WordPress Theme Review Standards

# style.css

  • Theme name must not use keyword like `WordPress`, `Theme`.
  • Text domain must be mentioned. Example: Text Domain:  my-nepal
  • Theme URI and Author URI are optional. If used Theme URI link with the page of theme information and Author URI link with the author personal site or project development site. Avoid using ‘wordpress.org’ as Theme or Author URI.
  • License and License URI must be included.
  • Version of theme should be mentioned.
  • Theme Tags should be written.

# License

  • Always pay extra attention and make sure that the entire theme is GPL, or GPL-Compatible. This will include, fonts, scripts, images etc.
  • Check all given links for GPL license and sure all mentioned URL’s are GPL compatible.
  • External components without GPL license are not allowed.

# Security and Privacy

  • Don’t phone home without informed user consent.
  • Make any collection of user data “opt-in” only and have a theme option that is set to disabled by default.

# Sanitization and Validation

  • Sanitize every theme options used in the theme. You should always escape theme options while output.
  • Escaping URL for ensuring no additional texts & characters are there. Example: <a href=”<?php echo esc_url( home_url( ‘/’ ) ); ?>”>Home</a>
  • Escaping HTML for ensuring no additional texts & characters are there. Example: $html = esc_html( ‘<a href=”http://www.example.com/”>A link</a>’ );
  • Escaping text area & attribute for ensuring no additional texts & characters are there. Example: <?php esc_textarea( $text ); ?>
  • Escaping URL for image source. Example: <img src=“<?php echo esc_url( $image ); ?>

Reference Link:   http://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress–wp-25536

# Theme Options

  • Settings API is not allowed on theme for Theme Options. Use Customizer API to implement theme options.
  • Only one subpage is allowed under Appearance menu. And that should contain relevant information about theme like documentation, user guide, etc.

# Language

  • Can use any language for text, but only use the same one for all text.
  • Themes are required to use as string as the text domain in translation functions.
  • Theme must be translation ready. All string need to be translate able. Example:  ‘Category:’ it’s translation ready is <?php _e( ‘Category: ‘, ‘textdomain’ ); ?>
  • Text domain must be mentioned on ‘style.css’. It must match with the theme name. If theme name is “My Nepal” its text domain is ‘my-nepal’.
  • ‘.pot’ must be inside the languages folder and name must be  ‘textdomain.pot’.
  • Languages must be load on theme file by load_theme_textdomain(‘textdomain’, get_template_directory() . ‘/languages’);

# Readme

  • Make sure ‘readme.txt’ in is theme root directory.
  • If other file like  ‘readme.md’,’theme-info.txt’ found on theme directory, recommended to use  ‘readme.txt’ request to remove other files.
  • ‘readme.txt’ must contain theme info, license info, changelog , short theme description etc. Reference: https://make.wordpress.org/themes/2015/04/29/a-revised-readme/

# Screenshot

  • No logo or mock up, should be of actual theme it appears.
  • Size no bigger than 1200*900px. Any 4:3 image size is accepted.

# Changelog.txt

  • If changelog is not maintained on ‘readme.txt’ it must maintained under the  ‘changelog.txt’.

# Favicon

  • This is now core functionality, new theme should not add this feature.

# Site Logo

  • If logo feature is implemented, Logo must be changeable and be disabled by default.

# Plugins

  • No plugins are not allowed to bundle in the theme, but theme can recommend plugins and those plugins must be in dot org repository. Theme should work good without any plugin.

# Post Type

  • Custom Post types and taxonomies are not allowed.

# Shortcode

  • No shortcodes are  allowed on theme.

# Style and Scripts

  • Theme must have ‘style.css’.
  • No hard coding of style and scripts are allowed. Style and Scripts need to be enqueued.
  • Use  ‘get_template_directory_uri()’ instead of  ‘get_stylesheet_directory_uri()’.
  • No minification of style or scripts files are allowed unless original files are provided.
  • If Google font is used, it should be enqueued. No other CDN urls are allowed.
  • Default Scripts Included and Registered by WordPress itself. No need to enqueue, like ‘jquery.js, masonry.js’ etc
  • Use dependencies on scripts to reduce conflicts.

