Wp Plugin Development
Build or refactor WordPress plugins with correct hooks, Settings API admin UI, lifecycle migrations, security hardening, and release packaging.
Overview
wp-plugin-development is an agent skill most often used in Build (also Ship security, Ship launch) that implements WordPress plugins with hooks, admin settings, security, and release packaging.
Install
npx skills add https://github.com/wordpress/agent-skills --skill wp-plugin-developmentWhat is this skill?
- End-to-end plugin procedure: triage repo, detect plugin headers, locate bootstrap entrypoints
- Covers activation, deactivation, uninstall, and schema migrations
- Settings API and admin UI patterns with nonces, capabilities, sanitization, and escaping
- Deterministic helper scripts: wp-project-triage and detect_plugins.mjs
- Explicit compatibility: WordPress 6.9+ and PHP 7.2.24+ with optional WP-CLI workflows
- Targets WordPress 6.9+ and PHP 7.2.24+ per skill compatibility metadata
Adoption & trust: 2.9k installs on skills.sh; 1.6k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need a maintainable WordPress plugin but hook lifecycle, Settings API, and security rules are easy to get wrong across files.
Who is it for?
Indie WordPress developers building commercial or custom plugins who want agent procedures aligned to core APIs and Trail-style security defaults.
Skip if: Block-only FSE theme work, headless Next.js frontends with no PHP plugin surface, or teams that refuse Node-based triage scripts in the repo.
When should I use this skill?
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security, and release packaging.
What do I get? / Deliverables
You get a triaged plugin codebase with documented structure, hardened admin and storage patterns, and steps toward a shippable release package.
- Structured plugin bootstrap and hook map
- Settings/admin pages with hardened input handling
- Release packaging checklist output
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Plugin implementation is core Build work once you have validated the product direction. WordPress plugins are server-side PHP extensions—canonical shelf is backend, not frontend theming.
Where it fits
Refactor a monolithic plugin.php into namespaced includes with correct activation hooks.
Add a Settings API options page and cron task for an external API sync.
Audit admin POST handlers for missing nonces and unsafe $wpdb queries.
Prepare plugin zip, assets, and readme for.org or commercial distribution.
How it compares
WordPress plugin lifecycle skill with bundled detect scripts—not a generic PHP CRUD generator or Gutenberg block-only tutorial.
Common Questions / FAQ
Who is wp-plugin-development for?
Solo builders and small teams creating or maintaining WordPress plugins on single-site or multisite installs.
When should I use wp-plugin-development?
During Build backend when structuring plugins; during Ship security for nonce and SQL fixes; during Ship launch when packaging releases and readme assets.
Is wp-plugin-development safe to install?
It runs local Node triage scripts and may use WP-CLI—review the Security Audits panel on this Prism page and run scripts only in trusted plugin repos.
SKILL.md
READMESKILL.md - Wp Plugin Development
# WP Plugin Development ## When to use Use this skill for plugin work such as: - creating or refactoring plugin structure (bootstrap, includes, namespaces/classes) - adding hooks/actions/filters - activation/deactivation/uninstall behavior and migrations - adding settings pages / options / admin UI (Settings API) - security fixes (nonces, capabilities, sanitization/escaping, SQL safety) - packaging a release (build artifacts, readme, assets) ## Inputs required - Repo root + target plugin(s) (path to plugin main file if known). - Where this plugin runs: single site vs multisite; WP.com conventions if applicable. - Target WordPress + PHP versions (affects available APIs and placeholder support in `$wpdb->prepare()`). ## Procedure ### 0) Triage and locate plugin entrypoints 1. Run triage: - `node skills/wp-project-triage/scripts/detect_wp_project.mjs` 2. Detect plugin headers (deterministic scan): - `node skills/wp-plugin-development/scripts/detect_plugins.mjs` If this is a full site repo, pick the specific plugin under `wp-content/plugins/` or `mu-plugins/` before changing code. ### 1) Follow a predictable architecture Guidelines: - Keep a single bootstrap (main plugin file with header). - Avoid heavy side effects at file load time; load on hooks. - Prefer a dedicated loader/class to register hooks. - Keep admin-only code behind `is_admin()` (or admin hooks) to reduce frontend overhead. See: - `references/structure.md` ### 2) Hooks and lifecycle (activation/deactivation/uninstall) Activation hooks are fragile; follow guardrails: - register activation/deactivation hooks at top-level, not inside other hooks - flush rewrite rules only when needed and only after registering CPTs/rules - uninstall should be explicit and safe (`uninstall.php` or `register_uninstall_hook`) See: - `references/lifecycle.md` ### 3) Settings and admin UI (Settings API) Prefer Settings API for options: - `register_setting()`, `add_settings_section()`, `add_settings_field()` - sanitize via `sanitize_callback` See: - `references/settings-api.md` ### 4) Security baseline (always) Before shipping: - Validate/sanitize input early; escape output late. - Use nonces to prevent CSRF *and* capability checks for authorization. - Avoid directly trusting `$_POST` / `$_GET`; use `wp_unslash()` and specific keys. - Use `$wpdb->prepare()` for SQL; avoid building SQL with string concatenation. See: - `references/security.md` ### 5) Data storage, cron, migrations (if needed) - Prefer options for small config; custom tables only if necessary. - For cron tasks, ensure idempotency and provide manual run paths (WP-CLI or admin). - For schema changes, write upgrade routines and store schema version. See: - `references/data-and-cron.md` ## Verification - Plugin activates with no fatals/notices. - Settings save and read correctly (capability + nonce enforced). - Uninstall removes intended data (and nothing else). - Run repo lint/tests (PHPUnit/PHPCS if present) and any JS build steps if the plugin ships assets. ## Failure modes / debugging - Activation hook not firing: - hook registered incorrectly (not in main file scope), wrong main file path, or plugin is network-activated - Settings not saving: - settings not registered, wrong option group, missing capability, nonce failure - Security regressions: - nonce present but missing capability checks; or sanitized input not escaped on output See: - `references/debugging.md` ## Escalation For canonical detail, consult the Plugin Handbook and security guidelines before inventing patterns. #