Planning

  • Scope and Limitations Documentation (Primary Developers)
  • Scope boundaries / Limitations

Third-Party Services/APIs

  • Insufficient Documentation: Identify any gaps or inadequacies in the API documentation, such as unclear instructions or incomplete examples, and their potential impact on integration.
  • Lack of Support: Note the availability and effectiveness of support services, including response times and support channels, communities and how this may affect issue resolution and implementation reliability.

Data Access Restrictions: Outline any limitations on accessing specific data fields or types, as well as privacy constraints for sensitive information.

  • Sandbox availability: Outline limitations of development environment or sandbox.
  • Rate Limits: Document the maximum number of API requests allowed within specific time periods, and any burst request limitations.
  • Usage Limits: Detail any daily or monthly usage caps, and how quotas are managed across different user levels or subscription plans.
  • Authentication and Authorization: Specify the authentication mechanisms required (e.g., OAuth, API keys) and any scope limitations that affect available actions.
  • API Changes and Deprecations: Include information on the frequency of updates, changes to API endpoints or data structures, and policies regarding deprecated versions.
  • Throttling and Blacklisting: Define any mechanisms for rate throttling and policies for blacklisting IP addresses or users who violate terms of service.
  • Data Freshness and Syncing: Describe any restrictions on the frequency of data refreshes and synchronization processes.
  • Feature Access: Specify any limitations on access to advanced features or endpoints based on user plans or API versions.
  • Performance Issues: Widgets may affect page load times due to reliance on external resources.
  • Security Concerns: Specify Potential risks related to the exposure of user data to external services.

Server Configuration

  • Missing Extensions: Document the necessary server extensions that are not typically available by default on most servers.

Library and Framework Updates

  • Insufficient Documentation: Same as of APIs.
  • Lack of Support: Same as for APIs.
  • Upgradation Complexity: Is upgrading library or framework bulking up the plugin? impacting plugin stability and downloads?
  • Geographical Restrictions: Note any geographic limitations on access and data residency requirements based on jurisdictional regulations.
  • Compliance and Regulatory Constraints of plugin and third party APIs: Highlight requirements for compliance with regulations such as GDPR, HIPAA, or CCPA, including logging and reporting obligations.
  • Any other constraints that may impact the development process (e.g., budget, time).

Plugin Name

  • Choose a clear, unique, and memorable name for your plugin that reflects purpose and aligns with your brand.
  • Keep it simple and easy to remember.
  • It must not contain any copyrighted brand names like WordPress, WP, WooCommerce, WC, Stripe etc.
  • Check availability of plugin name according to WordPress naming Guideline.
  • Check the availability of the corresponding domain name.
  • Check plugin name conflicts using Plugin Check (PCP) this plugin before submit to approval for WordPress.org

Plan Architecture

Plugin Boilerplate: Refer Plugin Boilerplate SOP for more information

Segment Modules

  • Reports / Dashboard
  • Layout / Settings Module:  Includes options for layout customization, user preferences, and any other settings necessary for optimal usage.
    •  Data Display and Reports:  Display data in tables or charts for better visualization.

Settings Management

  • Utilize Settings API: Leverage the WordPress Settings API to manage the settings page efficiently.
  • Tabbing Layout: Group related settings together and use tooltips, clear labels and descriptions.
    • Export and Import Mechanism
  • Identify Exportable Settings: Determine which settings within your plugin should be exportable.
  • Define Export Format: Json, xml and eg.

User Feedback and Support: Include settings for users to provide feedback, report issues, and access support resources directly within the plugin interface.

  • Feedback Form or Modal: Create a feedback form or modal dialog within your plugin’s admin interface or settings page.
  • In-Plugin Notifications: Display occasional notifications or prompts asking users for feedback.
  • Integration with Support Channels: Provide a direct link to a feedback form or survey in support emails or on your support forum.

Feedback Collection Best Practices:

  • Ensure feedback forms are easy to access and use, with clear instructions.
  • Respect user privacy and provide options to opt-out of feedback requests.
  • Regularly review and analyze feedback to identify trends and prioritize improvements.

