The WordPress Performance team is rolling out a proposal for developing a plug-in verification tool similar to the theme verification plugin , which ensures that the themes meet the latest standards and best practices.
In 2021, the WordPress Meta team has created a code scanner which detects potential security risks, such as unescaped SQL queries in the plug-in code, with the aim of reducing the load on the plug-in team through automation. This particular tool was not developed to encourage best practices, but rather to ensure that plug-ins that enter the directory meet the minimum standards required for security.
The Performance team proposes the creation of a different type of plug-in that reports any violations of the plug-in development requirements and suggests best practices with errors or warnings.
"It should cover various aspects of plug-in development, from basic requirements such as the correct use of internationalization features to best practices of accessibility, performance and security“Said Felix Arntz, a Google sponsored contributor. He identified three main goals for the plugin:
- Provide plug-in developers with feedback on requirements and best practices during development.
- Provide the wordpress.org plugin review team with an additional automated tool to identify certain problems or weaknesses in a plugin prior to a manual review.
- Provide technical site owners with a tool to evaluate plug-ins based on those requirements and best practices.
The performance team recommends that the plug-in also work from the command line (using WP-CLI) and that it goes beyond parsing the static code to include the runtime controls that execute the code.
The proposal has received mixed feedback so far. Several participants in the discussion welcome the development of such a tool and would be eager to use it with their own plugins. Others are concerned that the controls become too heavy and negatively impact the plugin ecosystem.
"Having a plug-in to automate these checks is great" said WordPress developer Michael Nelson. "I worry though that eventually this will mean that the developers of the WP plugin authors will also have to adopt the code style of WP, which would be quite annoying."
WordPress developer Josh Pollock said to share these concerns and is concerned about how these standards can be applied to plug-ins that weren't built to support PHP5, use composer for dependency management and automation, and share PHP code with other frameworks.
"If this HELPS plugin developers then that's fine, but if it's used as a weapon to insist on standards then I suspect it will be a nail in WP's coffin." he said plugin developer Robin W.
"But one that simply says 'you're not escaping your code properly' and then causes the plugin developer to try to find what and where is wrong will only drive less innovation.".
The Performance team requests feedback from the community, especially plug-in developers, plug-in reviewers, and the meta team. If they can reach a consensus, Arntz said the next step is to design the infrastructure for controlling plugins in a GitHub repository.
“The performance team would be thrilled to take the lead on this project, but it's critical that additional contributors from other teams help with its development, especially when it comes to defining and implementing the different controls,” said Arntz.
“This is certainly an ambitious project and it is not the first time that a plugin checker has been introduced. It should also be clarified that it will probably take at least a few months to arrive at a first version. However, we are optimistic that, with a solid foundation and collaboration from the start, we can create a tool that meets the requirements for reliable automatic plug-in checks. ”
