When authors submit themes to the WordPress.org theme directory, they are sometimes surprised that they might need to wait up to 8 weeks for a review.
One of the reasons why it can take this long is that many authors submit themes that are incomplete.
By checking these four things you can greatly reduce the time it takes to review your theme:
- License
- Code Errors
- Security
- Translation
Back to basics
The list of requirements is long, and we as reviewers understand if authors miss some of them. In fact, very few themes are set live in the theme directory without changes.
However, I feel strongly that theme authors, especially those who sell themes, should at least get the basics right.
License
WordPress themes need to be 100% compatible with GPLv2 or later.
The theme directory cannot redistribute your theme if you use items that have a license that limits redistribution or commercial use.
I expect authors to understand the difference between copyright and license. I expect them to include information about both in the theme.
If a theme has a commercial version, that version also needs to be 100% compatible with GPL.
How to check:
Open style.css. Make sure that your stylesheet's file header has a license statement.
Examples:
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
or:
License: GNU General Public License v2 or later
License URI: LICENSE
Where license.txt is included and contains a copy of the license.
Open the readme file. Make sure that you have included a copyright notice for the theme.
Example:
Twenty Seventeen WordPress Theme, Copyright 2016 WordPress.org
Make sure that you have listed the names, source, copyright and license information for all resources like third party scripts, styles and images, including images used in the screenshot, since the screenshot is part of the theme.
Code
Do not include code that you don’t understand. This might seem obvious, but many authors copy and paste code from others without understanding what the code does. Keep your code simple. Comment and document your custom code. The reviewer might need to ask questions about your code, and more advanced code takes longer to review.
Do not include code, files or folders that are not used in the theme. Asking us to review code that is not even used will delay your review further. It’s a waste of our time.
Test your theme on different PHP versions. Test all your custom page templates, options, and custom widgets. Check for JS errors and missing files. Do not rely on the reviewer to do this for you. The reviewer is not your tester; we expect you to check this before you submit the theme.
Security
We understand that security can be the hardest part. But there are some simple rules that you can use when developing and checking your theme.
- Don’t trust any data.
- Escaping and sanitizing: You can’t have one, you can’t have none, you can’t have one without the other.
- Don’t include external files. All scripts, styles and images should be included in the theme. The exception is Google Fonts.
Untrusted data needs to be validated and/or sanitized before saving, and escaped as late as possible before output. Theme options are not considered safe.
By far the most common problem that we see in themes is missing escaping, or using the wrong function.
Untrusted links should be escaped using esc_url().
esc_attr(): Attr stands for attribute. This should only be used inside actual HTML attributes like title, alt, width, height, placeholder and similar. It should not be used between HTML tags.
esc_html(): This should only be used between HTML tags. It should not be used inside HTML attributes.
The customizer has a range of different control types, and authors can also add custom controls. We often find that authors use sanitize_text_field() for all their control types, even controls that are not text fields.
Use a sanitize_callback that is suitable for your control type.
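The rules above in one place, as an added example that is not part of the original post: each customizer setting gets a sanitize_callback that matches its control type, and each value is escaped for the context it is printed in. The mytheme prefix, the setting ids and the labels are hypothetical.

```php
<?php
// Added example. The 'mytheme' prefix, setting ids and labels are hypothetical.

// A checkbox is not a text field: store a strict boolean.
function mytheme_sanitize_checkbox( $checked ) {
	return ( isset( $checked ) && true === (bool) $checked );
}

// A select value must be one of the choices registered on its control.
function mytheme_sanitize_select( $input, $setting ) {
	$input   = sanitize_key( $input );
	$choices = $setting->manager->get_control( $setting->id )->choices;
	return array_key_exists( $input, $choices ) ? $input : $setting->default;
}

function mytheme_customize_register( $wp_customize ) {
	$wp_customize->add_section( 'mytheme_options', array( 'title' => __( 'Theme Options', 'mytheme' ) ) );
	$layouts  = array( 'left' => __( 'Left sidebar', 'mytheme' ), 'right' => __( 'Right sidebar', 'mytheme' ) );
	$settings = array( // id => control type, sanitize_callback, default, label
		'mytheme_promo_text' => array( 'text', 'sanitize_text_field', '', __( 'Promo text', 'mytheme' ) ),
		'mytheme_promo_link' => array( 'url', 'esc_url_raw', '', __( 'Promo link', 'mytheme' ) ),
		'mytheme_show_promo' => array( 'checkbox', 'mytheme_sanitize_checkbox', false, __( 'Show promo', 'mytheme' ) ),
		'mytheme_layout'     => array( 'select', 'mytheme_sanitize_select', 'right', __( 'Layout', 'mytheme' ) ),
	);
	foreach ( $settings as $id => $s ) {
		$wp_customize->add_setting( $id, array( 'default' => $s[2], 'sanitize_callback' => $s[1] ) );
		$control = array( 'type' => $s[0], 'label' => $s[3], 'section' => 'mytheme_options' );
		if ( 'select' === $s[0] ) {
			$control['choices'] = $layouts;
		}
		$wp_customize->add_control( $id, $control );
	}
}
add_action( 'customize_register', 'mytheme_customize_register' );

// Template output: escape late, with the function that matches the context.
function mytheme_render_promo() {
	if ( ! get_theme_mod( 'mytheme_show_promo', false ) ) {
		return;
	}
	$text = get_theme_mod( 'mytheme_promo_text', '' );
	printf(
		'<a class="promo layout-%1$s" href="%2$s" title="%3$s">%4$s</a>',
		esc_attr( get_theme_mod( 'mytheme_layout', 'right' ) ), // inside an attribute
		esc_url( get_theme_mod( 'mytheme_promo_link', '' ) ),   // untrusted link
		esc_attr( $text ),                                      // inside an attribute
		esc_html( $text )                                       // between HTML tags
	);
}
```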
How to check:
Search your theme files for: sanitize_callback, esc_attr, esc_html and echo get_theme_mod.
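The search described above can be scripted. The following is an added example, not a tool from the original post or from the Theme Review Team: a small PHP helper that flags the patterns named in this section for a manual look. The function names and the sample lines are constructed, and the checks are line-based heuristics.

```php
<?php
// Added example: heuristic review helper. Function names and sample lines are constructed.

// Return review notes for one line of theme source.
function mytheme_review_line( $line ) {
	$notes = array();
	// A theme option echoed directly, with no esc_*() call around it.
	if ( preg_match( '/echo\s+get_theme_mod\s*\(/', $line ) ) {
		$notes[] = 'get_theme_mod() is echoed without escaping';
	}
	// esc_attr() right after a closing ">" means it is used between tags.
	if ( preg_match( '/>\s*<\?php\s+echo\s+esc_attr\s*\(/', $line ) ) {
		$notes[] = 'esc_attr() between HTML tags: use esc_html()';
	}
	// esc_html() right after =" means it is used inside an attribute.
	if ( preg_match( '/=\s*["\']\s*<\?php\s+echo\s+esc_html\s*\(/', $line ) ) {
		$notes[] = 'esc_html() inside an attribute: use esc_attr() or esc_url()';
	}
	// sanitize_text_field is only right for text controls: flag for a manual look.
	if ( preg_match( '/sanitize_callback[\'"]\s*=>\s*[\'"]sanitize_text_field/', $line ) ) {
		$notes[] = 'sanitize_text_field: confirm this control is a text field';
	}
	return $notes;
}

// Review a whole file's contents; returns "line N: note" strings.
function mytheme_review_source( $source ) {
	$report = array();
	foreach ( preg_split( '/\R/', $source ) as $i => $line ) {
		foreach ( mytheme_review_line( $line ) as $note ) {
			$report[] = sprintf( 'line %d: %s', $i + 1, $note );
		}
	}
	return $report;
}

// Constructed sample lines of theme code, mixing correct and incorrect usage.
$sample = <<<'EOT'
<h2><?php echo get_theme_mod( 'mytheme_title' ); ?></h2>
<p><?php echo esc_attr( $tagline ); ?></p>
<img alt="<?php echo esc_html( $alt ); ?>" src="<?php echo esc_url( $src ); ?>">
<a href="<?php echo esc_url( get_theme_mod( 'mytheme_link' ) ); ?>"><?php echo esc_html( $label ); ?></a>
$wp_customize->add_setting( 'mytheme_show', array( 'sanitize_callback' => 'sanitize_text_field' ) );
EOT;
echo implode( "\n", mytheme_review_source( $sample ) ), "\n";
```

Statements split across several lines are not matched, so a clean report does not replace reading the templates.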
Make sure that all text strings are translatable
There is no shortcut for this. The best way to make sure that all your texts are translation ready is to add the translation functions when you build the theme, instead of trying to add them afterwards. Finding text strings that are missing translation functions is a very time-consuming job, where both the reviewer and the theme author need to manually open all files, including JS files, to find these text strings.
You can understand why this slows the review process down for everyone, and why this increases the waiting time.
Help the reviewers and your fellow theme authors to reduce the queue time for everyone by only submitting complete, tested themes.
By checking these four things before you submit your theme, you have also reduced the risk of having your theme closed as not approved.
The Theme Review Team is open to everyone, and you can help out by reviewing submitted themes for these issues. With the help of more reviewers, the waiting time will be shortened.