
How to review a WordPress REST API with Claude Code

Many WordPress REST API bugs hide in permission callbacks, argument validation, schema drift, and route versioning decisions. If the project powers a headless frontend, a mobile app, or custom admin tooling, those issues get expensive fast. This guide shows how to use the wp-rest-api-development skill in Claude Code for a more precise REST API review.

When this review matters most

  • Custom route registration in plugins or themes
  • Headless WordPress projects with Next.js, Astro, or mobile clients
  • Authenticated admin or editor workflows built on REST endpoints
  • Plugin releases that add or change API behavior

Start with the REST review command

/wp-rest-review wp-content/plugins/my-api-plugin

Use the faster scan when you want to triage first:

/wp-rest wp-content/plugins/my-api-plugin

Natural language prompts that work well

Review these custom WordPress REST routes
Check this permission_callback logic for security issues
Audit this headless WordPress API before launch
Review this plugin API schema and request validation

What a strong REST API review should cover

Routes and permissions

  • Route naming and namespace hygiene (a versioned namespace such as plugin/v1, no collisions with core or other plugins)
  • permission_callback quality: capability checks bound to the object being read or written, not just "is the user logged in"
  • Anonymous access that is broader than intended (__return_true or a missing permission_callback on a route that writes or reads private data)
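Anonymous access to write routes can be checked mechanically before reading a line of controller code. The script below is an added example, not part of this guide or of the skill; it assumes WP-CLI is installed on the site so that WordPress and every active plugin are loaded, and the file name is an assumption. It walks every registered route and prints the write handlers whose permission_callback is missing or is __return_true.

```php
<?php
/**
 * Added example: list REST write routes that have no real permission gate.
 * Run on the site with WP-CLI, which loads WordPress and all plugins:
 *   wp eval-file audit-rest-permissions.php
 * The file name is an assumption; nothing here is plugin-specific.
 */

$write_methods = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
$findings      = array();

// rest_get_server() fires rest_api_init, so every plugin route is registered
// before get_routes() returns the route => handlers map.
foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
    foreach ( $handlers as $handler ) {
        // get_routes() normalizes 'methods' to an array keyed by HTTP method,
        // e.g. array( 'POST' => true ).
        $declared = isset( $handler['methods'] ) ? (array) $handler['methods'] : array();
        $methods  = array_keys( array_filter( $declared ) );
        $writes   = array_intersect( $methods, $write_methods );
        if ( empty( $writes ) ) {
            continue;
        }

        if ( ! isset( $handler['permission_callback'] ) ) {
            // Since WordPress 5.5 this also triggers a _doing_it_wrong notice at
            // registration time, but the route is still dispatched without a check.
            $findings[] = array( $route, implode( ',', $writes ), 'missing permission_callback' );
        } elseif ( '__return_true' === $handler['permission_callback'] ) {
            $findings[] = array( $route, implode( ',', $writes ), 'permission_callback is __return_true' );
        }
    }
}

if ( empty( $findings ) ) {
    echo "No write routes without a permission gate.\n";
    exit( 0 );
}

printf( "%-45s %-20s %s\n", 'ROUTE', 'METHODS', 'FINDING' );
foreach ( $findings as $finding ) {
    printf( "%-45s %-20s %s\n", $finding[0], $finding[1], $finding[2] );
}

// Non-zero exit so the script can gate a CI job on plugin releases.
exit( 1 );
```

Two caveats. The check is purely static on the registered callback value, so a closure that simply returns true, or a callback that only tests is_user_logged_in(), is not flagged and still needs a manual read. Read routes are skipped entirely; a GET route with __return_true that exposes draft or private data is the other half of the "anonymous access" item and has to be reviewed by hand. Expect core's /batch/v1 endpoint to appear in the output: it deliberately uses __return_true and authorizes each batched request individually.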

Validation and sanitization

  • Request arg definitions, types and defaults (only declared args are validated and sanitized before the callback runs; an arg with a declared type gets schema validation by default, while an undeclared param passes through untouched)
  • Validation callbacks that actually reject bad input rather than coercing it silently
  • Sanitization that matches the storage and response model (the value written to the database is the value the schema promises back)

Response design

  • Stable response shape and error structure (WP_Error objects with a code, message and status rather than ad hoc arrays)
  • Correct status codes for failures and edge cases (401 for unauthenticated, 403 for unauthorized, 400 for invalid args, 404 for a missing object)
  • Schema quality for clients that rely on predictable fields

Headless WordPress concerns

  • Preview and draft-access flows (draft and private content must stay unreadable to anonymous clients, including through search and _embed expansion)
  • Caching behavior and invalidation assumptions (responses that vary by user must not be served from a shared cache or CDN)
  • Versioning strategy for frontend clients that ship independently (a new namespace version for breaking changes rather than in-place field changes)

Example output shape

Critical — permission_callback returns true for a write route that updates post meta
- File: includes/rest/class-settings-controller.php:58
- Why it matters: any caller, anonymous requests included, can mutate content or settings that should require a capability check
- Fix: gate the route with a capability-aware callback and verify object-level authorization rules

Warning — Route accepts unsanitized query args and returns unstable field shapes
- File: includes/rest/class-catalog-controller.php:117
- Why it matters: client assumptions become brittle and invalid input can leak into query construction
- Fix: define args with validation/sanitization callbacks and normalize the response schema
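Both findings above fixed in one route, as an added example rather than code from the guide, the skill or any real plugin. The namespace my-api/v1, the route paths, the text domain and the meta key _my_api_featured are assumptions for illustration; every function called is WordPress core. The first registration is what the Critical finding looks like, the second is the hardened form.

```php
<?php
/**
 * Added example (not a real plugin): a write route that toggles a post's
 * "featured" meta flag. Namespace, route paths, text domain and the meta key
 * _my_api_featured are assumptions for illustration.
 */

add_action( 'rest_api_init', function () {

    // BEFORE: what the Critical finding looks like. Any request, including an
    // anonymous one, can flip the flag on any post, and the raw "featured"
    // value goes straight into post meta with no validation.
    register_rest_route( 'my-api/v1', '/featured-insecure/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            update_post_meta( (int) $request['id'], '_my_api_featured', $request['featured'] );
            return array( 'ok' => true );
        },
    ) );

    // AFTER: capability check bound to the specific post, typed and validated
    // arguments, WP_Error with a status code, and a declared response schema.
    register_rest_route( 'my-api/v1', '/featured/(?P<id>\d+)', array(
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'permission_callback' => function ( WP_REST_Request $request ) {
                $post_id = (int) $request['id'];
                // Object-level authorization: edit_post is checked for this
                // post, not a blanket edit_posts capability.
                if ( ! current_user_can( 'edit_post', $post_id ) ) {
                    return new WP_Error(
                        'rest_forbidden',
                        __( 'You cannot edit this post.', 'my-api' ),
                        // 401 when not logged in, 403 when logged in but unauthorized.
                        array( 'status' => rest_authorization_required_code() )
                    );
                }
                return true;
            },
            'args'                => array(
                'id'       => array(
                    'type'              => 'integer',
                    'required'          => true,
                    'sanitize_callback' => 'absint',
                    // Reject IDs that do not resolve to a post before the callback runs.
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && get_post( (int) $value ) instanceof WP_Post;
                    },
                ),
                'featured' => array(
                    'type'              => 'boolean',
                    'required'          => true,
                    'sanitize_callback' => 'rest_sanitize_boolean',
                    'validate_callback' => 'rest_is_boolean',
                ),
            ),
            'callback'            => function ( WP_REST_Request $request ) {
                $post_id  = (int) $request['id'];
                $featured = (bool) $request['featured'];
                // Store a normalized value, not whatever the client sent.
                update_post_meta( $post_id, '_my_api_featured', $featured ? '1' : '0' );
                // Fixed response shape: clients can rely on both fields.
                return rest_ensure_response( array(
                    'id'       => $post_id,
                    'featured' => $featured,
                ) );
            },
        ),
        // Route-level schema: served on OPTIONS and usable by clients and by
        // the review to pin the response contract.
        'schema' => function () {
            return array(
                '$schema'    => 'http://json-schema.org/draft-04/schema#',
                'title'      => 'featured',
                'type'       => 'object',
                'properties' => array(
                    'id'       => array( 'type' => 'integer', 'readonly' => true ),
                    'featured' => array( 'type' => 'boolean' ),
                ),
            );
        },
    ) );
} );
```

Two details matter for the review. The permission_callback runs before argument validation, so it must tolerate a raw id and must not itself trust other params; here it only casts the URL segment. And invalid args in the hardened route never reach the callback: the declared type plus the validate and sanitize callbacks make WordPress answer with a 400 rest_invalid_param error on its own.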

Related review commands

  • /wp-sec-review for deeper auth and data-exposure review
  • /wp-plugin-review for broader plugin architecture checks
  • /wp-test-review to build API integration and regression tests
  • /wp-perf-review when the API powers expensive catalog or search flows
