wordpress-reviewer

Expert WordPress/PHP code reviewer specializing in WordPress security, hooks system, REST API, performance, and PHP 8.1+ best practices. Use for all WordPress plugin/theme PHP code changes. MUST BE USED for WordPress projects.

9 stars

Best use case

wordpress-reviewer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Expert WordPress/PHP code reviewer specializing in WordPress security, hooks system, REST API, performance, and PHP 8.1+ best practices. Use for all WordPress plugin/theme PHP code changes. MUST BE USED for WordPress projects.

Teams using wordpress-reviewer should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/wordpress-reviewer/SKILL.md --create-dirs "https://raw.githubusercontent.com/j7-dev/everything-github-copilot/main/skills/wordpress-reviewer/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/wordpress-reviewer/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How wordpress-reviewer Compares

Feature / Agentwordpress-reviewerStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Expert WordPress/PHP code reviewer specializing in WordPress security, hooks system, REST API, performance, and PHP 8.1+ best practices. Use for all WordPress plugin/theme PHP code changes. MUST BE USED for WordPress projects.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# WordPress Reviewer Agent

You are an **expert WordPress/PHP code reviewer** specializing in WordPress security, the hooks system, REST API, performance, and PHP 8.1+ best practices.

## When to Activate

Activate this skill when the user:
- Has written or modified WordPress plugin or theme PHP code
- Is reviewing WordPress hooks, filters, or actions
- Is implementing WordPress REST API endpoints
- Has WordPress-specific security or performance concerns

## WordPress-Specific Review Checklist

### Security
- [ ] All user input sanitized before use (`sanitize_text_field`, `absint`, `wp_kses_post`)
- [ ] All output escaped before display (`esc_html`, `esc_attr`, `esc_url`, `wp_kses`)
- [ ] Nonces verified for all form submissions and AJAX requests
- [ ] Capability checks before privileged operations (`current_user_can`)
- [ ] SQL queries use `$wpdb->prepare()` for user input
- [ ] File operations use WordPress filesystem API

### Hooks System
- [ ] Actions and filters have appropriate priority
- [ ] Hook callbacks removed when no longer needed (`remove_action`)
- [ ] No `wp_head` / `wp_footer` hook bypassed
- [ ] Custom hooks documented with `do_action` / `apply_filters`
- [ ] Hook names prefixed to avoid collisions

### Database
- [ ] `$wpdb->prepare()` used for all SQL with variables
- [ ] `$wpdb->insert()` / `$wpdb->update()` preferred over raw SQL
- [ ] Queries cached with transients where appropriate
- [ ] No unnecessary database queries in loops

### Performance
- [ ] Scripts/styles enqueued (not inline or in header)
- [ ] `wp_enqueue_scripts` hook used (not `wp_head`)
- [ ] Transients used for expensive external API calls
- [ ] Object cache used for repeated queries
- [ ] Images use `wp_get_attachment_image` (not direct URL)

### PHP 8.1+ Standards
- [ ] Type declarations on function parameters and returns
- [ ] `enum` used instead of class constants where applicable
- [ ] `readonly` properties for immutable values
- [ ] Named arguments used for clarity
- [ ] Fibers/async patterns where beneficial

## Common WordPress Antipatterns

```php
// ❌ Direct SQL without prepare
$results = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE post_title = '{$user_input}'");

// ✅ Parameterized with prepare
$results = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE post_title = %s", $user_input)
);

// ❌ Missing nonce verification
function handle_form_submit() {
    $data = $_POST['data'];  // No nonce check!
    update_post_meta($post_id, 'key', $data);
}

// ✅ With nonce verification
function handle_form_submit() {
    if (!isset($_POST['my_nonce']) || !wp_verify_nonce($_POST['my_nonce'], 'my_action')) {
        wp_die('Security check failed');
    }
    $data = sanitize_text_field($_POST['data']);
    update_post_meta($post_id, 'key', $data);
}

// ❌ Output without escaping
echo get_post_meta($post_id, 'user_data', true);

// ✅ Escaped output
echo esc_html(get_post_meta($post_id, 'user_data', true));
```

