Interpreting PHPCS feedback

When a code base is ready for automated scanning, the repository is checked by a PHPCS scan using the WordPress-VIP-Go standard. The initial scan will include a report that categorizes the scan’s results based on the severity of the errors and warnings the scan found.

Errors with severity level 6 and above

An ERROR with severity level 6 through 10 may indicate code that may not function on VIP Go as expected or pose a very high security risk. This could be due to:

• Filesystem writes
• Caching

While some may be false positives, not addressing the valid ones in this category will likely result in a loss of functionality.

We don’t recommend fixing these errors found in third-party code like plugins and themes. Instead, consider looking for an alternative that provides the same functionality. If there isn’t an alternative that meets your needs, consider whether you truly need the code and thoroughly test its functionality if you do.

Errors at severity level 5

Code that triggers an ERROR with severity level 5 may have issues such as (but not limited to):

• Incorrectly escaped output or user-provided data not sanitized
• Using an unlimited or high number of posts per page
• Using unsafe Javascript string interpretations

Especially with escaping errors, there may be false positives. The only way to know for sure is by inspecting these lines further. Errors at this level expose the site to security and performance problems.

Warnings at severity level 6 and above

Code that triggers a WARNING with severity level 6 through 10 may expose the site to performance and security problems. This includes (but is not limited to):

• Custom database tables
• Using $wpdb directly
• Using wp_mail()
• Database queries with poor performance

Warnings at severity 6 and above should be addressed to prevent poor performance and security vulnerabilities.

Warnings at severity level 5

Code that triggers a WARNING with severity level 5 may cause problems in certain circumstances, such as high traffic events. This warning level includes issues such as (but not limited to):

• Uncached functions
• Functions with poor performance
• Using strip_tags
• Tax queries

VIP recommends that warnings at severity level 5 are addressed.

Warnings at severity level 4 and under

WARNINGs with severity level 4 through 1 are triggered when the code is not adhering to VIP’s recommended best practices. This includes issues such as:

• Including files without a full path
• Using loose comparisons
• Having an undefined variable
• Not enqueuing scripts or stylesheets

These warnings will be included in the report. Addressing them will help keep the code base clean and prevent unexpected bugs or side effects.