Theme Check plugin improvements

Things are changing a lot for the better around theme reviews. Part of our continued growth has to include the tools we are using. We are lucky enough to have some people in the team who want to work on making things better there. One of those people is Fränk Klein, he’s already done some great improvements and is looking at how he can really focus on automation.

I asked him to think a bit about what has been done, what could be and a roadmap for the near future of updates. Here is what Fränk came back with and I hope to see us as a team work with him and make the process more automated.

“Recently, the Theme Check plugin (version 20140929.1) shipped with a number of new checks and updates to existing tests.

Here is an overview of the changes that went in:

  • Code Quality: Updated checks for deprecated functions.
  • Security: All add_settings calls in the Customizer must use sanitization callbacks.
  • Plugin territory checks: Themes must not register post types or taxonomies or add shortcodes for post content.
  • Widgets: Calls to register_sidebar must be made from the widgets_init action hook.
  • Title: <title> tags must exist and not have anything in them other than a call to wp_title().
  • CDN: Checks for use of common CDNs (recommended only).
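The Customizer sanitization rule above is a static check: the plugin does not run the theme, it looks at the source. The script below is an added example written for this post, not Theme Check's own code, of what such a check does. It scans a constructed theme snippet for $wp_customize->add_setting() calls and reports the ones whose argument array carries no 'sanitize_callback'; the first setting in the snippet is the weak form, the second is the corrected form. The function name find_unsanitized_customizer_settings and the demo_ setting names are assumptions made for the example.

```php
<?php
// Added example (not Theme Check's own code): a static check in the spirit of the
// "Customizer settings must use sanitization callbacks" test. It scans theme source
// for $wp_customize->add_setting() calls whose argument array lacks 'sanitize_callback'.
// The theme source below is constructed for the demo; the function names are assumptions.

/**
 * Return one finding per add_setting() call that has no sanitize_callback.
 *
 * @param string $source PHP source of a theme file.
 * @return string[] Human-readable findings (empty when the file passes).
 */
function find_unsanitized_customizer_settings( $source ) {
	$findings = array();
	// Each call runs from "add_setting(" to the first ");" that closes the call.
	// The non-greedy match skips the ")" that closes a nested array( ... ) because
	// it is followed by another ")" rather than by ";".
	$pattern = '/->add_setting\s*\((.*?)\)\s*;/s';
	if ( ! preg_match_all( $pattern, $source, $calls, PREG_SET_ORDER | PREG_OFFSET_CAPTURE ) ) {
		return $findings;
	}
	foreach ( $calls as $call ) {
		$args   = $call[1][0];
		$offset = $call[0][1];
		// Line number of the call, derived from the newlines that precede it.
		$line = substr_count( substr( $source, 0, $offset ), "\n" ) + 1;
		if ( false === strpos( $args, 'sanitize_callback' ) ) {
			// Report the setting ID (first quoted argument) so the finding is actionable.
			preg_match( '/^\s*[\'"]([^\'"]+)[\'"]/', $args, $id );
			$name       = isset( $id[1] ) ? $id[1] : '(unknown)';
			$findings[] = sprintf( 'Line %d: setting "%s" has no sanitize_callback.', $line, $name );
		}
	}
	return $findings;
}

// Constructed theme snippet: the first setting is the weak form, the second the corrected one.
$theme_source = <<<'PHP'
<?php
function demo_customize_register( $wp_customize ) {
	// Weak: whatever the admin types is stored and later printed as-is.
	$wp_customize->add_setting( 'demo_footer_text', array(
		'default' => '',
	) );

	// Corrected: input is reduced to the allowed HTML before it is saved.
	$wp_customize->add_setting( 'demo_footer_text_safe', array(
		'default'           => '',
		'sanitize_callback' => 'wp_kses_post',
	) );
}
add_action( 'customize_register', 'demo_customize_register' );
PHP;

foreach ( find_unsanitized_customizer_settings( $theme_source ) as $finding ) {
	echo $finding, PHP_EOL;
}
```

The check is deliberately textual, like the plugin's own tests: it cannot tell whether the callback named is appropriate for the setting, only whether one is declared at all, which is why the review still looks at what each callback does.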

Automation is an important factor for reducing review times. There are a number of additional checks that can be performed by the plugin:

Code Quality

  • Verify that the call to body_class() is placed in the <body> tag.
  • Check that the body_class filter is used instead of the $class parameter of body_class().
  • Check that the post_class filter is used instead of the $class parameter of post_class().
  • Verify that checkboxes and select options use the checked() and selected() functions.
  • Warn about custom functions that are not prefixed with the theme slug. This is a warning because in certain cases, other prefixes can be used.
  • Check for the use of deprecated function parameters, like using get_bloginfo( 'home' ) instead of home_url().
  • Add .sass-cache and .DS_Store to the list of unwanted files.
  • Look for Google fonts being included directly in stylesheets instead of being enqueued.
  • Warn about themes unregistering widgets.
  • Verify that rtl.css exists if the theme has the rtl-language-support tag set.
  • Check if the global $wpdb object is accessed in the theme.

JavaScript

  • Warn about themes using Masonry V2.
  • Detect themes that dequeue the Core bundled version of jQuery.
  • Look for the deprecated .live() method and uses of $(document).on( "ready", handler )
  • Look for// tags inside template files.

Licensing

  • Look for the use of jQuery Isotope, which is not GPL compatible.

Internationalization

  • Check for no arguments or empty strings being passed to translation functions.
  • Check for variables or function return values placed in strings passed to translation functions.
  • Check for correct call to load_theme_textdomain() in themes that indicate being translation ready.

Security

  • Look for variables that are not escaped before output in template files.
  • Look for uses of print, echo and printf inside esc_attr(), as this will result in unescaped output.
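The second security item is easy to misread as a style nit, so the following added example, written for this post rather than taken from Theme Check, shows the mechanism. printf() writes its text to the output buffer before esc_attr() is ever called; esc_attr() only receives printf()'s return value (the number of bytes written), and since nothing echoes that, the attribute ends up containing the raw value. The corrected form escapes first and outputs second. The script also includes a line-oriented check in the plugin's spirit that flags print, echo or printf as the argument of esc_attr(). The stand-in esc_attr(), the render_weak/render_safe/find_output_inside_esc_attr names and the sample value are all constructed for the example.

```php
<?php
// Added example (not Theme Check's own code). It shows why print/echo/printf inside
// esc_attr() leaves output unescaped, and a regex check that flags the pattern.
// esc_attr() below is a stand-in for the WordPress function so this runs without WordPress.

if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed value under a low-privilege user's control, e.g. a post title.
// The double quote is what lets it break out of the attribute.
$title = '" onfocus="alert(1)" data-x="';

// Weak form: printf() writes $title to the buffer *before* esc_attr() runs.
// esc_attr() sees only printf()'s integer return value, and that escaped
// number is discarded because nothing echoes it.
function render_weak( $title ) {
	ob_start();
	echo '<input type="text" value="';
	esc_attr( printf( '%s', $title ) );
	echo '">';
	return ob_get_clean();
}

// Corrected form: escape first, then output.
function render_safe( $title ) {
	ob_start();
	echo '<input type="text" value="';
	echo esc_attr( $title );
	echo '">';
	return ob_get_clean();
}

/**
 * Static check in Theme Check's spirit: flag print/echo/printf used as the
 * argument of esc_attr(). Returns the offending lines of the given PHP source.
 */
function find_output_inside_esc_attr( $source ) {
	$hits = array();
	foreach ( explode( "\n", $source ) as $i => $line ) {
		if ( preg_match( '/esc_attr\s*\(\s*(?:print|echo|printf)\b/', $line ) ) {
			$hits[] = sprintf( 'Line %d: %s', $i + 1, trim( $line ) );
		}
	}
	return $hits;
}

// The weak markup keeps the injected onfocus attribute; the safe markup
// turns the quotes into &quot; so the value stays inside the attribute.
echo render_weak( $title ), PHP_EOL;
echo render_safe( $title ), PHP_EOL;

// Run the check over a constructed template fragment: only the first line is reported.
$template = <<<'PHP'
<input type="text" value="<?php esc_attr( printf( '%s', $title ) ); ?>">
<input type="text" value="<?php echo esc_attr( $title ); ?>">
PHP;
foreach ( find_output_inside_esc_attr( $template ) as $hit ) {
	echo $hit, PHP_EOL;
}
```

The same ordering problem applies to _e() and other functions that echo rather than return, so a reviewer reading a flagged line should ask what esc_attr() actually receives, not just whether it appears.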

Theme Name

  • Look for the following terms in theme names, that are not allowed: WordPress, Theme, HTML5, CSS3, Blog, Template, Skin, Design, Development, Framework.

The goal is to ship a new version of the plugin with some of these added checks before the end of the year.

I would love to have more people work on this plugin. So if you are interested, please join us at the weekly meeting that will focus on this, which will be Tuesday November 11th at 17:00 UTC in #wordpress-themes.”

– @frank-klein

I’d like to also add that if anyone can think of other things to add, please bring that to the meeting also and comment here. I’d love to see how far we can push automation.