# header.php

  • Proper DOCTYPE is needed.
  • The opening ‘<html>’ tag should include ‘language_attribute’.
  • Use ‘bloginfo()’ to set the ‘<meta>’ charset and description element.
  • Add a call to ‘wp_head()’ before the closing ‘</head>’ tag. Plugins use this action hook to add their own scripts, stylesheets, and other functionality.
  • ‘body_class()’must be inside the opening body tag.

Example: <body <?php body_class(); ?> >

  • Do not link the theme stylesheets in the Header template. Use the ‘wp_enqueue_scripts’ action hook in a theme function instead.

# footer.php

  • Use the ‘wp_footer()’ call, to appear just before closing body tag.

# Customizer API

  • ‘capability’ should be ‘edit_theme_options’ while using Customizer API for theme options.
  • ‘sanitize_callback’ is necessary for sanitizing customizer fields. For example: Sanitizing URL ‘sanitize_callback’ => ‘esc_url_raw’
  • Sanitizing Email ‘sanitize_callback’ => ‘sanitize_email’ etc.

# Code

  • add_theme_support( ‘title-tag’ ); must be included on functions.php. Title tag is not allowed in ‘header.php’. If  <title><?php wp_title(‘|’); ?></title> found, it is not allowed because title tag already defined.
  • Prefix theme functions, classes, global variables, image size name, script and style handles, etc with the theme slug.

Example: function textdomain_footer_copyright{

//code goes here


  • No any PHP error &  warning, Javascript’s console error, WordPress deprecated errors are allowed. Need to fix them.
  • Functions like ‘the_archive_title’ and ‘the_archive_description’ are now available in WordPress core. And thus, we don’t have to keep the backward compatibility for more than last two major versions. They must not be defined. Mostly they are defined in ‘template-tags.php’.

# Others

  • W and P of WordPress always in uppercase.
  • Remove out unnecessary commented code. If any file or folder is not being used, it should be removed.
  • It is not necessary to provide backward compatibility more the two major versions.
  • No customization in WordPress admin.

Hospital Bed

Gorgeous nurses came and asked

Symbolic head shake and show never

Polite voice blows saying unbelievable

I can’t express anything with Velvety tune

Made eyelid up and down

Showing them I am true.

Doctor came and behave Xerox

Said him “Never” with low scale

Marked something on white paper

I Served eyes there as a vicious

Read the text by core heart

With shaking lips

“He never drink alcohol”.

Neighbors asked about my hardship

I opened myself frankly

Destitute feeling shown by them

Actually they are more agony

They want to forget own affliction

And want to spread hope on me.

How humanity it is

I certainly not forget them

Till the death of my life.


When I was on my way to Kathmandu, a girl came and sat nearby. She asked me “Where is your final destination?” I smiled and replied one word “Death”. “What a rude answer?” She said. I replied her “similar as your question”. She stayed silent and closed her eyes for a while. I took my earphone and connected with my phone and started listening songs.
After the silence of some minutes, she turned towards me and said, “Hey why you ignored my question?” Putting out my earpiece and I said “Excuse me!”
She: Where are you up to with me?
Me: Up to my destination.
She: But your destination is death, isn’t it?
Me: With a smiling face, I said “destination may change according to the situation”.
She: Now, your intension is changed for the destination?
Me: I am thinking whether I am doing right or wrong.
She: Sorry, I can’t get you.
Me: If you get me easily, how we can travel a long journey sitting close to each other.
She: Are you “author?” You used to write a novel?
Me: Why? Am I looking like that?
She: Speaking similar, looking gorgeous.
Internally, I smiled and thought about myself. Really I am looking awesome. I turned towards outside and introduced with the nature. Trees, houses and many living and non-living things passed by. I made her, I am entertaining with nature. And prayed for the same.
For erasing the silence, I raised a question to her, aren’t you feeling bored or having tough time? She said “Yes, I am feeling the same, can you give relief from this situation?” An upset was easily determining on her face. “I have no any solution to it, you can ask the assistant driver for next seat” I replied with a fearless face. She said “what a guy you are, I was expecting totally discrepancy from you”. “What you are expecting, feel free to expose I will try to meet your necessity.”
She: Nothing serious.
Me: I know it.
She: How?
Me: Your face is exposing something nostalgic.
She: It’s my face yaar, it’s not a book.
Me: Some time, a face behaves like a book and book behaves like a face.

