Important information about this release:

This is the first release candidate for WordPressCS 2.0.0. WordPressCS 2.0.0 contains breaking changes, both for people using custom rulesets as well as for sniff developers who maintain a custom PHPCS standard based on WordPressCS.

Support for PHP_CodeSniffer 2.x has been dropped, the new minimum PHP_CodeSniffer version is 3.3.1. Also, all previously deprecated sniffs, properties and methods have been removed.

Please read the complete changelog carefully before you upgrade.

If you are a maintainer of an external standard based on WordPressCS and any of your custom sniffs are based on or extend WPCS sniffs, please read the Developers Upgrade Guide to WordPressCS 2.0.0.

Added

• Generic.PHP.DiscourageGoto, Generic.PHP.LowerCaseType, Generic.WhiteSpace.ArbitraryParenthesesSpacing and PSR12.Keywords.ShortFormTypeKeywords to the WordPress-Core ruleset.
• Checking the spacing around the instanceof operator to the WordPress.WhiteSpace.OperatorSpacing sniff.

Changed

• The minimum required PHP_CodeSniffer version to 3.3.1 (was 2.9.0).
• The namespace used by WordPressCS has been changed from WordPress to WordPressCS\WordPress. This was not possible while PHP_CodeSniffer 2.x was still supported, but WordPressCS, as a good Open Source citizen, does not want to occupy the WordPress namespace and is releasing its use of it now this is viable.
• The WordPress.DB.PreparedSQL sniff used the same error code for two different errors. The NotPrepared error code remains, however an additional InterpolatedNotPrepared error code has been added for the second error. If you are referencing the old error code in a ruleset XML file or in inline annotations, you may need to update it.
• The WordPress.NamingConventions.PrefixAllGlobals sniff used the same error code for some errors as well as warnings. The NonPrefixedConstantFound error code remains for the related error, but the warning will now use the new VariableConstantNameFound error code. The NonPrefixedHooknameFound error code remains for the related error, but the warning will now use the new DynamicHooknameFound error code. If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• WordPress.NamingConventions.ValidVariableName: the error messages and error codes used by this sniff have been changed for improved usability and consistency.
  • The error messages will now show a suggestion for a valid alternative name for the variable.
  • The NotSnakeCaseMemberVar error code has been renamed to UsedPropertyNotSnakeCase.
  • The NotSnakeCase error code has been renamed to VariableNotSnakeCase.
  • The MemberNotSnakeCase error code has been renamed to PropertyNotSnakeCase.
  • The StringNotSnakeCase error code has been renamed to InterpolatedVariableNotSnakeCase. If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• The WordPress.Security.NonceVerification sniff used the same error code for both an error as well as a warning. The old error code NoNonceVerification is no longer used. The error now uses the Missing error code, while the warning now uses the Recommended error code. If you are referencing the old error code in a ruleset XML file or in inline annotations, please update these to use the new codes instead.
• The WordPress.WP.DiscouragedConstants sniff used to have two error codes UsageFound and DeclarationFound. These error codes will now be prefixed by the name of the constant found to allow for more fine-grained excluding/ignoring of warnings generated by this sniff. If you are referencing the old error codes in a ruleset XML file or in inline annotations, you may need to update these to use the new codes instead.
• The WordPress.WP.GlobalVariablesOverride.OverrideProhibited error code has been replaced by the WordPress.WP.GlobalVariablesOverride.Prohibited error code. If you are referencing the old error code in a ruleset XML file or in inline annotations, you may need to update it.
• WordPress-Extra: Replaced the inclusion of the Generic.Files.OneClassPerFile, Generic.Files.OneInterfacePerFile and the Generic.Files.OneTraitPerFile sniffs with the new Generic.Files.OneObjectStructurePerFile sniff.
• WordPress-Extra: Replaced the inclusion of the Squiz.WhiteSpace.LanguageConstructSpacing sniff with the new Generic.WhiteSpace.LanguageConstructSpacing sniff.
• WordPress-Extra: Replaced the inclusion of the Squiz.Scope.MemberVarScope sniff with the more comprehensive PSR2.Classes.PropertyDeclaration sniff.
• WordPress.NamingConventions.ValidFunctionName: Added a unit test confirming support for interfaces extending multiple interfaces.
• WordPress.NamingConventions.ValidVariableName: Added unit tests confirming support for multi-variable/property declarations.
• The get_name_suggestion() method has been moved from the WordPress.NamingConventions.ValidFunctionName sniff to the base Sniff class, renamed to get_snake_case_name_suggestion() and made static.
• The rulesets are now validated against the PHP_CodeSniffer XSD schema.
• Updated the custom ruleset example to use the recommended ruleset syntax for PHP_CodeSniffer 3.3.1+, including using the new array property format which is now supported.
• Dev: The command to run the unit tests has changed. Please see the updated instructions in the CONTRIBUTING.md file. The bin/pre-commit example git hook has been updated to match. Additionally a run-tests script has been added to the composer.json file for your convenience. To facilitate this, PHPUnit has been added to require-dev, even though it is strictly speaking a dependency of PHPCS, not of WPCS.
• Dev: The DealerDirect PHPCS Composer plugin has been added to require-dev.
• Various code tweaks and clean up.
• User facing documentation, including the wiki, as well as inline documentation has been updated for all the changes contained in WordPressCS 2.0 and other recommended best practices for PHP_CodeSniffer 3.3.1+.

