README

Shared PHPCS ruleset for WordPress projects. Combines WordPress Coding Standards, Slevomat type hints, YoastCS, and PHPCompatibility into a single reusable standard.

Requirements

• PHP 7.4+

Installation

composer require --dev apermo/apermo-coding-standards

The Composer Installer Plugin automatically registers the standard with PHPCS.

Usage

Reference the Apermo standard in your project's phpcs.xml:

<?xml version="1.0"?>
<ruleset name="My Project">
    <file>.</file>
    <arg name="extensions" value="php"/>
    <arg value="-colors"/>
    <arg value="ns"/>

    <rule ref="Apermo"/>
</ruleset>

Then run:

vendor/bin/phpcs

Project Configuration

The Apermo standard includes rules that require project-specific settings. Without these, you either get false positives or miss valid warnings. Copy phpcs.xml.dist.example as a starting point, or add the properties below to your existing phpcs.xml.

Text Domain (text_domain)

WordPress.WP.I18n validates that all translation calls use the correct text domain. Set this to your plugin or theme slug:

<rule ref="WordPress.WP.I18n">
    <properties>
        <property name="text_domain" type="array">
            <element value="my-plugin"/>
        </property>
    </properties>
</rule>

Global Prefixes (prefixes)

WordPress.NamingConventions.PrefixAllGlobals checks that global functions, hooks, constants, and namespace declarations use your project prefix. Two entries are needed because the namespace root is PascalCase while the function/hook prefix is snake_case:

<rule ref="WordPress.NamingConventions.PrefixAllGlobals">
    <properties>
        <property name="prefixes" type="array">
            <element value="My_Plugin"/>
            <element value="my_plugin"/>
        </property>
    </properties>
</rule>

The PascalCase entry allows namespace My_Plugin\Admin; but flags namespace Other\Admin;. The snake_case entry validates function names like my_plugin_init() and hook names like my_plugin_loaded.

For nested namespace roots (e.g. a vendor namespace), set the full root:

<element value="Acme\My_Plugin"/>

This allows namespace Acme\My_Plugin\Admin; but flags namespace Acme\Other;.

Minimum WordPress Version (minimum_wp_version)

Controls which WordPress functions are flagged as deprecated. Set this to the oldest WordPress version your project supports:

<config name="minimum_wp_version" value="6.2"/>

What's Included

Notable Opinions

• Short array syntax ([]) enforced, long array syntax (array()) forbidden
• Short ternary operators allowed
• Yoda conditions disallowed
• Short open echo tags (<?=) allowed
• Type hints enforced for parameters, return types, and properties
• Closures limited to 5 lines
• Use statements must be alphabetically sorted
• Unused imports are flagged
• No more than 1 consecutive empty line (file-level, class-level, between functions)
• require/require_once enforced over include/include_once
• elseif enforced over else if
• Unconditional if statements (if (true)) are errors
• stdClass usage discouraged — new \stdClass() and (object) casts warned
• Hook invocations (do_action, apply_filters) require PHPDoc blocks
• Assignment alignment must be consistent within groups (all aligned or all single-space)
• Nested closures and arrow functions are warned
• exit() enforced over die and bare exit
• Variable names must be at least 4 characters (configurable allowlist)
• Closures must be static when not using $this
• Trailing comma required in multi-line function calls
• Functions limited to 50 lines, classes to 500 lines
• Cognitive complexity flagged (warning > 15, error > 30)
• Unused local variables flagged
• Implicit array creation ($a[] = on undefined) flagged
• ?? required instead of isset() ternary
• Short type hints enforced in PHPDoc (int not integer)
• null must be last in union types (string|null not null|string)
• and/or operators disallowed (use &&/||)
• Alternative control syntax (endif, endwhile) disallowed
• register_rest_route() must include permission_callback
• FILTER_SANITIZE_STRING and related deprecated constants flagged
• add_option()/update_option() must include explicit autoload parameter
• Docblock summaries must be third-person singular per the WordPress documentation standard (Displays… not Display…, no Allows you to… / Lets you… anti-patterns)

REST Permission Callback (Apermo.WordPress.RequireRestPermissionCallback)

Flags register_rest_route() calls without a permission_callback in the args array. Omitting this callback leaves the endpoint open to unauthenticated access — the #1 REST API security hole.

