
PHPCS errors

PHP_CodeSniffer (PHPCS) scans run against WordPress application code by the VIP Code Analysis Bot, and scans run manually after following the instructions to install PHPCS for WordPress VIP, use identical standards, which include the WordPress-VIP-Go standard.

The PHPCS scan will generate a report that itemizes identified errors and warnings categorized by severity.

Errors are issues that, if not fixed, may cause a site to break because of platform incompatibility, or expose it to serious performance and security problems. VIP strongly recommends resolving errors as soon as possible, preferably before the code is committed to an environment on the VIP Platform.

Some common issues reported as errors are described below.

Cache constraints

Multiple caching layers on the VIP Platform (e.g., page cache, object cache, caching of WP REST API requests) can cause operations not to work as expected.

Filesystem operations

On the VIP Platform, web servers run in read-only mode. File operations are only permitted in the /tmp/ directory, along with limited programmatic access to media files stored on the VIP File System.

Inserting HTML directly into DOM with JavaScript

To avoid XSS, refrain from inserting HTML strings directly into the document. Instead, create DOM nodes programmatically and append them to the DOM. Avoid .html(), .innerHTML, and related functions and properties; use functions such as .append(), .prepend(), .before(), and .after() instead. Read more information about JavaScript security recommendations.

Manipulating the timezone server-side

Functions such as date_default_timezone_set() are not allowed as they conflict with stats and other systems. Instead, use WordPress’s internal timezone support to obtain a local time.

Order by rand

MySQL queries that use ORDER BY RAND() are expensive and slow on large datasets. Instead, write a custom function that retrieves 100 posts and picks one at random, or use vip_get_random_posts() which performs a similar function.

Settings alteration

VIP strongly discourages using ini_set() to alter PHP settings, as well as other functions such as error_reporting() that change the configuration at runtime. Enabling error reporting in production can lead to Full Path Disclosure.

Validation, sanitization, and escaping

When writing code for the VIP Platform environment, validate, sanitize, and escape vigilantly so that data coming into WordPress is handled securely and data presented to the end user is safe.

$_GET, $_POST, $_REQUEST, $_SERVER and other data from untrusted sources (including values from the database such as post meta and options) need to be validated and sanitized as early as possible (e.g. when assigning a $_POST value to a local variable) and escaped as late as possible on output.

Nonces should be used to validate all form submissions.

Capability checks need to validate that users can take the requested actions.

The save/update handler for new admin pages, new sections, or existing core admin pages must:

  • Do a nonce check.
  • Use a nonce added to the new page or section output. For existing core admin pages, use the existing _wpnonce.
  • Check for user capability.

Escape output as late as possible, ideally at the point where it is output. This ensures that data is properly escaped and removes any ambiguity about whether the variable was escaped earlier.

In this example, the value of $title is escaped earlier in the code, requiring effort to confirm that the escaping took place:

$title = esc_html( $instance['title'] );

// Logic that sets up the widget

echo $before_title . $title . $after_title;

In this example, the code reads more clearly that $title is escaped:

$title = $instance['title'];

// Logic that sets up the widget

echo $before_title . esc_html( $title ) . $after_title;
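The following is an added example, not code from the VIP documentation, that puts the save/update handler requirements above and the escape-late rule together for a hypothetical plugin settings page. The option name, hook names, and nonce action are assumed placeholders, and the render function is assumed to be hooked to an admin menu page elsewhere.

```php
<?php
// Added example (not from the VIP docs): a save handler for a hypothetical
// custom admin page, following the nonce/capability/sanitize/escape rules above.
// 'myplugin_headline', 'myplugin_save' and 'myplugin_save_settings' are assumed names.

/**
 * Output the settings form, including the nonce the handler will check.
 */
function myplugin_render_settings_page() {
	$headline = get_option( 'myplugin_headline', '' ); // Untrusted: it comes from the database.
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save" />
		<?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
		<label for="myplugin_headline">Headline</label>
		<!-- Escape as late as possible: at the point of output, with the context-appropriate function. -->
		<input type="text" id="myplugin_headline" name="myplugin_headline"
		       value="<?php echo esc_attr( $headline ); ?>" />
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

/**
 * Handle the submission: nonce check, capability check, then sanitize early.
 */
function myplugin_handle_save() {
	// 1. Nonce check: rejects forged (CSRF) submissions.
	if ( ! isset( $_POST['myplugin_nonce'] )
		|| ! wp_verify_nonce( sanitize_key( $_POST['myplugin_nonce'] ), 'myplugin_save_settings' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// 2. Capability check: a valid nonce proves intent, not authorization.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// 3. Sanitize as early as possible, when the $_POST value is read into a local variable.
	$headline = isset( $_POST['myplugin_headline'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_headline'] ) )
		: '';
	update_option( 'myplugin_headline', $headline );

	// Redirect back to the page that submitted the form (or the dashboard if unknown).
	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
```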

Last updated: December 23, 2023
