How to Improve Custom WordPress Plugins with Plugin Check – Speckyboy

Custom plugins are part of what makes WordPress so flexible. If you need functionality that doesn’t exist in the ecosystem, you can build it yourself. That allows you to create websites that suit your needs.

Still, it’s important to get the details right. Any custom code you write should be secure and performant. It should also adhere to the guidelines set forth by WordPress. Doing so ensures your plugin works as expected and won’t cause harm.

So, how do you know if your code passes the litmus test? There’s a helpful tool that can alert you to any issues.

Plugin Check (PCP) is a plugin that performs an automated review of your code. It checks to see if your plugin uses best practices for security, internationalization, and performance. From there, it generates a report you can use to make improvements.

Plugin Check is intended to help developers meet the standards of the WordPress plugin directory. However, it’s also useful for anyone building a custom plugin for their project.

Today, we’ll show you how to use Plugin Check to review your plugin. It’s a quick and easy way to ensure quality.

Let’s Check a Homemade Plugin

I built a WordPress plugin called Handy Links Custom Dashboard Widget that (you guessed it) adds a custom widget to a site’s dashboard. I use it on client projects to provide quick access to common tasks. For example, links for adding a new post or viewing form entries. It saves them from searching through the navigation.

The code is far from a work of art. I built it with the help of AI and a few snippets I’ve collected. It works, and that makes me happy. But I’d like to improve the code.

Let’s see if Plugin Check can help. I have installed and activated it on a test site. Now, it’s time to start testing.

Step 1: Check the Custom Plugin

The first step is to run my custom plugin through Plugin Check’s interface. That can be found by navigating to Tools > Plugin Check in the WordPress admin area.

I’ll select my plugin (Handy Links Custom Dashboard Widget) from the drop-down menu. Then, I can choose from one or more types of code audits:

  • General
  • Plugin Repo
  • Security
  • Performance
  • Accessibility

I’ll go with the Plugin Repo option, as it runs an all-encompassing check. It will tell me what items to fix to match the WordPress plugin directory guidelines. That’s a great place to start.

Step 2: Analyze the Results

Plugin Check’s analysis pointed out several errors in my plugin. A few were relatively minor and located in the plugin’s readme file:

  • Plugin name header in your readme is missing or invalid. Please update your readme with a valid plugin name header. Eg: "=== Example Name ==="
  • Mismatched Stable Tag: 6.0 != 1.0
    Your Stable Tag is meant to be the stable version of your plugin, and it needs to be exactly the same as the version in your main plugin file’s header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org.
  • The “Tested up to” field was ignored. This field should only contain a valid WordPress version such as “6.7” or “6.8”.

There were also a few security-related items that caught its attention:

  • All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$widget_text'.
  • All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

The suggestion here is to escape the plugin’s output to ensure no malicious code is executed. Plugin Check links to the WordPress documentation to provide more details.

Plugin Check reported errors in my plugin's readme file, along with some security issues

Step 3: Make the Suggested Changes

Making changes requires a bit of research. Thankfully, Plugin Check reports the locations of each issue within the plugin’s code, including the line and column numbers. It also provides links to the relevant documentation.

We’ll use the suggested security fixes as an example. Plugin Check reported issues in the following spots. I’ve included the code snippets below for reference.

Before Fixing

Line 47:

<?php echo $widget_text; ?>

Line 80:

<?php _e( 'Widget Title', 'handylinks-custom-dashboard-widget' ); ?>

Line 84:

<?php _e( 'Widget Text', 'handylinks-custom-dashboard-widget' ); ?>

None of these snippets uses an escaping function, so whatever the variable or translation contains is printed as-is. That means a hacker could execute malicious code. I’ve consulted the documentation and implemented the following changes:

After Fixing

Line 47:

<?php echo wp_kses_post( $widget_text ); // Allow only the HTML that is permitted in post content. ?>

Line 80:

<?php esc_html_e( 'Widget Title', 'handylinks-custom-dashboard-widget' ); // Translate, escape HTML, then echo. ?>

Line 84:

<?php esc_html_e( 'Widget Text', 'handylinks-custom-dashboard-widget' ); // Translate, escape HTML, then echo. ?>
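The same rule applied across a whole widget, as an added example rather than code from the Handy Links plugin: each value is escaped for the context it is printed in. The `hlcdw_` function names, the `hlcdw_settings` option, and its array layout are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's real code. The hlcdw_ names and the
// 'hlcdw_settings' option layout are hypothetical.
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Block direct access outside WordPress.
}

add_action( 'wp_dashboard_setup', 'hlcdw_register_widget' );

function hlcdw_register_widget() {
	$settings = (array) get_option( 'hlcdw_settings', array() );
	$title    = ! empty( $settings['title'] ) ? $settings['title'] : __( 'Handy Links', 'handylinks-custom-dashboard-widget' );
	// Plain-text title: esc_html() encodes <, >, & and quotes.
	wp_add_dashboard_widget( 'hlcdw_widget', esc_html( $title ), 'hlcdw_render_widget' );
}

function hlcdw_render_widget() {
	$settings = (array) get_option( 'hlcdw_settings', array() );
	$text     = ! empty( $settings['text'] ) ? $settings['text'] : '';
	$links    = ! empty( $settings['links'] ) && is_array( $settings['links'] ) ? $settings['links'] : array();

	// Rich text: keep tags allowed in post content, strip <script> tags and on* attributes.
	echo '<div class="hlcdw-text">' . wp_kses_post( $text ) . '</div>';

	if ( empty( $links ) ) {
		echo '<p>';
		// Translated string: esc_html_e() translates, escapes, and echoes in one call.
		esc_html_e( 'No links have been added yet.', 'handylinks-custom-dashboard-widget' );
		echo '</p>';
		return;
	}

	echo '<ul>';
	foreach ( $links as $link ) {
		if ( empty( $link['url'] ) || empty( $link['label'] ) ) {
			continue; // Skip incomplete entries rather than print an empty anchor.
		}
		// URL context: esc_url() returns '' for disallowed schemes such as javascript:.
		// Text context: esc_html() for the visible label.
		printf(
			'<li><a href="%s">%s</a></li>',
			esc_url( $link['url'] ),
			esc_html( $link['label'] )
		);
	}
	echo '</ul>';
}
```

Wrapping `_e()` in `esc_html()` does not work, because `_e()` prints the string itself and returns nothing; use `esc_html_e()` or `echo esc_html( __( ... ) )` instead.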

Step 4: Re-Test the Plugin

I’ve made the suggested changes to my plugin. Now, it’s time to retest and see if the plugin fares better.

It’s a success! The plugin now passes muster for security and readme file formatting. That’s a relief.

Plugin Check has deemed my plugin to meet WordPress plugin repository standards

Plugin Check Ensures Quality Code

Plugin Check’s most impressive feat is its efficiency. The tool shows you where problems exist and provides background details on fixing them. You won’t waste time searching for potential issues.

The process of testing and improving my plugin took about 30 minutes. Your times may vary based on the size of your plugin and the number of issues found. Regardless, Plugin Check will help you find things you may have missed.

It’s worth making this tool a part of your WordPress development workflow. Ensuring quality code keeps your site safe and performant. That peace of mind benefits everyone!
