wp-plugin-development_skill

This skill helps you develop secure, maintainable WordPress plugins by guiding architecture, hooks, settings, migrations, and packaging.
  • JavaScript

159

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill automattic/agent-skills --skill wp-plugin-development

  • SKILL.md3.9 KB

Overview

This skill helps develop and harden WordPress plugins across architecture, lifecycle hooks, admin UI, data handling, security, cron/tasks, and release packaging. It focuses on predictable structure, safe activation/deactivation/uninstall, Settings API usage, and secure input/output handling. Use it to ensure plugins are maintainable, upgrade-safe, and ready for release.

How this skill works

The skill inspects plugin entry points and identifies the main bootstrap file and hook registrations. It evaluates structure (loader patterns, admin vs frontend separation), lifecycle hooks, settings implementation, data storage choices, cron tasks, and security controls (nonces, capabilities, sanitization/escaping). It also verifies activation behavior, settings persistence, uninstall cleanup, and build/release readiness.

When to use it

  • Creating or refactoring plugin structure and bootstrap patterns
  • Adding or auditing actions, filters, and lifecycle hooks
  • Implementing settings pages and managing options via the Settings API
  • Hardening security: nonces, capability checks, sanitization, escaping, SQL safety
  • Designing data storage, cron tasks, migrations, and upgrade routines
  • Preparing a plugin release: build artifacts, readme, and packaging

Best practices

  • Keep a single main bootstrap file that registers a loader or main class and avoid heavy side effects during file load
  • Register activation/deactivation/uninstall hooks at top level and write safe, idempotent upgrade routines
  • Use the Settings API (register_setting, add_settings_section/field) and sanitize inputs via callbacks
  • Always validate and sanitize input early; escape output late; enforce nonces and capability checks for any state-changing actions
  • Prefer WP options for small data; use custom tables only when justified and track schema version for migrations
  • Make cron tasks idempotent and expose manual run paths (WP-CLI or admin) for debugging

Example use cases

  • Refactor a plugin to use a loader class and defer admin-only code behind admin hooks
  • Add a settings page using the Settings API with proper sanitize callbacks and capability checks
  • Implement activation migration that creates a custom table and stores a schema version for future upgrades
  • Audit a plugin for security issues: missing nonces, direct use of $_POST/$_GET, and unsafe SQL concatenation
  • Package a release: build JS/CSS assets, update readme and changelog, and ensure activation runs without errors

FAQ

Activate the plugin (single and network if applicable), save settings, run any cron tasks or upgrade routines, and run lint/tests and asset builds if present.

When should I use a custom table instead of options?

Use a custom table only when data volume or query complexity cannot be handled efficiently by options or post/meta APIs; always provide schema versioning and migrations.

How to avoid activation hook failures?

Register hooks at top-level in the main plugin file, ensure the main plugin path is correct, and account for network-activation differences.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
wp-plugin-development skill by automattic/agent-skills | VeilStrat