PHP_CodeSniffer (PHPCS) scans that are run against WordPress application code by the VIP Code Analysis Bot—or scans that are run manually after following the instructions to install PHPCS for WordPress VIP—will run with identical standards that include the
The PHPCS scan will generate a report that itemizes identified errors and warnings categorized by severity.
Errors are issues that, if not fixed, may cause a site to break because of platform incompatibilities, or may expose the site to serious performance and security problems. VIP strongly recommends resolving errors as soon as possible, preferably before they are committed to an environment on the VIP Platform.
Some common issues reported as errors are described below.
On the VIP Platform, web servers run in read-only mode. File operations are only allowed in the /tmp/ directory, plus limited programmatic access to interact with media files stored on the VIP File System.
To avoid XSS, refrain from inserting HTML directly into the document. Instead, DOM nodes should be programmatically created and appended to the DOM. Avoid .innerHTML() and other related functions. Instead, use functions such as
Manipulating the timezone server-side
Functions such as date_default_timezone_set() are not allowed because they conflict with stats and other systems. Instead, use WordPress's internal timezone support to obtain a local time.
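The flagged pattern beside the WordPress-native alternative, as an added example that is not part of the VIP documentation. It assumes WordPress 5.3 or later, where wp_timezone(), current_datetime() and wp_date() are available; the function names prefixed vip_example_ are illustrative.

```php
<?php
/**
 * Added example, not VIP's own code: producing a site-local time without
 * changing the process-wide timezone.
 */

// Flagged by the scan: date_default_timezone_set() mutates state for every
// later call in this request, which is why it conflicts with stats systems.
function vip_example_local_time_bad() {
    date_default_timezone_set( 'America/New_York' ); // do not do this on VIP
    return date( 'Y-m-d H:i:s' );
}

// Preferred: ask WordPress for the site's configured timezone and format with it.
function vip_example_local_time_good( $utc_timestamp = null ) {
    // DateTimeZone built from the Settings > General timezone option.
    $site_tz = wp_timezone();

    if ( null === $utc_timestamp ) {
        // current_datetime() already carries the site timezone.
        return current_datetime()->format( 'Y-m-d H:i:s' );
    }

    // Formatting a stored UTC timestamp (e.g. derived from post_date_gmt) for display.
    return wp_date( 'Y-m-d H:i:s', (int) $utc_timestamp, $site_tz );
}

// Converting a UTC datetime string for display, leaving the server timezone untouched.
function vip_example_convert_utc_string( $utc_datetime ) {
    $dt = new DateTimeImmutable( $utc_datetime, new DateTimeZone( 'UTC' ) );
    return $dt->setTimezone( wp_timezone() )->format( DATE_ATOM );
}
```

Both "good" functions read the timezone from the site option on every call, so a change made in the dashboard takes effect without any code touching PHP's default timezone.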
Order by rand
MySQL queries that use ORDER BY RAND() are expensive and slow on large datasets. Instead, write a custom function that retrieves 100 posts and picks one at random, or use vip_get_random_posts(), which performs a similar function.
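The custom-function approach the text describes, as an added example that is not part of the VIP documentation: one bounded query for recent post IDs, cached briefly, with the random pick made in PHP. The transient key, post type and function names are illustrative.

```php
<?php
/**
 * Added example, not VIP's own code: replacing ORDER BY RAND() with a
 * bounded query plus an application-side random choice.
 */

// Flagged by the scan: MySQL assigns a random value to every matching row and sorts them all.
function vip_example_random_post_bad() {
    $q = new WP_Query( array(
        'post_type'      => 'post',
        'orderby'        => 'rand',   // this is the expensive part
        'posts_per_page' => 1,
    ) );
    return $q->posts ? $q->posts[0] : null;
}

// Preferred: fetch the 100 most recent published IDs (cheap, cacheable), then pick locally.
function vip_example_random_post_good( $post_type = 'post' ) {
    $cache_key = 'vip_example_recent_ids_' . $post_type; // illustrative key
    $ids       = get_transient( $cache_key );

    if ( false === $ids ) {
        $q = new WP_Query( array(
            'post_type'              => $post_type,
            'post_status'            => 'publish',
            'posts_per_page'         => 100,
            'fields'                 => 'ids',   // IDs only, no full rows
            'no_found_rows'          => true,    // skip SQL_CALC_FOUND_ROWS
            'update_post_meta_cache' => false,
            'update_post_term_cache' => false,
        ) );
        $ids = $q->posts;
        set_transient( $cache_key, $ids, 5 * MINUTE_IN_SECONDS );
    }

    if ( empty( $ids ) ) {
        return null;
    }

    // The randomness happens in PHP with wp_rand(); the database never sorts randomly.
    $chosen_id = $ids[ wp_rand( 0, count( $ids ) - 1 ) ];
    return get_post( $chosen_id );
}
```

The ID list is small enough to cache, so under load the database sees at most one indexed query every five minutes instead of a full random sort per page view.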
VIP strongly discourages using ini_set() to alter PHP settings, as well as other functions such as error_reporting() that change a script's configuration at runtime. Error reporting that is enabled in production can lead to Full Path Disclosure.
Validation, sanitization, and escaping
When writing code for the VIP Platform environment, use validating, sanitizing, and escaping vigilantly to present data to the end user and handle data incoming to WordPress securely.
$_SERVER and other data from untrusted sources (including values from the database such as post meta and options) need to be validated and sanitized as early as possible (e.g. when assigning a $_POST value to a local variable) and escaped as late as possible on output.
Nonces should be used to validate all form submissions.
Capability checks need to validate that users can take the requested actions.
The save/update handler for new admin pages, new sections, or existing core admin pages must:
- Do a nonce check.
- Use a nonce added to the new page or section output. For existing core admin pages, use the existing
- Check for user capability.
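A minimal settings page whose save handler performs the checks listed above, as an added example that is not part of the VIP documentation. It sanitizes the incoming $_POST value at the moment it is assigned and escapes the stored option only as it is output. The option name, nonce action, capability and vip_example_ function names are illustrative choices.

```php
<?php
/**
 * Added example, not VIP's own code: a settings page with nonce output,
 * nonce check, capability check, early sanitization and late escaping.
 */

const VIP_EXAMPLE_OPTION = 'vip_example_tagline';      // illustrative option name
const VIP_EXAMPLE_ACTION = 'vip_example_save_tagline'; // illustrative nonce action

add_action( 'admin_menu', function () {
    add_options_page( 'Tagline', 'Tagline', 'manage_options', 'vip-example-tagline', 'vip_example_render_page' );
} );

// Save handler: runs on admin_init, before any output, so it can redirect afterwards.
add_action( 'admin_init', function () {
    if ( ! isset( $_POST['vip_example_submit'] ) ) {
        return;
    }

    // Capability check: the user must be allowed to take the requested action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'vip-example' ), '', array( 'response' => 403 ) );
    }

    // Nonce check: dies with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( VIP_EXAMPLE_ACTION, '_vip_example_nonce' );

    // Sanitize as early as possible: the raw $_POST value is never kept around.
    $tagline = isset( $_POST['vip_example_tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['vip_example_tagline'] ) )
        : '';

    update_option( VIP_EXAMPLE_OPTION, $tagline );

    wp_safe_redirect( admin_url( 'options-general.php?page=vip-example-tagline&updated=1' ) );
    exit;
} );

function vip_example_render_page() {
    // Option values count as untrusted data: escape them at output, not earlier.
    $tagline = get_option( VIP_EXAMPLE_OPTION, '' );
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Tagline', 'vip-example' ); ?></h1>
        <form method="post">
            <?php wp_nonce_field( VIP_EXAMPLE_ACTION, '_vip_example_nonce' ); // nonce added to the page output ?>
            <label for="vip_example_tagline"><?php esc_html_e( 'Site tagline', 'vip-example' ); ?></label>
            <input type="text" id="vip_example_tagline" name="vip_example_tagline"
                   value="<?php echo esc_attr( $tagline ); ?>">
            <?php submit_button( __( 'Save', 'vip-example' ), 'primary', 'vip_example_submit' ); ?>
        </form>
    </div>
    <?php
}
```

wp_unslash() runs before sanitize_text_field() because WordPress adds slashes to request data; escaping uses esc_attr() inside the attribute and esc_html_e() in element content, matching each output context rather than a single generic function.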
Escape output as late as possible, ideally at the point where it is output. This ensures that data is properly escaped and removes any ambiguity about whether the variable was previously validated.
In this example, the value of $title is escaped earlier in the code, requiring effort to confirm that the escaping took place:

```php
$title = esc_html( $instance['title'] );
// Logic that sets up the widget
echo $before_title . $title . $after_title;
```
In this example, the code reads more clearly that $title is escaped:

```php
$title = $instance['title'];
// Logic that sets up the widget
echo $before_title . esc_html( $title ) . $after_title;
```
Last updated: November 15, 2023