PHPackages thetwopct/wp-org-submission-rules - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Testing & Quality](/categories/testing) 4. / 5. thetwopct/wp-org-submission-rules ActivePhpcodesniffer-standard[Testing & Quality](/categories/testing) thetwopct/wp-org-submission-rules ================================= PHP\_CodeSniffer rules (sniffs) to enforce rules required when submitting to WordPress.org Plugin Repository v1.0.2(7mo ago)0104[3 issues](https://github.com/thetwopct/wp-org-submission-rules/issues)GPL-3.0-or-laterPHPPHP >=5.4 Since Oct 6Pushed 7mo ago1 watchersCompare [ Source](https://github.com/thetwopct/wp-org-submission-rules)[ Packagist](https://packagist.org/packages/thetwopct/wp-org-submission-rules)[ RSS](/packages/thetwopct-wp-org-submission-rules/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (3)Dependencies (1)Versions (4)Used By (0) WordPress.org-specific plugin review code sniffs ================================================ [](#wordpressorg-specific-plugin-review-code-sniffs) When submitting a plugin to the WordPress.org repo, there are several checks that the plugin review team apply to your plugin, but which are not fully covered by WordPress Coding Standards or included in the [Plugin Check (PCP)](https://wordpress.org/plugins/plugin-check/) plugin. This sniff ruleset tries to bring attention to and fix some of the checks that are missed. This is an additional ruleset you can add to [PHPCSStandards PHP\_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer/). PHP CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards, and also corrects coding standard violations. PHP\_CodeSniffer is an essential development tool that ensures your code remains clean and consistent. If you use these sniffs and indeed PHP\_CodeSniffer I would urge you to [donate](https://opencollective.com/php_codesniffer) *something* to the project as without funding it will go away and all our code will be worse off. Install ------- [](#install) The sniffs have been released on to [Packagist](https://packagist.org/packages/thetwopct/wp-org-submission-rules), so installation should be as simple as running: ``` composer require thetwopct/wp-org-submission-rules --dev ``` You can then check that the ruleset (WPOrgSubmissionRules) is now installed: ``` phpcs -i ``` You can then add it to your custom .phpcs.xml file to include in your sniffs: ``` ``` or access the standard directly from the command line as per other standards: ``` phpcs --standard=WPOrgSubmissionRules your-file.php ``` or to run over your whole code: ``` phpcs --standard=WPOrgSubmissionRules . ``` One of the rules looks for unique names of variables, and you can add a prefix in your custom rules: ``` ``` What the sniffs detect: ----------------------- [](#what-the-sniffs-detect) Here are some of the review issues from WordPress.org that these sniffs try to make sure you avoid: ### 1) Use wp\_enqueue commands [](#1-use-wp_enqueue-commands) Any inline CSS or JS is flagged via `` or `` tags. **Sniff**: `WPOrgSubmissionRules.ForbiddenTags.ForbiddenInlineTags` ### 2) Generic function/class/define/namespace/option names [](#2-generic-functionclassdefinenamespaceoption-names) All plugins must have unique function names, namespaces, defines, class and option names. This prevents your plugin from conflicting with other plugins or themes. WordPress.org expect your plugin to use unique and distinct names. **Sniff**: `WPOrgSubmissionRules.Naming.UniqueName` ### 3) Options and Transients must be prefixed [](#3-options-and-transients-must-be-prefixed) This is really important because the options are stored in a shared location and under the name you have set. If two plugins use the same name for options, they will find an interesting conflict when trying to read information introduced by the other plugin. **Sniff**: `WPOrgSubmissionRules.Naming.UniqueName` ### 4) Internationalization: Don't use variables or defines as text, context or text domain parameters [](#4-internationalization-dont-use-variables-or-defines-as-text-context-or-text-domain-parameters) In order to make a string translatable in your plugin you are using a set of special functions. These functions collectively are known as "gettext". There is a dedicated team in the WordPress community to translate and help other translating strings of WordPress core, plugins and themes