wp-plugin-development
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
Best use case
wp-plugin-development is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
Teams using wp-plugin-development should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/wp-plugin-development/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How wp-plugin-development Compares
| Feature / Agent | wp-plugin-development | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# WP Plugin Development ## When to use Use this skill for plugin work such as: - creating or refactoring plugin structure (bootstrap, includes, namespaces/classes) - adding hooks/actions/filters - activation/deactivation/uninstall behavior and migrations - adding settings pages / options / admin UI (Settings API) - security fixes (nonces, capabilities, sanitization/escaping, SQL safety) - packaging a release (build artifacts, readme, assets) ## Inputs required - Repo root + target plugin(s) (path to plugin main file if known). - Where this plugin runs: single site vs multisite; WP.com conventions if applicable. - Target WordPress + PHP versions (affects available APIs and placeholder support in `$wpdb->prepare()`). ## Procedure ### 0) Triage and locate plugin entrypoints 1. Run triage: - `node skills/wp-project-triage/scripts/detect_wp_project.mjs` 2. Detect plugin headers (deterministic scan): - `node skills/wp-plugin-development/scripts/detect_plugins.mjs` If this is a full site repo, pick the specific plugin under `wp-content/plugins/` or `mu-plugins/` before changing code. ### 1) Follow a predictable architecture Guidelines: - Keep a single bootstrap (main plugin file with header). - Avoid heavy side effects at file load time; load on hooks. - Prefer a dedicated loader/class to register hooks. - Keep admin-only code behind `is_admin()` (or admin hooks) to reduce frontend overhead. See: - `references/structure.md` ### 2) Hooks and lifecycle (activation/deactivation/uninstall) Activation hooks are fragile; follow guardrails: - register activation/deactivation hooks at top-level, not inside other hooks - flush rewrite rules only when needed and only after registering CPTs/rules - uninstall should be explicit and safe (`uninstall.php` or `register_uninstall_hook`) See: - `references/lifecycle.md` ### 3) Settings and admin UI (Settings API) Prefer Settings API for options: - `register_setting()`, `add_settings_section()`, `add_settings_field()` - sanitize via `sanitize_callback` See: - `references/settings-api.md` ### 4) Security baseline (always) Before shipping: - Validate/sanitize input early; escape output late. - Use nonces to prevent CSRF *and* capability checks for authorization. - Avoid directly trusting `$_POST` / `$_GET`; use `wp_unslash()` and specific keys. - Use `$wpdb->prepare()` for SQL; avoid building SQL with string concatenation. See: - `references/security.md` ### 5) Data storage, cron, migrations (if needed) - Prefer options for small config; custom tables only if necessary. - For cron tasks, ensure idempotency and provide manual run paths (WP-CLI or admin). - For schema changes, write upgrade routines and store schema version. See: - `references/data-and-cron.md` ## Verification - Plugin activates with no fatals/notices. - Settings save and read correctly (capability + nonce enforced). - Uninstall removes intended data (and nothing else). - Run repo lint/tests (PHPUnit/PHPCS if present) and any JS build steps if the plugin ships assets. ## Failure modes / debugging - Activation hook not firing: - hook registered incorrectly (not in main file scope), wrong main file path, or plugin is network-activated - Settings not saving: - settings not registered, wrong option group, missing capability, nonce failure - Security regressions: - nonce present but missing capability checks; or sanitized input not escaped on output See: - `references/debugging.md` ## Escalation For canonical detail, consult the Plugin Handbook and security guidelines before inventing patterns.
Related Skills
wp-block-development
Use when developing WordPress (Gutenberg) blocks: block.json metadata, register_block_type(_from_metadata), attributes/serialization, supports, dynamic rendering (render.php/render_callback), deprecations/migrations, viewScript vs viewScriptModule, and @wordpress/scripts/@wordpress/create-block build and test workflows.
find-plugin
Helps users discover and install Claude Code plugins from the pleaseai marketplace. Use this skill whenever a user asks "how do I do X", "find a plugin for X", "is there a plugin that can...", "recommend a plugin", "what plugins are available", wants to extend Claude Code capabilities, or mentions a technology/framework and could benefit from a plugin they haven't installed yet. Also use when the user is stuck on a task that an available plugin could solve, even if they don't explicitly ask for a plugin.
Claude Code Plugin Builder
Creates Claude Code plugins with proper manifest structure, directory layout, and components (commands, agents, skills, hooks, MCP servers). Use when user requests creating plugins, adding slash commands, integrating MCP servers, setting up hooks, migrating Gemini extensions, or mentions "plugin.json", ".claude-plugin", or "marketplace.json". Handles plugin testing, debugging, and marketplace distribution.
plugin-creator
Create and scaffold plugin directories for Codex with a required `.codex-plugin/plugin.json`, optional plugin folders/files, valid manifest defaults, and personal-marketplace entries by default. Use when Codex needs to create a new personal plugin, add optional plugin structure, or generate or update marketplace entries for plugin ordering and availability metadata.
use-zod
Answer questions about the Zod schema validation library and help build schemas, parsers, refinements, transforms, codecs, and error formatters. Use when developers: (1) ask about Zod APIs like `z.object`, `z.string`, `z.array`, `z.union`, `z.discriminatedUnion`, `parse`, `safeParse`, `z.infer`; (2) define request/response/form schemas in TypeScript; (3) handle `ZodError` or customize error messages; (4) migrate between Zod v3 and v4 (entry-point split, `formatError` → `treeifyError`/`prettifyError`, unified `error` param replacing `message`/`errorMap`). Triggers on: "zod", "z.object", "z.string", "z.array", "z.union", "z.infer", "z.input", "z.output", "ZodError", "$ZodError", "safeParse", "parseAsync", "z.codec", "treeifyError", "prettifyError", "flattenError", "discriminatedUnion", "zod/v4", "zod/v3", "zod/mini", "z.coerce", "superRefine".
workflow
Creates durable, resumable workflows using Vercel's Workflow SDK. Use when building workflows that need to survive restarts, pause for external events, retry on failure, or coordinate multi-step operations over time. Triggers on mentions of "workflow", "durable functions", "resumable", "workflow sdk", "queue", "event", "push", "subscribe", or step-based orchestration.
wpds
Use when building UIs leveraging the WordPress Design System (WPDS) and its components, tokens, patterns, etc.
wp-wpcli-and-ops
Use when working with WP-CLI (wp) for WordPress operations: safe search-replace, db export/import, plugin/theme/user/content management, cron, cache flushing, multisite, and scripting/automation with wp-cli.yml.
wp-rest-api
Use when building, extending, or debugging WordPress REST API endpoints/routes: register_rest_route, WP_REST_Controller/controller classes, schema/argument validation, permission_callback/authentication, response shaping, register_rest_field/register_meta, or exposing CPTs/taxonomies via show_in_rest.
wp-project-triage
Use when you need a deterministic inspection of a WordPress repository (plugin/theme/block theme/WP core/Gutenberg/full site) including tooling/tests/version hints, and a structured JSON report to guide workflows and guardrails.
wp-playground
Use for WordPress Playground workflows: fast disposable WP instances in the browser or locally via @wp-playground/cli (server, run-blueprint, build-snapshot), auto-mounting plugins/themes, switching WP/PHP versions, blueprints, and debugging (Xdebug).
wp-phpstan
Use when configuring, running, or fixing PHPStan static analysis in WordPress projects (plugins/themes/sites): phpstan.neon setup, baselines, WordPress-specific typing, and handling third-party plugin classes.