Theme Check plugin improvements

Things are changing a lot for the better around theme reviews. Part of our continued growth has to include the tools we are using. We are lucky enough to have some people in the team who want to work on making things better there. One of those people is Fränk Klein; he’s already made some great improvements and is looking at how he can really focus on automation.

I asked him to think a bit about what has been done, what could be and a roadmap for the near future of updates. Here is what Fränk came back with and I hope to see us as a team work with him and make the process more automated.

“Recently, the Theme Check plugin (version 20140929.1) shipped with a number of new checks and updates to existing tests.

Here is an overview of the changes that went in:

  • Code Quality: Updated checks for deprecated functions.
  • Security: All add_settings calls in the Customizer must use sanitization callbacks.
  • Plugin territory checks: Themes must not register post types or taxonomies or add shortcodes for post content.
  • Widgets: Calls to register_sidebar must be called from the widgets_init action hook.
  • Title: <title> tags must exist and not have anything in them other than a call to wp_title().
  • CDN: Checks for use of common CDNs (recommended only).

Automation is an important factor for reducing review times. There are a number of additional checks that can be performed by the plugin:

Code Quality

  • Verify that the call to body_class() is placed in the <body> tag.
  • Check that the body_class filter is used instead of the $class parameter of body_class().
  • Check that the post_class filter is used instead of the $class parameter of post_class().
  • Verify that checkboxes and select options use the checked() and selected() functions.
  • Warn about custom functions that are not prefixed with the theme slug. This is a warning because in certain cases, other prefixes can be used.
  • Check for the use of deprecated function parameters, like using get_bloginfo( 'home' ) instead of home_url().
  • Add .sass-cache and .DS_Store to the list of unwanted files.
  • Look for Google fonts being included directly in stylesheets instead of being enqueued.
  • Warn about themes unregistering widgets.
  • Verify that rtl.css exists if the theme has the rtl-language-support tag set.
  • Check if the global $wpdb object is accessed in the theme.

Javascript

  • Warn about themes using Masonry V2.
  • Detect themes that dequeue the Core bundled version of jQuery.
  • Look for the deprecated .live() method and uses of $(document).on( "ready", handler )
  • Look for// tags inside template files.

Licensing

  • Look for the use of jQuery Isotope, which is not GPL compatible.

Internationalization

  • Check for no arguments or empty strings being passed to translation functions.
  • Check for variables or function return values placed in strings passed to translation functions.
  • Check for correct call to load_theme_textdomain() in themes that indicate being translation ready.

Security

  • Look for variables that are not escaped before output in template files.
  • Look for uses of print, echo and printf inside esc_attr(), as this will result in unescaped output.

Theme Name

  • Look for the following terms in theme names, which are not allowed: WordPress, Theme, HTML5, CSS3, Blog, Template, Skin, Design, Development, Framework.

The goal is to ship a new version of the plugin with some of these added checks before the end of the year.

I would love to have more people work on this plugin. So if you are interested, please join us at the weekly meeting that will focus on this, which will be Tuesday 17:00 UTC #wordpress-themes November 11th.”

– @frank-klein

I’d like to also add that if anyone can think of other things to add, please bring that to the meeting also and comment here. I’d love to see how far we can push automation.
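
The proposed Security check for print, echo and printf inside esc_attr() could be built on PHP's tokenizer rather than on regular expressions, as in this added example. It is not Theme Check's own code: the function name find_output_in_esc_attr() and the sample template are constructed for illustration.

```php
<?php
// Added example, not Theme Check code. find_output_in_esc_attr() is a hypothetical name.

function find_output_in_esc_attr( string $source ): array {
    // Drop whitespace and comments so "esc_attr (" and "esc_attr(" tokenize alike.
    $skip   = array( T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
    $tokens = array_values( array_filter(
        token_get_all( $source ),
        function ( $t ) use ( $skip ) {
            return ! is_array( $t ) || ! in_array( $t[0], $skip, true );
        }
    ) );
    $findings = array();
    $count    = count( $tokens );
    for ( $i = 0; $i + 1 < $count; $i++ ) {
        $t = $tokens[ $i ];
        if ( ! is_array( $t ) || T_STRING !== $t[0] || 'esc_attr' !== strtolower( $t[1] ) || '(' !== $tokens[ $i + 1 ] ) {
            continue;
        }
        // Walk the argument list of this call, tracking parenthesis depth.
        $depth = 0;
        for ( $j = $i + 1; $j < $count; $j++ ) {
            $arg = $tokens[ $j ];
            if ( '(' === $arg ) {
                $depth++;
            } elseif ( ')' === $arg ) {
                if ( 0 === --$depth ) {
                    break;
                }
            } elseif ( is_array( $arg ) && ( T_ECHO === $arg[0] || T_PRINT === $arg[0]
                || ( T_STRING === $arg[0] && 'printf' === strtolower( $arg[1] ) ) ) ) {
                // The construct writes to the page itself; esc_attr() only sees its return value.
                $findings[] = array( 'line' => $arg[2], 'construct' => strtolower( $arg[1] ) );
            }
        }
    }
    return $findings;
}

// Constructed sample template: lines 1 and 2 should be flagged, line 3 is the corrected form.
$template = <<<'TPL'
<input value="<?php esc_attr( printf( '%s', $value ) ); ?>">
<a title="<?php esc_attr( print $title ); ?>">link</a>
<input value="<?php echo esc_attr( sprintf( '%s', $value ) ); ?>">
TPL;
foreach ( find_output_in_esc_attr( $template ) as $f ) {
    printf( "line %d: %s inside esc_attr() writes unescaped output\n", $f['line'], $f['construct'] );
}
```

Working on tokens means parentheses inside string literals do not confuse the depth count, and the corrected `echo esc_attr( sprintf( ... ) )` form is not flagged because the echo sits outside the call.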