Only array literal args are checked. Variable or function call args are assumed correct (cannot verify statically).

// Bad — endpoint is publicly accessible
register_rest_route( 'myplugin/v1', '/items', [
    'methods'  => 'GET',
    'callback' => 'get_items',
] );

// Good — access is controlled
register_rest_route( 'myplugin/v1', '/items', [
    'methods'             => 'GET',
    'callback'            => 'get_items',
    'permission_callback' => function () {
        return current_user_can( 'read' );
    },
] );

Customization via phpcs.xml:

<!-- Downgrade to warning during migration -->
<rule ref="Apermo.WordPress.RequireRestPermissionCallback.Missing">
    <type>warning</type>
</rule>

No Filter Sanitize String (Apermo.PHP.NoFilterSanitizeString)

Flags deprecated PHP filter constants that give a false sense of security:

// Bad — deprecated, never actually sanitized
$name = filter_input( INPUT_POST, 'name', FILTER_SANITIZE_STRING );

// Good — proper sanitization
$name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );

Customization via phpcs.xml:

<!-- Downgrade to warning -->
<rule ref="Apermo.PHP.NoFilterSanitizeString.Found">
    <type>warning</type>
</rule>

Require Option Autoload (Apermo.WordPress.RequireOptionAutoload)

Warns when add_option() or update_option() is called without an explicit autoload parameter. The default behavior loads the option on every page request — a common performance footgun for options that are rarely needed.

// Bad — silently autoloaded on every page load
add_option( 'my_plugin_log', $data );
update_option( 'my_plugin_cache', $value );

// Good — explicit autoload control
add_option( 'my_plugin_log', $data, '', false );
update_option( 'my_plugin_cache', $value, false );

// Good — using named parameter (PHP 8.0+)
add_option( 'my_plugin_setting', $val, autoload: true );

Customization via phpcs.xml:

<!-- Upgrade to error -->
<rule ref="Apermo.WordPress.RequireOptionAutoload.MissingAutoload">
    <type>error</type>
</rule>

<!-- Disable entirely -->
<rule ref="Apermo.WordPress.RequireOptionAutoload.MissingAutoload">
    <severity>0</severity>
</rule>

Exit Usage (Apermo.PHP.ExitUsage)

Enforces exit() as the canonical form. Flags die, die(), and bare exit (without parentheses). Auto-fixable with phpcbf.

// Bad
die;
die();
die( 'message' );
exit;

// Good
exit();
exit( 1 );
exit( 'message' );

Customization via phpcs.xml:

<!-- Allow die (only flag bare exit) -->
<rule ref="Apermo.PHP.ExitUsage.DieFound">
    <severity>0</severity>
</rule>

Minimum Variable Name Length (Apermo.NamingConventions.MinimumVariableNameLength)

Warns on variable names shorter than 4 characters (excluding $). Common short names are allowed by default: i, id, key, url, row, tag, map, max, min, sql, raw.

// Bad
$pt = get_post_type();
$cb = function () {};

// Good
$post_type = get_post_type();
$callback = function () {};
$id = get_the_ID(); // allowed (in default allowlist)

Customization via phpcs.xml:

<!-- Change minimum length -->
<rule ref="Apermo.NamingConventions.MinimumVariableNameLength">
    <properties>
        <property name="minLength" value="3"/>
    </properties>
</rule>

<!-- Append to the default allowlist -->
<rule ref="Apermo.NamingConventions.MinimumVariableNameLength">
    <properties>
        <property name="allowedShortNames" type="array"
                  extend="true">
            <element value="hex"/>
            <element value="css"/>
        </property>
    </properties>
</rule>

Text Domain Validation

WordPress.WP.I18n text domain checking is active via the WordPress ruleset. See Project Configuration for setup instructions.

Forbidden Nested Closures (Apermo.Functions.ForbiddenNestedClosure)

Closures and arrow functions nested inside other closures or arrow functions are warned. Extract the inner callback to a named function instead.

