

Last active Jul 21, 2021
PHPCS WordPress security check
"name": "mcguffin/wp-package-security-check",
"type": "wordpress-plugin",
"license": "GPL-2.0-or-later",
"homepage": "",
"require": {
"composer/installers": "~1.2"
"require-dev": {
"squizlabs/php_codesniffer": "*",
"wp-coding-standards/wpcs": "*",
"phpcompatibility/php-compatibility": "*",
"keywords": [
"scripts": {
"post-install-cmd": [
"[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
"post-update-cmd": [
"[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
"name": "wp-package-security-check",
"version": "0.0.2",
"description": "",
"private": true,
"author": "mcguffin",
"license": "GPL-3.0-or-later",
"dependencies": {},
"devDependencies": {},
"scripts": {
"postinstall": "composer install",
"audit": "./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt || exit 0",
"audit-win": "powershell ./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt"
"repository": {},
"bugs": {}
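<?xml version="1.0"?>
<!--
  PHPCS ruleset for a security-oriented scan of a WordPress plugin or theme.
  It layers the WordPress Coding Standards categories most relevant to safety
  on top of a plain syntax check, and excludes a handful of sniffs that are
  about style rather than security.
  NOTE(review): closing </rule> and </ruleset> tags restored; the captured copy
  of this file had lost them and was not well-formed XML.
-->
<ruleset name="WordPress Security">
  <!-- Set a description for this ruleset. -->
  <description>A WordPress Ruleset to check application safety.</description>

  <!-- Basic PHP syntax check; the sniffs below cannot reason about code that does not parse. -->
  <rule ref="Generic.PHP.Syntax"/>

  <!-- Include the WordPress ruleset, with exclusions. -->
  <rule ref="WordPress.CodeAnalysis"/>
  <rule ref="WordPress.DB"/>
  <rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>

  <rule ref="WordPress.PHP">
    <!-- omit non security sniffs -->
    <!-- NOTE(review): extract() can overwrite local variables from array keys it does not
         control; consider keeping DontExtract enabled in a security-focused ruleset. -->
    <exclude name="WordPress.PHP.DontExtract"/>
    <!-- Yoda conditions are a pure style preference. -->
    <exclude name="WordPress.PHP.YodaConditions"/>
  </rule>

  <!-- The whole security category is enabled; nothing is excluded here. -->
  <rule ref="WordPress.Security"/>
  <rule ref="WordPress.Utils"/>

  <rule ref="WordPress.WP">
    <!-- i18n placeholder-ordering and literal-text sniffs are translation hygiene, not security. -->
    <exclude name="WordPress.WP.I18n.MixedOrderedPlaceholders"/>
    <exclude name="WordPress.WP.I18n.UnorderedPlaceholders"/>
    <exclude name="WordPress.WP.I18n.NonSingularStringLiteralText"/>
  </rule>
</ruleset>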



@mcguffin mcguffin commented Apr 6, 2020


You'll need Node.js and Composer.


Extract the three files into your plugin or theme directory.

On Linux / macOS, run:

npm install
npm run audit

A report is written to the file phpcs-report.txt.

On Windows, open PowerShell and install it:

npm install
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit

Create the report by running:

npm run audit

You can ignore the error that npm reports.
