WordPress Performance Team Proposes Developing a New Plugin … – WP Tavern

Sarah Gooding
WordPress’ Performance team is kickstarting a proposal for developing a plugin checker tool similar to the theme check plugin, which ensures themes are meeting the latest standards and best practices.
In 2021, WordPress’ Meta team built a code scanner that detects potential security risks, such as unescaped SQL queries in plugin code, with the goal of reducing the Plugin Team’s load through automation. That particular tool wasn’t developed to encourage best practices but rather to ensure plugins entering the directory meet the bare minimum standards necessary for security.
The Performance team is proposing building a different kind of plugin that would flag any violations of the plugin development requirements and suggest best practices with errors or warnings.
“It should cover various aspects of plugin development, from basic requirements like correct usage of internationalization functions to accessibility, performance, and security best practices,” Google-sponsored contributor Felix Arntz said. He identified three main goals for the plugin:
The Performance team recommends the plugin also work from the command line (using WP-CLI) and that it go beyond static code analysis to include runtime checks that execute code.
The proposal has received mixed feedback so far. Several participants in the discussion welcome development on such a tool and would be eager to use it with their own plugins. Others are worried about the checks becoming too heavy-handed and negatively impacting the plugin ecosystem.
“Having a plugin to automate these checks sounds great,” WordPress developer Michael Nelson said. “I worry though that eventually this will mean WP plugin author devs will need to adopt WP’s code style too, which would be pretty annoying.”
WordPress developer Josh Pollock commented that he shares these concerns and is worried about how these standards may be applied towards plugins that were not created to support PHP5, use composer for dependency management and automation, and share PHP code with other frameworks.
“If this HELPS plugin developers, then fine, but if it is used as a weapon to insist on standards, then I suspect it will be a nail in WP’s coffin,” plugin developer Robin W said.
“If you want to insist on stuff that is not security critical, then the current documentation is far from useful to rookies.
“Now if the tool rewrote the code to standard, so the dev got a ‘this is a better version’ then I would be on board.
“But one that just says ‘you are not escaping your code correctly’ and then makes the plugin dev try and find what and where it is wrong will just drive less innovation.”
The Performance team is requesting feedback from the community, particularly plugin developers, plugin reviewers, and the meta team. If they are able to reach a consensus, Arntz said the next step is to design the infrastructure for the plugin checker in a GitHub repository.
“The performance team would be excited to take the lead on this project, but it is vital that additional contributors from other teams help with its development, especially when it comes to defining and implementing the different checks,” Arntz said.
“This is certainly an ambitious project, and it is not the first time that a plugin checker has come up. It also needs to be clarified that it will likely take a few months at least to get to a first version. However, we are optimistic that with a solid foundation and collaboration from the start, we can create a tool that will meet the requirements for reliable automated plugin checks.”
Maybe this means we’ll finally be rid of Hello Dolly!
I tend to worry about such centralized and automated efforts. I am a lowly user, so the only way it would affect me would be if it removed a plug-in that I already use (and not all of us use just the newest, though updating old ones when possible is a routine for me).
Regarding the above, absolutely it should not just identify that there is a problem and not let the developer know what and if possible how to fix; I could see that discouraging people from submitting a plug-in, and consequently from even developing one.
I believe it’s about time for such a tool, with shared usage between plugin review team and plugin authors, as it will bring clear guides on what are best security and coding practices. It should reduce time, efforts and amount of money invested in developing and reviewing the plugins, and eventually contribute to better user experience.
Thumbs up!
I hope that if this plugin is actually developed it will cut down on review time when developers create new plugins or update old ones.
I’ve submitted a plugin on wordpress.org it took a few days to review. After doing several revisions finally accepted.
I think the WordPress review team really needs this plugin to make their work easier. I really support the making of this plugin.
I am not sure if best approach would be a plugin. Maybe an WP-CLI tool launched on demand will get better results with no overhead.
If you launch a phpcs with the right rules you already have this.
The problem is, what are you going to enforce?
Seems to me it’s just more work just to seems busy.
Enter your email address to subscribe to this blog and receive notifications of new posts by email.

WordPress Tavern is a website about all things WordPress. We cover news and events, write plugin and theme reviews, and talk about key issues within the WordPress ecosystem…
© All Rights Reserved. Powered by WordPress, hosted by Pressable


Post Your Comment