WordPress Standards Codes

PHP Snippets for Header

Title of the site : <?php bloginfo(‘name’); ?>

Title of the specific post or page : <?php wp_title(); ?>

The style.css file’s theme location: <?php bloginfo (‘stylesheet_url’); ?>

Pingback URL for the site :  <?php bloginfo(‘pingback_url’); ?>

Location for the site’s theme file : <?php bloginfo(‘template_url’); ?>

WordPress version for the site : <?php bloginfo(‘version’); ?>

Name of the site : <?php bloginfo(‘name’); ?>

PHP Snippets for Templates:

Author of a specific post or page: <?php the_author(); ?>

ID of a specific post or page: <?php the_ID(); ?>

Link to edit a specific post or page: <?php edit_post_link(); ?>

Links form the blogroll : <?php get_links_list(); ?>

Comment.php file’s content: <?php comments_template(); ?>

List of pages of the site: <?php wp_list_pages(); ?>

List of categories for the site : <?php wp_list_cats(); ?>

URL to the next post: <?php next_post_link(‘%link’); ?>

URL to the previous post: <?php previous_post_link(‘%link’); ?>

The built in calendar : <?php get_calendar(); ?>

List of archives for the site : <?php wp_get_archives(); ?>

Next and previous post link: <?php posts_nav_link(); ?>

Site’s description : <?php bloginfo(‘description’); ?>

Content of the posts: <?php the_content(); ?>

Checks if there are posts: <?php if(have_posts() ) : ?>

Shows posts if post are available: <?php while(have_posts () ) : the_post(); ?>

Closes while function: <?php endwhile; ?>

Closes if function: <?php endif; ?>

Header.php file content: <?php get_header(); ?>

Sidebar.php file content: <?php get_sidebar(); ?>

Footer.php  file content: <?php get_footer(); ?>

The date in 08-18-15 format: <?php the_time(‘m-d-y’); ?>

Title of the specific post or page : <?php the_title(); ?>

URL of a specific post or page : <?php the_permalink(); ?>

Category of a specific post or page: <?php the_category(); ?>

For More information you can visit: Codex

How to create a post on WordPress

1. Login on your WordPress site dashboard. For example you can login to your website like this,
yourwebsiteurl/wp-admin or examplesite.com/wp-admin

A section with username and password will appear. Enter your WordPress username and password. See the below screenshot. Your site dashboard login will appear like this.

2. Go to the post section as described below on screenshot.
3. Give the title of the post.
4. Write the content of the post on the below then title. You can use html tags also.
5. Insert the image for the post on the section featured image.
6. Press the publish button to save the post.

Child Theme Development

Create a child theme based on an existing parent theme in WordPress and change the functionality, presentation or styling of your website. If changes are made on parent theme, the update version of the theme lost all the code written on it. If you change the code on parent theme and want the site same, you are unable to update the theme. Without updating the theme, the theme may not compatible with the current version of the WordPress. So, for secure and stable changes on your website, the best way to create a child theme of your parent theme.

Child theme development is easier process. Here I am going to describe you how to create a child theme. Follow the steps and create a child theme easily within a minute.

Confirm the parent theme of which you are going to make the child theme:For example; I decide to make the child theme of Twenty fifteen theme.For making a child theme, the main necessary file are style.css and functions.php
Create a directory for child theme, the directory name is parent theme directory and ‘-’ and child. For example; the parent directory of twenty fifteen theme is twentyfifteen and the directory name of its child theme is twentyfifteen-child.
Now create a style.css in a child theme directory and write the following line of code on it.


Theme Name: Twenty Fifteen Child

Theme URI: http://example.com/twenty-fifteen-child/

Description: Twenty Fifteen Child Theme

Author: John Doe

Author URI: http://example.com

Template: twentyfifteen

Version: 1.0.0

License: GNU General Public License v2 or later

License URI: http://www.gnu.org/licenses/gpl-2.0.html

Tags: light, dark, two-columns, right-sidebar, responsive-layout, accessibility-ready

Text Domain: twenty-fifteen-child


You can use the above code for the twenty fifteen child theme. If you are going to create a child theme for your own theme, copy the above similar code from parent theme style.css, located on the top of the style.css file.

Remember that, “Template” is important and never miss it. Template is the name of parent theme directory. If your parent theme folder is “business” then you have to write the “Template: business” in child theme.

4. Now create another file functions.php on child theme. The only required child theme file is style.css, but functions.php is necessary to enqueue styles correctly.

add_action( 'wp_enqueue_scripts', 'theme_enqueue_styles' );
function theme_enqueue_styles() {
wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );


Enqueue style through functions.php.
WordPress Codex

Data Sanitization and Validation with WordPress

1. Data Validation:
Validation is to ensure data correctness and usefulness. Untrusted data comes from many sources (users, third party sites, your own database etc.) and all of it needs to be validated both on input and output. Proper security is critical to keeping your site or that of your theme or plugins safe.

Validation simply means the checks that are run to ensure the data you have is, what is should be. For example: The email address always contains @ sign. If the input email is without the @ sign it is invalid. So the proper or valid email address should be entered on email field.

Another example is that, while creating an account on a site, we are asked to enter the password twice. Both the passwords are validated; they are checked to confirm whether they both are same or not.

Web application may vulnerable without practice data validation. While creating an account on a site, we are asked to enter the password twice. Both the passwords are validated; they are checked to confirm whether they both are same or not.

Client side validation is for user experience. You can inform a user if their input is invalid without making a roundtrip to the server. However, client side validation can be bypassed so you should validate server side too, to ensure data integrity.


For example:

Imagine a web shop database that would allow you to enter a new customer without an address. You would be unable to ship goods to such a customer.

Imagine that the same web shop database stores the country of residence of its customers. If the database doesn’t enforce a certain input pattern on this data you will end up different with values for the same country, like Nepal, US. This makes it impossible, or at least much harder to extract information like how much customers from the United States have used your web shop, and how many from Nepal.

Validation are done on different approach, some of them are as follows:

It only accepts the data from a finite list of known and trusted values.

Reject data from finite list of known untrusted values. This is very rarely a good idea.

Format Detection:
Test to see if the data is of the correct format. Only accept it if it is.

Format Correction:
Accept most any data, but remove or alter the dangerous pieces.


WordPress provides a couple of functions to validate only some types of data. Developers usually define their own functions for validate data.

WordPress provided is_email () function o check whether the email is valid or not.

Code Example:

if( is_email (“example@example.com”)){

echo “Valid email”;



echo “Invalid Email”;


2. Data Sanitization:

Sanitization is to ensure data safety and to prevent code injection. Sanitization means cleaning user input. Sanitization is a bit more liberal of an approach to accepting user data. It is a way of removing text, characters or codes from input that is not allowed. For example: Widget title cannot have HTML tags in them. If you put HTML tags, then they are automatically removed before the title is saved.


When data is included in some context, that data could be misinterpreted as a code for that environment. If the data contains malicious code, then using data without sanitizing it, means that code will be executed. The code doesn’t even necessary have to be malicious for it to cause undesired effects.


There are various functions provided by WordPress to sanitize different data into different forms.

Code Example:


echo sanitize_email(“test example@example.com”);

//output is “testexample@example.com”

Another example is using


echo sanitize_file_name(“_profile pic- -1.png”);

//Output is “profile-pic-1.png”

Some of the other function used to sanitize data are:

sanitize_option() etc.

Validation of data, on the other hand, should be done as soon as it’s received and before it’s written to the database. The idea is that ‘invalid’ data should either be auto-corrected, or be flagged to the data, and only valid data should be given to the database.

That said – you may want to also perform validation when data is displayed too. In fact sometimes, ‘validation’ will also ensure the data is safe.

For More Information,

Code TutsPlus

WordPress Codex

Search Software