PHP_CodeSniffer rules (sniffs) to enforce WordPress theme review coding conventions
$in_list parameter to the PrefixAllGlobalsSniff::process_variable_assignment() method, so that the method is compatible with the upstream WPCS method (changed in WPCS 2.2.0).
WordPress.WP.TimezoneChange with WordPress.DateTime.RestrictedFunctions.timezone_change_date_default_timezone_set
WPThemeReview.Templates.ReservedFileNamePrefix sniff: checks if the template file is using a prefix which would cause WP to interpret it as a specialized template, meant to apply to only one page on the site.
WPThemeReview.Privacy.ShortenedURLs sniff: detects the usage of shortened URLs. Handbook rule.
WPThemeReview.CoreFunctionality.PostsPerPage sniff: adds a warning when a high pagination limit is detected, or if -1 is used in posts_per_page setting while querying posts, due to detrimental effects it has on the query speed.
WPThemeReview.CoreFunctionality.PrefixAllGlobals sniff, which extends the WordPress.NamingConventions.PrefixAllGlobals. The new sniff overloads the prefix check for variables only and will bow out if the file being scanned has a typical theme template file name. For all other files, it will fall through to the WPCS native sniff.
Notes:
$allowed_folders property to whitelist files in specific folders of a theme as template files.
The ruleset.xml file sets this property to a limited set of folders whitelisted by default.
FileNameSniff, this sniff does not currently allow for mimetype sublevel only theme template file names, such as plain.php.
editor-blocks and cron-functionality in the WPThemeReview.PluginTerritory.ForbiddenFunctions sniff, which will check against core editor blocks being registered in the themes, and against the usage of cron functions in the theme respectively.
WordPress.PHP.IniSet rule was added to the ruleset to check against themes setting ini configuration during runtime.
WordPress.WP.DeprecatedParameterValues rule was added to the ruleset about usage of deprecated parameter values in WP functions. The sniff will suggest an alternative based on the parameter passed.
WPThemeReview codebase, where relevant, for compatibility with WPCS 2.0+.
encoding from the ruleset. The default encoding as of PHPCS 3.0.0 is utf-8, so we don't actually need to set this.
WPThemeReview.PluginTerritory.NoAddAdminPages sniff.
WPThemeReview.CoreFunctionality.FileInclude: checks if a theme uses include(_once) or require(_once) when get_template_part() should be used. Handbook rule.
WPThemeReview.CoreFunctionality.NoDeregisterCoreScript: checks if a theme deregisters core scripts (javascript). Handbook rule.
WPThemeReview.CoreFunctionality.NoFavicon: checks if a theme is hard coding favicons instead of using core implementation. Handbook rule.
WPThemeReview.CoreFunctionality.NoTitleTag: checks if a theme is using a <title> tag instead of add_theme_support( 'title-tag' ). <svg> tag can use a <title> tag. Handbook rule.
WPThemeReview.PluginTerritory.AdminBarRemoval: checks if a theme is removing the WP admin bar. This sniff was originally part of WordPressCS. Handbook rule.
WPThemeReview.PluginTerritory.ForbiddenFunctions: checks if a theme is using functions that fall under plugin territory. Handbook rule.
WPThemeReview.PluginTerritory.NoAddAdminPages: checks if a theme is using add_..._page() functions, with the exception of add_theme_page(). Handbook rule.
WPThemeReview.PluginTerritory.SessionFunctionsUsage: Prevents the usage of the session functions in themes. This sniff was originally part of WordPressCS.
WPThemeReview.PluginTerritory.SessionVariableUsage: Prevents the usage of the session variables in themes. This sniff was originally part of WordPressCS.
WPThemeReview.Plugins.CorrectTGMPAVersion: verifies that if the TGM Plugin Activation library is included, the correct version is used. Handbook rule.
WPThemeReview.ThouShallNotUse.ForbiddenIframe: checks if a theme is using <iframe>. Handbook rule.
WPThemeReview.ThouShallNotUse.NoAutoGenerate: checks if a theme has been generated using theme generators.
PHPCompatibilityWP: added as an entire ruleset, checking that the theme is compatible with PHP 5.2 and above.
Generic.PHP.DisallowShortOpenTag: prohibits the usage of the PHP short open tags. Handbook rule.
Generic.PHP.DisallowAlternativePHPTags: disallows the usage of alternative PHP open tags (<% and similar).
Squiz.WhiteSpace.SuperfluousWhitespace.StartFile: files starting with a PHP open tag shouldn't have a whitespace preceding it, to prevent possible headers already sent errors.
PSR2.Files.ClosingTag.NotAllowed: files should omit the closing PHP tag at the end of a file, to prevent possible headers already sent errors.
Internal.LineEndings.Mixed: mixed line endings are not allowed. Handbook rule.
Internal.Tokenizer.Exception: minified scripts or files should have original files included. Handbook rule.
Generic.Files.ByteOrderMark: no ByteOrderMark allowed - important to prevent issues with content being sent before headers.
Generic.CodeAnalysis.EmptyStatement: prohibits empty statements in the code (empty conditionals for instance).
WordPress.CodeAnalysis.EmptyStatement: prohibits empty PHP statements (empty PHP tags with no content or double semi-colons).
WordPress.WP.I18n: check that the I18N functions are used correctly. This sniff can also check the text domain, provided it's passed to PHPCS. See the documentation for more details.
WordPress.WP.EnqueuedResources: hard coding of scripts and styles is prohibited. They should be enqueued.
WordPress.Security.PluginMenuSlug: prevent path disclosure when using add_theme_page().
Generic.PHP.NoSilencedErrors: usage of Error Control Operator @ is forbidden in a theme.
WordPress.DB.RestrictedClasses: the WP abstraction layer should be used to query database if needed.
WordPress.DB.RestrictedFunctions: the WP abstraction layer should be used to query database if needed.
WordPress.DB.PreparedSQL: all SQL queries should be prepared as close to the time of querying the database as possible.
WordPress.DB.PreparedSQLPlaceholders: verify that placeholders in prepared queries are used correctly.
WordPress.Security.ValidatedSanitizedInput: validate and/or sanitize untrusted data before using it.
WordPress.Security.EscapeOutput: all untrusted data should be escaped before output - warning, since translations don't have to be escaped.
Generic.PHP.BacktickOperator: prohibit the use of the backtick operator.
WordPress.WP.GlobalVariablesOverride: prohibit overwriting of WordPress global variables.
Squiz.PHP.Eval.Discouraged: prohibit the use of the eval() PHP language construct.
Generic.PHP.DiscourageGoto.Found: prohibit the use of the goto PHP language construct.
WordPress.WP.DeprecatedClasses: check for use of deprecated WordPress classes.
WordPress.WP.DeprecatedFunctions: check for use of deprecated WordPress functions.
WordPress.WP.DeprecatedParameters: check for use of deprecated WordPress function parameters.
WordPress.WP.DiscouragedConstants: check for deprecated WordPress constants.
WordPress.NamingConventions.PrefixAllGlobals: verify that everything in the global namespace is prefixed. Handbook rule. This rule will only work if a prefix is passed. See the documentation for more details.
WordPress.WP.CapitalPDangit: check for correct spelling of WordPress. Handbook rule.
WordPress.WP.TimezoneChange: themes should never touch the timezone.