to other languages. To make them be able to translate this plugin, please do not use variables or function calls for the text, context or text domain parameters of any gettext function, all of them NEED to be strings. Note that the translation parser reads the code without executing it, so it won't be able to read anything that is not a string within these functions. **Sniff**: `WPOrgSubmissionRules.Internationalization.TranslationFunctionStringLiteral` ### 5) Prefix length requirements [](#5-prefix-length-requirements) WordPress.org requires prefixes to be **at least 4 characters long**. The sniff detects short prefixes by extracting the part before the first underscore (this is dumb, but we need to play by their rules): - `ABC_For_ACF` → prefix is `ABC` (3 chars, too short ❌) - `abcfacf_save_post` → prefix is `abcfacf` (8 chars, OK ✅) **Sniff**: `WPOrgSubmissionRules.Naming.PrefixLength` ### 6) Reserved prefixes (wp\_, \_, \_\_) [](#6-reserved-prefixes-wp_-_-__) WordPress reserves certain prefixes for core functionality: - `wp_` - Reserved for WordPress core - `_` (single underscore) - Reserved for WordPress internal use - `__` (double underscore at start) - Reserved for magic methods **Sniff**: `WPOrgSubmissionRules.Naming.PrefixLength` ### 7) Security: Nonce checks required [](#7-security-nonce-checks-required) Any usage of `$_POST`, `$_GET`, or `$_REQUEST` must be accompanied by proper nonce verification using: - `wp_verify_nonce()` - `check_ajax_referer()` - `check_admin_referer()` Also warns about using these superglobals outside of functions (performance issue). **Sniff**: `WPOrgSubmissionRules.Security.NonceCheck` ### 8) Anti-pattern: function\_exists() wrapper [](#8-anti-pattern-function_exists-wrapper) Using `if (!function_exists('name')) { function name() {...} }` is an anti-pattern. If another plugin has a function with the same name and loads first, your plugin will silently fail. Use unique prefixes instead. **Sniff**: `WPOrgSubmissionRules.Naming.FunctionExistsWrapper` Active development ------------------ [](#active-development) This package is under constant development and will be updated to reflect new checks that the Plugin Team review process throws at us. If you have feedback on these sniffs and want us to add new custom sniffs, [please open an issue](https://github.com/thetwopct/wp-org-submission-rules/issues). This file can be found in our [GitHub](https://github.com/thetwopct/wp-org-submission-rules) repo. ### Health Score 31 — LowBetter than 68% of packages Maintenance64 Regular maintenance activity Popularity9 Limited adoption so far Community7 Small or concentrated contributor base Maturity36 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~183 days Total 3 Last Release 216d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/9106eb37f5fcf352f006287833966f01d3d3926d0da0f43abfa30d340cab75f6?d=identicon)[thetwopct](/maintainers/thetwopct) --- Top Contributors [![thetwopct](https://avatars.githubusercontent.com/u/10615884?v=4)](https://github.com/thetwopct "thetwopct (22 commits)") --- Tags php-codesnifferphpcsrulsetswordpresswordpress-developmentwordpress-orgwordpress-plugin-developmentwordpress-standardsphpcswordpress ### Embed Badge ![Health badge](/badges/thetwopct-wp-org-submission-rules/health.svg) ``` [![Health](https://phpackages.com/badges/thetwopct-wp-org-submission-rules/health.svg)](https://phpackages.com/packages/thetwopct-wp-org-submission-rules) ``` ### Alternatives [wp-coding-standards/wpcs PHP\_CodeSniffer rules (sniffs) to enforce WordPress coding conventions 2.7k42.5M1.6k](/packages/wp-coding-standards-wpcs)[slevomat/coding-standard Slevomat Coding Standard for PHP\_CodeSniffer complements Consistence Coding Standard by providing sniffs with additional checks. 1.5k123.5M1.8k](/packages/slevomat-coding-standard)[phpcompatibility/phpcompatibility-wp A ruleset for PHP\_CodeSniffer to check for PHP cross-version compatibility issues in projects, while accounting for polyfills provided by WordPress. 21830.6M587](/packages/phpcompatibility-phpcompatibility-wp)[phpmyadmin/coding-standard phpMyAdmin PHP\_CodeSniffer Coding Standard 201.2M7](/packages/phpmyadmin-coding-standard)[axepress/wp-graphql-cs PHP\_CodeSniffer rules (sniffs) for the WPGraphQL ecosystem. 1060.9k7](/packages/axepress-wp-graphql-cs) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)