// Bad — nested closures
$fn = function () {
    $inner = function () {
        return 1;
    };
};

// Bad — nested arrow functions
$fn = fn() => fn() => 1;

// Good — extract to named function
function get_one(): int {
    return 1;
}
$fn = function () {
    $inner = get_one();
};

Customization via phpcs.xml:

<!-- Disable entirely -->
<rule ref="Apermo.Functions.ForbiddenNestedClosure.NestedClosure">
    <severity>0</severity>
</rule>

Commented-Out Code (Apermo.PHP.ExplainCommentedOutCode)

Commented-out PHP code in // comments must be preceded by a /** */ doc-block explanation starting with a recognized keyword:

Examples:

/** Disabled: Plugin doesn't support PHP 8.3 yet. */
// add_action( 'init', 'my_func' );

/** Review (2026-02-14): Found during refactor, unclear if still needed. */
// register_post_type( 'legacy_type', $args );

An optional date in YYYY-MM-DD format can be added in parentheses after the keyword.

Supersedes Squiz.PHP.CommentedOutCode — that rule is disabled automatically.

Customization via phpcs.xml:

<!-- Add custom keywords -->
<rule ref="Apermo.PHP.ExplainCommentedOutCode">
    <properties>
        <property name="keywords" value="Disabled,Kept,Debug,Review,WIP,Deprecated"/>
    </properties>
</rule>

<!-- Downgrade to warning instead of error -->
<rule ref="Apermo.PHP.ExplainCommentedOutCode">
    <properties>
        <property name="error" value="false"/>
    </properties>
</rule>

Multiple Empty Lines (Apermo.WhiteSpace.MultipleEmptyLines)

No more than one consecutive empty line is allowed outside functions and closures. Inside functions, Squiz.WhiteSpace.SuperfluousWhitespace already enforces this.

Auto-fixable with phpcbf.

// Bad — 2+ consecutive empty lines at file/class level
$a = 1;


$b = 2;

// Good — at most 1 empty line
$a = 1;

$b = 2;

Customization via phpcs.xml:

<!-- Downgrade to warning -->
<rule ref="Apermo.WhiteSpace.MultipleEmptyLines">
    <type>warning</type>
</rule>

<!-- Disable entirely -->
<rule ref="Apermo.WhiteSpace.MultipleEmptyLines.MultipleEmptyLines">
    <severity>0</severity>
</rule>

Require Not Include (Apermo.PHP.RequireNotInclude)

include and include_once are forbidden because they silently continue on failure. Use require/require_once instead.

Not auto-fixable (changing include to require may alter behavior).

// Bad
include 'file.php';
include_once 'helpers.php';

// Good
require 'file.php';
require_once 'helpers.php';

Use // phpcs:ignore Apermo.PHP.RequireNotInclude to suppress when include is genuinely intended.

Separate error codes (IncludeFound, IncludeOnceFound) allow independent configuration:

<!-- Allow include but not include_once -->
<rule ref="Apermo.PHP.RequireNotInclude.IncludeFound">
    <severity>0</severity>
</rule>

Array Complexity (Apermo.DataStructures.ArrayComplexity)

Flags deeply nested or wide associative arrays that would benefit from typed objects (DTOs, value objects). Arrays with many string keys or deep nesting often indicate data structures that should be classes.

Three independent checks. The first two apply to array literals (advisory, since literals often mirror external WordPress API shapes the caller does not own). The third applies to custom function, method, and closure parameters whose default value or PHPStan/Psalm @param array{...} shape is complex — those are errors, because the signature author owns the shape and can refactor to a DTO.

Default thresholds for literals are tuned so idiomatic WordPress usage (a WP_Query call with meta_query, a 7-key arg set to register_post_type, etc.) stays silent. Genuinely monolithic shapes still surface.

Only outermost literal arrays are checked — nested sub-arrays are not reported separately. Numeric arrays (without =>) are ignored entirely. The canonical fix for a literal TooDeep warning is to extract the complex sub-array into its own variable.

