The WordPress Performance Team offers to develop a new plugin verification tool – WP Tavern

The WordPress Performance team is launching a proposal to develop a plugin verification tool similar to the theme verification plugin, which ensures themes meet the latest standards and best practices.

In 2021, the WordPress Meta team built a code scanner that detects potential security risks, such as unescaped SQL queries in plugin code, with the aim of reducing the load on the plugin review team through automation. That tool was not developed to encourage best practices, but rather to ensure that plugins entering the directory meet the minimum security standards.

The Performance team proposes to create a different kind of plugin, one that would flag violations of the plugin development requirements and suggest best practices, reporting each finding as an error or a warning.

“It should cover various aspects of plugin development, from basic requirements such as the correct use of internationalization features, to best practices for accessibility, performance, and security,” said Felix Arntz, a Google-sponsored contributor. He identified three main goals for the plugin:

  • Provide plugin developers with feedback on requirements and best practices during development.
  • Provide the wordpress.org plugin review team with an additional automated tool to identify certain issues or weaknesses in a plugin before a manual review.
  • Provide technical site owners with a tool to evaluate plugins against these requirements and best practices.

The Performance team recommends that the plugin also work from the command line (via WP-CLI) and go beyond static code analysis to include runtime checks that actually execute the plugin’s code.
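To make concrete what the static side of such a checker does, here is an added example (not code from the proposal or from WordPress.org): a small Python scanner over PHP plugin source that reports an error when a `$wpdb` query call receives interpolated variable data outside `$wpdb->prepare()`, and a warning when a `__()` call has no text domain. The sample plugin text, the `scan_plugin_source()` function and the `Finding` type are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample plugin source (not a real plugin); line numbers are referenced below.
SAMPLE_PLUGIN = r'''<?php
function demo_lookup( $slug ) {
    global $wpdb;
    // Unsafe: caller-supplied value interpolated straight into SQL.
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->posts} WHERE post_name = '$slug'" );
    // Safe: placeholder bound through prepare().
    $ok = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_name = %s", $slug ) );
    // Safe: no variable data in the query at all.
    $count = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts}" );
    echo __( 'Hello' );
    echo __( 'Hello', 'demo-plugin' );
    return $rows;
}
'''

# Query-executing $wpdb methods whose first argument is raw SQL.
SQL_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
# Any PHP variable except $wpdb itself: table-name interpolation such as {$wpdb->posts} is accepted.
FOREIGN_VAR = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")
PREPARED = re.compile(r"^\$wpdb->prepare\s*\(")
# __( 'text' ) with a single string argument, i.e. no text domain.
I18N_NO_DOMAIN = re.compile(r"\b__\(\s*(['\"])(?:(?!\1).)*\1\s*\)")


@dataclass
class Finding:
    line: int
    level: str      # "error" (requirement violated) or "warning" (best practice)
    message: str


def _argument_text(src: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')', skipping quoted strings."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]             # unterminated call: return what is there


def _line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def scan_plugin_source(src: str) -> list:
    """Run both checks over PHP source text and return findings sorted by line."""
    findings = []
    for m in SQL_CALL.finditer(src):
        arg = _argument_text(src, m.end() - 1).strip()
        if PREPARED.match(arg):
            continue                        # query goes through $wpdb->prepare(): accepted
        if FOREIGN_VAR.search(arg):
            findings.append(Finding(
                _line_of(src, m.start()), "error",
                f"$wpdb->{m.group(1)}() receives interpolated variable data; "
                f"bind it with $wpdb->prepare() placeholders"))
    for m in I18N_NO_DOMAIN.finditer(src):
        findings.append(Finding(_line_of(src, m.start()), "warning",
                                "__() call has no text domain"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_plugin_source(SAMPLE_PLUGIN):
        print(f"line {f.line}: {f.level}: {f.message}")
```

On the sample above the scanner reports one error (line 5) and one warning (line 10) and stays silent on the prepared and constant queries. Pattern-based checks like this are deliberately conservative: a string built by concatenation or held in a variable defined elsewhere needs a real PHP parser or the runtime checks the proposal mentions, which is why the team wants both kinds.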

The proposal has received mixed feedback so far. Several discussion participants welcome the development of such a tool and would be eager to use it with their own plugins. Others worry that the checks will become too cumbersome and negatively impact the plugin ecosystem.

“Having a plugin to automate these checks sounds awesome,” said WordPress developer Michael Nelson. “I’m afraid, however, that this will ultimately mean that WP plugin author developers will also have to adopt WP’s style of code, which would be quite boring.”

WordPress developer Josh Pollock said he shares these concerns and is worried about how such standards would be applied to plugins that weren’t written to support PHP 5, use Composer to manage and automate dependencies, and share PHP code with other frameworks.

“If it HELPS plugin developers, then great, but if it’s used as a weapon to push standards, then I suspect it will be a nail in WP’s coffin,” said plugin developer Robin W.

“If you want to stress things that aren’t security-critical, then the current documentation is far from helpful for beginners.

“Now if the tool rewrote the code to standard, so the developer got a ‘this is a better version’, then I’d be on board.

“But one that just says ‘you’re not escaping your code properly’ and then has the plugin developer try to figure out what’s wrong and where it’s wrong will just result in less innovation.”

The Performance team is asking for feedback from the community, especially plugin developers, plugin reviewers, and the meta team. If they reach a consensus, Arntz said the next step is to build the plugin checker infrastructure into a GitHub repository.

“The Performance team would be happy to take the lead on this project, but it’s essential that additional contributors from other teams help with its development, especially when it comes to defining and implementing the various controls,” Arntz said.

“It is certainly an ambitious project, and it is not the first time that a plugin checker has been implemented. It must also be said that it will probably take at least a few months to arrive at a first version. However, we’re optimistic that with a solid foundation and collaboration from the start, we can build a tool that will meet the demands of reliable automated plugin checks.”

Virginia C. Taylor