Deprecated

• The use of the WordPressCS native whitelist comments, which were introduced in WPCS 0.4.0, have been deprecated and support will be removed in WPCS 3.0.0. The WordPressCS native whitelist comments will continue to work for now, but a deprecation warning will be thrown when they are encountered. You are encouraged to upgrade our whitelist comment to use the PHPCS native selective ignore annotations as introduced in PHP_CodeSniffer 3.2.0, as soon as possible.

Removed

• Support for PHP 5.3. PHP 5.4 is the minimum requirement for PHP_CodeSniffer 3.x. Includes removing any and all workarounds which were in place to still support PHP 5.3.
• Support for PHP_CodeSniffer < 3.3.1. Includes removing any and all workarounds which were in place for supporting older PHP_CodeSniffer versions.
• The WordPress-VIP standard which was deprecated since WordPressCS 1.0.0. For checking a theme/plugin for hosting on the WordPress.com VIP platform, please use the Automattic VIP coding standards instead.
• Support for array properties set in a custom ruleset without the type="array" attribute. Support for this was deprecated in WPCS 1.0.0. If in doubt about how properties should be set in your custom ruleset, please refer to the Customizable sniff properties wiki page which contains XML code examples for setting each and every WPCS native sniff property. As the minimum PHP_CodeSniffer version is now 3.3.1, you can now also use the new format for setting array properties, so this would be a great moment to review and update your custom ruleset. Note: the ability to set select properties from the command-line as comma-delimited strings is not affected by this change.
• The following sniffs have been removed outright without deprecation. If you are referencing these sniffs in a ruleset XML file or in inline annotations, please update these to reference the replacement sniffs instead.
  • WordPress.Functions.FunctionCallSignatureNoParams - superseded by a bug fix in the upstream PEAR.Functions.FunctionCallSignature sniff.
  • WordPress.PHP.DiscourageGoto - replaced by the same sniff which is now available upstream: Generic.PHP.DiscourageGoto.
  • WordPress.WhiteSpace.SemicolonSpacing - superseded by a bug fix in the upstream Squiz.WhiteSpace.SemicolonSpacing sniff.
  • WordPress.WhiteSpace.ArbitraryParenthesesSpacing - replaced by the same sniff which is now available upstream: Generic.WhiteSpace.ArbitraryParenthesesSpacing.
• The following "base" sniffs which were previously already deprecated and turned into abstract base classes, have been removed:
  • WordPress.Arrays.ArrayAssignmentRestrictions - use the AbstractArrayAssignmentRestrictionsSniff class instead.
  • WordPress.Functions.FunctionRestrictions - use the AbstractFunctionRestrictionsSniff class instead.
  • WordPress.Variables.VariableRestrictions without replacement.
• The following sniffs which were previously deprecated, have been removed:
  • WordPress.Arrays.ArrayDeclaration - use the other sniffs in the WordPress.Arrays category instead.
  • WordPress.CSRF.NonceVerification - use WordPress.Security.NonceVerification instead.
  • WordPress.Functions.DontExtract - use WordPress.PHP.DontExtract instead.
  • WordPress.Variables.GlobalVariables - use WordPress.WP.GlobalVariablesOverride instead.
  • WordPress.VIP.CronInterval - use WordPress.WP.CronInterval instead.
  • WordPress.VIP.DirectDatabaseQuery - use WordPress.DB.DirectDatabaseQuery instead.
  • WordPress.VIP.PluginMenuSlug - use WordPress.Security.PluginMenuSlug instead.
  • WordPress.VIP.SlowDBQuery - use WordPress.DB.SlowDBQuery instead.
  • WordPress.VIP.TimezoneChange - use WordPress.WP.TimezoneChange instead.
  • WordPress.VIP.ValidatedSanitizedInput - use WordPress.Security.ValidatedSanitizedInput instead.
  • WordPress.WP.PreparedSQL - use WordPress.DB.PreparedSQL instead.
  • WordPress.XSS.EscapeOutput - use WordPress.Security.EscapeOutput instead.
