Planning
- Scope and Limitations Documentation (Primary Developers)
- Scope boundaries / Limitations
Third-Party Services/APIs
- Insufficient Documentation: Identify any gaps or inadequacies in the API documentation, such as unclear instructions or incomplete examples, and their potential impact on integration.
- Lack of Support: Note the availability and effectiveness of support services, including response times and support channels, communities and how this may affect issue resolution and implementation reliability.
Data Access Restrictions: Outline any limitations on accessing specific data fields or types, as well as privacy constraints for sensitive information.
- Sandbox availability: Outline limitations of development environment or sandbox.
- Rate Limits: Document the maximum number of API requests allowed within specific time periods, and any burst request limitations.
- Usage Limits: Detail any daily or monthly usage caps, and how quotas are managed across different user levels or subscription plans.
- Authentication and Authorization: Specify the authentication mechanisms required (e.g., OAuth, API keys) and any scope limitations that affect available actions.
- API Changes and Deprecations: Include information on the frequency of updates, changes to API endpoints or data structures, and policies regarding deprecated versions.
- Throttling and Blacklisting: Define any mechanisms for rate throttling and policies for blacklisting IP addresses or users who violate terms of service.
- Data Freshness and Syncing: Describe any restrictions on the frequency of data refreshes and synchronization processes.
- Feature Access: Specify any limitations on access to advanced features or endpoints based on user plans or API versions.
- Performance Issues: Widgets may affect page load times due to reliance on external resources.
- Security Concerns: Specify Potential risks related to the exposure of user data to external services.
Server Configuration
- Missing Extensions: Document the necessary server extensions that are not typically available by default on most servers.
Library and Framework Updates
- Insufficient Documentation: Same as of APIs.
- Lack of Support: Same as for APIs.
- Upgradation Complexity: Is upgrading library or framework bulking up the plugin? impacting plugin stability and downloads?
- Geographical Restrictions: Note any geographic limitations on access and data residency requirements based on jurisdictional regulations.
- Compliance and Regulatory Constraints of plugin and third party APIs: Highlight requirements for compliance with regulations such as GDPR, HIPAA, or CCPA, including logging and reporting obligations.
- Any other constraints that may impact the development process (e.g., budget, time).
Plugin Name
- Choose a clear, unique, and memorable name for your plugin that reflects purpose and aligns with your brand.
- Keep it simple and easy to remember.
- It must not contain any copyrighted brand names like WordPress, WP, WooCommerce, WC, Stripe etc.
- Check availability of plugin name according to WordPress naming Guideline.
- Check the availability of the corresponding domain name.
- Check plugin name conflicts using Plugin Check (PCP) this plugin before submit to approval for WordPress.org
Plan Architecture
Plugin Boilerplate: Refer Plugin Boilerplate SOP for more information
Segment Modules
- Reports / Dashboard
- Layout / Settings Module: Includes options for layout customization, user preferences, and any other settings necessary for optimal usage.
- Data Display and Reports: Display data in tables or charts for better visualization.
Settings Management
- Utilize Settings API: Leverage the WordPress Settings API to manage the settings page efficiently.
- Tabbing Layout: Group related settings together and use tooltips, clear labels and descriptions.
- Export and Import Mechanism
- Identify Exportable Settings: Determine which settings within your plugin should be exportable.
- Define Export Format: Json, xml and eg.
User Feedback and Support: Include settings for users to provide feedback, report issues, and access support resources directly within the plugin interface.
- Feedback Form or Modal: Create a feedback form or modal dialog within your plugin’s admin interface or settings page.
- In-Plugin Notifications: Display occasional notifications or prompts asking users for feedback.
- Integration with Support Channels: Provide a direct link to a feedback form or survey in support emails or on your support forum.
Feedback Collection Best Practices:
- Ensure feedback forms are easy to access and use, with clear instructions.
- Respect user privacy and provide options to opt-out of feedback requests.
