Skip to content

Instantly share code, notes, and snippets.

@mcguffin
Last active Jul 21, 2021
Embed
What would you like to do?
PHPCS WordPress security check
{
"name": "mcguffin/wp-package-security-check",
"type": "wordpress-plugin",
"license": "GPL-2.0-or-later",
"homepage": "https://gist.github.com/mcguffin/255909d4d7fcc241fe63363012553268",
"require": {
"composer/installers": "~1.2"
},
"require-dev": {
"squizlabs/php_codesniffer": "*",
"wp-coding-standards/wpcs": "*",
"phpcompatibility/php-compatibility": "*",
"pheromone/phpcs-security-audit":"*"
},
"keywords": [
"plugin",
"wordpress",
"security"
],
"scripts": {
"post-install-cmd": [
"[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
],
"post-update-cmd": [
"[ -f vendor/bin/phpcs ] && \"vendor/bin/phpcs\" --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit || true"
]
}
}
{
"name": "wp-package-security-check",
"version": "0.0.2",
"description": "",
"private": true,
"author": "mcguffin",
"license": "GPL-3.0-or-later",
"dependencies": {},
"devDependencies": {},
"scripts": {
"postinstall": "composer install",
"audit": "./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt || exit 0",
"audit-win": "powershell ./vendor/squizlabs/php_codesniffer/bin/phpcs . --report=code --standard=./phpcs-security.ruleset.xml -n -s > ./phpcs-report.txt"
},
"repository": {},
"bugs": {}
}
<?xml version="1.0"?>
<ruleset name="WordPress Security">
<!-- Set a description for this ruleset. -->
<description>A WordPress Ruleset to check application safety.</description>
<exclude-pattern>assets/*</exclude-pattern>
<exclude-pattern>node_modules/*</exclude-pattern>
<exclude-pattern>test/*</exclude-pattern>
<exclude-pattern>vendor/*</exclude-pattern>
<exclude-pattern>*.min.js</exclude-pattern>
<exclude-pattern>js/*.js</exclude-pattern>
<exclude-pattern>css/*.css</exclude-pattern>
<rule ref="Generic.PHP.Syntax"/>
<!-- Include the WordPress ruleset, with exclusions. -->
<rule ref="WordPress.CodeAnalysis">
</rule>
<rule ref="WordPress.DB">
</rule>
<rule ref="WordPress.NamingConventions.PrefixAllGlobals"/>
<rule ref="WordPress.PHP">
<!-- omit non security sniffs -->
<exclude name="WordPress.PHP.DontExtract"/>
<exclude name="WordPress.PHP.YodaConditions"/>
</rule>
<rule ref="WordPress.Security">
</rule>
<rule ref="WordPress.Utils">
</rule>
<rule ref="WordPress.WP">
<exclude name="WordPress.WP.I18n.MixedOrderedPlaceholders"/>
<exclude name="WordPress.WP.I18n.UnorderedPlaceholders"/>
<exclude name="WordPress.WP.I18n.NonSingularStringLiteralText"/>
</rule>
</ruleset>
@mcguffin

This comment has been minimized.

Copy link
Owner Author

@mcguffin mcguffin commented Apr 6, 2020

Depedencies

You'll need node and composer

Usage

Extract the three files in your plugin or theme directory

On Linux / macOS run

npm install
npm run audit

A report is being created in file phpcs-report.txt

On WIndows open a powershell and install it:

npm install
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs,vendor/pheromone/phpcs-security-audit

Create the report by running:

npm run audit

You can ignore the error npm is giving you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment