Related Article

What is Visual Studio Code?

Visual Studio Code is the most popular development environment. It is super fast, simple but yet powerful IDE. This is always the #1 IDE we recommend for developer.

You can download and install VS Code from it here.

Source Control Management

WordPress is using Subversion to store and manage all plugin source code on their server. Each plugin is given a unique repository in the WordPress Subversion server.

Rule #1 – Don’t use Subversion for your own development

Here is the confusion. You shouldn’t use this repository for your own development. This repository is just meant to release management.

You should use Git for your development, hands down. SCM choosing itself is a complicated topic that can be discussed in a seperate long article. We won’t go through any details here, but we recommend you to watch this video that Linux Torvalds (the founder of both Linux and Git) explains the idea about Git.

Github and Gitlab is the 2 popular choice for hosting your git repository.

To summarize, you should use Git for your development, and SVN for WordPress deployment.

Project Structure

Your project structure in Git should look like this, and the whole thing should be committed to Git.

- .vscode
  - settings.json
- my-plugin
  - my-plugin.php

This is a typical setup that we will do. Your plugin is named my-plugin. Your repository name in git is my-plugin-wp. The is a standard document entry point for this project.

The folder my-plugin will be the root for the Subversion repository. The my-plugin.php file under this root folder is the entry point of this plugin for WordPress to read.

Everything outside of the my-plugin folder won’t be uploaded to WordPress’s subversion.

The .vscode/settings.json file stores your VS Code environment settings. We will go though the details in the next section. It is important to mention that you should have this committed to the source control, so that your whole team is using the same environment, and auto formatter. This highly increase the code consistency.

Install PHP Sniffer Extension in VS Code

In order for phpcs to work automatically in VSCode, you need to install this PHP Sniffer extension. This plugin can do 2 things:

  • Show phpcs error on the IDE
  • Auto correct error after file save

Put this in settings.json file. It is very important to have settings environment setup and stored in Git, so that you whole team are working under the same environment settings.

  "editor.formatOnSave": true,
  "[php]": {
    "editor.defaultFormatter": "wongjn.php-sniffer"
  "phpSniffer.autoDetect": true,
  "phpSniffer.standard": "WordPress",
  "editor.insertSpaces": false

After all this done, your VS Code should be working with phpcs nicely.

About Plugin Security

WordPress’ Core is secured, but most of the security issues came from plugin’s vulnerability. It is developer’s responsible to ensure your plugin is safe. We recommend all developer to go through below video. This helps you to understand how to avoid obvious security vulnerabilities. It’s amazing to see that this video was recorded in 2011, and most of it’s content still hold true.

Ref: Mark Jaquith: Theme & Plugin Security –