- Regularly review and analyze feedback to identify trends and prioritize improvements.
Donation: Donation Option for Free Plugins
- One time / Subscription options: Provide single or monthly payment options for donation.
Licensing
- Currently we are using a GPL license. However, planning to move towards a professional license. In Progress.
- Third party licencing examples:
- https://easydigitaldownloads.com/downloads/software-licensing/
- https://freemius.com/
- Status
- System Status: Display system status as of wordpress site health wp-admin/site-health.php
- Error Logs: Display error logs & debug information within the dashboard interface. Also provide settings to disable the same.
Scheduled actions: List scheduled actions if any.
Logical Components
- Feedback Form or Modal: Create a feedback form or modal dialog within your plugin’s admin interface or settings page.
- In-Plugin Notifications: Display occasional notifications or prompts asking users for feedback.
- Integration with Support Channels: Provide a direct link to a feedback form or survey in support emails or on your support forum.
- Feedback Collection Best Practices:
Rate Limiting and Throttling
- Respect rate limits: Adhere to the rate limits set by the API provider to avoid getting blocked.
- Implement throttling: Add throttling to your requests to ensure you don’t exceed the allowed rate.
API Contingency Planning
- Risk Assessment: Determine which APIs are crucial for a plugin’s functionality.
Failover Strategies
- Inform users about the temporary outage, expected resolution time and last updated data.
- Categorize data into required processing and synced categories.
- Identify important, non sensitive data and store it in the database.
- list-out stored data.
- Implement prompt error handlings.
Uptime strategy
List out real time data.
- Schedule and process required-processing data.
- Data regulations: Only retain required data as per legal regulations.
- Data Module ( Only applicable to custom tables/requirements ): Handles interactions with databases, including creating tables, storing, and retrieving data.
- Database Schema and Tables: Create custom database tables to store plugin-specific data that doesn’t fit into WordPress’s default tables.
- CRUD Operations: Implement functions for adding new records, retrieval, modify and delete data from the database.
- Data Filtering and Sorting: Provide options for filtering and sorting data based on user inputs or predefined criteria.
- Admin Module: Registering CPT, utilizing settings API etc. Must be done within this module.
Front Module
- Front-End Forms: Create forms for users to submit data, such as contact forms, booking, or data entries.
- User Interaction: Create elements that users can interact with directly on the front end, such as rating systems, like buttons, or comment systems.
- Enqueue assets: Conditionally enqueue css/js files.
- Templates and Theme Integration: Provide custom templates or template tags that users can include in their themes to display plugin features.
- Content Display: Display dynamic content generated by the plugin, such as lists of recent entries, user-generated content, or data-driven displays.
- Data processing & Security measures: Sanitize and validate all user inputs to prevent security vulnerabilities.
Scheduled Actions / Cron Module: Manages cron related functionalities.
- Using WordPress Cron System: Utilize WordPress’s built-in cron system to schedule and run tasks.
- Using server cron: Use server cron for high traffic sites.
Review: Each module will undergo a thorough review by a designated reporting person. Any identified issues will be documented and addressed promptly to ensure optimal performance and user satisfaction.
Development Environment Setup
Environment Configuration: Ensure the development environment is configured properly with following configurations.
- PHP minimum version 8.0 or greater.
- MySQL version 8.0 or greater OR MariaDB version 10.5 or greater.
- WordPress Configuration:
- memory_limit = 128M
- max_execution_time = 60
- upload_max_filesize = 32M
- post_max_size = 64M
- max_input_vars = 3000
- max_input_time = 60
Configure Debugging
WP_DEBUG: Enable debug mode in your wp-config.php file to display PHP errors, notices, and warnings.define( ‘WP_DEBUG’, true);
- define( ‘WP_DEBUG_LOG’, true);
- define( ‘WP_DEBUG_DISPLAY’, true);
- @ini_set( ‘display_errors’, 1 );
- define( ‘SCRIPT_DEBUG’, true);
- define( ‘WP_CACHE’, false );
- Query Monitor: Use query monitor plugin which monitors database queries, hooks, conditionals, HTTP requests, and more.
- HTTPS Support: Enable HTTPS in your development environment to test SSL-related features.
- Basic Authentication with .htaccess: Set up basic authentication using .htaccess to restrict unauthorized access to the development environment.
- Discourage Search Engines: Implement measures to discourage search engines from indexing the site during the development stages.
- Setup and Install Necessary / Core Plugin (if applicable): If the plugin relies on a core framework or dependencies, ensure they are set up and installed correctly.
- Setup and Install Boilerplate: Refer Boilerplate SOP for more information.
- Code Linting: Configure code linting tools to maintain code quality and consistency.
- Version Control Initialization: Always initialize a Git repository early on, to track changes and collaborate effectively with others.
- Sandbox Environment for API Integrations (If Applicable): Set up a sandbox environment for testing API integrations to prevent any potential disruptions to live systems.
Refer API documentation for generating API and Secret Key.
Code Standards Adherence
Best Practices
- Follow Best practices such as using consistent and meaningful variable/class/function/namespace names.
Utilize WordPress VIP standards: Verify your code in phpcs standards.
- Define Tools for different IDE
Vs code
- PHP CodeSniffer: An extension specifically for integrating PHPCS. It helps in checking PHP code against coding standards directly within the editor.
Sublime
- SublimeLinter-phpcs: This is a Sublime Text linter plugin that integrates PHPCS with Sublime Text. It provides real-time feedback as you code.
- Prefix everything: For example, if your plugin is called “Easy Custom Post Types” then you could use names like these:
- function ecpt_save_post()
- define( ‘ECPT_LICENSE’, true );
- class ECPT_Admin{}
- namespace EasyCustomPostTypes;
- update_option( ‘ecpt_settings’, $settings );
Proper Commenting ( DocBlocker ): Must Use multi and single line comments.
Warning & Error Handling
- Must resolve all warnings & notices.
Try-Catch Blocks: Use try-catch blocks to handle exceptions gracefully.
try {
// Code that might throw an exception
} catch (Exception $e) {
// Handle the exception
error_log($e->getMessage()); // Optionally display a user-friendly message
}
Custom Error Handlers: Set custom error handlers for PHP errors using set_error_handler().
function custom_error_handler($errno, $errstr, $errfile, $errline) {
// Handle the error error_log(“Error [$errno]: $errstr in $errfile on line $errline”);
}
set_error_handler(“custom_error_handler”);
Check for Null: Always check for null before performing operations on variables.
if ($variable !== null) {
// Safe to use $variable
} else {
// Handle the null case
error_log(“Expected a non-null value.”);
}
Hooks and Filters
- Use WordPress hooks (add_action and add_filter) effectively.
- Provide actions and filters for third party developers.
Security
- Sanitize and validate all input data: (including POST, GET, and URL parameters) to prevent vulnerabilities like XSS and SQL injection.
- Use Nonces: Employ WordPress Nonces (wp_nonce_field() and check_admin_referer()) to validate requests from users performing sensitive actions.
- Secure File Uploads: If your plugin handles file uploads, validate file types and use wp_handle_upload() to manage uploads securely. Restrict file permissions on uploaded files to prevent execution of malicious scripts.
Validate file type
$file_type = wp_check_filetype($file[‘name’]);
if (!in_array($file_type[‘type’], $allowed_mime_types)) {
return array(‘error’ => ‘Invalid file type.’); }
// Validate file size
if ($file[‘size’] > $max_file_size) {
return array(‘error’ => ‘File size exceeds the allowed limit.’);
}
- Use Secure Authentication and Authorization (Custom Forms): Utilize secure authentication methods provided by WordPress (wp_generate_password(), wp_hash_password(), etc.).
- Enforce Least Privilege: Only grant necessary permissions to avoid unauthorized actions.
