Guide

How to review a WordPress plugin with Claude Code

If you want Claude Code to give you more than generic PHP advice, you need a review flow that understands WordPress plugin architecture, hooks, Settings API patterns, REST routes, admin screens, data migrations, and release risk. This guide shows how to use the WordPress Skills pack for a practical plugin review.

What this workflow is good for

  • Pre-release plugin reviews
  • Security and performance triage before a client handoff
  • Architecture review for a plugin that has grown messy over time
  • WooCommerce, REST API, admin UI, or migration-specific audits

Step 1: Install the WordPress plugin pack

git submodule add https://github.com/jorgerosal/wordpress-skills.git .claude/plugins/wordpress-skills

git commit -m "Add WordPress Claude skills"

Once the pack is installed as a Claude Code plugin, its commands are namespaced, so the full review command looks like this:

/wordpress-skills:wp-plugin-review wp-content/plugins/my-plugin

Step 2: Start with the right review command

Use the full review command when you want architecture and fix guidance, or the fast scan when you need triage.

  • /wordpress-skills:wp-plugin-review [path] — full plugin review
  • /wordpress-skills:wp-plugin [path] — quick plugin triage
  • /wordpress-skills:wp-sec-review [path] — deep security review
  • /wordpress-skills:wp-perf-review [path] — deep performance review

Step 3: Ask in natural language when that fits your workflow

Review this WordPress plugin for security and architecture issues
Check this plugin release for migration risk
Audit this WooCommerce extension for HPOS compatibility
Review this plugin settings page and admin notices

The pack is structured so Claude Code can map these requests to the right domain instead of flattening everything into a single vague checklist.

What a strong plugin review should cover

Architecture

  • Plugin bootstrap layout and autoloading
  • Activation, deactivation, and uninstall behavior
  • Hook organization and side-effect boundaries
  • Settings API and admin screen structure

Security

  • Escaping, sanitization, and validation gaps
  • Nonce verification and capability checks
  • SQL query safety and upload handling
  • REST API permission callback quality

Performance

  • Heavy queries, N+1 patterns, and page-load writes
  • Cron or Action Scheduler misuse
  • Admin-only logic leaking into frontend requests
  • Asset loading and cache strategy issues

Release readiness

  • Schema changes and backfill safety
  • Rollback risk
  • WordPress.org standards and packaging issues
  • Testing gaps before shipping

Example output shape

Critical — Missing capability check before plugin settings save
- File: includes/admin/class-settings-page.php:88
- Why it matters: authenticated low-privilege users may be able to change plugin behavior
- Fix: gate the handler with current_user_can(...) before processing input

Warning — Expensive meta query inside frontend request loop
- File: includes/class-catalog.php:214
- Why it matters: high-cardinality postmeta lookups can slow product/category pages
- Fix: reduce per-request queries, cache IDs, or redesign the data model
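The Critical finding above (a settings save handler with no capability check) and the nonce, sanitization, escaping and REST permission items in the Security checklist, shown as the weak handler beside a hardened one. This is an added example, not code from the wordpress-skills pack or from any real plugin: the slug myplugin, the option myplugin_api_endpoint, the admin_post action, nonce and field names, and the REST route are all assumed for illustration. The core functions it calls (check_admin_referer, current_user_can, esc_url_raw, wp_nonce_field, register_rest_route) are real WordPress APIs.

```php
<?php
/**
 * Added example (not from the wordpress-skills pack or any real plugin).
 * Plugin slug, option name, hook names, nonce action and field names are
 * hypothetical; the WordPress functions are real core APIs.
 */

// --- Before: what the Critical finding describes --------------------------
// admin_post_{action} fires for any logged-in user, and the raw POST value
// is written straight into the option. No nonce, no capability, no sanitizing.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_weak' );
function myplugin_save_settings_weak() {
    update_option( 'myplugin_api_endpoint', $_POST['api_endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- After: nonce, capability, sanitize, validate, escape on output -------
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );
function myplugin_save_settings_hardened() {
    // 1. Nonce: the request must come from our own form (CSRF defence).
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // 2. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitize for storage, then validate: the endpoint must be an https:// URL.
    $endpoint = isset( $_POST['api_endpoint'] ) ? esc_url_raw( wp_unslash( $_POST['api_endpoint'] ) ) : '';
    if ( '' === $endpoint || 'https' !== wp_parse_url( $endpoint, PHP_URL_SCHEME ) ) {
        wp_die( esc_html__( 'The API endpoint must be an https:// URL.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    update_option( 'myplugin_api_endpoint', $endpoint );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}

// The matching form: emits the nonce field the handler checks and escapes
// the stored value on output (esc_attr for an attribute, esc_url for the action).
function myplugin_render_settings_form() {
    $endpoint = get_option( 'myplugin_api_endpoint', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="url" name="api_endpoint" value="<?php echo esc_attr( $endpoint ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// --- REST route: the permission_callback the Security checklist asks about
// A '__return_true' permission_callback would expose the option to anyone;
// tie the read to the same capability that governs the write.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( array(
                'api_endpoint' => get_option( 'myplugin_api_endpoint', '' ),
            ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

A reviewer checking the "before" handler can confirm the finding in three greps: no check_admin_referer or wp_verify_nonce, no current_user_can, and a raw $_POST value reaching update_option. The hardened version keeps the order nonce, capability, sanitize, validate, because a failed nonce should stop the request before any other work happens.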
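The Warning finding above (an expensive meta query inside a frontend loop) and the N+1 and cache-strategy items in the Performance checklist, shown as the slow loop beside a version that does the same work with one query plus a transient. This is an added example, not code from the wordpress-skills pack or any real plugin: the meta key _price, the option myplugin_prices_version, the transient name and the function names are assumed for illustration; update_meta_cache, get_transient, set_transient and the updated_post_meta hook are real WordPress APIs.

```php
<?php
/**
 * Added example (not from the wordpress-skills pack or any real plugin).
 * Meta key, option name, transient prefix and function names are hypothetical.
 */

// --- Before: one postmeta SELECT per product on every page view -------------
function myplugin_featured_prices_slow( array $product_ids ) {
    $prices = array();
    foreach ( $product_ids as $id ) {
        // When the IDs come from a 'fields' => 'ids' query or raw $wpdb SQL,
        // nothing has primed the meta cache, so each call is its own query.
        $prices[ $id ] = (float) get_post_meta( $id, '_price', true );
    }
    return $prices;
}

// --- After: prime the meta cache in one query, then memoize the result ------
function myplugin_featured_prices_fast( array $product_ids ) {
    $product_ids = array_map( 'intval', $product_ids );
    if ( empty( $product_ids ) ) {
        return array();
    }

    // A version stamp in the key lets us invalidate every cached list at once.
    $version   = (int) get_option( 'myplugin_prices_version', 0 );
    $cache_key = 'myplugin_prices_' . $version . '_' . md5( implode( ',', $product_ids ) );

    $cached = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }

    // One SELECT loads all meta rows for these IDs into the object cache;
    // the get_post_meta() calls below become in-memory lookups.
    update_meta_cache( 'post', $product_ids );

    $prices = array();
    foreach ( $product_ids as $id ) {
        $prices[ $id ] = (float) get_post_meta( $id, '_price', true );
    }

    set_transient( $cache_key, $prices, 5 * MINUTE_IN_SECONDS );
    return $prices;
}

// Invalidate when a price changes instead of serving stale data until the TTL ends.
add_action( 'updated_post_meta', function ( $meta_id, $post_id, $meta_key ) {
    if ( '_price' === $meta_key ) {
        // Bumping the version changes every cache key; old transients simply expire.
        update_option( 'myplugin_prices_version', time(), false );
    }
}, 10, 3 );
```

The two halves of the fix are independent: update_meta_cache alone turns N queries into one per request, and the transient removes even that one on repeat views. On a high-traffic category page the second half matters most, which is why the invalidation hook is part of the example rather than an afterthought.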

Related commands to branch into

  • Use /wordpress-skills:wp-woo-review for WooCommerce-specific extensions
  • Use /wordpress-skills:wp-rest-review for custom REST controllers and routes
  • Use /wordpress-skills:wp-migration-review when versioned upgrades are risky
  • Use /wordpress-skills:wp-test-review to turn findings into a test plan

Why this page exists

Developers search for very specific workflows, such as "how to review a WordPress plugin with Claude Code", "WordPress plugin security review", or "AI WordPress code review checklist". This page is meant to be a direct, example-driven landing page for that intent.