diff --git a/README.md b/README.md
index 303562de2c..459adb0414 100644
--- a/README.md
+++ b/README.md
@@ -4,18 +4,16 @@
[](https://github.com/WordPress/WordPress-Coding-Standards/releases)
:construction:
[](https://packagist.org/packages/wp-coding-standards/wpcs#dev-develop)
-[](https://github.com/WordPress/WordPress-Coding-Standards/commits/develop)
[](https://github.com/WordPress/WordPress-Coding-Standards/actions/workflows/basic-qa.yml)
[](https://github.com/WordPress/WordPress-Coding-Standards/actions/workflows/unit-tests.yml)
[](https://codecov.io/gh/WordPress/WordPress-Coding-Standards?branch=develop)
[](https://packagist.org/packages/wp-coding-standards/wpcs)
-[](https://github.com/WordPress/WordPress-Coding-Standards/actions/workflows/unit-tests.yml)
+[](https://github.com/WordPress/WordPress-Coding-Standards/actions/workflows/unit-tests.yml)
[](https://github.com/WordPress/WordPress-Coding-Standards/blob/develop/LICENSE)
[](https://packagist.org/packages/wp-coding-standards/wpcs/stats)
-[](https://github.com/WordPress/WordPress-Coding-Standards/graphs/contributors)
@@ -23,11 +21,12 @@
# WordPress Coding Standards for PHP_CodeSniffer
* [Introduction](#introduction)
-* [Project history](#project-history)
+* [Minimum Requirements](#minimum-requirements)
* [Installation](#installation)
- + [Requirements](#requirements)
- + [Composer](#composer)
- + [Standalone](#standalone)
+ + [Composer Project-based Installation](#composer-project-based-installation)
+ + [Composer Global Installation](#composer-global-installation)
+ + [Updating your WordPressCS install to a newer version](#updating-your-wordpresscs-install-to-a-newer-version)
+ + [Using your WordPressCS install](#using-your-wordpresscs-install)
* [Rulesets](#rulesets)
+ [Standards subsets](#standards-subsets)
+ [Using a custom ruleset](#using-a-custom-ruleset)
@@ -35,90 +34,80 @@
+ [Recommended additional rulesets](#recommended-additional-rulesets)
* [How to use](#how-to-use)
+ [Command line](#command-line)
- + [Using PHPCS and WPCS from within your IDE](#using-phpcs-and-wpcs-from-within-your-ide)
-* [Running your code through WPCS automatically using CI tools](#running-your-code-through-wpcs-automatically-using-ci-tools)
+ + [Using PHPCS and WordPressCS from within your IDE](#using-phpcs-and-wordpresscs-from-within-your-ide)
+* [Running your code through WordPressCS automatically using Continuous Integration tools](#running-your-code-through-wordpresscs-automatically-using-continuous-integration-tools)
* [Fixing errors or ignoring them](#fixing-errors-or-ignoring-them)
- + [Tools shipped with WPCS](#tools-shipped-with-wpcs)
+ + [Tools shipped with WordPressCS](#tools-shipped-with-wordpresscs)
* [Contributing](#contributing)
* [License](#license)
+
## Introduction
This project is a collection of [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) rules (sniffs) to validate code developed for WordPress. It ensures code quality and adherence to coding conventions, especially the official [WordPress Coding Standards](https://make.wordpress.org/core/handbook/best-practices/coding-standards/).
-## Project history
-
- - On 22nd April 2009, the original project from [Urban Giraffe](https://urbangiraffe.com/articles/wordpress-codesniffer-standard/) was packaged and published.
- - In May 2011 the project was forked and [added](https://github.com/WordPress/WordPress-Coding-Standards/commit/04fd547c691ca2baae3fa8e195a46b0c9dd671c5) to GitHub by [Chris Adams](https://chrisadams.me.uk/).
- - In April 2012 [XWP](https://xwp.co/) started to dedicate resources to develop and lead the creation of the sniffs and rulesets for `WordPress-Core`, `WordPress-VIP` (WordPress.com VIP), and `WordPress-Extra`.
- - In May 2015, an initial documentation ruleset was [added](https://github.com/WordPress/WordPress-Coding-Standards/commit/b1a4bf8232a22563ef66f8a529357275a49f47dc#diff-a17c358c3262a26e9228268eb0a7b8c8) as `WordPress-Docs`.
- - In 2015, [J.D. Grimes](https://github.com/JDGrimes) began significant contributions, along with maintenance from [Gary Jones](https://github.com/GaryJones).
