the community, particularly plugin developers, plugin reviewers, and the meta team. If they are able to reach a consensus, Arntz said the next step is to design the infrastructure for the plugin checker in a GitHub repository.

“The performance team would be excited to take the lead on this project, but it is vital that additional contributors from other teams help with its development, especially when it comes to defining and implementing the different checks,” Arntz said.

“This is certainly an ambitious project, and it is not the first time that a plugin checker has come up. It also needs to be clarified that it will likely take a few months at least to get to a first version. However, we are optimistic that with a solid foundation and collaboration from the start, we can create a tool that will meet the requirements for reliable automated plugin checks.”