WordPress

Security and coding standards rules for WordPress themes and plugins.

Enabled Rules

Rule	Severity	Description
`security/secret-detection`	block	Detects database credentials and auth keys in theme/plugin files
`security/env-exposure`	block	Prevents `wp-config.php` secrets from leaking
`quality/naming-conventions`	block	WordPress naming conventions (snake_case functions, prefixed globals)
`quality/anti-patterns`	warn	Direct database queries without `$wpdb->prepare()`
`workflow/migration-safety`	warn	Flags dangerous SQL in activation/deactivation hooks

import { defineConfig } from '@solanticai/vguard';

export default defineConfig({
  presets: ['wordpress'],
});

No hardcoded credentials — Blocks database passwords, auth salts, and API keys written directly in PHP files. Use wp-config.php with environment variables.
Naming conventions — Functions must be snake_case with a plugin/theme prefix (mytheme_enqueue_scripts). Classes use PascalCase with prefix.
SQL injection prevention — Warns when $wpdb->query() is called without $wpdb->prepare() for parameterized queries.
Migration safety — Flags DROP TABLE and destructive SQL in plugin activation/deactivation hooks.