- - In 2016, [Juliette Reinders Folmer](https://github.com/jrfnl) began contributing heavily, adding more commits in a year than anyone else in the five years since the project was added to GitHub.
- - In July 2018, version [`1.0.0`](https://github.com/WordPress/WordPress-Coding-Standards/releases/tag/1.0.0) of the project was released.
-
-## Installation
-
-### Requirements
-
-The WordPress Coding Standards require PHP 5.4 or higher and [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) version **3.7.2** or higher.
-
-### Composer
-
-Standards can be installed with the [Composer](https://getcomposer.org/) dependency manager:
-
- composer create-project wp-coding-standards/wpcs --no-dev
-
-Running this command will:
+## Minimum Requirements
-1. Install WordPress standards into `wpcs` directory.
-2. Install PHP_CodeSniffer.
-3. Register WordPress standards in PHP_CodeSniffer configuration.
-4. Make `phpcs` command available from `wpcs/vendor/bin`.
+The WordPress Coding Standards package requires:
+* PHP 5.4 or higher with the following extensions enabled:
+ - [Filter](https://www.php.net/book.filter)
+ - [libxml](https://www.php.net/book.libxml)
+ - [Tokenizer](https://www.php.net/book.tokenizer)
+ - [XMLReader](https://www.php.net/book.xmlreader)
+* [Composer](https://getcomposer.org/)
-For the convenience of using `phpcs` as a global command, you may want to add the path to the `wpcs/vendor/bin` directory to a `PATH` environment variable for your operating system.
+For the best results, it is recommended to also ensure the following additional PHP extensions are enabled:
+ - [iconv](https://www.php.net/book.iconv)
+ - [Multibyte String](https://www.php.net/book.mbstring)
-#### Installing WPCS as a dependency
-
-When installing the WordPress Coding Standards as a dependency in a larger project, the above mentioned step 3 will not be executed automatically.
+## Installation
-There are two actively maintained Composer plugins which can handle the registration of standards with PHP_CodeSniffer for you:
-* [composer-phpcodesniffer-standards-plugin](https://github.com/higidi/composer-phpcodesniffer-standards-plugin)
-* [phpcodesniffer-composer-installer](https://github.com/DealerDirect/phpcodesniffer-composer-installer):"^0.6"
+As of WordPressCS 3.0.0, installation via Composer using the below instructions is the only supported type of installation.
-It is strongly suggested to `require` one of these plugins in your project to handle the registration of external standards with PHPCS for you.
+[Composer](https://getcomposer.org/) will automatically install the project dependencies and register the rulesets from WordPressCS and other external standards with PHP_CodeSniffer using the [Composer PHPCS plugin](https://github.com/PHPCSStandards/composer-installer).
-### Standalone
+> If you are upgrading from an older WordPressCS version to version 3.0.0, please read the [Upgrade guide for ruleset maintainers and end-users](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Upgrade-Guide-to-WordPressCS-3.0.0-for-ruleset-maintainers) first!
-1. Install PHP_CodeSniffer by following its [installation instructions](https://github.com/squizlabs/PHP_CodeSniffer#installation) (via Composer, Phar file, PEAR, or Git checkout).
+### Composer Project-based Installation
- Do ensure that PHP_CodeSniffer's version matches our [requirements](#requirements), if, for example, you're using [VVV](https://github.com/Varying-Vagrant-Vagrants/VVV).
+Run the following from the root of your project:
+```bash
+composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
+composer require --dev wp-coding-standards/wpcs:"^3.0"
+```
-2. Clone the WordPress standards repository:
+### Composer Global Installation
- git clone -b main https://github.com/WordPress/WordPress-Coding-Standards.git wpcs
+Alternatively, you may want to install this standard globally:
+```bash
+composer global config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
+composer global require --dev wp-coding-standards/wpcs:"^3.0"
+```
-3. Add its path to the PHP_CodeSniffer configuration:
+### Updating your WordPressCS install to a newer version
- phpcs --config-set installed_paths /path/to/wpcs
+If you installed WordPressCS using either of the above commands, you can upgrade to a newer version as follows:
+```bash
+# Project local install
+composer update wp-coding-standards/wpcs --with-dependencies
- **Pro-tip:** Alternatively, you can tell PHP_CodeSniffer the path to the WordPress standards by adding the following snippet to your custom ruleset:
- ```xml
-
- ```
+# Global install
+composer global update wp-coding-standards/wpcs --with-dependencies
+```
-To summarize:
+### Using your WordPressCS install
+Once you have installed WordPressCS using either of the above commands, use it as follows:
```bash
-cd ~/projects
-git clone https://github.com/squizlabs/PHP_CodeSniffer.git phpcs
-git clone -b main https://github.com/WordPress/WordPress-Coding-Standards.git wpcs
-cd phpcs
-./bin/phpcs --config-set installed_paths ../wpcs
+# Project local install
+vendor/bin/phpcs -ps . --standard=WordPress
+
+# Global install
+%USER_DIRECTORY%/Composer/vendor/bin/phpcs -ps . --standard=WordPress
```
-And then add the `~/projects/phpcs/bin` directory to your `PATH` environment variable via your `.bashrc`.
