{"id":20834003,"url":"https://github.com/thetwopct/wp-org-submission-rules","last_synced_at":"2026-02-26T12:02:09.934Z","repository":{"id":262081185,"uuid":"868447159","full_name":"thetwopct/wp-org-submission-rules","owner":"thetwopct","description":"WordPress.org-specific plugin review code sniffs","archived":false,"fork":false,"pushed_at":"2025-10-08T11:29:11.000Z","size":50,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-20T01:07:55.061Z","etag":null,"topics":["php-codesniffer","phpcs","rulsets","wordpress","wordpress-development","wordpress-org","wordpress-plugin-development","wordpress-standards"],"latest_commit_sha":null,"homepage":"https://packagist.org/packages/thetwopct/wp-org-submission-rules","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thetwopct.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-06T12:12:28.000Z","updated_at":"2025-10-17T04:48:00.000Z","dependencies_parsed_at":"2024-11-10T12:41:30.773Z","dependency_job_id":null,"html_url":"https://github.com/thetwopct/wp-org-submission-rules","commit_stats":null,"previous_names":["thetwopct/wp-org-submission-rules"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/thetwopct/wp-org-submission-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thetwopct%2Fwp-org-submission-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thetwopct%2Fwp-org-submission-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thetwopct%2Fwp-org-submission-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thetwopct%2Fwp-org-submission-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thetwopct","download_url":"https://codeload.github.com/thetwopct/wp-org-submission-rules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thetwopct%2Fwp-org-submission-rules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29858461,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T08:51:08.701Z","status":"ssl_error","status_checked_at":"2026-02-26T08:50:19.607Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["php-codesniffer","phpcs","rulsets","wordpress","wordpress-development","wordpress-org","wordpress-plugin-development","wordpress-standards"],"created_at":"2024-11-18T00:17:46.817Z","updated_at":"2026-02-26T12:02:09.911Z","avatar_url":"https://github.com/thetwopct.png","language":"PHP","funding_links":["https://opencollective.com/php_codesniffer"],"categories":[],"sub_categories":[],"readme":"# WordPress.org-specific plugin review code sniffs\n\nWhen submitting a plugin to the WordPress.org repo, there are several checks that the plugin review team apply to your plugin, but which are not fully covered by WordPress Coding Standards or included in the [Plugin Check (PCP)](https://wordpress.org/plugins/plugin-check/) plugin.\n\nThis sniff ruleset tries to bring attention to and fix some of the checks that are missed.\n\nThis is an additional ruleset you can add to [PHPCSStandards PHP_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer/). PHP CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards, and also corrects coding standard violations. PHP_CodeSniffer is an essential development tool that ensures your code remains clean and consistent.\n\nIf you use these sniffs and indeed PHP_CodeSniffer I would urge you to [donate](https://opencollective.com/php_codesniffer) _something_ to the project as without funding it will go away and all our code will be worse off.\n\n## Install\n\nThe sniffs have been released on to [Packagist](https://packagist.org/packages/thetwopct/wp-org-submission-rules), so installation should be as simple as running:\n\n```\ncomposer require thetwopct/wp-org-submission-rules --dev\n```\n\nYou can then check that the ruleset (WPOrgSubmissionRules) is now installed:\n\n```\nphpcs -i\n```\n\nYou can then add it to your custom .phpcs.xml file to include in your sniffs:\n\n```\n\u003crule ref=\"WPOrgSubmissionRules\"/\u003e\n```\n\nor access the standard directly from the command line as per other standards:\n\n```\nphpcs --standard=WPOrgSubmissionRules your-file.php\n```\n\nor to run over your whole code:\n\n```\nphpcs --standard=WPOrgSubmissionRules .