WordPress plugin development with modern practices and hooks.
Installation
npx claude-plugins install @jezweb/claude-skills/wordpress-plugin-core
Contents
Folders: assets, examples, references, scripts, templates
Files: README.md, SKILL.md
Documentation
Status: Production Ready ✅
Last Updated: 2025-11-06
Production Tested: Based on WordPress Plugin Handbook official documentation + Patchstack Security Database
Auto-Trigger Keywords
Claude Code automatically discovers this skill when you mention:
Primary Keywords
- wordpress plugin
- wordpress plugin development
- wp plugin development
- wordpress coding standards
- wordpress plugin architecture
Secondary Keywords
- wordpress security
- wordpress hooks
- wordpress filters
- custom post type
- register_post_type
- register_taxonomy
- wordpress settings api
- wordpress rest api
- admin-ajax
- add_meta_box
- add_options_page
- register_rest_route
- $wpdb
- wpdb prepare
Security Keywords
- sanitize_text_field
- esc_html
- esc_attr
- esc_url
- wp_kses_post
- wp_nonce
- wp_verify_nonce
- wp_nonce_field
- check_ajax_referer
- current_user_can
Distribution & Updates Keywords
- github auto-updates
- github updates
- plugin auto-update
- plugin update checker
- wordpress plugin distribution
- git updater
- custom update server
- plugin versioning
- github releases
- private plugin updates
- license key updates
- plugin update api
- wordpress transients updates
Error-Based Keywords
- “wordpress sql injection”
- “wordpress xss”
- “wordpress csrf”
- “plugin activation 404”
- “nonce verification failed”
- “wordpress security vulnerability”
- “wordpress sanitization”
- “wordpress escaping”
- “plugin naming conflict”
- “custom post type 404”
What This Skill Does
This skill provides comprehensive knowledge for building secure, standards-compliant WordPress plugins. It covers core patterns, security best practices, database interactions, hooks/filters, Settings API, custom post types, REST API, and AJAX implementations.
Core Capabilities
- ✅ Security Foundation - Prevents 20+ documented vulnerabilities (SQL injection, XSS, CSRF, etc.)
- ✅ Plugin Architecture - Simple, OOP, and PSR-4 patterns with templates
- ✅ WordPress APIs - Settings API, REST API, Custom Post Types, Taxonomies, Meta Boxes
- ✅ Database Patterns - Secure $wpdb queries, custom tables, transients
- ✅ Standards Compliance - WordPress Coding Standards, prefixing, ABSPATH checks
- ✅ Lifecycle Management - Activation, deactivation, uninstall hooks
- ✅ Distribution & Updates - GitHub auto-updates, Plugin Update Checker, versioning, releases
- ✅ Advanced Features - WP-CLI commands, scheduled events, internationalization
Known Issues This Skill Prevents
| Issue | Why It Happens | Source | How Skill Fixes It |
|---|---|---|---|
| SQL Injection (15%) | Direct concatenation of user input | Patchstack | Always use $wpdb->prepare() with placeholders |
| XSS (35%) | Unsanitized output to HTML | Patchstack DB | Escape all output with esc_html(), esc_attr(), etc. |
| CSRF (10-15%) | No request origin verification | NinTechNet | Use nonces with wp_verify_nonce() |
| Missing Capability Checks | Using is_admin() instead of current_user_can() | WP Security Guidelines | Always check capabilities |
| Direct File Access | No ABSPATH check | WP Plugin Handbook | Add ABSPATH check to every file |
| Prefix Collision | Generic function/class names | WP Coding Standards | Use unique 4-5 char prefix |
| 404 on Custom Post Types | Rewrite rules not flushed | WP Plugin Handbook | Flush on activation |
| Transient Accumulation | No cleanup on uninstall | WP Transients API | Delete in uninstall.php |
| Performance Issues | Scripts loaded everywhere | WP Performance Best Practices | Conditional asset enqueuing |
| Data Loss on Deactivation | Deleting data on deactivation | WP Best Practices | Only delete in uninstall.php |
Total: 20 documented issues prevented
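The first five rows of the table, combined in one admin AJAX handler. This is an added example, not code from the skill's own templates. The mypl prefix, the mypl_search action and nonce name, the mypl_notes table and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
// Added example. The "mypl" prefix, the mypl_search action/nonce and the
// {prefix}mypl_notes table are hypothetical names, not part of the skill.
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Direct file access: refuse to run outside WordPress.
}

add_action( 'wp_ajax_mypl_search', 'mypl_ajax_search' );

function mypl_ajax_search() {
	// CSRF: verify the nonce from the "nonce" field; $die = false so we answer in JSON.
	if ( ! check_ajax_referer( 'mypl_search', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}
	// Authorization: is_admin() is true for every admin-ajax.php request,
	// whoever sends it, so check the user's capability instead.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}
	// Input: remove WordPress's added slashes, then sanitize.
	$term = isset( $_POST['term'] )
		? sanitize_text_field( wp_unslash( $_POST['term'] ) )
		: '';

	global $wpdb;
	$table = $wpdb->prefix . 'mypl_notes';
	// SQL injection: the vulnerable form concatenates the input into the query,
	//   "... WHERE title LIKE '%" . $_POST['term'] . "%'"
	// Hardened form: placeholders via prepare(), LIKE wildcards escaped separately.
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT %d",
			$like,
			20
		)
	);

	// XSS: escape at output, with the function that matches the context.
	$html = '';
	foreach ( (array) $rows as $row ) {
		$html .= sprintf(
			'<li data-id="%s">%s</li>',
			esc_attr( $row->id ),
			esc_html( $row->title )
		);
	}
	wp_send_json_success( array( 'html' => $html ) );
}
```

The page that issues the request has to create the matching nonce with wp_create_nonce( 'mypl_search' ) and send it as the nonce field.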
When to Use This Skill
✅ Use When:
- Creating new WordPress plugins from scratch
- Implementing security features (nonces, sanitization, escaping)
- Working with WordPress database ($wpdb, custom tables)
- Building admin interfaces (Settings API, meta boxes)
- Registering custom post types or taxonomies
- Creating REST API endpoints
- Handling AJAX requests
- Debugging plugin activation/deactivation issues
- Preventing security vulnerabilities
- Setting up auto-updates from GitHub or custom servers
- Distributing plugins outside WordPress.org
- Implementing license key validation for premium plugins
❌ Don’t Use When:
- Building Gutenberg blocks → Use wordpress-gutenberg-blocks skill
- Creating WooCommerce extensions → Use woocommerce-extension skill
- Developing Gravity Forms add-ons → Use gravity-forms-addon skill
- Building Elementor widgets → Use elementor-widget skill
Claude Code will automatically combine this skill with specialized skills when needed.
…(truncated)