Interpreting PHPCS feedback

When a code base is ready for automated scanning, the repository is checked by a PHPCS scan using the WordPress-VIP-Go standard. The initial scan will include a report that categorizes the scan’s results based on the severity of the errors and warnings the scan found.

Errors with severity level 6 and above

An ERROR with severity level 6 through 10 may indicate code that does not function as expected on VIP Go or that poses a very high security risk. This could be due to:

While some may be false positives, not addressing the valid ones in this category will likely result in a loss of functionality.

We don’t recommend fixing these errors found in third-party code like plugins and themes. Instead, consider looking for an alternative that provides the same functionality. If there isn’t an alternative that meets your needs, consider whether you truly need the code and thoroughly test its functionality if you do.

Errors at severity level 5

Code that triggers an ERROR with severity level 5 may have issues such as (but not limited to):

Especially with escaping errors, there may be false positives. The only way to know for sure is by inspecting these lines further. Errors at this level expose the site to security and performance problems.

Warnings at severity level 6 and above

Code that triggers a WARNING with severity level 6 through 10 may expose the site to performance and security problems. This includes (but is not limited to):

  • Custom database tables
  • Using $wpdb directly
  • Using wp_mail()
  • Database queries with poor performance

Warnings at severity 6 and above should be addressed to prevent poor performance and security vulnerabilities.

Warnings at severity level 5

Code that triggers a WARNING with severity level 5 may cause problems in certain circumstances, such as high traffic events. This warning level includes issues such as (but not limited to):

  • Uncached functions
  • Functions with poor performance
  • Using strip_tags
  • Tax queries

VIP recommends that warnings at severity level 5 are addressed.

Warnings at severity level 4 and under

WARNINGs with severity level 4 through 1 are triggered when the code is not adhering to VIP’s recommended best practices. This includes issues such as:

  • Including files without a full path
  • Using loose comparisons
  • Having an undefined variable
  • Not enqueuing scripts or stylesheets

These warnings will be included in the report. Addressing them will help keep the code base clean and prevent unexpected bugs or side effects.
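
One way to sort a scan's findings into the five categories above for triage. This is an added example, not code from the VIP documentation. It assumes the report was produced with PHPCS's JSON reporter (`--report=json`). The sample report is constructed, its severities are illustrative, and the `Constructed.Sample.*` source names are placeholders.

```python
import json

# (type, lowest severity, highest severity, label), in the order the page lists them.
BUCKETS = [
    ("ERROR", 6, 10, "error 6+: may not function on VIP Go / very high security risk"),
    ("ERROR", 5, 5, "error 5: security and performance problems"),
    ("WARNING", 6, 10, "warning 6+: should be addressed"),
    ("WARNING", 5, 5, "warning 5: recommended to address"),
    ("WARNING", 1, 4, "warning 1-4: best practices"),
]
UNCATEGORIZED = "not covered by the page's categories"  # e.g. an ERROR below severity 5

def bucket_for(msg_type, severity):
    """Map one PHPCS message (type + severity) to a category label."""
    for kind, low, high, label in BUCKETS:
        if msg_type == kind and low <= severity <= high:
            return label
    return UNCATEGORIZED

def triage(report_json):
    """Group every message in a PHPCS JSON report by category label."""
    grouped = {}
    for path, data in json.loads(report_json).get("files", {}).items():
        for m in data.get("messages", []):
            label = bucket_for(m.get("type", ""), int(m.get("severity", 0)))
            grouped.setdefault(label, []).append((path, m.get("line"), m.get("source")))
    return grouped

def review_order(grouped):
    """Return non-empty categories, most urgent first."""
    order = [b[3] for b in BUCKETS] + [UNCATEGORIZED]
    return [(label, grouped[label]) for label in order if label in grouped]

# Constructed sample report (paths, lines and severities are illustrative).
SAMPLE_REPORT = json.dumps({"files": {
    "themes/example/functions.php": {"messages": [
        {"type": "ERROR", "severity": 7, "line": 12, "source": "Constructed.Sample.HighSeverityError"},
        {"type": "ERROR", "severity": 5, "line": 40, "source": "WordPress.Security.EscapeOutput.OutputNotEscaped"},
        {"type": "WARNING", "severity": 3, "line": 58, "source": "WordPress.PHP.StrictComparisons.LooseComparison"}]},
    "plugins/example/db.php": {"messages": [
        {"type": "WARNING", "severity": 6, "line": 9, "source": "WordPress.DB.DirectDatabaseQuery.DirectQuery"},
        {"type": "ERROR", "severity": 3, "line": 77, "source": "Constructed.Sample.LowSeverityError"}]},
}})

if __name__ == "__main__":
    for label, items in review_order(triage(SAMPLE_REPORT)):
        print(label)
        for path, line, source in items:
            print(f"  {path}:{line}  {source}")
```

Findings that land in the last group fall outside the categories this page describes and need a manual look.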

Last updated: March 24, 2023