Donation: Donation Option for Free Plugins

  • One time / Subscription options: Provide single or monthly payment options for donation.

Licensing

  • Currently we are using a GPL license. However, planning to move towards a professional license. In Progress.
  • Third party licencing examples:
  • https://easydigitaldownloads.com/downloads/software-licensing/
  • https://freemius.com/
  • Status
  • System Status: Display system status as of wordpress site health wp-admin/site-health.php
  • Error Logs: Display error logs & debug information within the dashboard interface. Also provide settings to disable the same.

Scheduled actions: List scheduled actions if any.

Logical Components

  • Feedback Form or Modal: Create a feedback form or modal dialog within your plugin’s admin interface or settings page.
  • In-Plugin Notifications: Display occasional notifications or prompts asking users for feedback.
  • Integration with Support Channels: Provide a direct link to a feedback form or survey in support emails or on your support forum.
  • Feedback Collection Best Practices:

Rate Limiting and Throttling

  • Respect rate limits: Adhere to the rate limits set by the API provider to avoid getting blocked.
  • Implement throttling: Add throttling to your requests to ensure you don’t exceed the allowed rate.

API Contingency Planning

  • Risk Assessment: Determine which APIs are crucial for a plugin’s functionality.

Failover Strategies

  • Inform users about the temporary outage, expected resolution time and last updated data.
  • Categorize data into required processing and synced categories.
  • Identify important, non sensitive data and store it in the database.
  • list-out stored data.
  • Implement prompt error handlings.

Uptime strategy

List out real time data.

  • Schedule and process required-processing data.
  • Data regulations: Only retain required data as per legal regulations.
  • Data Module ( Only applicable to custom tables/requirements ): Handles interactions with databases, including creating tables, storing, and retrieving data.
  • Database Schema and Tables: Create custom database tables to store plugin-specific data that doesn’t fit into WordPress’s default tables.
  • CRUD Operations: Implement functions for adding new records, retrieval, modify and delete data from the database.
  • Data Filtering and Sorting: Provide options for filtering and sorting data based on user inputs or predefined criteria.
  • Admin Module: Registering CPT, utilizing settings API etc. Must be done within this module.

Front Module

  • Front-End Forms: Create forms for users to submit data, such as contact forms, booking, or data entries.
  • User Interaction: Create elements that users can interact with directly on the front end, such as rating systems, like buttons, or comment systems.
  • Enqueue assets:  Conditionally enqueue css/js files.
  • Templates and Theme Integration:  Provide custom templates or template tags that users can include in their themes to display plugin features.
  • Content Display: Display dynamic content generated by the plugin, such as lists of recent entries, user-generated content, or data-driven displays.
  • Data processing & Security measures:  Sanitize and validate all user inputs to prevent security vulnerabilities.

Scheduled Actions / Cron Module: Manages cron related functionalities.

  • Using WordPress Cron System: Utilize WordPress’s built-in cron system to schedule and run tasks.
  • Using server cron: Use server cron for high traffic sites.

Review: Each module will undergo a thorough review by a designated reporting person. Any identified issues will be documented and addressed promptly to ensure optimal performance and user satisfaction.

Development Environment Setup

Environment Configuration: Ensure the development environment is configured properly with following configurations.

  • PHP minimum version 8.0 or greater.
  • MySQL version 8.0 or greater OR MariaDB version 10.5 or greater.
  • WordPress Configuration:
  • memory_limit = 128M
  • max_execution_time = 60
  • upload_max_filesize = 32M
  • post_max_size = 64M
  • max_input_vars = 3000
  • max_input_time = 60

Configure Debugging

WP_DEBUG: Enable debug mode in your wp-config.php file to display PHP errors, notices, and warnings.define( ‘WP_DEBUG’, true);