Proper Use of Text Domain
- Text Domain Definition: Define a unique text domain for your plugin, typically matching the plugin’s slug or name.
- Load the text domain in your plugin to make the translation files available.
Consistent Text Domain Usage: Use the defined text domain consistently throughout your plugin’s codebase.
- To generate a .mo file from a .po file in WordPress, you can follow these short steps:
Using GUI
- Install Poedit (optional): If you haven’t already, download and install Poedit, a popular translation editor.
- Edit the .po file: Open your .po file using Poedit or any text editor.
- In Poedit, after editing the .po file, simply save it, and Poedit will automatically generate the corresponding .mo file in the same directory.
Command Line (alternative method):
- msgfmt yourfile.po -o yourfile.mo: To use msgfmt directly, you’ll need to have gettext installed on your system.
- Nilesh Tarbundiya will add his input here
- Dynamic text translation: Ensure dynamic text is translatable by wrapping it in translation functions.
Translation Functions: Use the appropriate WordPress translation functions for all user-facing text.
- __(): Returns the translated string.
- _e(): Echoes the translated string.
- _x(): Context-specific translations.
- _ex(): Echoes context-specific translations.
- esc_html__(): Escapes and returns the translated string.
- esc_html_e(): Escapes and echoes the translated string.
- esc_attr__(): Escapes and returns the translated string for attributes.
- esc_attr_e(): Escapes and echoes the translated string for attributes.
- _n(): Translates singular and plural forms.
- _nx(): Context-specific plural translations.
Folder Structure for Language Files
my-plugin/
├── languages/
│ ├── my-plugin-en_US.po
│ ├── my-plugin-en_US.mo
│ ├── my-plugin-fr_FR.po
│ └── my-plugin-fr_FR.mo
Translation Files: Provide .pot, .po, and .mo files for translations.
- Provide POT File: Include a .pot (Portable Object Template) file in your plugin, which serves as a template for translators.
- Generate PO and MO Files: Use the .pot file to generate .po (Portable Object) and .mo (Machine Object) files, which contain translated strings for different languages.
- Include Translations: Ship your plugin with translated .po and .mo files for commonly used languages, or provide instructions for users to generate their own translations.
Performance
- Avoid Excessive Plugin Activation & Deactivation Hooks: Avoid performing resource-intensive operations during plugin activation/deactivation. Instead, consider performing such operations asynchronously or on-demand.
- Avoid using a database query inside a loop to prevent performance issues.
- Use default Objects: If default WordPress functions do not meet requirements, extend default classes to add or customize functionality.
- Like $wpdb, WP_List_Table, Walker_Nav_Menu etc
- Minify CSS and JavaScript: Reduce file sizes by removing unnecessary characters (like whitespace and comments) before deployment.
- Concatenate Files: Combine multiple CSS and JavaScript files into fewer files to reduce HTTP requests.
Load Assets Conditionally: Load CSS and JavaScript assets conditionally only on frontend/backend only where required.
Compatibility
- Install necessary plugins: Install all plugins with you think your plugin needs to be compatible with.
- Handle Dependencies Gracefully: If your plugin relies on another plugin or library, check for its existence and version before attempting to use it. Provide clear instructions for required dependencies.
- Utilize Versioning: Implement version checks and compatibility layers to handle different versions of WordPress and other plugins gracefully.
Utilize versioning via github. Create a readme.md file with all compatibility information.
- Check for Conflicts: Test the plugin in various environments with different plugins to identify potential conflicts.
- Provide Compatibility Notices: Include information about known conflicts and provide guidance on resolving them.
Define plugin compatibility notes in the readme.txt file.
- Avoid Overwriting Defaults: Ensure your plugin does not overwrite default WordPress behaviors unless explicitly intended.
- Avoid Direct Database Queries: Use WordPress functions for database operations to ensure compatibility with different database setups and versions.