// Warning — 4 levels of associative nesting (literal)
$order = [
    'customer' => [
        'address' => [
            'details' => [
                'city' => 'Berlin',
            ],
        ],
    ],
];

// Warning — 11 associative keys (literal)
$user = [
    'id' => 1, 'name' => 'John', 'email' => 'j@example.tld',
    'role' => 'admin', 'active' => true, 'verified' => true,
    'locale' => 'en', 'tz' => 'UTC', 'theme' => 'dark',
    'mfa' => true, 'notifications' => 'email',
];

// OK — numeric arrays are ignored
$grid = [ [ 1, 2 ], [ 3, 4 ] ];

// Error — parameter default with 6 top-level keys (ComplexParameterKeys)
function make( array $opts = [
    'a' => 1, 'b' => 2, 'c' => 3,
    'd' => 4, 'e' => 5, 'f' => 6,
] ): void {}

// Error — @param shape exceeds parameterMaxDepth (ComplexParameterDepth)
/**
 * @param array{a: array{b: array{c: int}}} $opts
 */
function handle( array $opts ): void {}

// Good — refactor to a DTO
function handle( Options $opts ): void {}

Customization via phpcs.xml:

<!-- Adjust literal thresholds -->
<rule ref="Apermo.DataStructures.ArrayComplexity">
    <properties>
        <property name="warnDepth" value="3"/>
        <property name="errorDepth" value="5"/>
        <property name="warnKeys" value="8"/>
        <property name="errorKeys" value="15"/>
    </properties>
</rule>

<!-- Loosen or tighten the parameter-shape check -->
<rule ref="Apermo.DataStructures.ArrayComplexity">
    <properties>
        <property name="parameterMaxKeys" value="8"/>
        <property name="parameterMaxDepth" value="3"/>
    </properties>
</rule>

<!-- Disable key count checks entirely -->
<rule ref="Apermo.DataStructures.ArrayComplexity.TooManyKeys">
    <severity>0</severity>
</rule>
<rule ref="Apermo.DataStructures.ArrayComplexity.TooManyKeysError">
    <severity>0</severity>
</rule>

<!-- Disable parameter-shape checks entirely -->
<rule ref="Apermo.DataStructures.ArrayComplexity.ComplexParameterKeys">
    <severity>0</severity>
</rule>
<rule ref="Apermo.DataStructures.ArrayComplexity.ComplexParameterDepth">
    <severity>0</severity>
</rule>

Global Post Access (Apermo.WordPress.GlobalPostAccess)

Flags global $post; inside functions, methods, closures, and arrow functions. Top-level (template) usage is allowed because the WordPress loop sets $post there. Functions should receive WP_Post or a post ID as a parameter.

// Bad — hidden dependency on global state
function get_title() {
    global $post;
    return $post->post_title;
}

// Good — explicit dependency
function get_title( WP_Post $post ) {
    return $post->post_title;
}

Implicit Post Function (Apermo.WordPress.ImplicitPostFunction)

Flags WordPress template functions called without an explicit post argument inside function scopes. These functions implicitly read the global $post, creating hidden dependencies.

Severity depends on what was passed, not which function:

// Bad — implicit global access inside function
function render() {
    $title = get_the_title();        // error: MissingArgument
    $id    = get_the_ID();           // error: NoPostParameter
    get_the_title( null );           // error: NullArgument
    get_the_title( $post->ID );      // warning: IntegerArgument
}

// Good — explicit post argument
function render( WP_Post $post ) {
    $title = get_the_title( $post );
    $id    = $post->ID;
}

Customization via phpcs.xml:

<!-- Downgrade to warning during migration -->
<rule ref="Apermo.WordPress.ImplicitPostFunction.MissingArgument">
    <type>warning</type>
</rule>

<!-- Disable NoPostParameter errors entirely -->
<rule ref="Apermo.WordPress.ImplicitPostFunction.NoPostParameter">
    <severity>0</severity>
</rule>

Forbidden stdClass (Apermo.PHP.ForbiddenObjectCast + SlevomatCodingStandard.PHP.ForbiddenClasses)

Discourages stdClass usage in favor of typed classes. Two rules work together:

• Apermo.PHP.ForbiddenObjectCast warns on (object) casts
• SlevomatCodingStandard.PHP.ForbiddenClasses warns on new \stdClass()

Both emit warnings (not errors) to allow gradual migration.