  • define( ‘WP_DEBUG_LOG’, true);
  • define( ‘WP_DEBUG_DISPLAY’, true);
  • @ini_set( ‘display_errors’, 1 );
  • define( ‘SCRIPT_DEBUG’, true);
  • define( ‘WP_CACHE’, false );
  • Query Monitor: Use query monitor plugin which monitors database queries, hooks, conditionals, HTTP requests, and more.
  • HTTPS Support: Enable HTTPS in your development environment to test SSL-related features.
  • Basic Authentication with .htaccess: Set up basic authentication using .htaccess to restrict unauthorized access to the development environment.
  • Discourage Search Engines: Implement measures to discourage search engines from indexing the site during the development stages.
  • Setup and Install Necessary / Core Plugin (if applicable): If the plugin relies on a core framework or dependencies, ensure they are set up and installed correctly.
  • Setup and Install Boilerplate: Refer Boilerplate SOP for more information.
  • Code Linting: Configure code linting tools to maintain code quality and consistency.
  • Version Control Initialization: Always initialize a Git repository early on, to track changes and collaborate effectively with others.
  • Sandbox Environment for API Integrations (If Applicable): Set up a sandbox environment for testing API integrations to prevent any potential disruptions to live systems.

Refer API documentation for generating API and Secret Key.

Code Standards Adherence

Best Practices 

  • Follow Best practices such as using consistent and meaningful variable/class/function/namespace names.

Utilize WordPress VIP standards: Verify your code in phpcs standards.

  • Define Tools for different IDE

Vs code

  • PHP CodeSniffer: An extension specifically for integrating PHPCS. It helps in checking PHP code against coding standards directly within the editor.

Sublime

  • SublimeLinter-phpcs: This is a Sublime Text linter plugin that integrates PHPCS with Sublime Text. It provides real-time feedback as you code.
  • Prefix everything: For example, if your plugin is called “Easy Custom Post Types” then you could use names like these:
  • function ecpt_save_post()
  • define( ‘ECPT_LICENSE’, true );
  • class ECPT_Admin{}
  • namespace EasyCustomPostTypes;
  • update_option( ‘ecpt_settings’, $settings );

Proper Commenting ( DocBlocker ): Must Use multi and single line comments.

Warning & Error Handling

  • Must resolve all warnings & notices.

Try-Catch Blocks: Use try-catch blocks to handle exceptions gracefully.

try {
// Code that might throw an exception
} catch (Exception $e) {
// Handle the exception
 error_log($e->getMessage()); // Optionally display a user-friendly message
}

Custom Error Handlers: Set custom error handlers for PHP errors using set_error_handler().

function custom_error_handler($errno, $errstr, $errfile, $errline) {
// Handle the error error_log(“Error [$errno]: $errstr in $errfile on line $errline”);
}
set_error_handler(“custom_error_handler”);

Check for Null: Always check for null before performing operations on variables.

if ($variable !== null) {

    // Safe to use $variable

} else {

    // Handle the null case

    error_log(“Expected a non-null value.”);

}

Hooks and Filters

  • Use WordPress hooks (add_action and add_filter) effectively. 
  • Provide actions and filters for third party developers.

Security

  • Sanitize and validate all input data: (including POST, GET, and URL parameters) to prevent vulnerabilities like XSS and SQL injection.
  • Use Nonces: Employ WordPress Nonces (wp_nonce_field() and check_admin_referer()) to validate requests from users performing sensitive actions.
  • Secure File Uploads: If your plugin handles file uploads, validate file types and use wp_handle_upload() to manage uploads securely. Restrict file permissions on uploaded files to prevent execution of malicious scripts.

Validate file type

$file_type = wp_check_filetype($file[‘name’]);
if (!in_array($file_type[‘type’], $allowed_mime_types)) {
return array(‘error’ => ‘Invalid file type.’); }

// Validate file size 

if ($file[‘size’] > $max_file_size) {
return array(‘error’ => ‘File size exceeds the allowed limit.’);
}

  • Use Secure Authentication and Authorization (Custom Forms): Utilize secure authentication methods provided by WordPress (wp_generate_password(), wp_hash_password(), etc.).
  • Enforce Least Privilege: Only grant necessary permissions to avoid unauthorized actions.