- Things to take care specifically for multisites
- Database Tables: Check that your plugin properly handles the different database tables created for each site.
- Options and Transients: Ensure your plugin stores options and transients properly for multisite, using site-specific or network-wide options as needed.
- Use WordPress Multisite-specific functions where necessary, such as get_sites(), switch_to_blog(), and restore_current_blog().
- Test Network Activation/Deactivation: Activate and deactivate your plugin across the network, and ensure it doesn’t cause any errors.
- Test Site-Specific Activation/Deactivation: Activate/deactivate your plugin on individual sites within the network and ensure the plugin functions correctly without affecting other sites.
- Check Multi Site-Specific Functionality: If your plugin interacts with multisite features like user roles, site management, or shared content, thoroughly test these aspects.
Version Control
- Initialize a Git Repository: Start by initializing a Git repository in your plugin’s root directory.
- Create a .gitignore File: Exclude unnecessary files (e.g., logs, temporary files, build artifacts) from version control by creating a .gitignore file and specifying patterns for files and directories to ignore.
- Branch Naming Conventions: Adopt consistent branch naming conventions (e.g., feature/branch-name, bugfix/issue-number) for clarity and organization.
- Use Branches for Feature Development: Create branches (git branch) for new features or bug fixes to isolate changes and facilitate parallel development without affecting the main codebase.
- Commit Early and Often: Keep commits focused on specific changes to maintain a clear history and simplify troubleshooting.
- Merge Changes with Pull Requests: Use pull requests (PRs) to merge changes from feature branches into the main branch (e.g., main or master). Review code, discuss changes, and ensure code quality before merging.
- Collaborate GitHub: Host your Git repository on GitHub to facilitate collaboration, issue tracking, and code reviews with team members and the community.
User Experience
- Maintain consistency in design elements like colors, typography, spacing, and iconography throughout your plugin.
- Design your plugin to be responsive and mobile-friendly. Test across various devices and screen sizes.
Ensure your plugin is accessible to all users, including those with disabilities. Follow accessibility standards.
- Provide informative feedback messages (e.g., success notifications, error alerts) to users after actions like form submissions or settings changes.
- User guide link
Testing
- Unit Testing: As a developer must perform functional testing in different devices and browsers.
- Compatibility Testing: Test the plugin’s interaction with other plugins and themes.
- Department Testing : Will share within WordPress Group to test with a due date.
- QA Testing: Functionality testing performed by QA team on different real and virtual browsers and devices.
- Regression Testing: Implement regression testing procedures to detect and address functional issues introduced by new code changes or updates.
Documentation and support
- Must use screenshots / videos for documentation.
User Documentation:
- Installation
- Configuration
- Best Practices (If applicable like Optimization plugins).
Features List.
- User Interface Guide.
- Export Import Settings: Provide best practice exportable file.
- General Troubleshooting: List down general issues and respective troubleshootings.
Support and Resources.
- WordPress.org support forum.
- Mail ticket or Support System.
FAQs
- Development Documentation: Document of code and APIs for secondary developers.
- Changelog: Maintain a changelog for tracking updates and changes.
Terms and conditions with refund policy: Must include T&C documentation with no refund policy explicitly.
Regular Maintenance and Updates
- Compatibility Updates: Keep your plugin compatible with the latest versions of WordPress core.
- Security Updates: Respond quickly to security issues reported by users or discovered through audits. Release security patches promptly and encourage users to update.
Deployment
Preparation
Check Requirements
- Ensure your plugin meets the minimum WordPress and PHP versions.
- Confirm compatibility with the latest WordPress version.
Code Review
- Review your code for errors and optimize performance.
- Ensure there are no naming conflicts with other plugins.
- Include code comments where necessary for maintainability.
Documentation
- Update the plugin documentation, including installation instructions and changelog.
- Ensure README files and any other documentation are clear and concise.
Testing
Local Environment Testing
- Test your plugin in a local development environment.
