Tips & next steps
Your plugin works — now what? Here's what to think about before using it for real.
Is it ready for a real site?
Probably not quite yet — and that's fine. A vibe-coded plugin is a great starting point, not a finished product. Here's an honest checklist:
- Does it do what you expect? Test every feature, including edge cases (empty posts, no content, logged-out users).
- Does it activate and deactivate cleanly? No errors, no leftover data after deactivation.
- Has it passed Plugin Check? See the section below. This catches most common issues automatically.
- Are you the only user? A plugin just for your own site has lower risk than one others will use.
- Does it handle user input? If yes, security review is a must (see below).
Security — what to look for
AI does a reasonable job with some security practices, but misses others. Here's a quick overview:
| What | Why it matters | AI usually… |
|---|---|---|
| Direct file access: `if (!defined('ABSPATH')) exit;` | Prevents the PHP file from being run directly in a browser | ✓ Gets this right |
| Output escaping: `esc_html()`, `esc_attr()`, `esc_url()` | Prevents XSS — malicious code being injected into your page output | ✓ Usually correct |
| Input sanitization: `sanitize_text_field()`, `absint()` | Cleans user input before storing or using it | ⚠ Sometimes missing |
| Nonces: `wp_nonce_field()` + `check_admin_referer()` | Prevents CSRF — someone tricking an admin into unknowingly submitting a form | ⚠ Often missing |
| Capability checks: `current_user_can('manage_options')` | Ensures only users with the right role can perform admin actions | ⚠ Sometimes missing |
| Database queries: `$wpdb->prepare()` | Prevents SQL injection when querying the database | ⚠ Often incomplete |
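To see what the table looks like in practice, here is an added example (not code from this page, nor from any real plugin): a settings-save handler for a hypothetical reading-time plugin using the `rt_` prefix, written twice. The first version is the shape AI output often takes; the second applies every row of the table. The option name `rt_settings`, the form field names, the `reading-time` text domain and the `rt-settings` admin page slug are all assumptions made for the example.

```php
<?php
/**
 * Added example for a hypothetical "reading-time" plugin (rt_ prefix).
 * Option name, field names, text domain and page slug are assumptions.
 */

// Direct file access guard: stops PHP from running this file outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* ---- BEFORE: the shape AI output often takes. Never hooked, so it never runs. ---- */
function rt_save_settings_unsafe() {
    // No capability check: any logged-in user who posts to admin-post.php lands here.
    // No nonce: a forged form an admin is tricked into submitting also lands here (CSRF).
    update_option( 'rt_settings', array(
        'label'     => $_POST['rt_label'],     // stored raw; echoed later without escaping -> XSS
        'min_words' => $_POST['rt_min_words'], // not coerced to an integer
    ) );
    global $wpdb;
    // String-built query: $_POST['rt_status'] goes straight into SQL -> injection.
    $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = '" . $_POST['rt_status'] . "'" );
    wp_safe_redirect( admin_url( 'options-general.php?page=rt-settings' ) );
    exit;
}

/* ---- AFTER: each row of the table applied. ---- */
function rt_save_settings() {
    // Capability check: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'reading-time' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: rejects any request not generated by rt_settings_form() below (CSRF).
    check_admin_referer( 'rt_save_settings', 'rt_nonce' );

    // Input sanitization: unslash, then reduce each value to the type you actually expect.
    $label     = isset( $_POST['rt_label'] ) ? sanitize_text_field( wp_unslash( $_POST['rt_label'] ) ) : '';
    $min_words = isset( $_POST['rt_min_words'] ) ? absint( $_POST['rt_min_words'] ) : 0;
    $status    = isset( $_POST['rt_status'] ) ? sanitize_key( $_POST['rt_status'] ) : 'publish';

    update_option( 'rt_settings', array( 'label' => $label, 'min_words' => $min_words ) );

    global $wpdb;
    // Prepared query: %s / %d placeholders, values passed separately, never concatenated.
    $count = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s AND post_type = %s",
            $status,
            'post'
        )
    );

    // Redirect stays on-site (wp_safe_redirect) and only carries an integer back.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'rt-settings', 'rt_count' => (int) $count ),
        admin_url( 'options-general.php' )
    ) );
    exit;
}
add_action( 'admin_post_rt_save_settings', 'rt_save_settings' );

/* Output side: the form that posts to the handler, escaping every dynamic value. */
function rt_settings_form() {
    $settings  = get_option( 'rt_settings', array() );
    $label     = isset( $settings['label'] ) ? $settings['label'] : '';
    $min_words = isset( $settings['min_words'] ) ? (int) $settings['min_words'] : 0;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rt_save_settings">
        <?php wp_nonce_field( 'rt_save_settings', 'rt_nonce' ); ?>
        <label for="rt_label"><?php esc_html_e( 'Label', 'reading-time' ); ?></label>
        <input id="rt_label" name="rt_label" type="text" value="<?php echo esc_attr( $label ); ?>">
        <label for="rt_min_words"><?php esc_html_e( 'Minimum words', 'reading-time' ); ?></label>
        <input id="rt_min_words" name="rt_min_words" type="number" value="<?php echo esc_attr( $min_words ); ?>">
        <?php submit_button( __( 'Save settings', 'reading-time' ) ); ?>
    </form>
    <?php
}
```

The order in the hardened handler matters: the capability check and nonce check come first, so nothing is read from `$_POST` or written to the database until the request has been authorised. Note that the unsafe version is vulnerable even though it has the `ABSPATH` guard, which is exactly the pattern the table warns about: AI tends to get the easy row right and skip the rest.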
You can ask your AI tool to audit the security of its own output:
Plugin Check
Plugin Check (also called PCP) is a free WordPress plugin that automatically scans your code for common issues — security problems, coding standards violations, and WordPress.org requirements.
How to use it
- Install the Plugin Check plugin from WordPress.org (search "Plugin Check" in WP Admin → Plugins → Add New)
- Go to Tools → Plugin Check
- Select your plugin from the dropdown
- Click "Check plugin"
- Review the results — errors are things to fix, warnings are things to consider
What it checks
- Security issues (missing escaping, sanitization, nonces)
- Plugin header completeness
- WordPress coding standards
- Internationalization (translatable strings)
- Accessibility of admin interfaces
- Performance (loading scripts and styles only where needed)
Accessibility — don't forget your users
WordPress itself aims for WCAG 2.2 Level AA. There are no mandatory accessibility requirements for plugins in the WordPress directory, but you are strongly encouraged to consider accessibility when building your plugin.
AI-generated code often gets accessibility wrong — it may produce forms without labels, buttons without descriptive text, or colour contrast that fails. Worth checking.
Things to check in your plugin's output
- Images have meaningful `alt` text (or `alt=""` if decorative)
- Form inputs have a visible `<label>`
- Buttons describe what they do ("Save settings", not just "Submit")
- Colour is not the only way information is conveyed
- Text contrast is at least 4.5:1 against its background
- Everything that's clickable is also reachable by keyboard
More guidance: WordPress Plugin Accessibility — WP Accessibility
Publishing to WordPress.org
Anyone can submit a plugin to the WordPress.org repository — it's free and open source. But should you?
Good reasons to publish
- You want others to be able to use it
- You want to contribute to the WordPress community
- You're building a commercial plugin (many start here)
- You want free code review from the WP team
Reasons to hold off
- It's just for your own site
- It's very site-specific (your logo, your settings)
- It hasn't passed Plugin Check yet
- You're not ready to maintain it over time
What WordPress.org requires
- A unique function prefix (e.g. `rt_` for "reading-time") — no generic names like `get_data()`
- A `readme.txt` in the correct format
- GPL-compatible license
- No obfuscated code, no external calls without disclosure
- Passes the automated and manual code review (can take several weeks)
What is vibe coding good for?
An honest take — because knowing the limits is part of the skill.
Good for
- Quick prototypes and internal tools
- Testing an idea before involving a developer
- Learning how WordPress plugins work by reading generated code
- Small utilities that solve your own problem
- Automating repetitive tasks on your own site
Not good for
- Plugins for sites with real users (security needs expert review)
- Complex features that interact with existing systems
- Anything where you can't verify whether the result is correct
- Assuming "it works" means "it's done"
The key skill in vibe coding is not writing code — it's describing what you want precisely and knowing when to trust the output. That judgment develops with practice.
Want to go further?
Improve your plugin
- Ask the AI to add a settings page so you can configure it from WP Admin
- Ask the AI to make all user-facing text translatable using `__()` and `_e()`
- Ask the AI to write unit tests for the plugin
- Ask the AI to make it comply with WordPress Coding Standards
- Export the plugin as a zip: Plugins → [your plugin] → Download (LocalWP) or create a zip from the folder
Keep learning
- WordPress Plugin Handbook — the official guide to building plugins properly
- Plugin Check (PCP) — automated quality and security scanning
- WordPress PHP Coding Standards — what "clean WordPress code" looks like
- Inline documentation standards — how to document your code