// Bad — untyped data bags
$config = (object) [ 'host' => 'localhost', 'port' => 3306 ];
$dto = new \stdClass();

// Good — typed classes
class DbConfig {
    public function __construct(
        public string $host,
        public int $port,
    ) {}
}
$config = new DbConfig( 'localhost', 3306 );

Customization via phpcs.xml:

<!-- Disable the (object) cast warning -->
<rule ref="Apermo.PHP.ForbiddenObjectCast.Found">
    <severity>0</severity>
</rule>

<!-- Disable the new stdClass() warning -->
<rule ref="SlevomatCodingStandard.PHP.ForbiddenClasses">
    <severity>0</severity>
</rule>

Hook Documentation (Apermo.Hooks.RequireHookDocBlock)

WordPress hook invocations (do_action, apply_filters, and their _ref_array and _deprecated variants) must be preceded by a PHPDoc block.

The sniff checks:

All violations are errors.

// Bad — no documentation
do_action( 'my_plugin_init', $config );

// Good — documented hook
/**
 * Fires after plugin initialization.
 *
 * @param array $config Plugin configuration.
 */
do_action( 'my_plugin_init', $config );

// Bad — filter missing @return
/**
 * @param string $title The title.
 */
apply_filters( 'my_title', $title );

// Good — filter with @return
/**
 * Filters the display title.
 *
 * @param string $title The title.
 *
 * @return string Filtered title.
 */
apply_filters( 'my_title', $title );

Customization via phpcs.xml:

<!-- Disable entirely -->
<rule ref="Apermo.Hooks.RequireHookDocBlock">
    <severity>0</severity>
</rule>

<!-- Only require doc blocks, skip param/return checks -->
<rule ref="Apermo.Hooks.RequireHookDocBlock.MissingParam">
    <severity>0</severity>
</rule>
<rule ref="Apermo.Hooks.RequireHookDocBlock.MissingReturn">
    <severity>0</severity>
</rule>

Docblock Summary Style (Apermo.Commenting.DocSummaryStyle)

Enforces third-person singular docblock summaries per the WordPress PHP Documentation Standards. The rule of thumb: prepending "It" to the summary must read grammatically — Displays the post title. ("It displays…") passes; Display the post title. ("It display…") does not.

Applies to function, method, class, interface, trait, and enum docblocks. Property, constant, and bare-variable docblocks are skipped — their summaries are idiomatically noun-form.

Three layered checks, evaluated in order. First match wins.

Whitelist (pass-through): Callback, Wrapper, Helper, Utility, Alias, Shortcut. Common noun-lead openers that WordPress style tolerates.

All violations are warnings. No autofixer — rewriting verb forms reliably requires handling irregulars (Do→Does, Have→Has, Go→Goes) that a naive +s rule gets wrong.

// Warning — "Display" doesn't end in s (NotThirdPerson)
/** Display the date. */
function render_date(): void {}

// Warning — "Process" is a bare infinitive (BareInfinitive)
/** Process the queue. */
function handle_queue(): void {}

// Warning — "Allows you to" is an anti-pattern (AntiPattern)
/** Allows you to modify the post content. */

// Good — third-person singular
/** Displays the last modified date for a post. */
function render_date(): void {}

/** Filters the post content before rendering. */

/** Fires after the plugin is initialized. */

/** Callback for the save_post action. */  // whitelist passes

// Skipped — property docblock (noun-form is idiomatic)
class User {
    /** The user's display name. */
    public string $name = '';
}

Customization via phpcs.xml:

<!-- Extend the whitelist of accepted noun-lead openers -->
<rule ref="Apermo.Commenting.DocSummaryStyle">
    <properties>
        <property name="whitelist" type="array"
                  value="Callback,Wrapper,Helper,Utility,Alias,Shortcut,Handler,Matcher"/>
    </properties>
</rule>

<!-- Extend the anti-pattern list -->
<rule ref="Apermo.Commenting.DocSummaryStyle">
    <properties>
        <property name="antiPatterns" type="array"
                  value="Allows you to,Lets you,Used to,This function,This method,This class,Meant to"/>
    </properties>
</rule>

<!-- Disable a specific error code -->
<rule ref="Apermo.Commenting.DocSummaryStyle.AntiPattern">
    <severity>0</severity>
</rule>

Consistent Assignment Alignment (Apermo.Formatting.ConsistentAssignmentAlignment)

Consecutive assignment statements must use a consistent style: either all = operators are aligned to the same column, or all use a single space before =. Mixing styles within a group is warned. Auto-fixable with phpcbf — deviators are adjusted to match the majority style.