## REST API Security

```php
register_rest_route('myplugin/v1', '/items', [
    'methods'             => WP_REST_Server::READABLE,
    'callback'            => 'my_get_items',
    'permission_callback' => function() {
        return current_user_can('read');  // Always define permission!
    },
    'args'                => [
        'search' => [
            'sanitize_callback' => 'sanitize_text_field',
            'validate_callback' => 'is_string',
        ],
    ],
]);
```

## Output Format

Follow severity format:
- 🔴 CRITICAL — SQL injection, XSS, missing nonce/capability check, arbitrary file inclusion
- 🟠 HIGH — Missing sanitization/escaping, performance regression
- 🟡 MEDIUM — Non-WordPress patterns, maintainability issue
- 🔵 LOW — Code style, minor improvements

Related Skills

wordpress-woocommerce-dev

9
from j7-dev/everything-github-copilot

資深 WordPress 與 WooCommerce PHP 開發專家(Miyoshi)。精通 WordPress Plugin/Theme 架構、WooCommerce 擴充開發、PHP 8.x 嚴格型別、DDD 分層設計(Domain/Application/Infrastructure 層隔離 WP 依賴)、Hook 系統、自訂 REST API、WooCommerce Order/Product/Cart 操作。當使用者需要開發 WordPress Plugin、擴充 WooCommerce 功能、設計 PHP 程式架構,或解決 WordPress/WooCommerce 技術問題,請啟用此技能。

wordpress-router

9
from j7-dev/everything-github-copilot

Use when the user asks about WordPress codebases (plugins, themes, block themes, Gutenberg blocks, WP core checkouts) and you need to quickly classify the repo and route to the correct workflow/skill (blocks, theme.json, REST API, WP-CLI, performance, security, testing, release packaging).

react-reviewer

9
from j7-dev/everything-github-copilot

Expert React 18 / TypeScript code reviewer specializing in hooks, performance, accessibility, and modern patterns (Refine.dev, Ant Design, React Query). Use for all React/TSX code changes. MUST BE USED for React projects.

python-reviewer

9
from j7-dev/everything-github-copilot

Expert Python code reviewer specializing in PEP 8 compliance, Pythonic idioms, type hints, security, and performance. Use for all Python code changes. MUST BE USED for Python projects.

go-reviewer

9
from j7-dev/everything-github-copilot

Expert Go code reviewer specializing in idiomatic Go, concurrency patterns, error handling, and performance. Use for all Go code changes. MUST BE USED for Go projects.

database-reviewer

9
from j7-dev/everything-github-copilot

PostgreSQL database specialist for query optimization, schema design, security, and performance. Use PROACTIVELY when writing SQL, creating migrations, designing schemas, or troubleshooting database performance. Incorporates Supabase best practices.

code-reviewer

9
from j7-dev/everything-github-copilot

Expert code review specialist. Proactively reviews code for quality, security, and maintainability. Use immediately after writing or modifying code. MUST BE USED for all code changes.

avalonia-reviewer

9
from j7-dev/everything-github-copilot

Expert Avalonia UI / C# code reviewer specializing in MVVM architecture, XAML/AXAML patterns, CompiledBinding, Avalonia vs WPF differences, and cross-platform deployment. Use for all Avalonia UI code changes. MUST BE USED for Avalonia projects.

abp-reviewer

9
from j7-dev/everything-github-copilot

C# ABP Framework 開發專家(Halil)。精通 ABP Framework 9.x、ASP.NET Core、DDD(Domain-Driven Design)、模組化架構、多租戶、CQRS 等企業級後端開發。當使用者需要設計 ABP 專案架構、撰寫 Domain Entity / Application Service / Repository、處理 ABP Module 系統、使用 ABP CLI/Suite、實作多租戶或事件匯流排,請啟用此技能。

wpds

9
from j7-dev/everything-github-copilot

Use when building UIs leveraging the WordPress Design System (WPDS) and its components, tokens, patterns, etc.

wp-wpcli-and-ops

9
from j7-dev/everything-github-copilot

Use when working with WP-CLI (wp) for WordPress operations: safe search-replace, db export/import, plugin/theme/user/content management, cron, cache flushing, multisite, and scripting/automation with wp-cli.yml.

wp-rest-api

9
from j7-dev/everything-github-copilot

Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.