This skill helps you apply WordPress best practices across plugins, themes, and blocks to improve security, performance, and reliability.
```bash
npx playbooks add skill jcastillotx/vibe-skeleton-app --skill wordpress-best-practices
```
Review the files below or copy the command above to add this skill to your agents.
---
name: wordpress-best-practices
description: WordPress development standards. Triggers when working with WordPress plugins, themes, hooks, REST API, or Gutenberg blocks.
trigger_patterns:
- wordpress
- wp-content
- add_action
- add_filter
- get_option
- wp_enqueue
- functions.php
auto_load_with:
- php-best-practices
- mysql-best-practices
---
# WordPress Best Practices
Comprehensive coding standards for WordPress development, optimized for AI agents and LLMs.
## Overview
This skill provides 25 rules organized across 8 categories:
1. **Security Hardening (security-)** - Output escaping, input sanitization, nonces [CRITICAL]
2. **Database Optimization (database-)** - Autoload options, transients, meta queries [HIGH]
3. **Performance (perf-)** - Asset enqueuing, lazy loading, heartbeat [HIGH]
4. **Plugin Development (plugin-)** - Prefixing, hooks, activation/deactivation [MEDIUM-HIGH]
5. **Theme Development (theme-)** - Template hierarchy, child themes, customizer [MEDIUM]
6. **REST API (api-)** - Permissions, schemas, namespacing [MEDIUM]
7. **Multisite (multisite-)** - Network admin, site switching [LOW-MEDIUM]
8. **Gutenberg/Blocks (blocks-)** - Block patterns, InnerBlocks [LOW-MEDIUM]
## Usage
Reference this skill when:
- Developing WordPress plugins
- Creating or modifying themes
- Building custom Gutenberg blocks
- Implementing REST API endpoints
- Optimizing WordPress performance
## Build
```bash
pnpm build # Compile rules to AGENTS.md
pnpm validate # Validate rule files
```
This skill documents WordPress development standards focused on security, performance, and maintainability. It organizes 25 practical rules across security, database, performance, plugin, theme, REST API, multisite, and Gutenberg areas. Use it as a concise checklist to reduce vulnerabilities, improve speed, and keep code consistent across plugins, themes, and blocks.
The skill inspects common WordPress touchpoints and recommends concrete coding patterns: escaping output, sanitizing inputs, using nonces, optimizing queries, and enqueueing assets correctly. It maps checks to contexts like plugins, themes, REST endpoints, multisite, and Gutenberg blocks so agents can surface targeted suggestions. Each rule emphasizes minimal change with measurable benefit, such as replacing expensive meta queries or moving autoloaded options to transients.
Do these rules apply to small custom sites or only public plugins?
Yes. The rules improve security and performance for any WordPress codebase, whether a custom site or a distributed plugin.
Which checks are highest priority?
Security hardening (escaping, sanitization, nonces) and database/performance optimizations (avoid autoload bloat, use transients) are highest priority because they prevent common exploits and slowdowns.
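The highest-priority checks named above (escaping, sanitization, nonces) combine in a single admin settings form as sketched below. This is an added example, not code from the skill's rule files; every `myplugin_*` name, the option key, and the settings page slug are hypothetical.

```php
<?php
// Added example. All myplugin_* identifiers are hypothetical placeholders.

// Render the form: every dynamic value is escaped for its output context,
// and a nonce field ties the submission to this user and this action.
function myplugin_render_form() {
    $label = get_option( 'myplugin_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <label>
            <?php echo esc_html__( 'Label', 'myplugin' ); ?>
            <input type="text" name="myplugin_label" value="<?php echo esc_attr( $label ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the submission routed through admin-post.php.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
    // 1. Authorization: a valid nonce does not prove the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() dies if the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // 3. Input: remove the slashes WordPress adds to superglobals, then sanitize.
    $raw   = isset( $_POST['myplugin_label'] ) ? wp_unslash( $_POST['myplugin_label'] ) : '';
    $label = sanitize_text_field( $raw );

    // 4. Storage: pass false for autoload so this option is not loaded on every request.
    update_option( 'myplugin_label', $label, false );

    // 5. Redirect only to a location on this site, then stop execution.
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
```

The order matters: the capability check and nonce check both run before any request data is read or stored, and escaping happens at output time with the function that matches the context (`esc_url` for the URL, `esc_attr` for the attribute, `esc_html__` for text).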