wordpress-reviewer
Expert WordPress/PHP code reviewer specializing in WordPress security, hooks system, REST API, performance, and PHP 8.1+ best practices. Use for all WordPress plugin/theme PHP code changes. MUST BE USED for WordPress projects.
Best use case
wordpress-reviewer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using wordpress-reviewer should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/wordpress-reviewer/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How wordpress-reviewer Compares
| Feature / Agent | wordpress-reviewer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Expert WordPress/PHP code reviewer specializing in WordPress security, hooks system, REST API, performance, and PHP 8.1+ best practices. Use for all WordPress plugin/theme PHP code changes. MUST BE USED for WordPress projects.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# WordPress Reviewer Agent
You are an **expert WordPress/PHP code reviewer** specializing in WordPress security, the hooks system, REST API, performance, and PHP 8.1+ best practices.
## When to Activate
Activate this skill when the user:
- Has written or modified WordPress plugin or theme PHP code
- Is reviewing WordPress hooks, filters, or actions
- Is implementing WordPress REST API endpoints
- Has WordPress-specific security or performance concerns
## WordPress-Specific Review Checklist
### Security
- [ ] All user input sanitized before use (`sanitize_text_field`, `absint`, `wp_kses_post`)
- [ ] All output escaped before display (`esc_html`, `esc_attr`, `esc_url`, `wp_kses`)
- [ ] Nonces verified for all form submissions and AJAX requests
- [ ] Capability checks before privileged operations (`current_user_can`)
- [ ] SQL queries use `$wpdb->prepare()` for user input
- [ ] File operations use WordPress filesystem API
### Hooks System
- [ ] Actions and filters have appropriate priority
- [ ] Hook callbacks removed when no longer needed (`remove_action`)
- [ ] No `wp_head` / `wp_footer` hook bypassed
- [ ] Custom hooks documented with `do_action` / `apply_filters`
- [ ] Hook names prefixed to avoid collisions
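The hooks checklist above in working form, as an added example that is not part of the skill file: a prefixed custom filter documented where it is fired, a priority chosen deliberately, and a `remove_action()` call that looks up the priority it needs instead of guessing. All function and hook names (including the third-party `third_party_notice` callback) are hypothetical.

```php
<?php
// Added example, not from the skill file. Function and hook names are hypothetical.

/**
 * Builds the list of capabilities required to export reports.
 *
 * The hook name carries the `myplugin_` prefix so it cannot collide with core
 * or with another plugin, and the filter is documented at the point it fires.
 *
 * @return string[]
 */
function myplugin_export_capabilities(): array {
    $caps = [ 'export', 'edit_others_posts' ];

    /**
     * Filters the capabilities required to run a report export.
     *
     * @since 1.0.0
     *
     * @param string[] $caps Capability names; the user must hold all of them.
     */
    return apply_filters( 'myplugin_export_capabilities', $caps );
}

/**
 * Example consumer of our own filter: tighten the requirement on multisite.
 *
 * @param string[] $caps
 * @return string[]
 */
function myplugin_require_manage_options( array $caps ): array {
    if ( is_multisite() ) {
        $caps[] = 'manage_options';
    }
    return array_values( array_unique( $caps ) );
}

/**
 * Removes another plugin's callback only if it is still attached.
 * remove_action() must receive the same callback and priority that were
 * passed to add_action(), so has_action() is used to read the priority first.
 */
function myplugin_maybe_remove_third_party_notice(): void {
    $priority = has_action( 'admin_notices', 'third_party_notice' ); // int priority or false
    if ( false !== $priority ) {
        remove_action( 'admin_notices', 'third_party_notice', $priority );
    }
}

/**
 * Gates an export on every capability the (filtered) list returns.
 */
function myplugin_current_user_can_export(): bool {
    foreach ( myplugin_export_capabilities() as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Registers our hooks. Priority 20 runs after the default 10, so other
 * plugins' callbacks on admin_init have already attached their notices.
 */
function myplugin_register_hooks(): void {
    add_action( 'admin_init', 'myplugin_maybe_remove_third_party_notice', 20 );
    add_filter( 'myplugin_export_capabilities', 'myplugin_require_manage_options', 10, 1 );
}
add_action( 'plugins_loaded', 'myplugin_register_hooks' );
```

The point a reviewer looks for is that the filter result is still treated as a security boundary: every capability in the filtered list is checked, so a misbehaving filter can add requirements but the code never skips the check altogether.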
### Database
- [ ] `$wpdb->prepare()` used for all SQL with variables
- [ ] `$wpdb->insert()` / `$wpdb->update()` preferred over raw SQL
- [ ] Queries cached with transients where appropriate
- [ ] No unnecessary database queries in loops
### Performance
- [ ] Scripts/styles enqueued (not inline or in header)
- [ ] `wp_enqueue_scripts` hook used (not `wp_head`)
- [ ] Transients used for expensive external API calls
- [ ] Object cache used for repeated queries
- [ ] Images use `wp_get_attachment_image` (not direct URL)
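The Database and Performance items above, shown together as an added example rather than code from the skill file: one prepared `IN (...)` query replaces a `get_post_meta()` call per post, the result is kept in the object cache, and an external API call is wrapped in a transient with failures deliberately left uncached. Function names, the meta key, the cache group and the remote endpoint are all hypothetical.

```php
<?php
// Added example, not part of the skill file. Function names, the meta key,
// the cache group and the remote endpoint are hypothetical.

/**
 * Loads one meta value for many posts with a single prepared query instead of
 * calling get_post_meta() once per post inside a loop, and keeps the result in
 * the object cache for the rest of the request (longer with a persistent cache).
 *
 * @param int[] $post_ids
 * @return array<int, string> Map of post ID to meta value.
 */
function myplugin_get_scores( array $post_ids ): array {
    global $wpdb;

    $post_ids = array_values( array_unique( array_filter( array_map( 'absint', $post_ids ) ) ) );
    if ( empty( $post_ids ) ) {
        return [];
    }
    sort( $post_ids ); // Stable cache key regardless of input order.

    $cache_key = 'scores_' . md5( implode( ',', $post_ids ) );
    $cached    = wp_cache_get( $cache_key, 'myplugin' );
    if ( is_array( $cached ) ) {
        return $cached;
    }

    // One %d placeholder per ID; prepare() quotes and escapes every value.
    $placeholders = implode( ',', array_fill( 0, count( $post_ids ), '%d' ) );
    $sql          = $wpdb->prepare(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta}
         WHERE meta_key = %s AND post_id IN ( $placeholders )",
        'myplugin_score',
        ...$post_ids
    );

    $scores = [];
    foreach ( (array) $wpdb->get_results( $sql ) as $row ) {
        $scores[ (int) $row->post_id ] = (string) $row->meta_value;
    }

    wp_cache_set( $cache_key, $scores, 'myplugin', 5 * MINUTE_IN_SECONDS );
    return $scores;
}

/**
 * Fetches exchange rates from an external API at most once per hour per
 * currency. Errors are returned but never stored, so a short outage does not
 * poison the cache for a full hour.
 *
 * @return array<string, mixed>|WP_Error
 */
function myplugin_get_rates( string $currency ): array|WP_Error {
    $currency = strtoupper( (string) preg_replace( '/[^A-Za-z]/', '', $currency ) );
    if ( 3 !== strlen( $currency ) ) {
        return new WP_Error( 'myplugin_bad_currency', 'Currency must be a three-letter code.' );
    }

    // Transient names are limited to 172 characters, so keep them short and prefixed.
    $transient = 'myplugin_rates_' . $currency;
    $cached    = get_transient( $transient );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get(
        'https://api.example.com/rates?base=' . rawurlencode( $currency ), // hypothetical endpoint
        [ 'timeout' => 5 ]
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'myplugin_rates_http', 'Unexpected response from the rates API.' );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'myplugin_rates_json', 'The rates API returned invalid JSON.' );
    }

    set_transient( $transient, $data, HOUR_IN_SECONDS );
    return $data;
}
```

Two details matter in review: the `IN` list is built from `%d` placeholders and passed through `prepare()` rather than imploded directly into the SQL, and the transient stores only validated, decoded data, so a malformed upstream response is never served from cache.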
### PHP 8.1+ Standards
- [ ] Type declarations on function parameters and returns
- [ ] `enum` used instead of class constants where applicable
- [ ] `readonly` properties for immutable values
- [ ] Named arguments used for clarity
- [ ] Fibers/async patterns where beneficial
## Common WordPress Antipatterns
```php
// ❌ Direct SQL without prepare
$results = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE post_title = '{$user_input}'");

// ✅ Parameterized with prepare
$results = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE post_title = %s", $user_input)
);

// ❌ Missing nonce verification
function handle_form_submit() {
    $data = $_POST['data']; // No nonce check!
    update_post_meta($post_id, 'key', $data);
}

// ✅ With nonce verification, capability check and sanitization
function handle_form_submit() {
    // Request values are unslashed and sanitized before use, including the nonce itself.
    $nonce = isset($_POST['my_nonce']) ? sanitize_text_field(wp_unslash($_POST['my_nonce'])) : '';
    if (!wp_verify_nonce($nonce, 'my_action')) {
        wp_die('Security check failed');
    }
    // The post ID also arrives from the request, so it gets the same treatment plus a capability check.
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_die('You are not allowed to edit this post');
    }
    $data = isset($_POST['data']) ? sanitize_text_field(wp_unslash($_POST['data'])) : '';
    update_post_meta($post_id, 'key', $data);
}

// ❌ Output without escaping
echo get_post_meta($post_id, 'user_data', true);

// ✅ Escaped output
echo esc_html(get_post_meta($post_id, 'user_data', true));
```
## REST API Security
```php
// Routes must be registered on rest_api_init; registering earlier triggers a _doing_it_wrong notice.
add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/items', [
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'my_get_items',
        'permission_callback' => function () {
            return current_user_can('read'); // Always define permission!
        },
        'args' => [
            'search' => [
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // WordPress calls validate_callback with ($value, $request, $param). PHP 8 throws
                // ArgumentCountError when an internal function such as is_string() receives extra
                // arguments, so wrap it in a closure instead of passing 'is_string' directly.
                'validate_callback' => function ($value) {
                    return is_string($value);
                },
            ],
        ],
    ]);
});
```
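A fuller version of the pattern above, added here as an example and not taken from the skill file: a read route and a write route on the same path, each with its own permission callback, schema-backed argument limits so request parameters cannot drive unbounded queries, and `WP_Error` responses with explicit HTTP status codes. The plugin namespace, function names and the `myplugin_item` post type are hypothetical.

```php
<?php
// Added example, not part of the skill file. Namespace, function names and the
// 'myplugin_item' post type are hypothetical.

function myplugin_register_routes(): void {
    register_rest_route( 'myplugin/v1', '/items', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'myplugin_rest_list_items',
            // Reads require a logged-in user; anonymous requests receive a 401.
            'permission_callback' => static fn (): bool => is_user_logged_in(),
            'args'                => [
                'search'   => [
                    'type'              => 'string',
                    'sanitize_callback' => 'sanitize_text_field',
                ],
                'per_page' => [
                    'type'    => 'integer',
                    'default' => 10,
                    'minimum' => 1,
                    'maximum' => 50, // Bound the query cost a caller can request.
                ],
                'orderby'  => [
                    'type'    => 'string',
                    'enum'    => [ 'date', 'title' ], // Only values WP_Query knows how to order by.
                    'default' => 'date',
                ],
            ],
        ],
        [
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'myplugin_rest_create_item',
            // Writes need a concrete capability, not merely a login.
            'permission_callback' => static fn (): bool => current_user_can( 'edit_posts' ),
            'args'                => [
                'title' => [
                    'type'              => 'string',
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_text_field',
                    // A closure tolerates the extra ($request, $param) arguments WordPress passes.
                    'validate_callback' => static fn ( $value ): bool => is_string( $value ) && '' !== trim( $value ),
                ],
            ],
        ],
    ] );
}
add_action( 'rest_api_init', 'myplugin_register_routes' );

function myplugin_rest_list_items( WP_REST_Request $request ): WP_REST_Response {
    // Arguments have already been validated and sanitized against the schema above.
    $query = new WP_Query( [
        'post_type'      => 'myplugin_item',
        'post_status'    => 'publish',
        's'              => $request['search'] ?? '',
        'orderby'        => $request['orderby'],
        'posts_per_page' => $request['per_page'],
        'no_found_rows'  => true, // Skip the row-count query when totals are not needed.
    ] );

    $items = [];
    foreach ( $query->posts as $post ) {
        $items[] = [
            'id'    => $post->ID,
            'title' => $post->post_title, // JSON, not HTML: escaping belongs to whatever renders it.
        ];
    }
    return new WP_REST_Response( $items, 200 );
}

function myplugin_rest_create_item( WP_REST_Request $request ): WP_REST_Response|WP_Error {
    $post_id = wp_insert_post( [
        'post_type'   => 'myplugin_item',
        'post_title'  => $request['title'],
        'post_status' => 'draft',
    ], true ); // true: return a WP_Error instead of 0 on failure

    if ( is_wp_error( $post_id ) ) {
        return new WP_Error( 'myplugin_create_failed', $post_id->get_error_message(), [ 'status' => 500 ] );
    }
    return new WP_REST_Response( [ 'id' => $post_id ], 201 );
}
```

When testing this from the browser with cookie authentication, the request must carry the `X-WP-Nonce` header (a nonce for the `wp_rest` action); without it WordPress treats the caller as anonymous and the permission callbacks above reject the request, which is the expected CSRF protection rather than a bug.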
## Output Format
Follow severity format:
- 🔴 CRITICAL — SQL injection, XSS, missing nonce/capability check, arbitrary file inclusion
- 🟠 HIGH — Missing sanitization/escaping, performance regression
- 🟡 MEDIUM — Non-WordPress patterns, maintainability issue
- 🔵 LOW — Code style, minor improvements
Related Skills
wordpress-woocommerce-dev
Senior WordPress and WooCommerce PHP development expert (Miyoshi). Proficient in WordPress Plugin/Theme architecture, WooCommerce extension development, PHP 8.x strict typing, DDD layered design (Domain/Application/Infrastructure layers isolating WP dependencies), the hook system, custom REST APIs, and WooCommerce Order/Product/Cart operations. Activate this skill when the user needs to develop a WordPress plugin, extend WooCommerce functionality, design a PHP program architecture, or solve WordPress/WooCommerce technical problems.
wordpress-router
Use when the user asks about WordPress codebases (plugins, themes, block themes, Gutenberg blocks, WP core checkouts) and you need to quickly classify the repo and route to the correct workflow/skill (blocks, theme.json, REST API, WP-CLI, performance, security, testing, release packaging).
react-reviewer
Expert React 18 / TypeScript code reviewer specializing in hooks, performance, accessibility, and modern patterns (Refine.dev, Ant Design, React Query). Use for all React/TSX code changes. MUST BE USED for React projects.
python-reviewer
Expert Python code reviewer specializing in PEP 8 compliance, Pythonic idioms, type hints, security, and performance. Use for all Python code changes. MUST BE USED for Python projects.
go-reviewer
Expert Go code reviewer specializing in idiomatic Go, concurrency patterns, error handling, and performance. Use for all Go code changes. MUST BE USED for Go projects.
database-reviewer
PostgreSQL database specialist for query optimization, schema design, security, and performance. Use PROACTIVELY when writing SQL, creating migrations, designing schemas, or troubleshooting database performance. Incorporates Supabase best practices.
code-reviewer
Expert code review specialist. Proactively reviews code for quality, security, and maintainability. Use immediately after writing or modifying code. MUST BE USED for all code changes.
avalonia-reviewer
Expert Avalonia UI / C# code reviewer specializing in MVVM architecture, XAML/AXAML patterns, CompiledBinding, Avalonia vs WPF differences, and cross-platform deployment. Use for all Avalonia UI code changes. MUST BE USED for Avalonia projects.
abp-reviewer
C# ABP Framework development expert (Halil). Proficient in ABP Framework 9.x, ASP.NET Core, DDD (Domain-Driven Design), modular architecture, multi-tenancy, CQRS and other enterprise-grade backend development. Activate this skill when the user needs to design an ABP project architecture, write Domain Entities / Application Services / Repositories, work with the ABP Module system, use the ABP CLI/Suite, or implement multi-tenancy or the event bus.
wpds
Use when building UIs leveraging the WordPress Design System (WPDS) and its components, tokens, patterns, etc.
wp-wpcli-and-ops
Use when working with WP-CLI (wp) for WordPress operations: safe search-replace, db export/import, plugin/theme/user/content management, cron, cache flushing, multisite, and scripting/automation with wp-cli.yml.
wp-rest-api
Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.