+> **Pro-tip**: For the convenience of using `phpcs` as a global command, use the _Global install_ method and add the path to the `%USER_DIRECTORY%/Composer/vendor/bin` directory to the `PATH` environment variable for your operating system.
-You should then see `WordPress-Core` et al listed when you run `phpcs -i`.
## Rulesets
@@ -131,117 +120,123 @@ You can use the following as standard names when invoking `phpcs` to select snif
* `WordPress` - complete set with all of the sniffs in the project
- `WordPress-Core` - main ruleset for [WordPress core coding standards](https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/)
- `WordPress-Docs` - additional ruleset for [WordPress inline documentation standards](https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/)
- - `WordPress-Extra` - extended ruleset for recommended best practices, not sufficiently covered in the WordPress core coding standards
+ - `WordPress-Extra` - extended ruleset with recommended best practices, not sufficiently covered in the WordPress core coding standards
- includes `WordPress-Core`
-**Note:** The WPCS package used to include a `WordPress-VIP` ruleset and associated sniffs, prior to WPCS 2.0.0.
-The `WordPress-VIP` ruleset was originally intended to aid with the [WordPress.com VIP coding requirements](https://docs.wpvip.com/technical-references/code-review/), but has been superseded. It is recommended to use the [official VIP coding standards](https://github.com/Automattic/VIP-Coding-Standards) ruleset instead for checking code against the VIP platform requirements.
-
### Using a custom ruleset
-If you need to further customize the selection of sniffs for your project - you can create a custom ruleset file. When you name this file either `.phpcs.xml`, `phpcs.xml`, `.phpcs.xml.dist` or `phpcs.xml.dist`, PHP_CodeSniffer will automatically locate it as long as it is placed in the directory from which you run the CodeSniffer or in a directory above it. If you follow these naming conventions you don't have to supply a `--standard` arg. For more info, read about [using a default configuration file](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Advanced-Usage#using-a-default-configuration-file). See also provided [`phpcs.xml.dist.sample`](phpcs.xml.dist.sample) file and [fully annotated example](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Annotated-ruleset.xml) in the PHP_CodeSniffer documentation.
+If you need to further customize the selection of sniffs for your project - you can create a custom ruleset file.
+
+When you name this file either `.phpcs.xml`, `phpcs.xml`, `.phpcs.xml.dist` or `phpcs.xml.dist`, PHP_CodeSniffer will automatically locate it as long as it is placed in the directory from which you run the CodeSniffer or in a directory above it. If you follow these naming conventions you don't have to supply a `--standard` CLI argument.
+
+For more info, read about [using a default configuration file](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Advanced-Usage#using-a-default-configuration-file). See also the provided WordPressCS [`phpcs.xml.dist.sample`](phpcs.xml.dist.sample) file and the [fully annotated example ruleset](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Annotated-ruleset.xml) in the PHP_CodeSniffer documentation.
### Customizing sniff behaviour
-The WordPress Coding Standard contains a number of sniffs which are configurable. This means that you can turn parts of the sniff on or off, or change the behaviour by setting a property for the sniff in your custom `.phpcs.xml.dist` file.
+The WordPress Coding Standard contains a number of sniffs which are configurable. This means that you can turn parts of the sniff on or off, or change the behaviour by setting a property for the sniff in your custom `[.]phpcs.xml[.dist]` file.
+
+You can find a complete list of all the properties you can change for the WordPressCS sniffs in the [wiki](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Customizable-sniff-properties).
+
+WordPressCS also uses sniffs from PHPCSExtra and from PHP_CodeSniffer itself.
+The [README for PHPCSExtra](https://github.com/PHPCSStandards/PHPCSExtra) contains information on the properties which can be set for the sniff from PHPCSExtra.
+Information on custom properties which can be set for sniffs from PHP_CodeSniffer can be found in the [PHP_CodeSniffer wiki](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Customisable-Sniff-Properties).
-You can find a complete list of all the properties you can change in the [wiki](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Customizable-sniff-properties).