Localization and Translation

Proper Use of Text Domain

  • Text Domain Definition: Define a unique text domain for your plugin, typically matching the plugin’s slug or name.
  • Load the text domain in your plugin to make the translation files available.

Consistent Text Domain Usage: Use the defined text domain consistently throughout your plugin’s codebase.

  • To generate a .mo file from a .po file in WordPress, you can follow these short steps:

Using GUI

  • Install Poedit (optional): If you haven’t already, download and install Poedit, a popular translation editor.
  • Edit the .po file: Open your .po file using Poedit or any text editor.
  • In Poedit, after editing the .po file, simply save it, and Poedit will automatically generate the corresponding .mo file in the same directory.

Command Line (alternative method):

  • msgfmt yourfile.po -o yourfile.mo: To use msgfmt directly, you’ll need to have gettext installed on your system.
  • Nilesh Tarbundiya will add his input here
  • Dynamic text translation: Ensure dynamic text is translatable by wrapping it in translation functions.

Translation Functions: Use the appropriate WordPress translation functions for all user-facing text.

  • __(): Returns the translated string.
  • _e(): Echoes the translated string.
  • _x(): Context-specific translations.
  • _ex(): Echoes context-specific translations.
  • esc_html__(): Escapes and returns the translated string.
  • esc_html_e(): Escapes and echoes the translated string.
  • esc_attr__(): Escapes and returns the translated string for attributes.
  • esc_attr_e(): Escapes and echoes the translated string for attributes.
  • _n(): Translates singular and plural forms.
  • _nx(): Context-specific plural translations.

Folder Structure for Language Files

my-plugin/

├── languages/

│   ├── my-plugin-en_US.po

│   ├── my-plugin-en_US.mo

│   ├── my-plugin-fr_FR.po

│   └── my-plugin-fr_FR.mo

Translation Files: Provide .pot, .po, and .mo files for translations.

  • Provide POT File: Include a .pot (Portable Object Template) file in your plugin, which serves as a template for translators.
  • Generate PO and MO Files: Use the .pot file to generate .po (Portable Object) and .mo (Machine Object) files, which contain translated strings for different languages.
  • Include Translations: Ship your plugin with translated .po and .mo files for commonly used languages, or provide instructions for users to generate their own translations.

Performance

  • Avoid Excessive Plugin Activation & Deactivation Hooks: Avoid performing resource-intensive operations during plugin activation/deactivation. Instead, consider performing such operations asynchronously or on-demand.
  • Avoid using a database query inside a loop to prevent performance issues.
  • Use default Objects: If default WordPress functions do not meet requirements, extend default classes to add or customize functionality.
  • Like $wpdb, WP_List_Table, Walker_Nav_Menu etc
  • Minify CSS and JavaScript: Reduce file sizes by removing unnecessary characters (like whitespace and comments) before deployment.
  • Concatenate Files: Combine multiple CSS and JavaScript files into fewer files to reduce HTTP requests.

Load Assets Conditionally: Load CSS and JavaScript assets conditionally only on frontend/backend only where required.

Compatibility

  • Install necessary plugins: Install all plugins with you think your plugin needs to be compatible with.
  • Handle Dependencies Gracefully: If your plugin relies on another plugin or library, check for its existence and version before attempting to use it. Provide clear instructions for required dependencies.
  • Utilize Versioning: Implement version checks and compatibility layers to handle different versions of WordPress and other plugins gracefully.

Utilize versioning via github. Create a readme.md file with all compatibility information.

  • Check for Conflicts: Test the plugin in various environments with different plugins to identify potential conflicts.
  • Provide Compatibility Notices: Include information about known conflicts and provide guidance on resolving them.

Define plugin compatibility notes in the readme.txt file.

