Skip to content
Home » WordPress » Teaching Artificial Intelligence to use WordPress standards

Teaching Artificial Intelligence to use WordPress standards

What we should be doing right now is teaching AI the WordPress way — the same way we’ve taught tens of thousands of people through the WordPress community over the years.

Over the past two weeks, I’ve been going deep on AI: vibe coding, code fixes, and evaluating feature ideas that other WordPress folks are asking about. At the same time, I keep seeing posts here on LinkedIn, X (formerly Twitter) and Facebook claiming that AI “can’t code” or that it inevitably introduces vulnerabilities. Which I agree has many valid arguments to be made. Then I was reading a post by Matt Cromwell about delayed admin notices, which linked to a blog post — and from there, straight to a GitHub repository.

And then something made sense.

From being in the WordPress world for over 15 years, I have an understanding of how WordPress has evolved over the years. And I have worked at some of the most respected and reputable companies when it comes to WordPress standards. And they publish code that is accessible to the world. Welcome to the chat, Github.

If we want better results from AI in WordPress, we shouldn’t complain from the sidelines. We should teach it like we’ve always taught each other.

Respected WordPress GitHub Repositories

Some of the best #WordPress work already lives on GitHub. Written by companies like WebDevStudios. 10up. GiveWP. Awesome Motive, Inc. WooCommerce, SiteCare, Gravity Forms, WordPress, and many others. These companies have a wide variety of their Github repositories available to the public as they have free WordPress plugins on the WordPress.org repository.

These are teams writing code that follows WordPress coding standards and their own rigorous internal standards. By showing AI where quality WordPress code lives — and how WordPress developers structure plugins and themes — we can start teaching machines the WordPress way and bring them into the ecosystem responsibly.

Thats when I decided to work on something different and change my approach. Instead of asking AI to invent WordPress code, I connected it directly to well-respected GitHub repositories from trusted plugins such as GiveWP, Custom Post Type UI, WooCommerce and last but not least – Health Check and Troubleshooting. I also highlighted what I like about the plugins based on my inside baseball knowledge of the WordPress community.

WordPress Structured Prompt and Guidelines

Below is a text model I used to instruct Grok, Claude and ChatGPT to learn WordPress Standards from reputable sources, setting up PHPCS with WPCS on my [Mac/Windows/Linux] machine, creating a boilerplate starting point for my WordPress plugin projects and Ensuring no private data leaks in any APIs or outputs—e.g., follow WooCommerce’s permission callbacks. I chose the following plugins to use as my model because they all do something unique.

  • WooCommerce for the primary model for code structure, API handling, and Security.I also have many friends who work there and can verify the required standards set by the company.
  • Custom Post Type UI is one of the most popular plugins in the WordPress.org/plugins repository. I use this plugin to model Admin interface, Hooks, and data registration. WebDevStudios is a company I worked at for 3 years. I know first hand the standards the company sets.
  • GiveWP is a very well respected Donation plugin with high standards for handling sensitive data. I want my AI tools to pay attention to form security, nonces and API endpoints.
  • Health Check & Trouble Shooting is now baked into WordPress since version 5.2. However, the Github is still available and it’s another great source for debug tools and secure admin features.

NOTE: This is a prompt I have used many times based on my experience. If there are plugins or code sets you like, use this as a base template and make your own modifications. I want my plugins to be modeled after well respected and heavily installed plugins that have been tested by millions of WordPress users.

The third response from Grok AI response to the prompt above
Grok AI response to the set of instructions given – part 3

To help others instruct AI tools on building WordPress plugins with strong adherence to standards—focusing on security to prevent leaks or vulnerabilities—here’s a structured set of prompts and guidelines you can share in your article. The key is to be explicit: Provide the AI with specific resources upfront, explain why they’re important, and direct it to prioritize WordPress Coding Standards (WPCS) for code quality and security. This counters the common issue where AI might generate functional but insecure code by “just getting the job done.” I’ve framed this as a template prompt anyone can copy-paste directly into an AI conversation.

Good afternoon, Grok. I'm building a new WordPress plugin with you today, and I want to ensure it follows top-tier coding standards to avoid security issues like leaking private data via APIs.

First, please review these GitHub repositories and WordPress resources to familiarize yourself with their code structure, standards, and security practices. Focus on how they handle data securely (e.g., sanitization, validation, escaping, permission checks) and adhere to WordPress conventions.

