Improve your WordPress Theme Quality with VIP Scanner


Security is an important topic.

Security is everyone’s problem. In particular, if you’re a developer, you should take responsibility for things you create. Even if you’re just starting out as a WordPress user or developer, you should make sure that the sites you’re building for your clients are as secure as possible.

There is no such thing as absolute security.

To quote Bruce Schneier from his book “Applied Cryptography”:

The only secure computer system in the world is unplugged, locked in a vault at the bottom of the ocean and only one person knows the location and combination of that vault. And he is dead.

You’ve probably heard that even big companies like Facebook, Microsoft, Adobe and Google have had their share of security problems. These companies have many developers and dedicated teams that only deal with security, and things still go wrong.

I hope you haven’t forgotten the Sony incident with plain text passwords. If you’re developing anything, please don’t store passwords in plain text, just don’t.

Security and WordPress

There are many tools that can help you better harden your applications. Some of them are general, some very specific. Such tools exist for WordPress too. For a WordPress site, theme quality is an important part of your overall website security. One of the plugins that can help you in this area is VIP Scanner. The VIP Scanner plugin is a UI for the VIP Scanner library. You can find the library in the plugins folder under vip-scanner.

My current local setup uses Vagrant with Chassis; take a look at this article on Chassis if you want to use it too.

There are two ways to install VIP Scanner: from the plugin page, or manually with git in the plugins folder. The preferred way to install it is via git. That’s because the VIP Scanner plugin page only has an older version (v0.7) available, as opposed to the GitHub repo, which is at version v0.8. The developers of this plugin prefer the git way too. To install the plugin, navigate to the plugins folder and execute:

git clone https://github.com/Automattic/vip-scanner.git vipscanner
cd vipscanner
git submodule update --init --recursive

The first command will download the plugin. The second will navigate into our newly cloned directory. The third will clone all the submodules (PHP-Parser).

Now, navigate to your WordPress dashboard and activate the plugin. To see this plugin in action, navigate to Tools > VIP Scanner.

There you will find 3 different types of scanning options:

  • Undefined function check
  • wp.com theme review
  • VIP theme review

When you first run a scan using this tool, it will use the currently active theme – it’s worth mentioning that this tool only deals with themes. Each type of scan is different, which comes in handy when you develop WordPress themes and care about code quality (which everyone should).

You can also use this tool with WP-CLI; check out the VIP Scanner docs for more information.

When you scan a theme (the active theme), you’ll find all sorts of problems. The first scan type (undefined function check) does what the name says: it scans the whole theme directory for undefined functions. This is the basic scan and you should use it on every theme that you develop. The other two are more specific. The second scan type (wp.com theme review) is used when you are developing themes for the community. The third scan is used only for WordPress VIP.

So now we know a little bit about VIP Scanner, let’s have some fun! Let’s scan the official themes that come preinstalled with WordPress (the latest theme). The first scan (undefined function) will not throw any errors. The second one will display some errors (mostly warnings). The scan results have 3 sections: Errors, Notes and Analysis. The first is where errors are shown, the second holds warnings, and the third gives more information about the structure of the theme, such as the number of classes, functions and author details.

[Screenshot: Undefined Function in the VIP Scanner Plugin for WordPress]

[Screenshot: Analysis on VIP Scanner Plugin for WordPress]

Even with the official WordPress themes, we found a few errors. Most of them are:

The theme uses @package WordPress. This is reserved for WordPress Core files.

This is because you are not supposed to use @package WordPress in any of your themes (even though these are the official WordPress themes).
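A standalone check for the same condition, as an added example that is not VIP Scanner's own code: it uses PHP's tokenizer to find doc comments that declare @package WordPress, so it can run on a theme before a full scan. The function names and the sample theme files are constructed for illustration.

```php
<?php
// Added example, not VIP Scanner's code: flag doc comments declaring
// "@package WordPress", which the scan reports as reserved for Core files.

/**
 * Return [line, text] pairs for each reserved @package tag in PHP source.
 * The tokenizer ensures only real doc comments are inspected, not strings.
 */
function find_reserved_package_tags(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token) || $token[0] !== T_DOC_COMMENT) {
            continue;
        }
        [, $text, $startLine] = $token;
        foreach (explode("\n", $text) as $offset => $line) {
            // Exact package name only: "WordPress_Theme" is not flagged.
            if (preg_match('/@package[ \t]+WordPress(?![\w\\\\-])/', $line)) {
                $hits[] = [$startLine + $offset, trim($line)];
            }
        }
    }
    return $hits;
}

/** Walk a theme directory and report findings as "path:line: text". */
function scan_theme(string $themeDir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themeDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        foreach (find_reserved_package_tags($source) as [$line, $text]) {
            $report[] = sprintf('%s:%d: %s', $file->getPathname(), $line, $text);
        }
    }
    sort($report);
    return $report;
}

// Constructed sample theme (hypothetical contents) written to a temp dir.
$dir = sys_get_temp_dir() . '/theme-check-' . uniqid();
mkdir($dir);
file_put_contents("$dir/functions.php", "<?php\n/**\n * @package WordPress\n * @subpackage Sample\n */\n\$s = '@package WordPress';\n");
file_put_contents("$dir/index.php", "<?php\n/**\n * @package Sample_Theme\n */\n");

$report = scan_theme($dir);
echo implode(PHP_EOL, $report), PHP_EOL;
exit($report ? 1 : 0);
```

The non-zero exit status when a reserved tag is found lets the script fail a CI job or a pre-commit hook.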

Now go and scan a few more themes with this tool. This tool is very powerful when you’re developing your own themes (or even reviewing) for a client. If you’re writing your own themes, take small steps and then scan. This way you’re less likely to screw things up. Also you can find bugs in the early stages of development, which saves time.

The Bad Parts

One thing that I find very frustrating with WordPress in general is the lack of good quality code. VIP Scanner does its job very well, and from the commits, pull requests and issues it tells us that it’s under active development, which is great. What I’d like to see is the project using git submodules for dependency management. Packagist and Composer exist for that reason. PHP lacked dependency management tools, but they’re finally here. Also, I had a few problems with Code Sniffer. When scanning themes with the “VIP theme review”, I always got the error telling me I didn’t have Code Sniffer installed locally. I tried to work around this and install that tool, but I couldn’t get it to work. Please leave a comment if you figured this out.

This tool does lack a few things, mostly code standards. But, it is a good tool and does its job very well, so you definitely should use it on every theme you develop.

Conclusion

In this article we saw what the VIP Scanner plugin is and how to use it to better harden our sites. This is a nice plugin that can help you, not only for existing WordPress sites, but also assist you when you’re developing your own themes. Using this plugin you can speed up the development of your themes, knowing you’re building them with peace of mind. This is a kind of Unit Testing for WordPress themes, so you’ll know for sure that things are working the right way. Security comes from good practices and that will help you grow as a developer.

What do you think about this plugin? Would you consider using it in your workflow? What other plugins are you using when creating themes to improve quality?

Frequently Asked Questions (FAQs) about Improving WordPress Theme Quality with VIP Scanner

What is the VIP Scanner and how does it help in improving WordPress theme quality?

The VIP Scanner is a powerful tool designed to analyze and improve the quality of WordPress themes. It performs a comprehensive scan of your theme, identifying any potential issues or areas for improvement. This includes checking for coding errors, security vulnerabilities, and adherence to WordPress coding standards. By using the VIP Scanner, you can ensure that your WordPress theme is of the highest quality, providing a better user experience and improving your site’s performance.

How does the VIP Scanner compare to other WordPress theme quality tools?

The VIP Scanner stands out from other WordPress theme quality tools due to its comprehensive and detailed analysis. It not only checks for coding errors but also ensures that your theme adheres to WordPress coding standards. This includes checking for deprecated functions, incorrect use of global variables, and more. Additionally, the VIP Scanner is designed to work seamlessly with WordPress, making it a convenient and efficient tool for improving theme quality.

How can I install and use the VIP Scanner?

Installing and using the VIP Scanner is a straightforward process. You can download the tool from the WordPress plugin directory and install it directly on your WordPress site. Once installed, you can run the scanner on any theme to identify potential issues and areas for improvement. The scanner provides detailed reports, making it easy to understand and address any identified issues.

Can the VIP Scanner help in identifying security vulnerabilities in my WordPress theme?

Yes, the VIP Scanner is designed to identify potential security vulnerabilities in your WordPress theme. It checks for common security issues such as the use of deprecated functions, incorrect use of global variables, and more. By identifying and addressing these issues, you can ensure that your WordPress theme is secure and reliable.

What are the WordPress coding standards and why are they important?

WordPress coding standards are a set of guidelines and best practices for writing code for WordPress. They are designed to ensure that code is clean, efficient, and easy to understand. Adhering to these standards can improve the quality of your WordPress theme, making it more reliable, secure, and easy to maintain.

How does the VIP Scanner improve the performance of my WordPress site?

The VIP Scanner improves the performance of your WordPress site by identifying and helping you address potential issues in your theme. This includes coding errors, security vulnerabilities, and non-adherence to WordPress coding standards. By addressing these issues, you can ensure that your theme is efficient and reliable, leading to improved site performance.

Can I use the VIP Scanner on any WordPress theme?

Yes, the VIP Scanner can be used on any WordPress theme. It is a versatile tool that can analyze and improve the quality of any theme, regardless of its complexity or design.

What kind of issues can the VIP Scanner identify in my WordPress theme?

The VIP Scanner can identify a wide range of issues in your WordPress theme. This includes coding errors, security vulnerabilities, non-adherence to WordPress coding standards, and more. The scanner provides detailed reports of any identified issues, making it easy to understand and address them.

How often should I use the VIP Scanner on my WordPress theme?

It is recommended to use the VIP Scanner regularly to ensure that your WordPress theme remains of high quality. Regular scans can help identify and address potential issues early, before they can impact your site’s performance or user experience.

Is the VIP Scanner easy to use for beginners?

Yes, the VIP Scanner is designed to be user-friendly and easy to use, even for beginners. It provides detailed reports of any identified issues, making it easy to understand and address them. Additionally, the scanner is integrated with WordPress, making it convenient and straightforward to use.

Aleksander Koko

Aleksander is a young developer who loves to play with the newest web technologies. In his free time, he reads about PHP, Firefox OS or experiments with a new language. Currently, his main interests are PHP design patterns, Laravel, Dart and cloud.