  • Avoid Overwriting Defaults: Ensure your plugin does not overwrite default WordPress behaviors unless explicitly intended.
  • Avoid Direct Database Queries: Use WordPress functions for database operations to ensure compatibility with different database setups and versions.
  • Things to take care specifically for multisites
  • Database Tables: Check that your plugin properly handles the different database tables created for each site.
  • Options and Transients: Ensure your plugin stores options and transients properly for multisite, using site-specific or network-wide options as needed.
  • Use WordPress Multisite-specific functions where necessary, such as get_sites(), switch_to_blog(), and restore_current_blog().
  • Test Network Activation/Deactivation: Activate and deactivate your plugin across the network, and ensure it doesn’t cause any errors.
  • Test Site-Specific Activation/Deactivation: Activate/deactivate your plugin on individual sites within the network and ensure the plugin functions correctly without affecting other sites.
  • Check Multi Site-Specific Functionality: If your plugin interacts with multisite features like user roles, site management, or shared content, thoroughly test these aspects.

 

Version Control

  • Initialize a Git Repository: Start by initializing a Git repository in your plugin’s root directory.
  • Create a .gitignore File: Exclude unnecessary files (e.g., logs, temporary files, build artifacts) from version control by creating a .gitignore file and specifying patterns for files and directories to ignore.
  • Branch Naming Conventions: Adopt consistent branch naming conventions (e.g., feature/branch-name, bugfix/issue-number) for clarity and organization.
  • Use Branches for Feature Development: Create branches (git branch) for new features or bug fixes to isolate changes and facilitate parallel development without affecting the main codebase.
  • Commit Early and Often: Keep commits focused on specific changes to maintain a clear history and simplify troubleshooting.
  • Merge Changes with Pull Requests: Use pull requests (PRs) to merge changes from feature branches into the main branch (e.g., main or master). Review code, discuss changes, and ensure code quality before merging.
  • Collaborate GitHub: Host your Git repository on GitHub to facilitate collaboration, issue tracking, and code reviews with team members and the community. 

User Experience

  • Maintain consistency in design elements like colors, typography, spacing, and iconography throughout your plugin.
  • Design your plugin to be responsive and mobile-friendly. Test across various devices and screen sizes.

Ensure your plugin is accessible to all users, including those with disabilities. Follow accessibility standards.

  • Provide informative feedback messages (e.g., success notifications, error alerts) to users after actions like form submissions or settings changes.
  • User guide link

Testing

  • Unit Testing: As a developer must perform functional testing in different devices and browsers.
  • Compatibility Testing: Test the plugin’s interaction with other plugins and themes.
  • Department Testing : Will share within WordPress Group to test with a due date.
  • QA Testing: Functionality testing performed by QA team on different real and virtual browsers and devices.
  • Regression Testing: Implement regression testing procedures to detect and address functional issues introduced by new code changes or updates.

Documentation and support

  •  Must use screenshots / videos for documentation.

User Documentation:

  • Installation
  • Configuration
  • Best Practices (If applicable like Optimization plugins).

Features List.

  • User Interface Guide.
  • Export Import Settings: Provide best practice exportable file.
  • General Troubleshooting: List down general issues and respective troubleshootings.

Support and Resources.

  • WordPress.org support forum.
  • Mail ticket or Support System.

FAQs

  • Development Documentation: Document of code and APIs for secondary developers.
  • Changelog: Maintain a changelog for tracking updates and changes.

Terms and conditions with refund policy: Must include T&C documentation with no refund policy explicitly.

 

Regular Maintenance and Updates

  • Compatibility Updates: Keep your plugin compatible with the latest versions of WordPress core.
  • Security Updates: Respond quickly to security issues reported by users or discovered through audits. Release security patches promptly and encourage users to update.

Deployment

Preparation

Check Requirements

  • Ensure your plugin meets the minimum WordPress and PHP versions.
  • Confirm compatibility with the latest WordPress version.

Code Review

  • Review your code for errors and optimize performance.
  • Ensure there are no naming conflicts with other plugins.
  • Include code comments where necessary for maintainability.

Documentation

  • Update the plugin documentation, including installation instructions and changelog.
  • Ensure README files and any other documentation are clear and concise.

Testing

Local Environment Testing

  • Test your plugin in a local development environment.
  • Ensure all functionalities work as expected.

