This issue tracks checks that should either be moved to update mode (downgraded or skipped for existing plugins), or whose current enforcement level needs clarification to avoid over-enforcement during reviews.
Checks that should move to update mode
1. outdated_tested_upto_header
Current behavior: Fires as an ERROR (severity 7) when the Tested up to value in readme.txt/readme.md is behind the latest WordPress version.
Argument: The consequence of an outdated Tested up to header is a lower search ranking on WordPress.org — not a functional or security issue. For a new plugin submission this is a reasonable hard requirement. For an existing plugin already in the directory, the penalty is already being applied by the directory itself. Flagging it as an error in update mode adds noise without actionable urgency.
Proposed change: In update mode, downgrade to a WARNING or lower severity.
2. plugin_header_nonexistent_domain_path
Current behavior: Fires as a WARNING (severity 6) when the Domain Path header in the main plugin file points to a folder that doesn't exist.
Argument: A Domain Path: /languages/ header pointing to a non-existent folder has zero functional impact — WordPress simply won't find .mo files there, which is the same outcome as if the header weren't present at all. For a new submission this is a reasonable quality check; for an existing plugin in update mode it is cosmetic noise.
Proposed change: In update mode, skip this check entirely or downgrade to an informational notice.
Checks that should NOT change — clarification only
3. Missing ABSPATH check (Direct_File_Access_Check)
Current behavior: Flags PHP files that lack a direct access guard (e.g., if ( ! defined( 'ABSPATH' ) ) exit;).
Clarification: This check is controversial — many modern setups (autoloaders, files never directly web-accessible) make the guard redundant. It should not be treated as a critical/blocking issue during reviews. The current non-critical warning level is appropriate; escalating it in either mode would generate too many false positives.
Proposed change: No change to severity or mode. Document the controversy explicitly so reviewers don't over-enforce it.
4. Heredoc (<<<) vs. Nowdoc (<<<')
Current behavior: Heredoc syntax is flagged via the WPCS WordPress-Core ruleset (T_HEREDOC). Nowdoc is already allowed.
Clarification: This distinction is intentional and correct and should remain as-is:
- Heredoc (<<<LABEL) supports variable interpolation — unescaped variables inside a heredoc bypass output escaping, making it a legitimate security concern.
- Nowdoc (<<<'LABEL') behaves like a single-quoted string with no interpolation and is safe.
Proposed change: No change. Keep heredoc flagged; nowdoc remains permitted.
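The heredoc/nowdoc distinction from item 4, shown as an added example (not Plugin Check or WPCS code): a short script that uses PHP's built-in tokenizer to list each heredoc and nowdoc in a constructed sample, together with the variables it interpolates. The function name list_doc_strings and the sample source are assumptions made for illustration.

```php
<?php
// Added illustration; not part of Plugin Check or WPCS.
// Constructed sample source: it is only tokenized here, never executed.
$sample = <<<'SRC'
<?php
$name = $_GET['name'];
$safe = esc_html( $name );
echo <<<HTML
<p>Hello $name</p>
HTML;
echo <<<HTML
<p>Hello {$safe}</p>
HTML;
echo <<<'HTML'
<p>Hello $name</p>
HTML;
SRC;

// Hypothetical helper: returns one entry per heredoc/nowdoc found in $source.
function list_doc_strings(string $source): array
{
    $found = [];
    $open  = null; // the doc string currently being read, if any
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens carry no id or line number
        }
        [$id, $text, $line] = $token;
        if ($id === T_START_HEREDOC) {
            // PHP emits T_START_HEREDOC for both forms; a nowdoc opener
            // is the one whose label is wrapped in single quotes.
            $kind = strpos($text, "'") !== false ? 'nowdoc' : 'heredoc';
            $open = ['line' => $line, 'kind' => $kind, 'vars' => []];
        } elseif ($open !== null && ($id === T_VARIABLE || $id === T_STRING_VARNAME)) {
            $open['vars'][] = $text; // interpolated variable inside the body
        } elseif ($open !== null && $id === T_END_HEREDOC) {
            $found[] = $open;
            $open    = null;
        }
    }
    return $found;
}

foreach (list_doc_strings($sample) as $doc) {
    $vars = $doc['vars'] ? implode(', ', $doc['vars']) : 'none';
    printf("line %d: %s, interpolated variables: %s\n", $doc['line'], $doc['kind'], $vars);
}
```

Both heredocs are reported with an interpolated variable even though only one of them receives unescaped input; a token-level check sees the interpolation but not whether the value was escaped first. The nowdoc body contains the same `$name` text but yields no variable token.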