### Recommended additional rulesets
+#### PHPCompatibility
+
The [PHPCompatibility](https://github.com/PHPCompatibility/PHPCompatibility) ruleset and its subset [PHPCompatibilityWP](https://github.com/PHPCompatibility/PHPCompatibilityWP) come highly recommended.
-The [PHPCompatibility](https://github.com/PHPCompatibility/PHPCompatibility) sniffs are designed to analyse your code for cross-PHP version compatibility.
+The [PHPCompatibility](https://github.com/PHPCompatibility/PHPCompatibility) sniffs are designed to analyse your code for cross-version PHP compatibility.
The [PHPCompatibilityWP](https://github.com/PHPCompatibility/PHPCompatibilityWP) ruleset is based on PHPCompatibility, but specifically crafted to prevent false positives for projects which expect to run within the context of WordPress, i.e. core, plugins and themes.
Install either as a separate ruleset and run it separately against your code or add it to your custom ruleset, like so:
```xml
-
+
*\.php$
```
-Whichever way you run it, do make sure you set the `testVersion` to run the sniffs against. The `testVersion` determines for which PHP versions you will receive compatibility information. The recommended setting for this at this moment is `5.6-` to support the same PHP versions as WordPress Core supports.
+Whichever way you run it, do make sure you set the `testVersion` to run the sniffs against. The `testVersion` determines for which PHP versions you will receive compatibility information. The recommended setting for this at this moment is `7.0-` to support the same PHP versions as WordPress Core supports.
For more information about setting the `testVersion`, see:
* [PHPCompatibility: Sniffing your code for compatibility with specific PHP version(s)](https://github.com/PHPCompatibility/PHPCompatibility#sniffing-your-code-for-compatibility-with-specific-php-versions)
* [PHPCompatibility: Using a custom ruleset](https://github.com/PHPCompatibility/PHPCompatibility#using-a-custom-ruleset)
+#### VariableAnalysis
+
+For some additional checks around (undefined/unused) variables, the [`VariableAnalysis`](https://github.com/sirbrillig/phpcs-variable-analysis/) standard is a handy addition.
+
+#### VIP Coding Standards
+
+For those projects which deploy to the WordPress VIP platform, it is recommended to also use the [official WordPress VIP coding standards](https://github.com/Automattic/VIP-Coding-Standards) ruleset.
+
+
## How to use
### Command line
Run the `phpcs` command line tool on a given file or directory, for example:
-
- phpcs --standard=WordPress wp-load.php
+```bash
+vendor/bin/phpcs --standard=WordPress wp-load.php
+```
Will result in following output:
+```
+--------------------------------------------------------------------------------
+FOUND 6 ERRORS AND 4 WARNINGS AFFECTING 5 LINES
+--------------------------------------------------------------------------------
+ 36 | WARNING | error_reporting() can lead to full path disclosure.
+ 36 | WARNING | error_reporting() found. Changing configuration values at
+ | | runtime is strongly discouraged.
+ 52 | WARNING | Silencing errors is strongly discouraged. Use proper error
+ | | checking instead. Found: @file_exists( dirname(...
+ 52 | WARNING | Silencing errors is strongly discouraged. Use proper error
+ | | checking instead. Found: @file_exists( dirname(...
+ 75 | ERROR | Overriding WordPress globals is prohibited. Found assignment
+ | | to $path
+ 78 | ERROR | Detected usage of a possibly undefined superglobal array
+ | | index: $_SERVER['REQUEST_URI']. Use isset() or empty() to
+ | | check the index exists before using it
+ 78 | ERROR | $_SERVER['REQUEST_URI'] not unslashed before sanitization. Use
+ | | wp_unslash() or similar
+ 78 | ERROR | Detected usage of a non-sanitized input variable:
+ | | $_SERVER['REQUEST_URI']
+ 104 | ERROR | All output should be run through an escaping function (see the
+ | | Security sections in the WordPress Developer Handbooks), found
+ | | '$die'.
+ 104 | ERROR | All output should be run through an escaping function (see the
+ | | Security sections in the WordPress Developer Handbooks), found
+ | | '__'.
+--------------------------------------------------------------------------------
+```
- ------------------------------------------------------------------------------------------
- FOUND 8 ERRORS AND 10 WARNINGS AFFECTING 11 LINES
- ------------------------------------------------------------------------------------------
- 24 | WARNING | [ ] error_reporting() can lead to full path disclosure.
- 24 | WARNING | [ ] error_reporting() found. Changing configuration at runtime is rarely
- | | necessary.
