Interpreting a PHPCS report

PHP_CodeSniffer (PHPCS) scans that are run against WordPress application code will return a report of any identified errors and warnings and categorizes them by severity.

PHPCS scans that are performed on pull requests by the VIP Code Analysis Bot—and scans that are run manually after following the instructions to install PHPCS for WordPress VIP—will run with identical standards. These standards include the WordPress-VIP-Go standard, which is a ruleset designed to reinforce the VIP coding best practices for writing secure, performant, and future-friendly code.

Refer to the PHP_CodeSniffer Wiki for more detailed guidance on formatting and output options for PHPCS reports.

Errors with severity level 6 and above

Code that triggers a PHPCS error with severity level 6 through 10 might have a very high security risk or might not function as expected on the VIP Platform. This could be code related to:

• Filesystem writes
• Caching

Though some reported errors may be false positives, if the valid errors in this category are not addressed it will likely result in a loss of site functionality.

Attempts to address errors found in third-party code like plugins and themes is not recommended. Instead, consider looking for a plugin with similar functionality and higher code quality.

Errors at severity level 5

Code that triggers a PHPCS error with severity level 5 expose the site to security and performance problems. Some issues include:

• Incorrectly escaped output or user-provided data not sanitized
• Using an unlimited or high number of posts per page
• Using unsafe Javascript string interpretations

Some reported errors may be false positives, especially those related to escaping. Inspect the code related to the errors line by line and resolve all issues where the reported errors are valid.

Warnings at severity level 6 and above

Code that triggers a PHPCS warning with severity level 6 through 10 might expose a site to performance and security problems. Some issues include:

• Custom database tables
• Using $wpdb directly
• Using wp_mail()
• Database queries with poor performance

Warnings at severity 6 and above should be addressed to prevent poor performance and security vulnerabilities.

Warnings at severity level 5

Code that triggers a PHPCS warning with severity level 5 might cause issues in certain circumstances, such as high traffic events. Some issues include:

• Uncached functions
• Functions with poor performance
• Using strip_tags
• Tax queries

VIP recommends that all warnings at severity level 5 are addressed.

Warnings at severity level 4 and below

Code that triggers a PHPCS warning up to severity level 4 (i.e. 1 through 4) does not adhere to VIP’s recommended best practices. Some issues include:

• Including files without a full path
• Using loose comparisons
• Having an undefined variable
• Not enqueuing scripts or stylesheets

Warnings up to severity level 4 should be addressed to maintain a clean code base and prevent unexpected bugs or side effects.