
Wordpress Plugin Core
Ship a custom WordPress plugin with correct hooks, admin settings, CPTs, and REST routes without common injection and XSS mistakes.
Overview
WordPress Plugin Core is an agent skill for the Build phase that guides secure WordPress plugin development with hooks, database access, Settings API, custom post types, REST API routes, and three architecture patterns p
Install
npx skills add https://github.com/jezweb/claude-skills --skill wordpress-plugin-core
What is this skill?
- Three architecture paths: Simple procedural, OOP, and PSR-4 plugin layout
- Security Trinity coverage for SQL injection, XSS, and CSRF with sanitize/escape and nonces
- Hooks, filters, custom post types, taxonomies, meta boxes, and admin-ajax patterns
- Settings API and register_rest_route REST endpoint scaffolding
- WordPress 6.7–6.9 breaking changes plus 6.8+ bcrypt password migration notes
- Three plugin architecture patterns: Simple, OOP, and PSR-4
- Security Trinity framing for SQL injection, XSS, and CSRF
- Documents WordPress 6.7–6.9 breaking changes and 6.8+ bcrypt migration
Adoption & trust: 569 installs on skills.sh; 841 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need a WordPress plugin but official APIs, coding standards, and security fixes across 6.7+ are easy to mix up, leaving SQL injection, XSS, CSRF, or broken REST permissions in production.
Who is it for?
Indie builders and small teams shipping bespoke plugins, membership tools, or agency client extensions on self-hosted WordPress.
Skip if: Pure theme-only CSS work, headless Next.js frontends with no PHP plugin, or teams that already standardize on a maintained commercial plugin framework without custom code.
When should I use this skill?
Creating WordPress plugins or troubleshooting SQL injection, XSS, CSRF, REST API vulnerabilities, wpdb::prepare errors, nonce edge cases, or WordPress 6.8+ bcrypt migration.
What do I get? / Deliverables
You leave with a structured plugin skeleton, hardened input/output patterns, and REST and admin flows that match WordPress handbook and current breaking-change notes.
- Plugin bootstrap and activation hooks
- Admin settings pages via Settings API
- Custom post types, taxonomies, and REST routes with capability checks
Journey fit
Plugin authoring is core product construction—PHP hooks, database access, and APIs land in the build phase before you ship to production sites. WordPress plugins are server-side PHP with $wpdb, Settings API, and register_rest_route—canonical backend work on the integrations shelf.
How it compares
Structured plugin handbook in skill form—not a one-click MCP installer or a generic “write PHP” prompt.
Common Questions / FAQ
Who is wordpress-plugin-core for?
Solo builders and small teams writing or hardening custom WordPress plugins who want handbook-aligned patterns and security trinity checks in the agent loop.
When should I use wordpress-plugin-core?
Use it during Build when creating plugins, registering CPTs or REST routes, or when debugging SQL injection, XSS, CSRF, wpdb::prepare errors, nonce failures, or WordPress 6.8+ bcrypt migration issues.
Is wordpress-plugin-core safe to install?
Treat it like any third-party skill: review the Security Audits panel on this Prism page and your org policy before enabling it in Claude Code, Cursor, or Codex.
SKILL.md - Wordpress Plugin Core
```json
{
  "name": "wordpress-plugin-core",
  "description": "Build secure WordPress plugins with hooks, database interactions, Settings API, custom post types, and REST API. Covers Simple, OOP, and PSR-4 architecture patterns plus the Security Trinity. Includes WordPress 6.7-6.9 breaking changes. Use when creating plugins or troubleshooting SQL injection, XSS, CSRF, REST API vulnerabilities, wpdb::prepare errors, nonce edge cases, or WordPress 6.8+ bcrypt migration.",
  "version": "1.0.0",
  "author": { "name": "Jeremy Dawes", "email": "jeremy@jezweb.net" },
  "license": "MIT",
  "repository": "https://github.com/jezweb/claude-skills",
  "keywords": []
}
```

# WordPress Plugin Development (Core)

**Status**: Production Ready ✅
**Last Updated**: 2025-11-06
**Production Tested**: Based on WordPress Plugin Handbook official documentation + Patchstack Security Database

---

## Auto-Trigger Keywords

Claude Code automatically discovers this skill when you mention:

### Primary Keywords
- wordpress plugin
- wordpress plugin development
- wp plugin development
- wordpress coding standards
- wordpress plugin architecture

### Secondary Keywords
- wordpress security
- wordpress hooks
- wordpress filters
- custom post type
- register_post_type
- register_taxonomy
- wordpress settings api
- wordpress rest api
- admin-ajax
- add_meta_box
- add_options_page
- register_rest_route
- $wpdb
- wpdb prepare

### Security Keywords
- sanitize_text_field
- esc_html
- esc_attr
- esc_url
- wp_kses_post
- wp_nonce
- wp_verify_nonce
- wp_nonce_field
- check_ajax_referer
- current_user_can

### Distribution & Updates Keywords
- github auto-updates
- github updates
- plugin auto-update
- plugin update checker
- wordpress plugin distribution
- git updater
- custom update server
- plugin versioning
- github releases
- private plugin updates
- license key updates
- plugin update api
- wordpress transients updates

### Error-Based Keywords
- "wordpress sql injection"
- "wordpress xss"
- "wordpress csrf"
- "plugin activation 404"
- "nonce verification failed"
- "wordpress security vulnerability"
- "wordpress sanitization"
- "wordpress escaping"
- "plugin naming conflict"
- "custom post type 404"

---

## What This Skill Does

This skill provides comprehensive knowledge for building secure, standards-compliant WordPress plugins. It covers core patterns, security best practices, database interactions, hooks/filters, Settings API, custom post types, REST API, and AJAX implementations.

### Core Capabilities

✅ **Security Foundation** - Prevents 20+ documented vulnerabilities (SQL injection, XSS, CSRF, etc.)
✅ **Plugin Architecture** - Simple, OOP, and PSR-4 patterns with templates
✅ **WordPress APIs** - Settings API, REST API, Custom Post Types, Taxonomies, Meta Boxes
✅ **Database Patterns** - Secure $wpdb queries, custom tables, transients
✅ **Standards Compliance** - WordPress Coding Standards, prefixing, ABSPATH checks
✅ **Lifecycle Management** - Activation, deactivation, uninstall hooks
✅ **Distribution & Updates** - GitHub auto-updates, Plugin Update Checker, versioning, releases
✅ **Advanced Features** - WP-CLI commands, scheduled events, internationalization

---

## Known Issues This Skill Prevents

| Issue | Why It Happens | Source | How Skill Fixes It |
|-------|---------------|--------|--------------------|
| **SQL Injection** (15%) | Direct concatenation of user input | [Patchstack](https://patchstack.com/articles/sql-injection/) | Always use `$wpdb->prepare()` with placeholders |
| **XSS** (35%) | Unsanitized output to HTML | [Patchstack DB](https://patchstack.com) | Escape all output with `esc_html()`, `esc_attr()`, etc. |
| **CSRF** (10-15%) | No request origin verification | [NinTechNet](https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/) | Use nonces with `wp_verify_nonce()` |
| **Missing Capability Checks** | Using `is_admin()` instead of `current_user_can()` | WP Security Guidelines | Always check capabilities |
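The four rows of the table applied together in one admin-ajax save/read pair: nonce check for CSRF, `current_user_can()` instead of `is_admin()`, sanitized input, placeholders in `$wpdb->prepare()`, and escaping at the point of output. This is an added example, not code from the skill or its repository; the `exnotes_` prefix, the custom table `{$wpdb->prefix}exnotes` with columns `id`, `post_id`, `note`, and the already-enqueued script handle `exnotes-admin` are assumptions.

```php
<?php
/**
 * Plugin Name: Example Notes (added illustration; hypothetical plugin)
 */
defined( 'ABSPATH' ) || exit; // ABSPATH check: refuse direct HTTP access to this file

// Hand a nonce to the admin script (assumed handle 'exnotes-admin', enqueued elsewhere).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'exnotes-admin', 'exnotes', array(
        'nonce' => wp_create_nonce( 'exnotes_save' ),
    ) );
} );

// Write side: CSRF -> authorization -> sanitization -> prepared query.
add_action( 'wp_ajax_exnotes_save', function () {
    global $wpdb;
    // CSRF: dies with -1/403 unless $_POST['nonce'] was created for 'exnotes_save'.
    check_ajax_referer( 'exnotes_save', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Capability check is per post; is_admin() only says "this is an admin screen".
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';

    // SQL injection: %d/%s placeholders, never concatenating $post_id or $note into SQL.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}exnotes (post_id, note) VALUES (%d, %s)",
        $post_id,
        $note
    ) );

    // XSS: escape even data we just sanitized, because the client will insert it into HTML.
    wp_send_json_success( array( 'note' => esc_html( $note ) ) );
} );

// Read side (e.g. called from a meta box callback): prepared SELECT, escape on output.
function exnotes_render( $post_id ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT note FROM {$wpdb->prefix}exnotes WHERE post_id = %d ORDER BY id DESC LIMIT %d",
        absint( $post_id ),
        20
    ) );
    echo '<ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->note ) . '</li>'; // stored data is untrusted on output
    }
    echo '</ul>';
}
```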