Automatically Catching Bugs in Plugins

A Problem

There are times when it’s difficult for a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the Plugin Directory or can be cost-based plugin from a third-party developer to know the most secure way to implement something (e.g., preparing a SQL query with conditional clauses), and it can be easy to overlook bugs and bad practices when there are thousands of lines of codeLines of Code Lines of code. This is sometimes used as a poor metric for developer productivity, but can also have other uses..

That creates bad experiences for users when something breaks or their site is hacked.

A Potential Solution

Static code analysisStatic code analysis "...the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing." - Wikipedia could help to catch bugs, and inform developers how to fix them. It could also reduce the amount of time the Plugin team spends doing manual reviews.

The Coding Standards project has already built an extensive set of PHPCSPHP Code Sniffer PHP Code Sniffer, a popular tool for analyzing code quality. The WordPress Coding Standards rely on PHPCS. sniffssniff A module for PHP Code Sniffer that analyzes code for a specific problem. Multiple stiffs are combined to create a PHPCS standard. The term is named because it detects code smells, similar to how a dog would "sniff" out food., and the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. team has prototyped a custom PHPCS standard for the Plugin Repository.

Would something like that be useful? If so, what exactly should it check for?


  1. At a high level, what concerns need to be addressed? e.g., security, backwards/forwards-compatibility, best practices?
  2. At a lower level, what specific things should be reported? e.g., escaped database queries & HTMLHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites. output, using CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. APIs where available, avoiding deprecated functions?
  3. What are the current gaps in documentation? e.g., piecing together complex MySQLMySQL MySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. queries with multiple variables. We’ll need good documentation to help devs understand a problem in their code, and fix it the right way.
  4. What are the current gaps in functionality that Core provides to plugins? e.g., escaping table and column names, native MySQL prepared statements, an HTML templating language. It’ll be easier for plugins to meet the standard if they don’t have to create their own implementations of common functionality.
  5. What metrics should we track to determine if code quality is improving enough?
  6. What metrics should we track to determine if we’re saving the Plugin Team enough time?

If you’re interested in similar conversations, check out the #core-coding-standards channel in our Slack workspace. The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization.

cc @dingo_d, @westonruter, @jdgrimes, @jeffpaul

#coding-standards, #phpcs, #security