How to do a review (Draft)

This page is opinionated. It should not be used in place of the requirements page.  

What we expect of themes submitted to WordPress.org

The theme must:

  • be GPL compatible.
  • be secure.
  • be free of PHP or JS notices.
  • not be in conflict with plugins e.g. prefixing.
  • be translation ready.
  • use WordPress functions, hooks, filters, and libraries.
  • not do anything illegal, dishonest, or morally offensive.

Preparations

This assumes that you have a testing environment set up.  If you haven’t already, please read our related handbook pages: Become a reviewer, Theme review process and Working with Trac.

Note that you need to be able to switch between PHP 7 and 5.

Install the WPThemeReview standard for PHP Codesniffer. This is a tool that checks PHP, JavaScript and CSS files against the requirements.

If you have never used PHP Codesniffer before, we encourage you to read the available documentation. It can seem complicated at first, but it is a very helpful tool that is well worth the time to learn, and we strongly recommend it.

You can use PHP Codesniffer either as a command line tool or together with your code editor.

PHP_CodeSniffer wiki
WPThemeReview introduction

There are plugins that can help you with the review, but you will also need to check all the files manually (yes that is correct: all the files).

You will need access to the requirements page, the developer code reference and the theme developer handbook.

If you need help with the review, you can ask other reviewers in the #themereview Slack channel.

Performing the review

We want to encourage you to find a flow that works fastest for you. You might find it easiest to work through the list of requirements, or you might find it easier to go through the theme file by file. Since most themes follow a standard, so can your review.

Please remember that we do not review design, but we review usability. We only require design changes if something is broken or unusable. You may add design recommendations to the review, but it is optional.

The focus of the review should be security and license. You may need to test the theme settings but you should only need to spend a couple of minutes on each.

When writing the review, separate requirements from recommendations. This makes it easier for the author to make required changes, and for other reviewers to do follow up reviews.

The most common files to find errors in are:

  • style.css and readme.txt: Missing license information or using the wrong links.
  • header.php: Hard coding scripts, styles and charset. Text missing translation functions.
  • footer.php: Hard coding scripts. Options such as copyright texts that are not safely escaped on output.
  • functions.php: Functions that are missing prefixes, functions that do things that we consider plugin territory.
  • customizer.php: Settings that are missing sanitizing. Text missing translation functions.

We recommend starting with these files, then running the plugins and finally activating the theme and viewing the different pages and settings.

How to use the results of the Theme Check scans:

  • Errors need to be fixed before a theme can be approved.
  • Warnings, info, and notices are indications of something that needs to be manually checked.
  • Recommended: Recommendations are not required to be fixed before a theme can be approved.

You may include the error report in your review.

By searching for specific phrases you can drastically reduce how long a review takes. There are tools available that can search zip files, such as grep. Editors like PHPStorm, Atom and Sublime Text also let you search the entire theme folder.

Look for these boxes throughout this page for tips:

Search for…
tip…

1. License

WordPress themes are derivative of WordPress because they require WordPress code to function. Themes inherit the license that WordPress uses: GNU General Public License v2, or later.

That is why themes must be compatible with the GNU General Public License v2, or any later version, to be hosted on WordPress.org.

This is a blocker. If the theme is not compatible, you can stop the review and let the author know that you can’t continue the review until the licensing issues are resolved.

Here you will find general information about GPL, including a list of compatible licenses. The Theme Developer Handbook also has a chapter on Licensing.

In 2009, Matt Mullenweg confirmed again that while GPL only requires the PHP code to be compatible, WordPress.org will only host and promote themes that are 100% compatible with GPL. 

This means that all code, fonts and images and any other resources that are used by the theme, must be compatible with GPL. 

The Theme Review Team does not have a mandate to change or make exceptions to this requirement, and it means that reviewers need to check both the submitted theme, and make sure that the theme author does not promote themes that are not compatible.

Checking the license of the submitted theme

For the reviewer to be able to confirm that the submitted theme is compatible, authors need to include license and copyright for the theme itself and a list of all resources used in the theme.

Themes are required to include the license in the header of the style.css file.
Open style.css and make sure that these lines are in the header and that they are not blank.
Examples:

License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

License: GNU General Public License v2 or later
License URI: LICENSE

Where license.txt is included and contains a copy of the license.

The remaining license and copyright information should be included in the readme.txt file or in the license.txt file.

Make sure that the author has included a copyright notice for the theme.
Example:

Twenty Seventeen WordPress Theme, Copyright 2016 WordPress.org

Themes need to include license and copyright information for all assets including stylesheets, scripts, fonts and images (even images used in the screenshot and images that the author has created).

It is not enough to only keep the information in the file header of the third party script. It would simply take too long to review, so we ask that authors write a list of all the assets.

Where possible, a link to the source should be included.
Example:

normalize.css, Copyright 2012-2016 Nicolas Gallagher and Jonathan Neal
License: MIT Source: https://necolas.github.io/normalize.css/

If a theme incorporates code from other themes or plugins, these must also be attributed.
Example:

Theme name is based on Underscores http://underscores.me/,
(C) 2012-2017 Automattic, Inc.
License: GNU General Public License v2 or later

Validate the theme's readme file with this tool.

Checking the license of other themes

This step causes a lot of confusion and frustration for both theme authors and reviewers.

The reason why reviewers need to know the license of the author's other themes, even themes that are not submitted to the theme directory, is that WordPress.org may not be used to promote themes that are not 100% GPL compatible.

Authors who provide themes in places other than WordPress.org, whether on their own website or on a marketplace, need to show that all their themes are 100% compatible with GPL.

The easiest way for authors to do this, is to add license information to their website. This can be included for example in the footer, or in a terms of use page. That way, the reviewer can quickly find the information and can continue the review. 

The easiest way for reviewers to check this, is to visit the Author and Theme URI, and look for the information. 
If the author has added the information correctly, this step only takes a few seconds. If the information cannot be found, you can request the theme author to add it.

Terms of use can be difficult to read. If you are not sure, you can always ask the theme author and other reviewers. Terms that limit the theme usage in a way that is not compatible with GPL are not allowed, for example:

  • Stating that the user cannot remove or edit a footer credit link.
  • Stating that the theme can only be used on one website.
  • Stating that the user is not allowed to sell or distribute the theme.

If the author or theme URI has links to marketplaces, follow the links and make sure that all themes sold from the author's account are 100% compatible with GPL.

Related requirements can be found here.

To illustrate this and to hopefully reduce some of this confusion, here are some examples:

Authors cannot submit a free theme, that is 100% GPL compatible, and use the traffic and the links in that theme, to sell a premium version of that theme, which is not 100% GPL compatible.

Authors can submit a free theme, that is 100% GPL compatible, and use the traffic and the links in that theme, to sell a premium version of that theme, which is also 100% GPL compatible.

Authors cannot submit a free theme, that is 100% GPL compatible, and use the traffic and the links in that theme, to give away or sell other themes they have created, which are not 100% GPL compatible.

Authors can submit a free theme, that is 100% GPL compatible, and use the traffic and the links in that theme, to give away or sell other themes they have created, which are also 100% GPL compatible.

It does not make a difference if a theme is sold or given away on the author's website, or on a different marketplace. Authors are allowed to sell themes on marketplaces as long as these themes are 100% GPL compatible, not sold under a split license or similar.

Authors are allowed to write blog posts, articles, and in other ways present themes from other authors and theme shops, regardless of the themes' license.

If the author sells themes on Theme Forest, we expect the license information to be included in the price and license information area:

If you need to ask an author who sells themes on Theme Forest to change their license information, this link explains the difference between the license options and how to change it: https://help.market.envato.com/hc/en-us/articles/202501194-Theme-Plugin-Licensing-Options

Changing the license may take some time. If the author has assured you that they are working on changing the license, please consider keeping their ticket open while you wait.

2. Security

The theme needs to be as secure as possible. To be able to review this, you need a basic understanding of escaping, validating and sanitizing.

Please read and refer to the Theme Security chapter in the Theme Developer Handbook and the WordPress.com VIP security overview.

All untrusted data should be escaped before output. Untrusted data includes user input, for example theme options.

A common mistake is echoing get_theme_mod(), get_option() or get_post_meta() without escaping.

A rough rule of thumb is that

  • When a WordPress function begins with “get_”, its return value generally needs to be escaped.
  • When a WordPress function begins with “the_”, its output is generally already escaped.

Examples
get_permalink() needs to be escaped with esc_url(): esc_url( get_permalink() )
While the link in the_permalink() is already escaped.

get_the_title() is not normally escaped since we want to allow html in titles.
To use a post title in a title attribute, the_title_attribute() should be used instead. This content is escaped.

In this example, the link to the image in header_image() is already escaped with esc_url(), but the width and height attributes need to be escaped.

<img src="<?php header_image(); ?>"
width="<?php echo esc_attr( get_custom_header()->width ); ?>"
height="<?php echo esc_attr( get_custom_header()->height ); ?>" />

get_the_category_list() is an example of a commonly used function that starts with get_ that does not need to be escaped. The links to the categories in the function are already escaped with esc_url().

To determine if a WordPress function needs to be escaped, you can look it up in the developer reference.

You can also double check content inside html attributes. A common mistake in themes is forgetting to escape the placeholders for the comment and search forms.

Example:
placeholder="Search..." would need to be both escaped and translation ready:
placeholder="<?php esc_attr_e( 'Search...', 'textdomain' ); ?>"

Search for:
echo get_, echo $
href=, source=, placeholder=, value=, alt=, title=, name=

See a list of all html attributes
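
As an added illustration (not code from the handbook or from any reviewed theme), this fragment of a hypothetical footer.php shows the kind of lines the searches above turn up, followed by the escaped form a reviewer should ask for. The theme_slug_* theme mod names and the 'theme-slug' text domain are assumptions.

```php
<?php
// Added example: fragment of a hypothetical footer.php.
// Assumptions: the theme_slug_* theme mod names and the 'theme-slug' text domain.
$theme_slug_copyright = get_theme_mod( 'theme_slug_copyright', '' );
$theme_slug_link      = get_theme_mod( 'theme_slug_footer_link', '' );
?>

<?php // Flawed: these lines match "echo $" and "echo get_" and print stored input as-is. ?>
<p class="site-info"><?php echo $theme_slug_copyright; ?></p>
<a href="<?php echo get_theme_mod( 'theme_slug_footer_link' ); ?>"
	title="<?php echo get_the_title(); ?>">
	<?php esc_html_e( 'Read more', 'theme-slug' ); ?>
</a>

<?php // Corrected: every value is escaped for the context it is printed in. ?>
<p class="site-info">
	<?php
	// Text node: esc_html() when no markup is wanted, or wp_kses_post()
	// when the option is meant to allow basic HTML such as a link.
	echo wp_kses_post( $theme_slug_copyright );
	?>
</p>
<?php if ( $theme_slug_link ) : ?>
	<?php // URL context: esc_url(). Title attribute: the_title_attribute() escapes for you. ?>
	<a href="<?php echo esc_url( $theme_slug_link ); ?>"
		title="<?php the_title_attribute(); ?>">
		<?php esc_html_e( 'Read more', 'theme-slug' ); ?>
	</a>
<?php endif; ?>
```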

Validate and/or sanitize untrusted data before entering into the database.

There are basically 3 places where we allow user input to be saved: the Customizer, in meta fields, and in custom widgets. Separate option pages are no longer allowed.

The customizer

Look for the customizer file(s) and make sure that all options are sanitized and/or validated using the correct functions and methods. All settings in the customizer need a sanitize_callback or sanitize_js_callback.

Common mistakes include:

Another problem is when a custom function is added as a sanitize_callback, but the value is returned without being sanitized.

Search for:

  • $wp_customize->add_setting
  • sanitize_

Customizer settings with checkboxes, radio buttons, multiple options (select and choice) and settings that require a specific format (for example numbers only) should be validated before saving.
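
The pass-through callback described above, next to callbacks that actually validate, as an added example (not taken from the Theme Review Team repo). The theme_slug prefix, the setting ids and the choices are assumptions; the select callback also assumes the control is registered with the same id as its setting.

```php
<?php
// Added example. Assumptions: 'theme_slug' prefix, setting ids, choices, text domain.

// Flawed: a sanitize_callback is registered, so a search for "sanitize_"
// finds it, but the submitted value is returned unchanged.
function theme_slug_sanitize_layout_flawed( $input ) {
	return $input;
}

// Corrected (select/radio): accept only a key that exists in the control's
// choices, otherwise fall back to the setting's default.
function theme_slug_sanitize_select( $input, $setting ) {
	$input   = sanitize_key( $input );
	$control = $setting->manager->get_control( $setting->id );
	$choices = $control ? $control->choices : array();

	return array_key_exists( $input, $choices ) ? $input : $setting->default;
}

// Corrected (numbers only): force an integer and enforce the allowed range.
function theme_slug_sanitize_columns( $input, $setting ) {
	$number = absint( $input );

	return ( $number >= 1 && $number <= 4 ) ? $number : $setting->default;
}

function theme_slug_customize_register( $wp_customize ) {
	$wp_customize->add_section( 'theme_slug_layout', array(
		'title' => __( 'Layout', 'theme-slug' ),
	) );

	$wp_customize->add_setting( 'theme_slug_sidebar_position', array(
		'default'           => 'right',
		'sanitize_callback' => 'theme_slug_sanitize_select',
	) );
	$wp_customize->add_control( 'theme_slug_sidebar_position', array(
		'label'   => __( 'Sidebar position', 'theme-slug' ),
		'section' => 'theme_slug_layout',
		'type'    => 'select',
		'choices' => array(
			'left'  => __( 'Left', 'theme-slug' ),
			'right' => __( 'Right', 'theme-slug' ),
		),
	) );

	$wp_customize->add_setting( 'theme_slug_footer_columns', array(
		'default'           => 3,
		'sanitize_callback' => 'theme_slug_sanitize_columns',
	) );
	$wp_customize->add_control( 'theme_slug_footer_columns', array(
		'label'   => __( 'Footer columns', 'theme-slug' ),
		'section' => 'theme_slug_layout',
		'type'    => 'number',
	) );
}
add_action( 'customize_register', 'theme_slug_customize_register' );
```

When reviewing, open every function named in a sanitize_callback and confirm that the returned value has passed through a check like these.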

The Theme Review Team has a managed GitHub repo which provides useful examples of various customizer features, including sanitization. This repo can be found here.

Custom meta boxes

Theme authors are allowed to add custom fields for design related options to posts and pages. Non design related options are not allowed, nor is adding fields to other screens than posts and pages.

Search for:
add_meta_box

Submitting and saving the user input

  • Make sure that a nonce is used. wp_verify_nonce should be used rather than check_admin_referer(). See Using Nonces to learn more about nonces.
  • Make sure that a capability check is used; look for current_user_can() in combination with edit_pages or edit_posts respectively. Capabilities should be used rather than roles.
  • The data needs to be sanitized and/or validated with the correct functions or methods before saving.
  • Post meta-data needs to be escaped on output, whether it is displayed in the admin or on the front.

The Plugin Developer Handbook has a chapter on managing Metadata and adding custom meta boxes.
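
One way the four checks above fit together for a design-related field, as an added example rather than code from the handbook. The theme_slug prefix, the _theme_slug_bg_color meta key, and the nonce action and field names are assumptions.

```php
<?php
// Added example. Assumptions: 'theme_slug' prefix, meta key, nonce names, text domain.

function theme_slug_add_meta_box() {
	add_meta_box(
		'theme_slug_bg_color',
		__( 'Background color', 'theme-slug' ),
		'theme_slug_render_meta_box',
		'post',
		'side'
	);
}
add_action( 'add_meta_boxes', 'theme_slug_add_meta_box' );

function theme_slug_render_meta_box( $post ) {
	// The nonce ties the submitted form to this action and user.
	wp_nonce_field( 'theme_slug_save_bg_color', 'theme_slug_bg_color_nonce' );
	$color = get_post_meta( $post->ID, '_theme_slug_bg_color', true );
	?>
	<label for="theme_slug_bg_color"><?php esc_html_e( 'Hex value, for example #ffcc00', 'theme-slug' ); ?></label>
	<?php // Post meta is escaped on output in the admin as well. ?>
	<input type="text" id="theme_slug_bg_color" name="theme_slug_bg_color" value="<?php echo esc_attr( $color ); ?>" />
	<?php
}

function theme_slug_save_meta_box( $post_id ) {
	// 1. Nonce check.
	if ( ! isset( $_POST['theme_slug_bg_color_nonce'] ) ) {
		return;
	}
	$nonce = sanitize_key( wp_unslash( $_POST['theme_slug_bg_color_nonce'] ) );
	if ( ! wp_verify_nonce( $nonce, 'theme_slug_save_bg_color' ) ) {
		return;
	}

	// Autosaves do not carry the meta box fields.
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}

	// 2. Capability check (a capability, not a role), scoped to this post.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// 3. Sanitize/validate before saving: only a #rgb or #rrggbb value is stored.
	$color = '';
	if ( isset( $_POST['theme_slug_bg_color'] ) ) {
		$raw   = sanitize_text_field( wp_unslash( $_POST['theme_slug_bg_color'] ) );
		$color = sanitize_hex_color( $raw );
	}

	if ( $color ) {
		update_post_meta( $post_id, '_theme_slug_bg_color', $color );
	} else {
		delete_post_meta( $post_id, '_theme_slug_bg_color' );
	}
}
add_action( 'save_post', 'theme_slug_save_meta_box' );

// 4. Escape on output on the front end, even though the value was validated on save.
function theme_slug_post_bg_style() {
	$color = get_post_meta( get_the_ID(), '_theme_slug_bg_color', true );
	if ( $color ) {
		printf( ' style="background-color: %s;"', esc_attr( $color ) );
	}
}
```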

Custom widgets

Theme authors are allowed to add custom widgets that use existing content, but also widgets that create minor content.

Search for: WP_Widget

A custom widget can be very varied, but can have the same security issues as metaboxes.
The data needs to be sanitized and/or validated with the correct functions or methods before saving. Widget data needs to be escaped on output, whether it is displayed in the admin or on the front.

Even options that are only available if a plugin is installed need to be secure.

Recommended reading
WordPress.com VIP Best practices: validating, sanitizing, escaping

Codex: Escaping: Securing Output

A guide to writing secure themes
Part 1: Introduction
Part 2: Validation
Part 3: Sanitization
Part 4: Securing post meta

3. Code

Check the theme to make sure that there are no errors, warnings or notices.

  • After activating the theme, check for PHP notices, errors and warnings as well as JavaScript issues and missing files.
  • View archives, single post and pages. Perform a search and test the 404 page.
  • Add custom widgets, test them in both the admin and on the front.
  • Test custom page templates.

You do not need to validate HTML or CSS.

PHP version compatibility

Themes are required to support PHP7. This means there must be no PHP errors or notices when running on PHP7.
Themes are allowed to use newer PHP features that are not included in PHP 5.2 or PHP 5.5, but there must not be any PHP errors when the theme is installed on a site using a lower than supported PHP version, e.g. PHP 5.x.

The Theme Sniffer plugin allows you to select a minimum PHP version, and will print an error if a theme uses features not available in that version. In those cases, you should test the theme on both PHP versions.

Theme authors can choose whether or not to allow the theme to be activated on sites using a lower PHP version.

Admin pointers and private functions

Themes should not use features/APIs that are meant for WP Core use only. This is not very common, so you don’t need to memorize these functions; if you look them up in the developer reference, you will see that there is a notice at the top of the page, explaining that it is not intended to be used in themes or plugins.
List of admin pointers
List of private functions.


Search for:
pointer

Themes may not modify or remove non-presentational hooks (this also includes removing the emojis).


Search for:
remove_action(
Specifically:
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'feed_links_extra', 3);
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'index_rel_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 );
remove_action( 'admin_notices', 'update_nag', 3 );
remove_action( 'network_admin_notices', 'update_nag', 3 );

remove_filter( 'the_content','wpautop' );

Required files

Parent themes are required to include:

Please see the child theme section for information about reviewing child themes.

File specific code requirements

This can be detected using Theme Check.

Open header.php.
Make sure that the theme has a valid DOCTYPE declaration and that it includes language_attributes.
Examples:
<!DOCTYPE html>
<html <?php language_attributes(); ?>>

Using conditional comments is also allowed:
<!DOCTYPE html>
<!--[if IE 7]>
<html class="ie ie7" <?php language_attributes(); ?>>
<![endif]-->

Make sure that wp_head() is included immediately before the closing head tag.

Open footer.php.
Make sure that wp_footer() is included immediately before the closing body tag.

Backwards compatibility

Themes may be backwards compatible, but only for 3 major WordPress versions (version 4.5 if 4.8 is latest).

  • Themes do not need to wrap older WordPress functions in function_exists.
  • Themes should not provide fallbacks for WordPress functions added more than 3 versions ago, since we want to encourage users to upgrade their WordPress installation. This is a fairly common problem when theme authors have used an older version of underscores as a base for their theme.

Search for:
function_exists

Deprecated functions

The theme should not use any deprecated functions. When WP_DEBUG is enabled in wp-config.php, it will turn on the notices that deprecated functions were used. List of deprecated functions.

Recommended tools:
Query Monitor.
Your browser’s developer tools (Console) can help you find JS errors.

4. Prefix

Make sure that a unique prefix is used for everything the theme defines in the public namespace, including options, functions, global variables, constants, image sizes etc.

Prefixes prevent other themes and plugins from overwriting your variables and accidentally calling your functions and classes. It will also prevent the theme from doing the same.

The prefix should be at least 3 characters long, and the recommended prefix is the theme slug.
When enqueuing files, it is recommended that authors do not prefix third party scripts and style handles unless they have made changes to the files.

Instead of:
add_image_size( 'a-small-thumbnail', 100, 100, true );
We should use:
add_image_size( 'theme-slug-small-thumbnail', 100, 100, true );
Instead of:
function is_woocommerce_active()
We should use a prefixed function:
function theme_slug_is_woocommerce_active()

Search for:

  • function (remember the space afterwards)
  • $global
  • class (remember the space afterwards)

As an author, remember to always update the prefix if you use code from the WordPress Developer Reference or Codex, or other guides and tutorials!

Recommended reading
Plugin developer handbook: prefix everything
In WordPress, prefix everything
Prefix all the things

5. Core Functionality and Features

Themes should use WordPress functionality and features first if available and not duplicate existing features.

When there is more than one way to achieve something, we ask that authors use the functions, filters, hooks and methods that are created specifically for this purpose.

Common problems that we need to look out for include:

  • Custom excerpt lengths without using the correct filters.
  • Custom background or header image, video or logo functionality.
  • Custom theme updates (Updates need to be served from WordPress.org).
  • Custom favicon. Open the header.php file and make sure that there is no hard coded favicon.
  • Custom navigation (using custom nav menu walkers is allowed but they must pass the requirements).
  • Hard coding search forms instead of using get_search_form(), searchform.php or filters.


Search for:

  • function (remember the space afterwards)
  • class (remember the space afterwards)

Child themes

Themes must be able to have child themes made from them.

We are working on this section.

The admin interface

Changes to the admin interface, like moving menus and changing color or fonts, are not allowed outside the customizer.

Nor is adding extra menu items to the Toolbar or removing, hiding or otherwise blocking the Toolbar from appearing. Test the theme's responsive version to make sure that no items like custom menus are overlapping the toolbar.


Search for:

  • admin_bar_menu
  • add_node, add_menu
  • remove_node, remove_menu
  • add_filter( 'show_admin_bar', '__return_false' );

Themes are not allowed to add or remove fields from the post or page list views, tags, comments, or menu interfaces.

6. Including scripts, styles and other files

This requirement is partly covered by the plugins, but you need to manually check any warnings related to external links, as well as checking the files that are included in the theme folder.

Scripts and styles need to be enqueued and not hard coded.
They also need to be included in the folder and not hot linked or served via a CDN (the exception is Google Fonts).

Please refer to the chapter Including CSS & JavaScript in the Theme Developer Handbook.
Images must also be included with the theme and not hot linked.


Search for:

  • script src=
  • <link
  • @import

Open and review included script files. Sometimes authors include several third-party scripts in one file.

The theme should make use of WordPress’ default libraries. If a library is already included with WordPress, the theme should not include its own version of that script.

Common scripts that authors include in the theme folder by mistake are jQuery, Masonry and imagesloaded.

For a list of all JavaScript libraries included in WordPress, please see Default Scripts Included and Registered by WordPress.

Minified files may be used, however a human readable version should also be included.

The Theme Sniffer plugin will print a warning if minified files are used, so that you can check if the non minified version is included.

Including template files

The theme should include template files and use template tags correctly. Please refer to the Template files section of the theme developer handbook.
Examples:
Use get_header() to include header.php.
Use get_footer() to include footer.php.

A more common problem is when themes do not follow the template hierarchy.
Home.php and front-page.php are reserved file names in the hierarchy and should not be used for page or post templates.
Authors are recommended to name their template files clearly, for example ‘template-*.php’.

7. Options

Reviewing the options needs manual testing of the active theme’s customizer page and the front end.

  • We expect all options to be in the customizer or available in widgets or meta fields.
  • Make sure that there are no separate settings pages in the admin.
  • We expect all available options to work.

Themes must respect the user settings, including:

  • Showing the latest posts if the setting Front page displays: your latest posts is selected.
  • Showing the content of the page selected as static front page, unless a page template is selected.
  • The number of posts on the blog should match the setting under Settings > Reading > Blog pages show at most.
  • Image alt texts must match the alt text in the media library.
  • Comment visibility must match the posts or pages individual settings, or the Discussion Settings.

There must be no pay wall restricting any WordPress feature.

  • Themes may not contain functionality that is crippled or locked, only to be unlockable by payment or upgrade.
  • Themes may promote additional, premium features inside the customizer, but there should not be visible options, sections or panels that are not working in the free version of the theme.
  • Examples include themes that ask the user to buy a premium version to be able to use a logo; this is not allowed since logos are now available using WordPress functionality.

The customizer

Settings, panels and sections added to the customizer must be added with the customizer API, not by javascript injection. Settings may use either theme_mod or option.

Themes may optionally rename and move customizer settings, sections and panels, but are not allowed to remove panels like the active theme, front page settings or menus.

Common problems include:

  • Adding theme_support for specific features and then removing the setting from the customizer.
  • Removing customizer sections and then re-registering them, when the author really meant to rename or move them.

Search for:
remove_ to find remove_setting, remove_control and remove_section.
Renaming sections:
$wp_customize->get_section( 'title_tagline' )->title = __( 'Title, Tagline & Logo', 'textdomain' );
Renaming controls:
$wp_customize->get_control( 'header_textcolor' )->label = __( 'Site Title Color', 'textdomain' );
Moving sections to a different panel:
$wp_customize->get_section( 'custom_css' )->panel = 'header_options';

One of the most common options that authors forget to check is the Display Site Title and Tagline option in the customizer. Make sure that the text is hidden when this box is unchecked.

Default values

Default values should not be saved to the database. Instead, the theme author can use the second parameter of get_theme_mod( $name, $default ) or get_option( $option, $default ).

Save options in a single array

We are working on this content.

Content creation

This page is opinionated. It should not be used in place of the requirements page.

As a general rule, only minor content creation is allowed. Themes should use existing content where possible.

We discourage content creation in themes if the content is lost on theme switch. 

If something is theme specific, does not fall under plugin territory, and is not possible to create using existing content, exceptions may be granted on case-by-case basis, for example for niche themes.

Themes that create and save content should always be reviewed by a moderator or team lead before approval. Please contact a team lead before continuing the review or before submitting your theme.

The moderators and team leads may also request that the content is saved in a specific way.

Types of content creation that are allowed

  • One off text areas in the customizer are allowed, but large numbers of repetitive fields are not.
  • One off text fields, for example section titles, copyright information or a call to action, are allowed.
  • Using text fields for social links is common practice and allowed.

Even trivial content creation like small text fields can become non-trivial if there are many of them.

For large visual items such as slideshows, using existing post or pages is preferred. These normally present an image, a title or excerpt and a link: all of this is available in posts or pages.

Non-design related functionality is not allowed.
Functionality that we sometimes need to ask authors to remove includes:

  • Analytics or tracking support
  • SEO options
  • Contact forms
  • Resource caching
  • Dashboard widgets in the admin area
  • Social media “like”, “follow” and “share” buttons
  • Making changes to the Tiny MCE editor

Adding shortcodes is not allowed in themes.

Search for: add_shortcode

Adding custom post types is not allowed in themes. Themes may include templates for custom post types that are added by plugins.

Search for: register_post_type

Meta fields may only be used for design related functionality like for example sidebar visibility, image visibility, background color and so on. It should not be used to save content since this information would not be available when the user changes themes.

8. Documentation and presentation

Open the readme file and style.css.
Is there enough documentation provided to set up the theme?
Are limitations documented?
Does the description and the tags in style.css match the theme?
Make sure that there are no more than 3 subject tags.
Does the screenshot match the theme?

9. Plugins and Libraries

Make sure that there are no plugins added as zip files or copied to the theme folders.
If you find code that looks like it may belong in a plugin (for example, if a file has a header with information referring to a plugin), it can be difficult to determine whether this is an allowed library or a plugin that has just been added to the folder without proper integration with the theme. You can read the plugin documentation or ask another reviewer if you are not sure.

Some common libraries that are allowed include Kirki, Hybrid and custom menu walkers.
However, be aware that the theme author might have made changes to the libraries.
The framework/libraries need to pass the same requirements as the theme.

Some of the more common menu walkers are not translation ready out of the box and need to be edited by the author to pass the requirements.

Themes cannot require plugins to work.
If TGM Plugin Activation is used to ask users to install plugins, make sure that the text says that the plugin is recommended, not required. In TGM’s prefix_register_required_plugins function, the required parameter should be set to false.
Example:
    array(
        'name'     => 'Breadcrumb NavXT', // The plugin name.
        'slug'     => 'breadcrumb-navxt', // The plugin slug (typically the folder name).
        'required' => false, // If false, the plugin is only 'recommended' instead of required.
    ),

The recommended plugins need to be in the WordPress.org plugin directory; they cannot be downloaded from external sources.
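The searches from the functionality section (add_shortcode, register_post_type) and the checks in this section (bundled zip files, TGM entries marked as required) can be run in one pass over the theme folder. This is an added example, not part of the handbook or of any WordPress tool; the function names, the finding labels and the constructed "mytheme" sample files are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Searches from this guide; each needs an opening parenthesis, so a bare mention does not match.
CHECKS = {
    "add_shortcode": re.compile(r"\badd_shortcode\s*\("),
    "register_post_type": re.compile(r"\bregister_post_type\s*\("),
    # 'required' => true makes a plugin mandatory instead of recommended.
    "required-plugin": re.compile(r"""['"]required['"]\s*=>\s*true\b""", re.I),
}

def scan_theme(root):
    """Return sorted (relative path, line number, finding) tuples for a theme folder."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".zip":
            findings.append((rel, 0, "bundled-zip"))  # line 0 means the whole file
        elif path.suffix.lower() == ".php":
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if line.lstrip().startswith(("//", "#", "*", "/*")):
                    continue  # comment-only line, not executable code
                for name, pattern in CHECKS.items():
                    if pattern.search(line):
                        findings.append((rel, lineno, name))
    return sorted(findings)

def scan_constructed_theme():
    """Write a small constructed theme (hypothetical 'mytheme') to disk and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp)
        (theme / "inc").mkdir()
        (theme / "functions.php").write_text(
            "<?php\n"
            "// add_shortcode( 'old', 'mytheme_old' );\n"
            "add_shortcode( 'box', 'mytheme_box' );\n"
            "register_post_type( 'portfolio', array() );\n")
        (theme / "inc" / "tgm.php").write_text(
            "<?php\n$plugins = array( array(\n"
            "    'name' => 'Breadcrumb NavXT',\n"
            "    'required' => true,\n) );\n")
        (theme / "inc" / "slider.zip").write_bytes(b"PK")
        return scan_theme(theme)

if __name__ == "__main__":
    print(*scan_constructed_theme(), sep="\n")
```

A clean result only means these patterns were not found; every file still has to be checked manually.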


10. Language

All theme text strings are to be translatable.
Please refer to this chapter in the Theme Developer handbook: Internationalization.
The plugin developer handbook also has a chapter about Internationalization security.

How to find text that is not translation ready:
Manually check any warnings from the plugins related to translation.
Open the PHP and JavaScript files and look for text that is missing translation functions.

If the theme includes .po or .pot files, open the file and make sure that the file is for the correct theme.

You may optionally use the Pig Latin plugin to help you identify strings that are not translatable.
Theme authors can use wp_localize_script to make content in .js files translatable.


11. Privacy

Make sure that any collection of user data is opt-in only and disabled by default.
No URL shorteners should be used.


12. Illegal, dishonest, or morally offensive.

We are working on this content.

Themes should not include obfuscated code, or in any other way attempt to make the theme more difficult to edit or review on purpose. Properly minified code is not considered obfuscation, but attempts to hide links are, for example: a href="ht'+'tp:'+'//w

If you find code written in a way that makes automated searching difficult, please contact a moderator or team lead.
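One way to make links that are split across string literals searchable again is to collapse the concatenation before looking for URLs. This is an added example, not code from the handbook; the function names are assumptions and the sample lines are constructed, with example.com and example.org as placeholder hosts.

```python
import re

# A closing quote, a + (JavaScript) or . (PHP) operator, and an opening quote.
JOIN = re.compile(r"""['"]\s*[+.]\s*['"]""")
# Absolute or protocol-relative URL; group 1 is the host name.
URL = re.compile(r"(?:https?:)?//([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})[^\s'\"<>)]*", re.I)

def collapse_concatenation(line):
    """Merge adjacent string literals so that split-up text becomes searchable."""
    return JOIN.sub("", line)

def hidden_links(source):
    """Return (line number, URL) for links whose host only shows up after collapsing."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Hosts a plain text search would already find on this line.
        visible_hosts = {m.group(1).lower() for m in URL.finditer(line)}
        for match in URL.finditer(collapse_concatenation(line)):
            if match.group(1).lower() not in visible_hosts:
                findings.append((lineno, match.group(0)))
    return findings

# Constructed sample: line 1 is ordinary concatenation, lines 2 and 3 split the link.
SAMPLE = """\
var api = 'https://api.example.org/v1/' + 'posts';
footer.innerHTML = '<a href="ht'+'tp:'+'//exa'+'mple.com/promo">Theme</a>';
$credit = '<a href="ht' . 'tp://exam' . 'ple.com/">' . esc_html__( 'Credits', 'mytheme' ) . '</a>';
"""

if __name__ == "__main__":
    for lineno, url in hidden_links(SAMPLE):
        print(f"line {lineno}: {url}")
```

It only resolves literal-to-literal concatenation with + or . on a single line; anything built up in other ways still needs the manual check.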


Theme copies

We are working on this content.

Cloning of design is not acceptable.
If an author is submitting a theme that is very similar to an existing theme, you can request that they submit it as a child theme instead.
The theme must always include attribution such as the theme name, license and copyright information of the theme they borrowed code or design from.


13. Reviewing Child themes

We are working on this content.

There are several things that we need to consider while reviewing child themes.

  • Child themes are subject to the same requirements as parent themes, if they are applicable to the files included in the child theme.
  • The version of Theme Check that publishes an error report on Trac does not take into consideration that the theme is a child theme, so in most cases, this report can be ignored.
  • Child theme names should not include the name of the parent theme.
  • If you are reviewing a child theme and find problems with the parent theme, these problems should be fixed before the child theme goes live.

Make sure that:

  • The child theme uses its own slug for the text domain, and not the parent theme's text domain.
  • The Template name in the header of style.css is correct. This should be the theme slug of the parent theme.