- Ensure all functionalities work as expected.
Staging Environment Testing
- Deploy your plugin on a staging site that mirrors the live environment.
- Perform thorough testing, including edge cases.
Compatibility Testing
- Test your plugin with popular themes and plugins.
- Ensure there are no conflicts or issues.
Deployment
Backup
- Take a backup of the current live site, including files and database.
Upload Plugin
- Navigate to the WordPress admin dashboard.
- Go to Plugins > Add New and upload your plugin zip file.
Activate Plugin
- Activate the plugin and ensure there are no errors.
- Check the site for any immediate issues.
Post-Deployment
Verify Functionality
- Test all features of the plugin on the live site.
- Ensure everything works as expected.
Monitor
- Keep an eye on the site for any unexpected behavior or errors.
- Check logs for any warnings or errors.
User Feedback
- Collect feedback from users to identify any issues or areas for improvement.
Maintenance
Regular Updates
- Release updates to fix bugs, improve performance, and add new features.
- Ensure updates are tested before deployment.
- Communicate update details to users and provide guidance on any changes.
Support
- Provide support to users experiencing issues.
- Keep documentation up to date with any changes or new features.
- Address support tickets in a timely manner and offer solutions or workarounds.
Security
- Regularly review your plugin for security vulnerabilities.
- Apply necessary security patches promptly.
- Stay informed about WordPress security updates and best practices.
Performance Optimization
- Regularly review the plugin’s performance and optimize where necessary.
- Ensure that the plugin does not negatively impact the site’s loading times or overall performance.
Compliance
- Ensure that the plugin complies with relevant legal and regulatory requirements (e.g., GDPR).
- Implement necessary features or settings to maintain compliance.
Deprecation Plan
- Develop a plan for deprecating old versions or features.
- Notify users in advance and provide guidance on migration paths if needed.
Checklist
WordPress Plugin Development
- Create and share scope documentation with stakeholders & team members.
- Ensure sufficient documentation for features and third-party services/APIs.
- API Management: Communicate with clients regarding support issues and data access restrictions, verify sandbox availability, rate limits, and usage limits, and manage authentication, authorization, API changes, deprecations, and blacklisting.
- API Reliability: Ensure data freshness, syncing, feature access, and performance issues.
- API Limit Check: Plan for API rate limiting, throttling, and contingency measures.
- Check and communicate any security concerns with client or user
- server configuration, and missing extensions.
- Update libraries and frameworks; check for geographical restrictions.
- Choose a clear, unique, memorable plugin name; check availability per WordPress naming guidelines.
- Verify corresponding domain name availability and check plugin name conflicts using Plugin Check (PCP).
- Plan plugin architecture and segment modules (reports/dashboard, layout/settings, data display, etc.).
- Utilize the Settings API
- Implement export and import mechanisms.
- Free Plugin : Include user feedback, support options, donation options for free plugins, and licensing information.
- Implement system status checks and logical component separation (admin, front, data modules).
- Set up development environment configuration, including WordPress and debugging tools.
- Configure HTTPS to support basic authentication and discourage search engines during development.
- Install necessary/core plugins and boilerplate.
- Adhere to code standards and best practices using WordPress VIP standards.
- Define tools for different IDEs, prefix everything, and maintain proper commenting (DocBlocker).
- Handle warnings and errors efficiently; implement hooks and filters.
- Ensure security, localization, and translation using proper text domains and functions.
- Maintain folder structure for language files and ensure translation files are accurate.
- Ensure plugin performance and compatibility, especially for multisite setups.
- Initialize a Git repository and create a .gitignore file.
- Use branch naming conventions and branches for feature development.
- Commit changes early and often, merge changes with pull requests.
- Maintain consistency in design elements like colors, typography, spacing, and iconography.
- Ensure intuitive navigation and user-friendly interfaces.
- Provide clear instructions and tooltips within the plugin.
- Gather user feedback regularly and make iterative improvements.