WordPress coding standards enforcement for AI-assisted development.
WP Coding Standards is a Spec Kit extension that enforces the official WordPress Coding Standards throughout AI-assisted development workflows.
It reviews specifications, plans, task lists, and implementations against a chosen WordPress standards profile and produces:
- standards violation reports
- structured fix tasks
- profile-aware constitution governance
- per-category rule enforcement (Security, DB, NamingConventions, WP, PHP, Docs)
It answers one question throughout delivery:
Does this code comply with the WordPress coding standards we agreed on?
AI-generated WordPress code often:
- skips nonce verification on form submissions
- uses raw `$wpdb->query()` instead of `$wpdb->prepare()`
- outputs unescaped data to HTML
- uses deprecated WordPress functions
- omits the project-specific function prefix
- misses `@since` tags and inline documentation
- reads `$_GET`/`$_POST` directly without sanitization
Each issue looks small. Across a plugin or theme, they compound into security vulnerabilities, rejection from the WordPress.org Plugin Directory, and non-compliance with VIP hosting requirements.
WP Coding Standards detects these issues early and converts them into structured, prioritized fix tasks.
The extension maps directly to the official WPCS ruleset hierarchy:
| Profile | Based On | Use When |
|---|---|---|
| `wordpress-core` | WordPress-Core | Formatting and PHP style only |
| `wordpress` | WordPress (full) | Standard plugin/theme development |
| `wordpress-docs` | WordPress-Docs | Inline documentation standards |
| `wordpress-vip` | Custom | WordPress VIP Go platform hosting |
**`wordpress-core`**
- PHP tags, indentation, braces, whitespace
- Array formatting and alignment
- Yoda conditions
- String concatenation
- Class and function spacing
**`wordpress`** (includes Core, plus)
- EscapeOutput — all output must use `esc_html()`, `esc_attr()`, `esc_url()`, etc.
- NonceVerification — nonces required before processing `$_GET`/`$_POST`
- ValidatedSanitizedInput — sanitize all input at system boundaries
- SafeRedirect — use `wp_safe_redirect()` to avoid open redirects
- PreparedSQL — `$wpdb->prepare()` required for all queries
- DirectDatabaseQuery — flag direct `$wpdb->query()` without prepare
- SlowDBQuery — flag `posts_per_page=-1`, `suppress_filters`, `meta_query` without index hints
- PrefixAllGlobals — all functions, hooks, classes must use the project prefix
- ValidFunctionName/ValidHookName — enforce naming conventions
- DeprecatedFunctions/DeprecatedClasses — block use of deprecated WP APIs
- Capabilities — verify capability checks on all privileged operations
- I18n — all user-facing strings must be translation-ready
- YodaConditions — enforce Yoda-style comparisons
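As an added illustration (not code from the WP Coding Standards extension or from the WPCS package), the PHP below shows an admin form handler in the shape the "AI-generated WordPress code often" list above describes, followed by the same handler rewritten to satisfy the `wordpress` profile's Security, DB, NamingConventions, Docs and YodaConditions rules. The prefix `myplugin_`, the `{$wpdb->prefix}notes` table, the nonce action name, the text domain and the settings page slug are assumed values.

```php
<?php
/**
 * Added example: one admin form handler before and after the `wordpress`
 * profile rules. Prefix, table, nonce action, text domain and page slug
 * are assumed for illustration.
 */

// BEFORE: the shape AI assistants frequently produce. It trips
// NonceVerification, ValidatedSanitizedInput, PreparedSQL, EscapeOutput,
// SafeRedirect, Capabilities, DeprecatedFunctions and PrefixAllGlobals,
// and carries no @since documentation.
function save_note() {
	global $wpdb, $current_user;
	get_currentuserinfo();                                  // deprecated since WP 4.5
	$title = $_POST['title'];                               // raw, unsanitized input
	$id    = $_POST['id'];                                  // raw, unsanitized input
	$wpdb->query( "UPDATE {$wpdb->prefix}notes SET title = '$title' WHERE id = $id" ); // SQL built by interpolation
	echo '<p>Saved: ' . $title . '</p>';                    // unescaped output
	wp_redirect( $_POST['redirect_to'] );                   // redirect target taken from the request
	exit;
}
add_action( 'admin_post_save_note', 'save_note' );

// AFTER: the same handler written to the profile.

/**
 * Handles the "save note" admin form submission.
 *
 * @since 1.0.0
 *
 * @return void
 */
function myplugin_save_note() {
	global $wpdb;

	// Capabilities: only users allowed to edit posts may reach the write path.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), 403 );
	}

	// NonceVerification: dies unless the form carried a valid nonce.
	check_admin_referer( 'myplugin_save_note', 'myplugin_nonce' );

	// ValidatedSanitizedInput + YodaConditions: unslash and sanitize at the boundary.
	$title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
	$id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	if ( '' === $title || 0 === $id ) {
		wp_die( esc_html__( 'Missing title or id.', 'myplugin' ), 400 );
	}

	// PreparedSQL: placeholders for every value; $wpdb->prefix is the only interpolation.
	$wpdb->query(
		$wpdb->prepare(
			"UPDATE {$wpdb->prefix}notes SET title = %s WHERE id = %d",
			$title,
			$id
		)
	);

	// SafeRedirect: wp_safe_redirect() only honors same-host or allow-listed destinations.
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url( 'admin.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save_note', 'myplugin_save_note' );

/**
 * Prints the confirmation notice on the settings screen.
 *
 * @since 1.0.0
 *
 * @param string $title Title that was saved.
 * @return void
 */
function myplugin_render_saved_notice( $title ) {
	// I18n + EscapeOutput: translatable string, escaped at the point of output.
	printf(
		'<div class="notice notice-success"><p>%s</p></div>',
		esc_html(
			sprintf(
				/* translators: %s: note title */
				__( 'Saved: %s', 'myplugin' ),
				$title
			)
		)
	);
}
```

The "after" handler sanitizes on the way in and escapes on the way out rather than storing escaped data, which is the split the EscapeOutput and ValidatedSanitizedInput sniffs assume; the `admin_post_` hook name and the function name both carry the prefix so PrefixAllGlobals and ValidHookName are satisfied together.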
**`wordpress-docs`** (adds)
- File-level PHPDoc headers
- Function and method `@since`, `@param`, `@return` tags
- Class and interface documentation
- Hook documentation (`@see`, `@param` for action/filter callbacks)
**`wordpress-vip`** (adds VIP Go platform rules)
- No direct database queries — use VIP helper functions
- No `$_SESSION` usage
- No `file_get_contents()` on remote URLs — use `vip_safe_wp_remote_get()`
- No `sleep()` or `usleep()` in request paths
- No `switch_to_blog()` without `restore_current_blog()`
- Batched write operations required for bulk data mutations
- Object cache required for repeated expensive queries
- Elasticsearch required for search — no direct `WP_Query` full-text search
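An added example, not code from the extension or from WordPress VIP, of the patterns three of the `wordpress-vip` rules above ask for: an expensive query served from the object cache with a bounded `posts_per_page`, a `switch_to_blog()` that is always paired with `restore_current_blog()` even when the callback throws, and a bulk write performed in batches. The prefix, cache group, cache TTL, batch size and meta key are assumed; `vip_reset_local_object_cache()` is a VIP platform helper and is only called when it exists.

```php
<?php
/**
 * Added example of wordpress-vip-friendly patterns. Prefix, cache group,
 * TTL, batch size and meta key are assumed values.
 */

/**
 * Returns aggregate counts, served from the object cache when it is warm.
 *
 * @since 1.0.0
 *
 * @return array<string,int>
 */
function myplugin_get_report_counts() {
	$cache_key = 'report_counts';
	$counts    = wp_cache_get( $cache_key, 'myplugin' );
	if ( false !== $counts ) {
		return $counts; // Object cache hit: no query runs.
	}

	// SlowDBQuery: posts_per_page is bounded, never -1, and no row counting.
	$query = new WP_Query(
		array(
			'post_type'              => 'post',
			'post_status'            => 'publish',
			'posts_per_page'         => 100,
			'fields'                 => 'ids',
			'no_found_rows'          => true,
			'update_post_meta_cache' => false,
			'update_post_term_cache' => false,
		)
	);
	$counts = array( 'published' => count( $query->posts ) );

	wp_cache_set( $cache_key, $counts, 'myplugin', 5 * MINUTE_IN_SECONDS );
	return $counts;
}

/**
 * Runs a callback on another site and always restores the current blog.
 *
 * @since 1.0.0
 *
 * @param int      $blog_id  Site to switch to.
 * @param callable $callback Work to perform on that site.
 * @return mixed Whatever the callback returns.
 */
function myplugin_with_blog( $blog_id, callable $callback ) {
	switch_to_blog( $blog_id );
	try {
		return $callback();
	} finally {
		// Paired restore runs even if the callback throws.
		restore_current_blog();
	}
}

/**
 * Updates a meta value on many posts in fixed-size batches.
 *
 * @since 1.0.0
 *
 * @param int[]  $post_ids Posts to update.
 * @param string $value    New meta value.
 * @return int Number of posts updated.
 */
function myplugin_bulk_update_flag( array $post_ids, $value ) {
	$updated = 0;
	foreach ( array_chunk( $post_ids, 50 ) as $batch ) {
		foreach ( $batch as $post_id ) {
			update_post_meta( $post_id, 'myplugin_flag', $value );
			$updated++;
		}
		// VIP helper (assumed present on the platform): drop the per-request
		// local cache between batches so memory does not grow with the loop.
		if ( function_exists( 'vip_reset_local_object_cache' ) ) {
			vip_reset_local_object_cache();
		}
	}
	return $updated;
}
```

Note that the batch loop deliberately contains no `sleep()` or `usleep()` call; on VIP, long-running mutations belong in WP-CLI commands or cron rather than request paths, and pacing is done by batch size, not by sleeping.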
Install the extension, then initialize it in your project:

```shell
specify extension add wp-coding-standards
```

```
/speckit.wp-coding-standards.init
```

This creates `.specify/memory/wp-standards-constitution.md` with your active profile, project prefix, minimum WordPress/PHP versions, and project type.

Then review the current artifacts and turn confirmed violations into fix tasks:

```
/speckit.wp-coding-standards.review
/speckit.wp-coding-standards.apply
```
| Command | Phase | Output | When To Use |
|---|---|---|---|
| `init` | Setup | `wp-standards-constitution.md` | Once at project start; rerun to change profile |
| `review` | Validation | Violations report with severity and fix guidance | After `/plan`, `/tasks`, or `/implement` |
| `violation-detection` | Detection | Quick violations scan | Focused check during planning or task generation |
| `apply` | Fix Planning | Structured fix tasks injected into `tasks.md` | After violations are confirmed |
Install by name, from a release archive, or from a local checkout for development:

```shell
specify extension add wp-coding-standards
specify extension add wp-coding-standards --from \
  https://github.com/WPBoilerplate/spec-kit-wp-coding-standards/archive/refs/tags/v1.0.0.zip
specify extension add --dev /path/to/spec-kit-wp-coding-standards
```
Example `review` output:

```markdown
# WP Coding Standards Review
## Profile
- Active Profile: wordpress
- Project Prefix: myplugin_
- Min WordPress: 6.4
- Min PHP: 8.0
## Violations
| ID | Category | Rule | Severity | Location | Summary |
|----|----------|------|----------|----------|---------|
| V1 | Security | EscapeOutput | CRITICAL | admin/views/settings.php:42 | Unescaped output — wrap $title in esc_html() |
| V2 | Security | NonceVerification | CRITICAL | includes/ajax-handler.php:15 | $_POST read without nonce check |
| V3 | DB | PreparedSQL | CRITICAL | includes/db.php:88 | Query interpolation — use $wpdb->prepare() |
| V4 | NamingConventions | PrefixAllGlobals | HIGH | includes/helpers.php:12 | format_date() missing prefix myplugin_ |
## Summary
- Profile Compliance: 61%
- Critical Violations: 3
- High Violations: 1
- Recommended Next Step: Run /speckit.wp-coding-standards.apply
```

Architecture Guard — handles structural boundary enforcement. WP Coding Standards focuses on language-level and WordPress-API-level rules. Together they cover both structural governance and standards compliance.
Security Review — handles deep security analysis. WP Coding Standards flags surface-level sniffs (EscapeOutput, NonceVerification, ValidatedSanitizedInput). Security Review handles the deeper threat model.
This extension does not run PHPCS or require it to be installed. It provides AI-assisted enforcement of the same rules defined in the official WordPress Coding Standards package. It is complementary to — not a replacement for — running phpcs in CI.
MIT — see LICENSE.