Staging Environment Testing

  • Deploy your plugin on a staging site that mirrors the live environment.
  • Perform thorough testing, including edge cases.

Compatibility Testing

  • Test your plugin with popular themes and plugins.
  • Ensure there are no conflicts or issues.

Deployment

Backup

  • Take a backup of the current live site, including files and database.

Upload Plugin

  • Navigate to the WordPress admin dashboard.
  • Go to Plugins > Add New and upload your plugin zip file.

Activate Plugin

  • Activate the plugin and ensure there are no errors.
  • Check the site for any immediate issues.

Post-Deployment

Verify Functionality

  • Test all features of the plugin on the live site.
  • Ensure everything works as expected.

Monitor

  • Keep an eye on the site for any unexpected behavior or errors.
  • Check logs for any warnings or errors.

User Feedback

  • Collect feedback from users to identify any issues or areas for improvement.

Maintenance

Regular Updates

  • Release updates to fix bugs, improve performance, and add new features.
  • Ensure updates are tested before deployment.
  • Communicate update details to users and provide guidance on any changes.

Support

  • Provide support to users experiencing issues.
  • Keep documentation up to date with any changes or new features.
  • Address support tickets in a timely manner and offer solutions or workarounds.

Security

  • Regularly review your plugin for security vulnerabilities.
  • Apply necessary security patches promptly.
  • Stay informed about WordPress security updates and best practices.

Performance Optimization

  • Regularly review the plugin’s performance and optimize where necessary.
  • Ensure that the plugin does not negatively impact the site’s loading times or overall performance.

Compliance

  • Ensure that the plugin complies with relevant legal and regulatory requirements (e.g., GDPR).
  • Implement necessary features or settings to maintain compliance.

Deprecation Plan

  • Develop a plan for deprecating old versions or features.
  • Notify users in advance and provide guidance on migration paths if needed.

Checklist

WordPress Plugin Development

  • Create and share scope documentation with stakeholders & team members.
  • Ensure sufficient documentation for features and third-party services/APIs.
  • API Management: Communicate with clients regarding support issues and data access restrictions, verify sandbox availability, rate limits, and usage limits, and manage authentication, authorization, API changes, deprecations, and blacklisting.
  • API Reliability: Ensure data freshness, syncing, feature access, and performance issues.
  • API Limit Check: Plan for API rate limiting, throttling, and contingency measures.
  • Check and communicate any security concerns with client or user
  • server configuration, and missing extensions.
  • Update libraries and frameworks; check for geographical restrictions.
  • Choose a clear, unique, memorable plugin name; check availability per WordPress naming guidelines.
  • Verify corresponding domain name availability and check plugin name conflicts using Plugin Check (PCP).
  • Plan plugin architecture and segment modules (reports/dashboard, layout/settings, data display, etc.).
  • Utilize the Settings API
  • Implement export and import mechanisms.
  • Free Plugin : Include user feedback, support options, donation options for free plugins, and licensing information.
  • Implement system status checks and logical component separation (admin, front, data modules).
  • Set up development environment configuration, including WordPress and debugging tools.
  • Configure HTTPS to support basic authentication and discourage search engines during development.
  • Install necessary/core plugins and boilerplate.
  • Adhere to code standards and best practices using WordPress VIP standards.
  • Define tools for different IDEs, prefix everything, and maintain proper commenting (DocBlocker).
  • Handle warnings and errors efficiently; implement hooks and filters.
  • Ensure security, localization, and translation using proper text domains and functions.
  • Maintain folder structure for language files and ensure translation files are accurate.
  • Ensure plugin performance and compatibility, especially for multisite setups.
  • Initialize a Git repository and create a .gitignore file.
  • Use branch naming conventions and branches for feature development.
  • Commit changes early and often, merge changes with pull requests.
  • Maintain consistency in design elements like colors, typography, spacing, and iconography.
  • Ensure intuitive navigation and user-friendly interfaces.
  • Provide clear instructions and tooltips within the plugin.
  • Gather user feedback regularly and make iterative improvements.