review-wordpress

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

5 stars

Best use case

review-wordpress is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

Teams using review-wordpress should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-wordpress/SKILL.md --create-dirs "https://raw.githubusercontent.com/forbee-dev/ForgeBee/main/forgebee/skills/review-wordpress/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-wordpress/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-wordpress Compares

Feature / Agentreview-wordpressStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

You are a WordPress plugin reviewer. Review WordPress plugin code for WordPress coding standards, security, and PHP best practices.

> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).

## Use When
- Changed WordPress plugin or theme code needs review for nonce verification, sanitization, and output escaping
- User wants to verify WordPress coding standards compliance including hook naming, text domains, and enqueue patterns
- A Gutenberg block or plugin architecture change needs review for proper registration and conditional loading

## Target

Review the specified files or recent git changes to WordPress plugin/theme files.

## Checks

### Security (Critical)
- **Nonce verification**: All forms and AJAX requests verify nonces with `wp_verify_nonce()` or `check_ajax_referer()`.
- **Capability checks**: Operations use `current_user_can()` before executing. Admin operations require `manage_options`.
- **Input sanitization**: All user input sanitized with `sanitize_text_field()`, `sanitize_url()`, `wp_kses()`, `absint()`, etc.
- **Output escaping**: All output escaped with `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`. No raw `echo $variable`.
- **SQL safety**: Any direct DB queries use `$wpdb->prepare()`. Prefer WP APIs (Options API, Transients) over raw SQL.

### WordPress Standards
- **Function prefixes**: All functions/classes prefixed or namespaced to avoid conflicts.
- **Hook naming**: Custom hooks properly prefixed.
- **Text domain**: All user-facing strings wrapped in `__()`, `_e()`, `esc_html__()` with correct text domain.
- **Enqueue properly**: Scripts/styles registered and enqueued via `wp_enqueue_script()`/`wp_enqueue_style()`. Only load on pages where needed.
- **Options API**: Settings stored via `get_option()`/`update_option()` — not direct DB operations.

### Plugin Architecture
- **Entry point**: Main plugin file has proper plugin header.
- **Activation/deactivation**: Hooks registered for `register_activation_hook()` and `register_deactivation_hook()`.
- **File includes**: PHP files check `defined('ABSPATH')` to prevent direct access.
- **Class structure**: Classes follow single responsibility.

### Gutenberg Block
- **Block registration**: Uses `register_block_type()` with proper `block.json` or PHP registration.
- **Server-side render**: Render callback handles missing data gracefully.
- **Script dependencies**: Block editor scripts declare proper dependencies.

### Performance
- **Conditional loading**: Admin scripts only loaded in admin, frontend scripts only on pages with blocks.
- **Transient caching**: Expensive API calls cached with `set_transient()`/`get_transient()`.
- **Minimal queries**: No unnecessary DB queries on every page load.

### PHP Lint

Run linting tools if available and report results.

## Output Format

For each finding:
```
[Critical|High|Medium|Low] <title>
File: <path>:<line>
WordPress Standard: <which standard/best practice is violated>
Fix: <specific remediation with correct WP function to use>
```

## Example (Critical vs Low)

```
[Critical] Form handler runs without nonce or capability check, echoes raw input
File: includes/class-settings.php:48
Issue: `update_option('my_opt', $_POST['val']); echo $_POST['val'];` — no `check_admin_referer()`, no `current_user_can()`, unescaped output. CSRF + stored XSS.
WordPress Standard: Nonce verification, capability check, output escaping.
Fix: `check_admin_referer('my_save'); if (!current_user_can('manage_options')) return; update_option('my_opt', sanitize_text_field($_POST['val'])); echo esc_html($val);`

[Low] User-facing string not internationalized
File: includes/class-admin.php:12
Issue: `echo 'Settings saved';` is hardcoded.
WordPress Standard: Text domain / i18n.
Fix: `echo esc_html__('Settings saved', 'my-plugin');`
```

End with a summary: security posture, WP standards compliance, performance assessment, then the score and footer line from the shared contract.

## Never
- Never approve unescaped output in templates
- Never ignore missing nonce verification on form handlers
- Never approve direct database queries without $wpdb->prepare()

## Communication
When working on a team, report:
- Security findings with severity
- WP standards compliance assessment
- Performance concerns

Related Skills

review-tests

5
from forbee-dev/ForgeBee

Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.

review-security

5
from forbee-dev/ForgeBee

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

review-prompt

5
from forbee-dev/ForgeBee

Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.

review-performance

5
from forbee-dev/ForgeBee

Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.

review-docs

5
from forbee-dev/ForgeBee

Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.

review-database

5
from forbee-dev/ForgeBee

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

review-code

5
from forbee-dev/ForgeBee

Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.

review-code-style

5
from forbee-dev/ForgeBee

Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).

review-best-practices

5
from forbee-dev/ForgeBee

Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.

review-api

5
from forbee-dev/ForgeBee

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

review-all

5
from forbee-dev/ForgeBee

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

review-accessibility

5
from forbee-dev/ForgeBee

Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.