Guide to WordPress Plugin Development Rules & Best Practices

Have you got an amazing solution that can solve common problems WordPress users face? If yes, then creating a plugin will be the best idea to monetize your skills and contribute to the WordPress community.

WordPress aims to provide a safe place for all users, regardless of whether they are developers or from a non-technical background. To put everyone on an equal footing, WordPress has created guidelines for developers. You need to follow these guidelines to get approval for your idea.

In this blog, we will discuss the essential rules for developing a WordPress plugin and the best practices expert WordPress developers follow. So, let’s begin.

Why You Should Follow WordPress Plugin Development Rules

Following WordPress plugin development rules isn’t just about ticking boxes—it’s essential for both developers and users. When you create a plugin, you’re contributing to the massive WordPress ecosystem, and there are a few key reasons why sticking to the guidelines matters.

1. Ensure Plugin Security: WordPress prioritizes security, and so should you. The guidelines help you write secure code, reducing the chances of vulnerabilities like SQL injection or cross-site scripting (XSS). If your plugin isn’t secure, it could easily be hacked, putting user data at risk. Sticking to the rules ensures your code is safe for everyone.
2. Build Trust with Users: WordPress has a huge community of developers and users. When you follow the rules, your plugin is more likely to gain the trust of this community. If users know your plugin adheres to WordPress standards, they’ll feel safer installing it, which can lead to better reviews and higher downloads.
3. Avoid Plugin Removal: Violating WordPress guidelines can lead to serious consequences. If your plugin doesn’t meet their standards, it can be removed from the Plugin Directory, and in some cases, it may not be restored. This could mean losing all your hard-earned reviews and user base. Repeated violations can even get you banned, which means no more hosting plugins on WordPress.org.
4. Maintain Compatibility: WordPress constantly updates its platform, and following the development guidelines ensures your plugin stays compatible with the latest versions. Ignoring these rules could result in your plugin breaking or causing issues for users, which is bad for your reputation as a developer.
5. Foster Community Respect: By adhering to the community, forums, and plugin directory guidelines, you contribute to a healthy and respectful environment. This fosters good relationships with other developers, users, and WordPress moderators. Plus, keeping your contact information updated and responding promptly shows professionalism and responsibility.

Rules to Follow for WordPress Plugin Development

Did you know that WordPress powers more than 40% of the web? It has become the best CMS for businesses.

With great power comes great responsibility, and that’s why WordPress has established a set of rules for plugin development. If your plugin doesn’t comply with these rules, it will not get approval from the review team, and your efforts will go in vain.

Let’s explore these rules one by one to improve your approval chances.

1. GPL Compatibility

Rule: Plugins must be compatible with the GNU(General Public License).

Details to consider:

• The recommended license is “GPLv2 or later”.
• All code, data, and images in the plugin directory must comply with GPL or a GPL-Compatible license.
• Third-party libraries must also be compatible.

Why It Matters: This rule ensures that WordPress remains true to its open-source roots. It allows for collaboration, modification, and sharing within the community, fostering innovation and improvement.

2. Developer Responsibility

Rule: Developers are responsible for the contents and actions of their plugins.

Details to consider:

• Developers must ensure all files comply with guidelines.
• Intentionally circumventing guidelines or restoring removed code is prohibited.
• Developers must confirm the licensing of all included files and comply with third-party service terms.

Why It Matters: This rule emphasizes the importance of due diligence and ethical development. It protects users from potentially harmful or non-compliant code.

3. Stable Version Availability

Rule: A stable version of a plugin must be available from its WordPress Plugin Directory page.

Details to consider:

• The directory version should be up-to-date.
• Distributing code via alternate methods without keeping the directory version updated may result in removal.

Why It Matters: This ensures users can always access a reliable version of your plugin, maintaining trust in the WordPress ecosystem.

4. Human-readable Code

Rule: Code must be human-readable.

Details to consider:

• Obscuring code through techniques like p,a,c,k,e,r or uglify’s mangle is not permitted.
• Developers must provide the public with maintained access to their source code and build tools.

Why It Matters: This promotes code transparency, easier debugging, and community collaboration. It’s a safeguard against hidden, malicious code.

5. No Trialware

Rule: Trialware is not allowed.

Details to consider:

• Plugins cannot contain functionality that is restricted or locked behind payment.
• Functionality cannot be disabled after a trial period or quota.
• Sandbox-only access to APIs and services is not allowed.

Why It Matters: This ensures that users have access to full functionality from the start, promoting a fair and open plugin ecosystem.

6. Software as a Service

Rule: You can offer software as a service.

Details to consider:

• Plugins can interface with external third-party services, even paid ones.
• The service must provide substantial functionality and be clearly documented.
• Certain practices, like moving code to create a false service, are prohibited.