- 37 | WARNING | [x] "require_once" is a statement not a function; no parentheses are
- | | required
- 39 | WARNING | [ ] Silencing errors is discouraged
- 39 | WARNING | [ ] Silencing errors is discouraged
- 42 | WARNING | [x] "require_once" is a statement not a function; no parentheses are
- | | required
- 46 | ERROR | [ ] Inline comments must end in full-stops, exclamation marks, or
- | | question marks
- 46 | ERROR | [x] There must be no blank line following an inline comment
- 49 | WARNING | [x] "require_once" is a statement not a function; no parentheses are
- | | required
- 54 | WARNING | [x] "require_once" is a statement not a function; no parentheses are
- | | required
- 63 | WARNING | [ ] Detected access of super global var $_SERVER, probably needs manual
- | | inspection.
- 63 | ERROR | [ ] Detected usage of a non-validated input variable: $_SERVER
- 63 | ERROR | [ ] Missing wp_unslash() before sanitization.
- 63 | ERROR | [ ] Detected usage of a non-sanitized input variable: $_SERVER
- 69 | WARNING | [x] "require_once" is a statement not a function; no parentheses are
- | | required
- 74 | ERROR | [ ] Inline comments must end in full-stops, exclamation marks, or
- | | question marks
- 92 | ERROR | [ ] All output should be run through an escaping function (see the
- | | Security sections in the WordPress Developer Handbooks), found
- | | '$die'.
- 92 | ERROR | [ ] All output should be run through an escaping function (see the
- | | Security sections in the WordPress Developer Handbooks), found '__'.
- ------------------------------------------------------------------------------------------
- PHPCBF CAN FIX THE 6 MARKED SNIFF VIOLATIONS AUTOMATICALLY
- ------------------------------------------------------------------------------------------
-
-### Using PHPCS and WPCS from within your IDE
-
-* **PhpStorm** : Please see "[PHP Code Sniffer with WordPress Coding Standards Integration](https://confluence.jetbrains.com/display/PhpStorm/WordPress+Development+using+PhpStorm#WordPressDevelopmentusingPhpStorm-PHPCodeSnifferwithWordPressCodingStandardsIntegrationinPhpStorm)" in the PhpStorm documentation.
-* **Sublime Text** : Please see "[Setting up WPCS to work in Sublime Text](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Setting-up-WPCS-to-work-in-Sublime-Text)" in the wiki.
-* **Atom**: Please see "[Setting up WPCS to work in Atom](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Setting-up-WPCS-to-work-in-Atom)" in the wiki.
-* **Visual Studio**: Please see "[Setting up PHP CodeSniffer in Visual Studio Code](https://tommcfarlin.com/php-codesniffer-in-visual-studio-code/)", a tutorial by Tom McFarlin.
-* **Eclipse with XAMPP**: Please see "[Setting up WPCS when using Eclipse with XAMPP](https://github.com/WordPress/WordPress-Coding-Standards/wiki/How-to-use-WPCS-with-Eclipse-and-XAMPP)" in the wiki.
-
-
-## Running your code through WPCS automatically using CI tools
+### Using PHPCS and WordPressCS from within your IDE
+
+The [wiki](https://github.com/WordPress/WordPress-Coding-Standards/wiki) contains links to various in- and external tutorials about setting up WordPressCS to work in your IDE.
+
+
+## Running your code through WordPressCS automatically using Continuous Integration tools
- [Running in GitHub Actions](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Running-in-GitHub-Actions)
- [Running in Travis](https://github.com/WordPress/WordPress-Coding-Standards/wiki/Running-in-Travis)
+
## Fixing errors or ignoring them
You can find information on how to deal with some of the more frequent issues in the [wiki](https://github.com/WordPress/WordPress-Coding-Standards/wiki).
-### Tools shipped with WPCS
+### Tools shipped with WordPressCS
-Since version 1.2.0, WPCS has a special sniff category `Utils`.
+Since version 1.2.0, WordPressCS has a special sniff category `Utils`.
This sniff category contains some tools which, generally speaking, will only be needed to be run once over a codebase and for which the fixers can be considered _risky_, i.e. very careful review by a developer is needed before accepting the fixes made by these sniffs.
The sniffs in this category are disabled by default and can only be activated by adding some properties for each sniff via a custom ruleset.
-At this moment, WPCS offer the following tools:
+At this moment, WordPressCS offer the following tools:
* `WordPress.Utils.I18nTextDomainFixer` - This sniff can replace the text domain used in a code-base.
The sniff will fix the text domains in both I18n function calls as well as in a plugin/theme header.
Passing the following properties will activate the sniff: