From qe-framework
Develops custom WordPress themes and plugins, Gutenberg blocks, WooCommerce stores, and REST API endpoints with security hardening and performance optimization.
How this skill is triggered — by the user, by Claude, or both
Slash command
/qe-framework:Qwordpress-pro

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Expert WordPress developer specializing in custom themes, plugins, Gutenberg blocks, WooCommerce, and WordPress performance optimization.
Run `phpcs --standard=WordPress` to catch WPCS violations; verify nonce handling and capability checks manually.

Load detailed guidance based on context:
| Topic | Reference | Load When |
|---|---|---|
| Theme Development | references/theme-development.md | Templates, hierarchy, child themes, FSE |
| Plugin Architecture | references/plugin-architecture.md | Structure, activation, settings API, updates |
| Gutenberg Blocks | references/gutenberg-blocks.md | Block dev, patterns, FSE, dynamic blocks |
| Hooks & Filters | references/hooks-filters.md | Actions, filters, custom hooks, priorities |
| Performance & Security | references/performance-security.md | Caching, optimization, hardening, backups |
```php
// Output nonce field in form
wp_nonce_field( 'my_action', 'my_nonce' );

// Verify on submission — bail early if invalid
if ( ! isset( $_POST['my_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['my_nonce'] ) ), 'my_action' ) ) {
	wp_die( esc_html__( 'Security check failed.', 'my-textdomain' ) );
}

// Sanitize input (store)
$title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
$content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
$url     = esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) );

// Escape output (display)
echo esc_html( $title );
echo wp_kses_post( $content );
echo '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Link', 'my-textdomain' ) . '</a>';
```
```php
add_action( 'wp_enqueue_scripts', 'my_theme_assets' );

function my_theme_assets(): void {
	wp_enqueue_style(
		'my-theme-style',
		get_stylesheet_uri(),
		[],
		wp_get_theme()->get( 'Version' )
	);

	wp_enqueue_script(
		'my-theme-script',
		get_template_directory_uri() . '/assets/js/main.js',
		[ 'jquery' ],
		'1.0.0',
		true // load in footer
	);

	// Pass server data to JS safely
	wp_localize_script( 'my-theme-script', 'MyTheme', [
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'my_ajax_nonce' ),
	] );
}
```
```php
global $wpdb;

$results = $wpdb->get_results(
	$wpdb->prepare(
		"SELECT * FROM {$wpdb->prefix}my_table WHERE user_id = %d AND status = %s",
		absint( $user_id ),
		sanitize_text_field( $status )
	)
);

// Always check capabilities before sensitive operations
if ( ! current_user_can( 'manage_options' ) ) {
	wp_die( esc_html__( 'You do not have permission to do this.', 'my-textdomain' ) );
}
```
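The same three controls (capability check, input sanitization, prepared query) apply to REST endpoints, which the skill description also covers. The following is an added example, not code from the skill or from the qe-framework project; the route namespace `my-plugin/v1`, the table `{$wpdb->prefix}my_table` and its columns, and the `edit_posts` capability are assumptions chosen for illustration.

```php
<?php
// Added example: a hardened REST endpoint. Namespace, table and capability are hypothetical.

add_action( 'rest_api_init', 'my_plugin_register_routes' );

function my_plugin_register_routes(): void {
	register_rest_route(
		'my-plugin/v1',
		'/items',
		[
			'methods'             => WP_REST_Server::READABLE,
			'callback'            => 'my_plugin_get_items',
			// Capability check. Never fall back to '__return_true' for non-public data.
			'permission_callback' => static function (): bool {
				return current_user_can( 'edit_posts' );
			},
			// Schema-style args: core validates 'enum', 'minimum' and 'maximum' before the callback runs,
			// and the sanitize_callback normalizes the value the callback receives.
			'args'                => [
				'status'   => [
					'type'              => 'string',
					'default'           => 'active',
					'enum'              => [ 'active', 'archived' ],
					'sanitize_callback' => 'sanitize_key',
				],
				'per_page' => [
					'type'              => 'integer',
					'default'           => 20,
					'minimum'           => 1,
					'maximum'           => 100,
					'sanitize_callback' => 'absint',
				],
			],
		]
	);
}

function my_plugin_get_items( WP_REST_Request $request ): WP_REST_Response|WP_Error {
	global $wpdb;

	$status   = $request->get_param( 'status' );
	$per_page = $request->get_param( 'per_page' );

	// Prepared statement: every user-influenced value goes through a placeholder.
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title, url FROM {$wpdb->prefix}my_table WHERE user_id = %d AND status = %s ORDER BY id DESC LIMIT %d",
			get_current_user_id(),
			$status,
			$per_page
		),
		ARRAY_A
	);

	if ( '' !== $wpdb->last_error ) {
		// Do not leak $wpdb->last_error to the client; log it server-side instead.
		return new WP_Error( 'db_error', __( 'Query failed.', 'my-textdomain' ), [ 'status' => 500 ] );
	}

	// Escape for the context the value will be rendered in. Following core's posts controller,
	// ship a raw copy for editors and a rendered copy that is safe to drop into HTML.
	$items = array_map(
		static fn( array $row ): array => [
			'id'    => (int) $row['id'],
			'title' => [
				'raw'      => $row['title'],
				'rendered' => esc_html( $row['title'] ),
			],
			'url'   => esc_url( $row['url'] ),
		],
		$rows
	);

	return rest_ensure_response( $items );
}
```

The `permission_callback` is the REST equivalent of the `current_user_can()` guard above; WordPress 5.5+ warns when it is omitted. Cookie-authenticated REST requests are also covered by the `X-WP-Nonce` header that core checks, so the nonce handling shown earlier is handled by the framework here rather than by the endpoint.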
- Run `phpcs --standard=WordPress`
- Sanitize input (`sanitize_text_field`, `wp_kses_post`, etc.)
- Escape output (`esc_html`, `esc_url`, `esc_attr`, `wp_kses_post`)
- Prepare queries (`$wpdb->prepare`)
- Enqueue assets through the `wp_enqueue_scripts` / `admin_enqueue_scripts` hooks
- Internationalize strings (`__()`, `esc_html__()`, etc.)
- Use the table prefix (`$wpdb->prefix`)

When implementing WordPress features, provide:
WordPress 6.4+, PHP 8.1+, Gutenberg, WooCommerce, ACF, REST API, WP-CLI, block development, theme customizer, widget API, shortcode API, transients, object caching, query optimization, security hardening, WPCS
- `add_action('hook_name', 'callback_function', priority, arg_count)` fired with `do_action()`
- `add_filter('option_name', function($value) { return sanitize_text_field($value); })` always sanitize inputs
- `do_action('my_plugin_after_save', $post_id, $data)` allows third-party code to extend

```php
/**
 * Registers custom post type for products.
 *
 * @since 1.0.0
 * @param array $args Custom CPT arguments {
 *     @type string $singular Singular name
 *     @type string $plural   Plural name
 *     @type array  $supports List of supported features
 * }
 * @return void
 * @throws WP_Error if registration fails
 */
function my_register_custom_post_type( array $args = [] ): void {
	// Implementation
}
```
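The three hook patterns listed above (custom action with `do_action()`, listener with priority and argument count, sanitizing filter) fit together in one save routine. This is an added example, not the skill's or the project's own code; the hook names `my_plugin_after_save` and `my_plugin_query_args`, the option `my_plugin_items_per_page`, the meta key and the `thirdparty_` listener are all hypothetical. It goes slightly beyond the list by showing the `accepted_args` pitfall and the real `option_{$option}` filter that `get_option()` applies.

```php
<?php
// Added example: custom action/filter hooks. All hook, option and function names are hypothetical.

/**
 * Saves an item and lets other plugins react through a custom action.
 */
function my_plugin_save_item( int $post_id, array $data ): void {
	// Sanitize before storing; the stored value is later escaped again on output.
	$clean = [
		'title' => sanitize_text_field( $data['title'] ?? '' ),
		'body'  => wp_kses_post( $data['body'] ?? '' ),
	];
	update_post_meta( $post_id, '_my_plugin_item', $clean );

	// Custom action: third-party code extends the save without editing this plugin.
	do_action( 'my_plugin_after_save', $post_id, $clean );
}

// Third-party listener. The fourth argument (accepted args) must be 2; with the default of 1
// the callback would receive only $post_id and $data would be silently dropped.
add_action( 'my_plugin_after_save', 'thirdparty_log_save', 10, 2 );

function thirdparty_log_save( int $post_id, array $data ): void {
	error_log( sprintf( 'Item %d saved with title "%s"', $post_id, $data['title'] ) );
}

// Lower priority number runs earlier: this fires before thirdparty_log_save (priority 10).
add_action(
	'my_plugin_after_save',
	static function ( int $post_id ): void {
		clean_post_cache( $post_id ); // only needs the first argument, so accepted args stays at 1
	},
	5
);

// Filter on a stored option (core applies "option_{$option}" inside get_option()).
// A filter callback must always return a value; here it also clamps the stored number so a
// tampered or malformed option cannot reach the query that uses it.
add_filter(
	'option_my_plugin_items_per_page',
	static function ( $value ): int {
		$n = absint( $value );
		return ( $n >= 1 && $n <= 100 ) ? $n : 20;
	}
);

// Expose a filter of our own so other plugins can adjust query args before the plugin uses them.
function my_plugin_query_args(): array {
	$defaults = [
		'post_type'      => 'my_item',
		'posts_per_page' => get_option( 'my_plugin_items_per_page', 20 ),
	];

	return (array) apply_filters( 'my_plugin_query_args', $defaults );
}
```

When reviewing third-party listeners, the argument count is the first thing to check: a mismatch does not raise an error, it just hands the callback fewer arguments than it expects.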
Run: `phpcs --standard=WordPress . && phpstan analyse .`
- `$_GET`/`$_POST` must be sanitized before use
- Use `$wpdb->prepare()` with placeholders
- Add a `current_user_can()` check

- `$wpdb->prepare('... WHERE id = %d ...', $id)` with proper placeholder types
- Escape output with `esc_html()`, `esc_url()`, `esc_attr()`, or `wp_kses_post()`
- Call `wp_verify_nonce()` before processing
- Check `current_user_can()` with the appropriate capability
- Sanitize with `sanitize_text_field()`, `wp_kses_post()`, `absint()` depending on context

| Wrong | Correct |
|---|---|
| `$wpdb->get_results("SELECT * FROM {$wpdb->users} WHERE id = $id")` | `$wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE id = %d", $id))` |
| `echo $_GET['name'];` (direct output) | `echo esc_html(sanitize_text_field(wp_unslash($_GET['name'])));` |
| `if ($_POST['action'] === 'save') { /* save */ }` (no nonce) | Verify `wp_verify_nonce($_POST['nonce'] ?? '', 'my_action')` first |
| `if (is_admin()) { /* delete records */ }` (only checks admin screen) | `if (current_user_can('manage_options')) { /* delete */ }` (checks actual capability) |
| `$result = $wpdb->get_results("SELECT * FROM wp_posts LIMIT 1000")` (no pagination, hard-coded `wp_` prefix) | `$limit = 50; for ($page = 0; $page < $total_pages; $page++) { ... $wpdb->prepare('... LIMIT %d OFFSET %d', $limit, $page * $limit) ... }` |
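The last row of the table is easy to get wrong in practice (a fixed `OFFSET`, a hard-coded `wp_` prefix, or a loop that loads everything anyway). The following added example, which is not the skill's or the project's code, shows a batched iterator using `$wpdb->prepare()` with `%d` placeholders and the configured prefix; the table `{$wpdb->prefix}my_table`, its columns and the `my_plugin_reindex_titles()` consumer are hypothetical. It goes beyond the table's `LIMIT/OFFSET` form by paging on the last seen `id` (keyset pagination), which stays correct even when rows are inserted or deleted between batches.

```php
<?php
// Added example: bounded batch iteration with prepared statements. Table and callers are hypothetical.

/**
 * Yields rows with the given status in batches, without loading the whole table.
 *
 * @return Generator<int, array<string, mixed>>
 */
function my_plugin_iterate_rows( string $status, int $per_page = 50 ): Generator {
	global $wpdb;

	$per_page = max( 1, min( 500, $per_page ) ); // clamp so a caller cannot request everything at once
	$table    = $wpdb->prefix . 'my_table';      // never hard-code "wp_": the prefix is configurable
	$last_id  = 0;

	do {
		// $table is a constant identifier built from the prefix, not user input; every variable
		// value goes through a placeholder.
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				"SELECT id, title FROM {$table} WHERE status = %s AND id > %d ORDER BY id ASC LIMIT %d",
				$status,
				$last_id,
				$per_page
			),
			ARRAY_A
		);

		if ( '' !== $wpdb->last_error ) {
			// Surface the failure to the caller instead of silently treating it as "no rows".
			throw new RuntimeException( 'Query failed: ' . $wpdb->last_error );
		}

		foreach ( $rows as $row ) {
			$last_id = (int) $row['id'];
			yield $row;
		}
	} while ( count( $rows ) === $per_page ); // a short page means the last batch was reached
}

/**
 * Example consumer: hands each row to an indexing hook and returns how many were processed.
 */
function my_plugin_reindex_titles(): int {
	$count = 0;

	foreach ( my_plugin_iterate_rows( 'active' ) as $row ) {
		// No esc_html() here: the value goes to an index, not to HTML. Escape at the point of display.
		do_action( 'my_plugin_index_row', (int) $row['id'], $row['title'] );
		$count++;
	}

	return $count;
}
```

For long-running batches run from WP-CLI, calling `$wpdb->flush()` or `wp_cache_flush()` between pages keeps memory flat, since `$wpdb` retains the last result set.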
```bash
npx claudepluginhub inho-team/qe-framework --plugin qe-framework
```