Why It Matters: SaaS allows for integration with valuable external services while maintaining the integrity of the WordPress plugin system.

7. User Consent for Tracking

Rule: Plugins should not track users without their consent.

Details to consider:

• Explicit and authorized consent is required, usually via opt-in.
• Documentation on data collection and use should be included in the readme.
• Certain practices, like automated data collection or misleading users, are prohibited.

Why It Matters: This protects user privacy and builds trust in the WordPress ecosystem.

8. No External Executable Code

Rule: Plugins should not send executable code via third-party systems.

Details to consider:

• All communication must be made as securely as possible.
• Practices like serving updates from non-WordPress.org servers or calling third-party CDNs (except for fonts) are prohibited.

Why It Matters: This rule significantly enhances the security of WordPress sites by preventing potential vectors for malicious code injection.

9. Ethical Development

Rule: Developers and their plugins must not do anything illegal, dishonest, or morally offensive.

Details to consider:

• Prohibited practices include keyword stuffing, fake reviews, sockpuppeting, and more.
• Violations of the WordPress.org Community Code of Conduct, WordCamp Code of Conduct, or Forum Guidelines are not allowed.

Why It Matters: This rule maintains the integrity of the WordPress community and protects users from unethical practices.

10. Optional External Links

Rule: Plugins should not embed external links or credits on the public site without explicitly asking the user’s permission.

Details to consider:

• All “Powered By” or credit displays must be optional and default to not show.
• Plugins cannot require credit or links to function.

Why It Matters: This respects the user’s control over their site’s appearance and prevents unwanted advertising.

11. Admin Dashboard Etiquette

Rule: Plugins should not hijack the admin dashboard.

Details to consider:

• Upgrade prompts and notices must be limited and used sparingly.
• Error messages must include resolution information and self-dismiss when resolved.
• Advertising within the dashboard should be avoided or limited.

Why It Matters: This maintains a clean, uncluttered admin experience for users, enhancing usability.

12. No readme Spam

Rule: Public-facing pages on WordPress.org (readme.txt) must not be spam.

Details to consider:

• Unnecessary affiliate links, excessive tags, and keyword stuffing are prohibited.
• readme.txt should be written for people, not bots.

Why It Matters: This ensures that plugin descriptions are useful for users and maintains the integrity of the plugin directory.

13. Use WordPress Libraries

Rule: Plugins must use WordPress’ default libraries.

Details to consider:

• Plugins must use the versions of libraries packaged with WordPress, not include their own.

Why It Matters: This ensures compatibility and security across the WordPress ecosystem.

14. Mindful Commit Frequency

Rule: Frequent commits to a plugin should be avoided.

Details to consider:

• The SVN repository is for releases, not development.
• Commits should have descriptive messages.

Why It Matters: This prevents unnecessary strain on the system and maintains the integrity of update notifications.

15. Version Number Increments

Rule: Plugin version numbers must be incremented for each new release.

Details to consider:

• The trunk readme.txt must always reflect the current version.

Why It Matters: This ensures users are properly notified of updates.

16. Complete Plugin at Submission

Rule: A complete plugin must be available at the time of submission.

Details to consider:

• Names cannot be “reserved” for future use.

Why It Matters: This prevents cluttering the directory with incomplete or non-functional plugins.

17. Respect Trademarks and Copyrights

Rule: Plugins must respect trademarks, copyrights, and project names.

Details to consider:

• Use of trademarks or project names as the sole or initial term of a plugin slug is prohibited without legal ownership/representation.

Why It Matters: This ensures legal compliance and respects the intellectual property of others in the community.

Best Practices to Follow for WordPress Plugin Development

Now that you know the basic rules for WordPress plugin development, you might be ready to get started.

If you want your WordPress plugin to be a hit, you need to follow some tried-and-true best practices. This section will guide you through the essential steps, from crafting a solid strategy and adhering to coding standards, to ensuring security and using advanced features like AJAX.

Stick with these best practices to create a plugin that stands out and delivers a great user experience.

1. Plan Your Plugin Development Clearly

Before diving into WordPress plugin development, having a clear strategy is essential. Without a solid plan, your efforts can go to waste. Start by identifying the pain points of your target audience and developing solutions that genuinely address their needs.

Here’s a quick checklist to guide your strategy:

• Is my plugin meant for everyday use or just a demo?
• Am I developing it for community contribution, self-promotion, or income generation?
• Can I provide ongoing support to users?
• Are there existing plugins that already solve the problem?

It’s important to stand out. Your plugin should bring something new to the table that existing plugins fail to deliver. Users won’t install your plugin if it doesn’t provide clear value or enhance their website’s functionality.