1. WooCommerce:
- GitHub: https://github.com/woocommerce/woocommerce
- WordPress Plugin Repo: https://wordpress.org/plugins/woocommerce/
- Description: The leading e-commerce plugin for WordPress, maintained by Automattic. Use this as the primary model for code structure, API handling, and security—e.g., how they expose data via REST APIs without leaks.

2. Custom Post Type UI (CPTUI):
- GitHub: https://github.com/WebDevStudios/custom-post-type-ui
- WordPress Plugin Repo: https://wordpress.org/plugins/custom-post-type-ui/
- Description: A popular plugin for custom post types, with strict coding standards. Model admin interfaces, hooks, and data registration after this.

3. GiveWP:
- GitHub: https://github.com/impress-org/givewp
- WordPress Plugin Repo: https://wordpress.org/plugins/give/
- Description: A donation plugin with high standards for handling sensitive data. Pay attention to form security, nonces, and API endpoints.

4. Health Check & Troubleshooting (deprecated but useful for reference):
- GitHub: https://github.com/WordPress/health-check
- WordPress Plugin Repo: https://wordpress.org/plugins/health-check/
- Description: Maintained by the WordPress.org team; great for examples of debug tools and secure admin features.

5. Automattic Team 51 Repositories:
- GitHub Organization: https://github.com/a8cteam51/
- Key Repositories:
  - safety-net: https://github.com/a8cteam51/safety-net - Scrubs options, deactivates denylisted plugins, and deletes user data on development sites; excellent for modeling data security and privacy practices.
  - plugin-autoupdate-filter: https://github.com/a8cteam51/plugin-autoupdate-filter - Sets autoupdates to run at specific times; demonstrates standards for plugin management and automation.
  - tiktok-embed-validator: https://github.com/a8cteam51/tiktok-embed-validator - Validates TikTok embeds to prevent broken or risky content; highlights security in media handling and validation.
  - internet-archive-wayback-machine-link-fixer: https://github.com/a8cteam51/internet-archive-wayback-machine-link-fixer - Combats link rot by fixing broken links; good example of maintaining content integrity and long-term data reliability.
- Description: Plugins and tools maintained by Automattic's Special Projects team. Use these as additional models for secure development, emphasizing data sanitization, risk mitigation, and adherence to WordPress best practices in various utility scenarios.

6. WordPress Coding Standards:
- Developer Handbook: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/
- GitHub: https://github.com/WordPress/WordPress-Coding-Standards
- Description: Official rules for code quality. Enforce these using PHP_CodeSniffer (PHPCS). Prioritize security: Always sanitize inputs, validate data, escape outputs, use nonces/capability checks, and avoid direct database queries for sensitive info.

Once you've reviewed these, confirm your understanding and suggest the first steps to start my plugin, including:
- Setting up PHPCS with WPCS on my [Mac/Windows/Linux] machine.
- Creating a secure boilerplate structure (e.g., main plugin file, classes, assets).
- Ensuring no private data leaks in any APIs or outputs—e.g., follow WooCommerce's permission callbacks.

My plugin's name is [Plugin Name], and its purpose is [brief description, e.g., 'a custom API for user data with privacy controls']. Let's build it step by step, always aligning with these standards.

Why This Template Works

  • Resource-First Approach: By listing specific repos and descriptions early, you “prime” the AI with context. This helps it draw from real, high-quality examples rather than generic knowledge, reducing the risk of insecure code. For instance, WooCommerce’s API standards ensure things like current_user_can() checks are baked in.
  • Security Emphasis: Explicitly calling out “avoid leaking private information over the API” and referencing sanitization/escaping forces the AI to prioritize this. AIs can generate vulnerable code (e.g., unsanitized user input leading to SQL injection) if not reminded, but this template makes it a core directive.
  • Standards Enforcement: Directing the AI to use WPCS and PHPCS integrates automated checks. In your article, explain that users should run phpcs on generated code snippets to verify compliance—AI output isn’t perfect, but this catches issues.
  • Step-by-Step Guidance: Asking for “first steps” (like setup and boilerplate) prevents the AI from jumping to complex code too soon, allowing iterative review.
  • Customization: Users can swap in their plugin details, OS, or add more resources (e.g., if focusing on blocks, include Gutenberg examples).

Ai’s response to the prompts

This is what Grok Ai responded with to my prompts and guidelines. I will say that the instructions are great. I have copied the response the AI platform gave me. However, there are a set of instructions for installing certain code bases on my Macbook and I do not want to make these instructions to where any one reading this blog post can copy the explicit instructions. I want AI to give you the latest advice. So part of the following text is available, and the rest of the message is shown using screenshots. You still see the result give on my screen.