  • WordPress.PHP.DiscouragedFunctions without direct replacement. The checks previously contained in this sniff were moved to separate sniffs in WPCS 0.11.0.
  • WordPress.Variables.VariableRestrictions without replacement.
  • WordPress.VIP.AdminBarRemoval without replacement.
  • WordPress.VIP.FileSystemWritesDisallow without replacement.
  • WordPress.VIP.OrderByRand without replacement.
  • WordPress.VIP.PostsPerPage without replacement. Part of the previous functionality was split off in WPCS 1.0.0 to the WordPress.WP.PostsPerPage sniff.
  • WordPress.VIP.RestrictedFunctions without replacement.
  • WordPress.VIP.RestrictedVariables without replacement.
  • WordPress.VIP.SessionFunctionsUsage without replacement.
  • WordPress.VIP.SessionVariableUsage without replacement.
  • WordPress.VIP.SuperGlobalInputUsage without replacement.
• The WordPress.DB.SlowDBQuery.DeprecatedWhitelistFlagFound error code which is superseded by the blanket deprecation warning for using the now deprecated WPCS native whitelist comments.
• The WordPress.PHP.TypeCasts.NonLowercaseFound error code which has been replaced by the upstream Generic.PHP.LowerCaseType sniff.
• The WordPress.PHP.TypeCasts.LongBoolFound and WordPress.PHP.TypeCasts.LongIntFound error codes which has been replaced by the new upstream PSR12.Keywords.ShortFormTypeKeywords sniff.
• The WordPress.Security.EscapeOutput.OutputNotEscapedShortEcho error code which was only ever used if WPCS was run on PHP 5.3 with the short_open_tag ini directive set to off.
• The following sniff categories which were previously deprecated, have been removed, though select categories may be reinstated in the future:
  • CSRF
  • Functions
  • Variables
  • VIP
  • XSS
• WordPress.NamingConventions.ValidVariableName: The customVariableWhitelist property, which had been deprecated since WordPressCS 0.11.0. Use the customPropertiesWhitelist property instead.
• WordPress.Security.EscapeOutput: The customSanitizingFunctions property, which had been deprecated since WordPressCS 0.5.0. Use the customEscapingFunctions property instead.
• WordPress.Security.NonceVerification: The errorForSuperGlobals and warnForSuperGlobals properties, which had been deprecated since WordPressCS 0.12.0.
• The vip_powered_wpcom function from the Sniff::$autoEscapedFunctions list which is used by the WordPress.Security.EscapeOutput sniff.
• The AbstractVariableRestrictionsSniff class, which was deprecated since WordPressCS 1.0.0.
• The Sniff::has_html_open_tag() utility method, which was deprecated since WordPressCS 1.0.0.
• The internal $php_reserved_vars property from the WordPress.NamingConventions.ValidVariableName sniff in favour of using a PHPCS native property which is now available.
• The class aliases and WPCS native autoloader used for PHPCS cross-version support.
• The unit test framework workarounds for PHPCS cross-version unit testing.
• Support for the @codingStandardsChangeSetting annotation, which is generally only used in unit tests.
• The old generic GitHub issue template which was replaced by more specific issue templates in WPCS 1.2.0.

Fixed

• Support for PHP 7.3. PHP_CodeSniffer < 3.3.1 was not fully compatible with PHP 7.3. Now the minimum required PHPCS has been upped to PHP_CodeSniffer 3.3.1, WordPressCS will run on PHP 7.3 without issue.
• WordPress.Arrays.ArrayDeclarationSpacing: improved fixing of the placement of array items following an array item with a trailing multi-line comment.
• WordPress.NamingConventions.ValidFunctionName: the sniff will no longer throw false positives nor duplicate errors for methods declared in nested anonymous classes. The error message has also been improved for methods in anonymous classes.
• WordPress.NamingConventions.ValidFunctionName: the sniff will no longer throw false positives for PHP 4-style class constructors/destructors where the name of the constructor/destructor method did not use the same case as the class name.