Your plugin needs to have a unique selling point (USP) and be easy to market. It should improve the website’s usability and offer a simple solution to a complex problem. A well-defined strategy ensures that you can create and promote your plugin successfully.

2. Implement WordPress Coding Standards

Following WordPress Coding Standards is crucial to ensure that your plugin is clean, readable, and maintainable. Since WordPress is developed by a global community, adhering to these standards helps everyone understand your code, making it easier for others to contribute, debug, and improve.

WordPress provides detailed standards for CSS, HTML, JavaScript, and PHP. Abiding by these guidelines enhances code consistency and reduces common errors. For instance, clear formatting, proper indentation, informative variable names, and well-placed comments make a huge difference.

Here’s a comparison to illustrate this:

Less readable code

function parsefile($imagedata,$file){
if(!in_array($imagedata['mime'], array('image/jpeg','image/png','image/gif'))){
  $result['error']='Your image must be a jpeg, png or gif!';
  }elseif(($file['size']>200000)){
  $result['error']='Your image was '.$file['size'].' bytes! It must not exceed '.MAX_UPLOAD_SIZE.' bytes.';
  }
  return $result;
}

Improved version

/* 
processes the uploaded image, checking against file type and file size 
*/
function parse_file($image_data, $file){
  if(!in_array($image_data['mime'], unserialize(TYPE_WHITELIST))){
    $result['error'] = 'Your image must be a jpeg, png or gif!';
  } elseif($file['size'] > MAX_UPLOAD_SIZE) {
    $result['error'] = 'Your image was ' . $file['size'] . ' bytes! It must not exceed ' . MAX_UPLOAD_SIZE . ' bytes.';
  }
  return $result;
}

Notice the clear spacing, indentation, and proper commenting. Following these standards not only makes your code easier to understand but also simplifies future edits and debugging.

3. Optimize Namespacing in Your Plugin Code

WordPress plugins can be developed using either standalone functions or classes. If you choose to use functions, be mindful of the global namespace, where your functions can conflict with others. For example, a generic function like plugin_init might already exist in another plugin, causing issues.

To avoid conflicts, you can prefix your function names with something unique, like the initials of your plugin name. For example, if your plugin is called “My Great Plugin,” you could prefix all your functions with mgp_ to avoid collisions.

A better solution is to structure your plugin as a class. This ensures that all your functions are namespaced under the class name, allowing you to use shorter, more common method names without worrying about conflicts. For example:

class my_class {
  function hello_world() {
    return 'Hello World!';
  }
  
  function goodbye_world() {
    return 'Goodbye World!';
  }
}

You can then access these methods under their own namespace:

$my_new_plugin = new my_class();
echo $my_new_plugin->hello_world();
echo $my_new_plugin->goodbye_world();

Using classes ensures cleaner, more modular code, preventing function name conflicts and improving code organization.

4. Prioritize Security

Security is one of the most crucial aspects of WordPress plugin development, yet it’s often neglected. Don’t make this mistake—your plugin’s security is vital for protecting your users and their data. Here are some key practices to ensure your plugin is secure:

Sanitize Inputs and Escape Outputs

Always sanitize any input data and escape output data to prevent malicious code from being injected or executed. WordPress provides several functions to help with this:

• esc_url, esc_url_raw – for URLs
• esc_attr – for attributes
• esc_html – for HTML content
• esc_textarea – for textareas

If you’re using wp_insert_post or $wpdb->insert, WordPress automatically sanitizes the data for you. But if you’re working with raw SQL queries (like $wpdb->get_results), always use wpdb->prepare to prevent SQL injection. For example:

Instead of:

$admin_posts = $wpdb->get_results("SELECT ID, post_title FROM $wpdb->posts WHERE post_status = 'publish' AND post_author = 1");

You should use:

$admin_posts = $wpdb->get_results($wpdb->prepare(
  "SELECT ID, post_title FROM $wpdb->posts WHERE post_status = %s AND post_author = %d", 
  'publish', 1
));

Here, %s is a placeholder for a string (‘publish’), and %d is a placeholder for a number (1). This ensures that the data passed into the query is safe.

Use Nonces for Form and URL Verification

To ensure that your WordPress site generated a form or URL and not an attacker, you need to use nonces (a number used once). For forms, you can generate a nonce field using wp_nonce_field, which adds a hidden field to your form:

wp_nonce_field('my_nonce', 'my_nonce_submit');

Then, when the form is submitted, verify the nonce using wp_verify_nonce:

wp_verify_nonce($_POST['my_nonce_submit'], 'my_nonce');

If you’re working with URLs (for example, links in emails), use wp_nonce_url to generate a secure, nonced URL:

$nonced_url = wp_nonce_url('http://my_site.com?action=register&id=123456', 'register_nonce');

This will create a URL with a nonce, like:

http://my_site.com?action=register&id=123456&_wpnonce=250d696dc6

You can verify this URL using check_admin_referer:

if ($_GET['action'] == 'register') {
  if (check_admin_referer('register_nonce')) {
    if (verify_id($_GET['id'])) {
      echo 'Registration verified!';
    }
  } else {
    echo 'Registration verification FAILED!';
  }
}

5. Use Web Services Efficiently

Accessing external web services can be tricky, but WordPress provides an easy way to handle this with the HTTP API. It helps you make remote requests using the most efficient method available, ensuring your plugin works smoothly.