GROK: “From reviewing the repositories and resources you shared, here’s a high-level synthesis of the common patterns and standards I’ve internalized:

  • Repository and Code Structure: These plugins typically follow a modular setup with a main entry file (e.g., woocommerce.php, custom-post-type-ui.php, give.php, health-check.php) that handles bootstrapping, constants, and initialization. Core logic lives in directories like includes/, src/, or classes/ for PHP classes, functions, and hooks. Assets (JS, CSS, images) are in assets/ or src/ (often built with tools like Webpack). Templates for output are in templates/. Testing is emphasized via tests/ with PHPUnit configs. Build tools (e.g., Composer for PHP deps, npm for JS) and config files (e.g., .editorconfig, phpcs.xml.dist, webpack.config.js) ensure consistency.
  • Coding Style and WordPress Conventions: All align closely with official WordPress Coding Standards (WPCS), using PHPCS for enforcement. PHP is object-oriented where possible, with namespaced classes (e.g., prefixed like WooCommerce\, Give\), proper docblocks, and hooks (add_action, add_filter) for extensibility. Indentation is consistent (tabs or spaces per .editorconfig), no trailing whitespace, and functions avoid globals. JavaScript often shifts away from jQuery toward modern ES6+ or React for blocks/UI.
  • API and Data Handling (Focus on Security): WooCommerce and GiveWP provide strong models for APIs—using WordPress REST API with endpoints (e.g., for donors, donations, products) that include permission callbacks (current_user_can), input validation/sanitization (e.g., sanitize_text_field, wp_unslash), and output escaping (e.g., esc_attr, esc_html). They prevent leaks by anonymizing data, restricting access (e.g., capability checks, nonces for forms/actions), and avoiding direct exposure of sensitive info like emails or payments without keys. CPTUI and Health Check emphasize admin-side security: nonce verification, capability restrictions, and no unnecessary data exposure. Overall, the rule is: Sanitize all inputs, validate data types/structures, escape all outputs, and use WP APIs over custom queries to minimize risks.
  • Best Practices and Choices: These plugins prioritize internationalization (e.g., __() for strings, WPML configs), compatibility (e.g., PHP 7.4+, WP 6.3+), and testing/CI (e.g., Travis CI, GitHub Actions). Security policies (e.g., SECURITY.md, vulnerability reporting via HackerOne) are common. Deprecated plugins like Health Check still model clean uninstall hooks and debug data handling without leaks. GiveWP’s use of static analysis (PHPStan) and WooCommerce’s monorepo for scalability are notable for larger plugins.

We’ll mirror these: Stick to WPCS religiously, structure for modularity, and build APIs (if needed) with robust security to avoid leaking private data—e.g., always check permissions, sanitize/escape, and log/audit if handling sensitive info.

A screenshot of Grok AI response to the prompt
Grok AI response to the set of instructions given – part 1
The second screenshot from Grok AI response to the prompt
Grok AI response to the set of instructions given – part 2

You can see by the instructions given by AI – we’re going to be getting into heavy development mode. Running commands, setting up a Github repo – following explicit steps to reproduce quality code and make sure we’re doing all of this in an efficient way.

In Conclusion

The main point I’m getting at here remains the same. Unless we tell AI how we want our code to look like, operate and require the most demanding of standards to ensure product security and stability – we’re never going to get better code from AI. Sure, AI models can learn on their own and apply what they read. However, I like to think of AI as a brain. In my brain I only want AI to pull from certain sources that I know are reputable, respected and have a wide number of installs on WordPress websites on the internet.

WooCommerce and Custom Post Type UI alone have a combined total of over 2 million installs as of this blog post date. You can see the active installs number on the WordPress.org repositories. GiveWP has 100,000+ installs which is a great thing to see. It’s a popular plugin for solving a specific feature of donation forms. All three of these plugins offer outstanding code structure, battle tested results and a proven track record of meeting industry demand of a quality product backed by solid code infrastructure.

Of course over time, this is going to change. For today, it’s a great start at getting into vibe coding, or helping AI setup a test plugin to mock up a demonstration. At least you can be proud of the fact you tried to ensure your code is up to SOME kind of standards and not COWBOY coded into a mashup of “At least it’s working” excuses some developers like to make.

I encourage you to try what I have and share with me your experience. I know I’ve read the comments on a great article that have helped me over the years.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.