Groups where all operators are aligned but padded beyond the longest variable + 1 space are flagged as OverAligned errors (not auto-fixable).

A group of assignments breaks on: blank lines, non-assignment statements, or EOF.

Supersedes Generic.Formatting.MultipleStatementAlignment — that rule is disabled automatically.

// OK — all single-space
$a = 1;
$bb = 2;
$ccc = 3;

// OK — all aligned
$a   = 1;
$bb  = 2;
$ccc = 3;

// Warning (fixable) — mixed styles
$short = 1;
$veryLongName = 2;
$x            = 3;

// Error — over-aligned
$short     = 1;
$medium    = 2;
$long      = 3;

Customization via phpcs.xml:

<!-- Disable inconsistency warnings -->
<rule ref="Apermo.Formatting.ConsistentAssignmentAlignment.InconsistentAlignment">
    <severity>0</severity>
</rule>

<!-- Disable over-alignment errors -->
<rule ref="Apermo.Formatting.ConsistentAssignmentAlignment.OverAligned">
    <severity>0</severity>
</rule>

Consistent Double Arrow Alignment (Apermo.Arrays.ConsistentDoubleArrowAlignment)

Multi-line associative arrays must use a consistent => style: either all arrows are aligned to the same column, or all use a single space before =>. Mixing styles within an array is warned. Auto-fixable with phpcbf — deviators are adjusted to match the majority style.

Arrays where all arrows are aligned but padded beyond the longest key + 1 space are flagged as OverAligned errors (not auto-fixable).

Only outermost arrays are checked — nested sub-arrays are analyzed independently. Single-line arrays are skipped.

Supersedes WordPress.Arrays.MultipleStatementAlignment — that rule is disabled automatically.

// OK — all single-space
$config = [
    'host' => 'localhost',
    'port' => 3306,
    'database' => 'mydb',
];

// OK — all aligned
$config = [
    'host'     => 'localhost',
    'port'     => 3306,
    'database' => 'mydb',
];

// Warning (fixable) — mixed styles
$config = [
    'host' => 'localhost',
    'port' => 3306,
    'database_name' => 'mydb',
    'x'             => 'value',
];

// Error — over-aligned
$config = [
    'a'      => 1,
    'bb'     => 2,
    'ccc'    => 3,
];

Customization via phpcs.xml:

<!-- Disable inconsistency warnings -->
<rule ref="Apermo.Arrays.ConsistentDoubleArrowAlignment.InconsistentAlignment">
    <severity>0</severity>
</rule>

<!-- Disable over-alignment errors -->
<rule ref="Apermo.Arrays.ConsistentDoubleArrowAlignment.OverAligned">
    <severity>0</severity>
</rule>

Elseif Over Else If (PSR2.ControlStructures.ElseIfDeclaration)

else if must be written as elseif. Upgraded from the PSR2 default warning to an error.

Auto-fixable with phpcbf.

// Bad
if ( $a ) {
    // ...
} else if ( $b ) {
    // ...
}

// Good
if ( $a ) {
    // ...
} elseif ( $b ) {
    // ...
}

Custom Sniffs

Place custom sniffs in Apermo/Sniffs/<Category>/<SniffName>Sniff.php. PHPCS discovers them automatically.

Example: Apermo/Sniffs/Naming/FunctionPrefixSniff.php is referenced as Apermo.Naming.FunctionPrefix.

Contributing

Development

composer install       # Install dependencies
composer test          # Run PHPUnit tests
composer analyse       # Run PHPStan static analysis

Release Process

1. Create a release/X.Y.Z branch from main
2. Update CHANGELOG.md with the version heading and release date
3. Open a PR — CI runs tests, PHPStan, and validates the changelog
4. Merge the PR — GitHub Actions creates a draft release with the tag
5. Review and publish the draft release on GitHub

AI Disclaimer

This project is developed with major assistance from Claude Code (Anthropic). Claude handles the bulk of the implementation — writing sniffs, tests, fixtures, CI workflows, and documentation — while the maintainer reviews, steers, and makes final decisions. Projects with stricter rules regarding the use of AI-generated code should refrain from forking or reusing code from this repository.

License

MIT