Plugin Check (PCP)

Description

Plugin Check is a tool for testing whether the plugin you are developing meets the requirements of the WordPress.org plugin directory. With this plugin you can run most of the checks that are used for new plugin submissions and verify that your plugin satisfies the relevant requirements.

In addition, the tool flags violations and problems against development best practices: for example, it checks the correct use of internationalization functions as well as basic requirements for accessibility, performance and security best practices.

These checks can be run from the WordPress admin UI or from WP-CLI:

  • To check a plugin from the WordPress admin, go to the Tools → Plugin Check menu. You must have permission to manage plugins on the site to access this screen.
  • To check a plugin using WP-CLI, use the wp plugin check command. For example, to check the “Hello Dolly” plugin: wp plugin check hello.php
    • Note that by default WP-CLI only runs the static checks. To include the runtime checks as well, the current workaround is to use WP-CLI's --require argument so that the cli.php file in the plugin-check directory is loaded manually before WordPress loads. Example command: wp plugin check hello.php --require=./wp-content/plugins/plugin-check/cli.php
    • You can check a plugin from any path or URL. For example, by URL: wp plugin check https://example.com/plugin.zip, or by path: wp plugin check /path/to/plugin

The checks are grouped into several categories, and you can choose which categories to run against a plugin according to your needs.

Note that this plugin does not replace the manual review process, but it can help developers speed up approval into the WordPress.org plugin directory and avoid some common mistakes.

Even if you do not intend to have your plugin hosted in the WordPress.org plugin directory, using Plugin Check is still recommended so that the plugin follows the basic requirements and best practices for WordPress plugins.

Installation

Automatic installation

  1. Go to Plugins → Add New Plugin.
  2. Search for "Plugin Check".
  3. Install and activate the Plugin Check plugin.

Manual installation

  1. Upload the plugin-check folder extracted from the plugin zip archive to the /wp-content/plugins/ directory of your site.
  2. Go to the Plugins page.
  3. Activate the Plugin Check plugin.

FAQ

Where can I contribute to this project?

All development of this plugin takes place in its GitHub repository; please file any issues or pull requests there.

What should I do if correct code in my plugin is reported as an "error" or "warning"?

We have worked hard to avoid such false positives while developing this plugin; if you encounter one, please report it in the plugin's GitHub repository. For some false positives, such as those detected by PHPCodeSniffer, developers can annotate their code to ignore a specific error on a specific line.
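The snippet below is an added illustration of that annotation approach; it is example code written for this page, not code from the Plugin Check project, and the function names, the `my-plugin` text domain and the `$order_id` parameter are hypothetical. It shows the output pattern the WordPress.Security.EscapeOutput sniff reports, the preferred fix of escaping at the point of output, and a line-level `phpcs:ignore` annotation with a recorded reason for a case judged to be a false positive. `ExceptionNotEscaped` is the sniff code quoted in the reviews further down this page; `OutputNotEscaped` is the same sniff's general code for unescaped echo output.

```php
<?php
/**
 * Added example for this page; not code from the Plugin Check project.
 * Function names and the 'my-plugin' text domain are hypothetical.
 */

// 1. What the sniff flags: a value concatenated straight into HTML output.
//    Plugin Check reports WordPress.Security.EscapeOutput.OutputNotEscaped here.
function my_plugin_render_order_unescaped( $order_id ) {
	echo '<p>Order ' . $order_id . '</p>';
}

// 2. Preferred fix: escape at the point of output. esc_html() is recognised
//    by the sniff as an escaping function, so no annotation is needed, and the
//    output stays safe even if $order_id later becomes a string.
function my_plugin_render_order_escaped( $order_id ) {
	echo '<p>Order ' . esc_html( (string) $order_id ) . '</p>';
}

// 3a. The exception pattern quoted in the reviews. The sniff cannot see that
//     the caller guarantees an int, so it reports ExceptionNotEscaped.
//     Rewriting with esc_html__() and an explicit (int) cast satisfies the
//     sniff without any annotation: it treats both as safe.
function my_plugin_classname_for_order( $order_id ) {
	throw new \Exception(
		sprintf( esc_html__( 'Could not find classname for order ID %d', 'my-plugin' ), (int) $order_id )
	);
}

// 3b. Only when the report is judged a genuine false positive: suppress that
//     one sniff code on that one line and record why after "--". Naming the
//     full sniff code keeps any other finding on the same line visible; a bare
//     "phpcs:ignore" would hide them all.
function my_plugin_classname_for_order_annotated( $order_id ) {
	$order_id = (int) $order_id;
	// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- $order_id is cast to int above and %d cannot emit markup.
	throw new \Exception( sprintf( __( 'Could not find classname for order ID %d', 'my-plugin' ), $order_id ) );
}
```

Prefer forms 2 and 3a over 3b wherever possible: an escaped form stays correct if the data type changes later, whereas an annotation silently stops being true when the surrounding code is edited. The suppression and its reason text are also part of the source a WordPress.org reviewer reads, so the justification should describe the actual guarantee, as above, rather than just silence the sniff.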

Why does this plugin flag some things as "bad"?

This plugin does not flag anything as "bad". Plugin Check is intended as a continuously improving way to test whether a plugin meets the plugin review guidelines, such as development best practices for accessibility, performance, security and other areas; not every plugin has to follow all of these guidelines. The purpose of the checks is to ensure that plugins uploaded to the central WordPress.org plugin repository meet the current standards for WordPress plugins and can run on all kinds of sites.

Many sites use custom plugins, and that is perfectly fine; but a plugin that is public and used on a large number of very different sites must have a minimum level of functionality to ensure it runs smoothly in different environments. That is why the plugin review guidelines exist.

This plugin checker is not perfect, and may never be, because it is only a tool to help plugin developers, or anyone who wants to make their plugin more robust. All plugins submitted to WordPress.org must be manually reviewed by a team of experts; the automated plugin checker is a useful tool, not an absolute measuring system.

Does a plugin need to pass every check to be approved for the WordPress.org plugin directory?

To be approved for the WordPress.org plugin directory, a plugin must pass all checks in the "Plugin Repository" category. The other checks are additional and, depending on the situation, do not all have to pass.

In any case, passing the checks this tool provides helps the review process go smoothly, but it does not guarantee that the plugin will be approved for the WordPress.org plugin directory.

Reviews

November 15, 2024
Run it on any plugin, including popular ones like Woo and you’ll see tons of nonsense “Error” messages about unescaped output. This doesn’t help anyone. These so-called error messages appear even for static text or well trusted data. Just a random example from Woo: the plugin reports “WordPress.Security.EscapeOutput.ExceptionNotEscaped” for this:

throw new \Exception( sprintf( __( 'Could not find classname for order ID %d', 'woocommerce' ), $order_id ) );

$order_id is already int, ensured by the function, and additionally %d ensures it cannot output anything dangerous. You have to either make this smart enough to find real issues or remove these nonsense messages entirely. How is this helping anyone?
October 25, 2024 · 1 reply
István Márton probably has a high opinion of himself. But this is my user experience, which I’m sharing. I’m wondering, how did we live without this plugin before?
October 3, 2024 · 1 reply
I am very impressed with this plugin. I am in the final steps of submitting a new plugin and through the approval process this has helped speed up the process. I am developing a script that will install this plugin if not already installed then run the cli tool to create a report. Eventually this will be a step in the CI/CD pipeline. cli usage can be found on the project’s GitHub project under docs/CLI.md. I got some ideas for this plugin to make it more friendly for GitHub, starting that convo with the contributors next.
September 18, 2024
Thanks, it is useful to find security issues like missed escape function or sanitization even if you do not plan on submitting the plugin to wordpress.org.
Read all 20 reviews

Contributors & Developers

The following people have contributed to the development of the open source software "Plugin Check (PCP)".

Contributors

"Plugin Check (PCP)" has been translated into 11 locales. Thank you to all translators for their contributions to this plugin.

Translate "Plugin Check (PCP)" into Traditional Chinese (Taiwan)

Interested in development?

Anyone can browse the code, look at the SVN repository, or subscribe to the development log via RSS.

Changelog

1.3.0

  • Enhancement – Update disallowed domains for Plugin URI check.
  • Enhancement – Added new checks for Plugin Header fields: missing plugin description, missing plugin version and invalid plugin version.
  • Enhancement – New check for validation of donate link in the readme file.
  • Enhancement – Increased severity for wrong Plugin Requires.
  • Enhancement – Added a check that restricts parse_str() calls without a second argument.
  • Enhancement – New check that disallows usage of HEREDOC and NOWDOC.
  • Enhancement – Added acronyms allowed in Trademark checks.
  • Enhancement – Added option in CLI to add low severity errors and warnings.
  • Enhancement – Change error type for License check error codes.
  • Enhancement – Always use prefixed tables during runtime check requests.
  • Enhancement – Created a new class for checking licenses.
  • Enhancement – Added support for MPL-2.0 license.
  • Enhancement – Implement gherkin linter in GH action.
  • Enhancement – Update check for Contributors in markdown readme files.
  • Enhancement – CLI: Fix confusing runtime environment setup order.
  • Enhancement – Allow custom checks to provide installed_paths.
  • Enhancement – Improved the use of localhost URLs in the Plugin.
  • Enhancement – Documented checks in the plugin.
  • Enhancement – Increased severity for Code obfuscation checks.
  • Enhancement – Differentiate between a non-existent readme and the default readme file.
  • Enhancement – Encourage developers to use native functions for loading images in templates.
  • Enhancement – Added a check that disallows including libraries already bundled in WordPress core.
  • Enhancement – Warning for usage of query_posts() in favor of WP_Query.
  • Fix – Ensure the local environment is set up before testing.
  • Fix – Fix addon checks not being executed when running runtime checks.
  • Fix – Allow default as a text domain in the text domain check.
  • Fix – Allow GitHub URLs in the Plugin URI field.
  • Fix – Don’t flag Apache license. It’s allowed in the WordPress.org plugin repository.
  • Fix – Remove the path before the plugin so that it does not affect the badly named files check.

1.2.0

  • Enhancement – Added a check for badly used names in files.
  • Enhancement – Increased severity for BacktickOperator, DisallowShortOpenTag, DisallowAlternativePHPTags, RestrictedClasses, and RestrictedFunctions.
  • Enhancement – Added security checks to the Plugin repository category.
  • Enhancement – Allowed runtime-set in code sniffer checks.
  • Enhancement – Changed warnings to errors in plugin header checks.
  • Enhancement – Detect forbidden plugin headers such as repository URIs in the Directory.
  • Enhancement – Added a new check for development functions that are not allowed in final plugins.
  • Enhancement – Created new images and icons for the plugin.
  • Enhancement – Introduced a slug argument in the CLI.
  • Enhancement – Added a check for discouraged PHP functions.
  • Enhancement – Added validation for Contributors in the readme file.
  • Enhancement – Added a warning for mismatched plugin names in the plugin header and readme file.
  • Enhancement – Checked for validation of Plugin Header fields: Name, Plugin URI, Description, Author URI, Requires at least, Requires PHP, and Requires Plugins.
  • Enhancement – Added a warning if the “Tested up to” value in the readme file exceeds the released version of WordPress.
  • Fix – Display a success message if no errors or warnings are found.
  • Fix – Made table results responsive.
  • Fix – Prevent proceeding to the next check if the Stable Tag value is set to trunk.
  • Fix – Allow runtime initialization even when only add-on checks are requested.
  • Fix – Fixed an SPDX warning for the GPL version 3 license.
  • Fix – Prevent runtime checks in the CLI context when they cannot be used.

1.1.0

  • Feature – New Non_Blocking_Scripts_Check (non_blocking_scripts) runtime check to warn about enqueued scripts that use neither defer nor async.
  • Enhancement – Changed the namespace of included checks.
  • Enhancement – Introduced severity levels for all errors and warnings.
  • Enhancement – CLI: Support checking a plugin from a path or URL.
  • Enhancement – Added short descriptions and URLs for each check.
  • Enhancement – Improved messaging in check results.
  • Enhancement – Updated code obfuscation check with more accurate results.
  • Enhancement – Updated plugin review check to flag missing input sanitization (WordPress.Security.ValidatedSanitizedInput).
  • Fix – Improve readme checks to exclude invalid files.
  • Fix – Only show edit link if files are actually editable.

1.0.2

  • Feature – New Enqueued_Scripts_Scope_Check (enqueued_scripts_scope), Enqueued_Styles_Size_Check (enqueued_styles_size) and Enqueued_Resources_Check (enqueued_resources) performance checks.
  • Enhancement – Improved readme check and added a new wp_plugin_check_ignored_readme_warnings filter.
  • Enhancement – New wp_plugin_check_default_categories filter to change the categories which are selected by default.
  • Enhancement – New wp_plugin_check_ignore_files filter to allow ignoring specific files.
  • Fix – Correct detection of readme files in Windows by normalizing file paths.

1.0.1

  • Fix – Add missing test-content folder needed for runtime checks.
  • Fix – Do not send emails when setting up test environment.
  • Fix – Prevent PHP warning when the argv variable isn’t set.

1.0.0

  • Feature – Complete overhaul of the plugin, its architecture, and all checks.
  • Feature – Added new WP-CLI commands for running checks and listing available options.
  • Enhancement – Added option to only run checks for a specific category.

0.2.3

  • Tweak – Use version 3.8.0 of the PHP_CodeSniffer library, moving away from squizlabs/PHP_CodeSniffer to use PHPCSStandards/PHP_CodeSniffer.
  • Fix – Ensure the plugin works as expected on the WP playground environment to enable reviewers to use PCP. Props @tellyworth.
  • Fix – Undefined array key “argv” when running the plugin check in certain environments. Props @afragen. #340

0.2.2

  • Enhancement – Include support for Windows Servers.
  • Enhancement – Avoid using PHP CLI directly, which enables plugin developers to use PCP in a variety of new environments.
  • Fix – Remove dependency on shell_exec and exec functions, which enables plugin developers to use PCP in a variety of new environments.
  • Fix – Prevent problems with Readme parser warning related to contributor_ignored for when running the check outside WP.org. Props @dev4press. #276
  • Fix – Remove extra period on the end of the sentence for Phar warning. Props @pixolin. #275

0.2.1

  • Added – ‘View in code editor’ link beneath each PHPCS error or warning. Props @EvanHerman, @westonruter, @felixarntz, @mukeshpanchal27 #262
  • Fix – Ensure readme.txt has priority over readme.md when both are present. Props @bordoni, @afragen #258
  • Fix – Ensure that the PHPCS check runs even when the PHPCS binary is not executable. Props @bordoni, @shawn-digitalpoint, @mrfoxtalbot #254
  • Fix – Readme changes and typos. Props @aaronjorbin. #261
  • Fix – Long lines of code with PHPCS check no longer expand over the size of the notice. Props @bordoni, @felixarntz. #263
  • Fix – Ensure PHP 7.2 compatibility by removing a trailing comma. Props @bordoni, @leoloso. #265
  • Fix – Include all strings that were missed in the previous release. Props @bordoni, @pixolin. #270

0.2.0

  • Feature – Enable modification of the PHP Binary path used by the plugin with PLUGIN_CHECK_PHP_BIN constant.
  • Feature – Include a check for the usage of ALLOW_UNFILTERED_UPLOADS on any PHP files – Props EvanHerman at #45
  • Feature – Include a check for the presence of application files (.a, .bin, .bpk, .deploy, .dist, .distz, .dmg, .dms, .DS_Store, .dump, .elc, .exe, .iso, .lha, .lrf, .lzh, .o, .obj, .phar, .pkg, .sh, .so) – Props EvanHerman at #43
  • Feature – Include a check for the presence of the readme.txt or readme.md file – Props EvanHerman at #42
  • Fix – Ensure that Readme parsing is included properly when a readme.md or readme.txt file is present. Props Bordoni #52
  • Tweak – Disallow functions move_uploaded_file, passthru, proc_open – Props alexsanford at #50
  • Tweak – Change the message type for using functions WordPress already includes from Warning to Error. Props davidperezgar at #18
  • Tweak – Change the message type for incorrect usage of Stable tag from Notice/Warning to Error. Props davidperezgar at #3

[0.1] 2011-09-04

Original version of the plugin check tool, not a released version of the plugin; this changelog entry is kept for historical purposes only.