\n```\n\nOne of the rules looks for unique names of variables, and you can add a prefix in your custom rules:\n\n```\n\u003crule ref=\"WPOrgSubmissionRules.Naming.UniqueName\"\u003e\n\t\u003cproperties\u003e\n\t\t\u003cproperty name=\"requiredPrefix\" value=\"my_unique_name_\" /\u003e\n\t\u003c/properties\u003e\n\u003c/rule\u003e\n```\n\n## What the sniffs detect:\n\nHere are some of the review issues from WordPress.org that these sniffs try to make sure you avoid:\n\n### 1) Use wp_enqueue commands\n\nAny inline CSS or JS is flagged via `\u003cscript\u003e` or `\u003cstyle\u003e` tags.\n\n**Sniff**: `WPOrgSubmissionRules.ForbiddenTags.ForbiddenInlineTags`\n\n### 2) Generic function/class/define/namespace/option names\n\nAll plugins must have unique function names, namespaces, defines, class and option names. This prevents your plugin from conflicting with other plugins or themes. WordPress.org expect your plugin to use unique and distinct names.\n\n**Sniff**: `WPOrgSubmissionRules.Naming.UniqueName`\n\n### 3) Options and Transients must be prefixed\n\nThis is really important because the options are stored in a shared location and under the name you have set. If two plugins use the same name for options, they will find an interesting conflict when trying to read information introduced by the other plugin.\n\n**Sniff**: `WPOrgSubmissionRules.Naming.UniqueName`\n\n### 4) Internationalization: Don't use variables or defines as text, context or text domain parameters\n\nIn order to make a string translatable in your plugin you are using a set of special functions. These functions collectively are known as \"gettext\". There is a dedicated team in the WordPress community to translate and help other translating strings of WordPress core, plugins and themes to other languages.\n\nTo make them be able to translate this plugin, please do not use variables or function calls for the text, context or text domain parameters of any gettext function, all of them NEED to be strings. Note that the translation parser reads the code without executing it, so it won't be able to read anything that is not a string within these functions.\n\n**Sniff**: `WPOrgSubmissionRules.Internationalization.TranslationFunctionStringLiteral`\n\n### 5) Prefix length requirements\n\nWordPress.org requires prefixes to be **at least 4 characters long**. The sniff detects short prefixes by extracting the part before the first underscore (this is dumb, but we need to play by their rules):\n\n- `ABC_For_ACF` → prefix is `ABC` (3 chars, too short ❌)\n- `abcfacf_save_post` → prefix is `abcfacf` (8 chars, OK ✅)\n\n**Sniff**: `WPOrgSubmissionRules.Naming.PrefixLength`\n\n### 6) Reserved prefixes (wp_, _, __)\n\nWordPress reserves certain prefixes for core functionality:\n\n- `wp_` - Reserved for WordPress core\n- `_` (single underscore) - Reserved for WordPress internal use\n- `__` (double underscore at start) - Reserved for magic methods\n\n**Sniff**: `WPOrgSubmissionRules.Naming.PrefixLength`\n\n### 7) Security: Nonce checks required\n\nAny usage of `$_POST`, `$_GET`, or `$_REQUEST` must be accompanied by proper nonce verification using:\n\n- `wp_verify_nonce()`\n- `check_ajax_referer()`\n- `check_admin_referer()`\n\nAlso warns about using these superglobals outside of functions (performance issue).\n\n**Sniff**: `WPOrgSubmissionRules.Security.NonceCheck`\n\n### 8) Anti-pattern: function_exists() wrapper\n\nUsing `if (!function_exists('name')) { function name() {...} }` is an anti-pattern. If another plugin has a function with the same name and loads first, your plugin will silently fail. Use unique prefixes instead.\n\n**Sniff**: `WPOrgSubmissionRules.Naming.FunctionExistsWrapper`\n\n## Active development\n\nThis package is under constant development and will be updated to reflect new checks that the Plugin Team review process throws at us. If you have feedback on these sniffs and want us to add new custom sniffs, [please open an issue](https://github.com/thetwopct/wp-org-submission-rules/issues). This file can be found in our [GitHub](https://github.com/thetwopct/wp-org-submission-rules) repo.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthetwopct%2Fwp-org-submission-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthetwopct%2Fwp-org-submission-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthetwopct%2Fwp-org-submission-rules/lists"}