For example, to fetch remote data, use wp_remote_get:

$page_data = wp_remote_get('http://site.com/page');
if ($page_data['response']['code'] == 200) {
  $body = $page_data['body'];
}

To send data (like logging into a service), use wp_remote_post:

$args = array(
  'login'    => 'login_name',
  'password' => 'my_password'
);
$response = wp_remote_post('http://site.com/login', $args);

By using these WordPress functions, you ensure that your plugin handles web services efficiently, with minimal risk of failure.

6. Clean Up Your Plugin’s Data on Deactivation

When users deactivate and delete your plugin, it’s essential that you clean up any settings, options, or custom tables created during activation. Deactivating the plugin only stops it from running, but deleting it should remove any data it left behind.

You can handle this by creating an uninstall.php file. When the user deletes the plugin, WordPress will automatically run the code inside this file to perform a cleanup:

if (defined('WP_UNINSTALL_PLUGIN')) {
  // Delete options, custom tables, or anything else created by your plugin
}

By adding this, you ensure that no unnecessary data lingers in the database after your plugin is removed.

7. Use WP_DEBUG to Catch Errors

WordPress Debug is a powerful feature that should be enabled while you’re writing the plugin code. It helps you catch errors and troubleshoot issues, ensuring that your plugin works reliably. To enable it, add these lines to your wp-config.php file:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);

WP_DEBUG will catch different types of errors:

• Notices: Minor, non-critical issues.
• Warnings: Problems that won’t break the plugin but need fixing.
• Fatal Errors: Critical errors that will stop your plugin from working.
• Parse Errors: Syntax issues.

By enabling logging (WP_DEBUG_LOG), you can also store these errors for future reference, which is helpful for long-term troubleshooting. After you finish development, remember to turn off WP_DEBUG to avoid unnecessary notifications on the live site.

8. Enhance Your Plugin with AJAX

AJAX (Asynchronous JavaScript and XML) is a powerful tool that allows you to update content on a page without needing to reload the entire page. When you’re developing a WordPress plugin, integrating AJAX can significantly improve both functionality and user experience.

Using AJAX, you can make your plugin more interactive and dynamic. For example, users can:

• Modify content
• Add images
• Embed files

All of this happens in the background, without the need for a page refresh. This creates a seamless experience for the user, who won’t even notice that the content has been updated.

Why Use AJAX in WordPress Plugins?

• Improved User Experience: Since AJAX eliminates the need for full-page reloads, it leads to faster content updates and smoother browsing, resulting in better user retention and conversion rates.
• Streamlined Content Editing: AJAX allows for real-time editing of content on the page, making content management faster and easier.
• Reduced Server Load: By only loading the necessary content instead of the whole page, AJAX reduces the strain on your server, which can speed up page load times and improve overall performance.

WordPress also has built-in support for AJAX, which makes it highly compatible with plugins. This means you can smoothly integrate AJAX into your WordPress plugin without needing complex workarounds. Many professional WordPress developers and companies use AJAX in plugins rather than embedding it directly into the code, as it ensures better security and functionality.

By implementing AJAX, you not only enhance your plugin’s performance but also give users a more dynamic and enjoyable experience on their WordPress site.

FAQs on WordPress Plugin Development Rules & Best Practices

Conclusion

Building a WordPress plugin is both a challenge and an opportunity. By starting with a solid plan and sticking to WordPress coding standards, you set yourself up for success. Remember to:

• Plan Ahead: Define your plugin’s purpose and make sure it stands out.
• Follow Coding Standards: Keep your code clean and consistent for easier maintenance.
• Prioritize Security: Sanitize inputs, escape outputs and use nonces to protect your users.
• Leverage AJAX: Improve user experience by updating content dynamically without page reloads.
• Clean Up: Ensure your plugin doesn’t leave behind unnecessary data when deleted.
• Use Debugging Tools: Enable WP_DEBUG to spot and fix issues early in development.

With these practices in mind, you’ll not only create a functional plugin but one that’s secure, efficient, and user-friendly. Dive in, follow these steps, and watch your plugin make a positive impact on WordPress sites everywhere.

If you need help, our WordPress development experts are here to guide you through every step of the process.