wp-cli · swissspidy · Apr 8, 2026 · Mar 31, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -1,5 +1,6 @@
 Feature: Check the type of file
 
+  @skip-object-cache
   Scenario: Check that object-cache.php isn't a symlink
     Given a WP install
     And a config.yml file:
@@ -32,7 +33,7 @@ Feature: Check the type of file
       """
     And the return code should be 1
 
-
+  @skip-object-cache
   Scenario: Check that object-cache.php is a symlink
     Given a WP install
     And a config.yml file:

@@ -80,9 +80,9 @@ Feature: Basic check usage
     Then STDOUT should be:
       """
       name,status
-      cache-flush,warning
       option-blog-public,error
       php-in-upload,success
+      cache-flush,warning
       """
     And the return code should be 1
 
@@ -104,8 +104,8 @@ Feature: Basic check usage
     Then STDOUT should be:
       """
       name,status
-      cache-flush,warning
       option-blog-public,error
+      cache-flush,warning
       """
     And the return code should be 1
 

@@ -0,0 +1,14 @@
+parameters:
+  level: 9
+  paths:
+    - src
+    - doctor-command.php
+  scanDirectories:
+    - vendor/wp-cli/wp-cli/php
+  scanFiles:
+    - vendor/php-stubs/wordpress-stubs/wordpress-stubs.php
+    - tests/phpstan/scan-files.php
+  treatPhpDocTypesAsCertain: false
+  ignoreErrors:
+    - '#Call to deprecated method setAccessible\(\) of class ReflectionProperty\.#'
+
@@ -31,6 +31,8 @@ abstract class Check {
 
 	/**
 	 * Initialize the check.
+	 *
+	 * @param array<string, mixed> $options
 	 */
 	public function __construct( $options = array() ) {
 
@@ -48,6 +50,8 @@ public function __construct( $options = array() ) {
 
 	/**
 	 * Get when the check is expected to run.
+	 *
+	 * @return string
 	 */
 	public function get_when() {
 		return $this->_when;
@@ -57,6 +61,7 @@ public function get_when() {
 	 * Set when the check is expected to run.
 	 *
 	 * @param string $when
+	 * @return void
 	 */
 	public function set_when( $when ) {
 		$this->_when = $when;
@@ -66,6 +71,7 @@ public function set_when( $when ) {
 	 * Set the status of the check.
 	 *
 	 * @param string $status
+	 * @return void
 	 */
 	protected function set_status( $status ) {
 		$this->_status = $status;
@@ -75,6 +81,7 @@ protected function set_status( $status ) {
 	 * Set the message of the check.
 	 *
 	 * @param string $message
+	 * @return void
 	 */
 	protected function set_message( $message ) {
 		$this->_message = $message;
@@ -85,13 +92,15 @@ protected function set_message( $message ) {
 	 *
 	 * Because each check checks for something different, this method must be
 	 * subclassed. Method is expected to set $status_code and $status_message.
+	 *
+	 * @return void
 	 */
 	abstract public function run();
 
 	/**
 	 * Get results of the check.
 	 *
-	 * @return array
+	 * @return array<string, string>
 	 */
 	public function get_results() {
 		return array(

@@ -17,6 +17,9 @@ class Autoload_Options_Size extends Check {
 	 */
 	protected $threshold_kb = 900;
 
+	/**
+	 * @return void
+	 */
 	public function run() {
 		ob_start();
 		WP_CLI::run_command(
@@ -40,9 +43,14 @@ public function run() {
 		}
 	}
 
+	/**
+	 * @param int|float $size Size in bytes.
+	 * @param int       $precision Precision.
+	 * @return string
+	 */
 	private static function format_bytes( $size, $precision = 2 ) {
 		$base     = log( $size, 1024 );
 		$suffixes = array( '', 'kb', 'mb', 'g', 't' );
-		return round( pow( 1024, $base - floor( $base ) ), $precision ) . $suffixes[ floor( $base ) ];
+		return round( pow( 1024, $base - floor( $base ) ), $precision ) . $suffixes[ (int) floor( $base ) ];
 	}
 }
@@ -11,6 +11,9 @@
  */
 class Cache_Flush extends File_Contents {
 
+	/**
+	 * @return void
+	 */
 	public function run() {
 
 		// Path to wp-content directory.
@@ -21,7 +24,12 @@ public function run() {
 		// Regex to match.
 		$this->regex = 'wp_cache_flush\(\)';
 
-		foreach ( $iterator as $file ) {
+		$files = iterator_to_array( $iterator );
+
+		foreach ( $files as $file ) {
+			if ( ! $file instanceof \SplFileInfo ) {
+				continue;
+			}
 			$this->check_file( $file );
 		}
 

@@ -26,9 +26,9 @@ class Constant_Definition extends Check {
 	/**
 	 * Whether or not the constant is expected to be a falsy value.
 	 *
-	 * @var bool
+	 * @var bool|null
 	 */
-	protected $falsy;
+	protected $falsy = null;
 
 	/**
 	 * Expected value of the constant.
@@ -39,6 +39,8 @@ class Constant_Definition extends Check {
 
 	/**
 	 * Initialize the constant check
+	 *
+	 * @param array<string, mixed> $options
 	 */
 	public function __construct( $options = array() ) {
 		parent::__construct( $options );
@@ -47,6 +49,9 @@ public function __construct( $options = array() ) {
 		}
 	}
 
+		/**
+	 * @return void
+	 */
 	public function run() {
 
 		if ( isset( $this->falsy ) ) {
@@ -99,7 +104,7 @@ public function run() {
 			return;
 		}
 
-		if ( $this->defined && ! isset( $this->value ) ) {
+		if ( ! isset( $this->value ) ) {
 			$this->set_status( 'success' );
 			$this->set_message( "Constant '{$this->constant}' is defined." );
 			return;
@@ -118,12 +123,21 @@ public function run() {
 		}
 	}
 
+	/**
+	 * @param mixed $value
+	 * @return string
+	 */
 	private static function human_value( $value ) {
 		if ( true === $value ) {
-			$value = 'true';
+			return 'true';
 		} elseif ( false === $value ) {
-			$value = 'false';
+			return 'false';
+		} elseif ( is_null( $value ) ) {
+			return 'null';
+		}
+		if ( is_scalar( $value ) ) {
+			return (string) $value;
 		}
-		return $value;
+		return gettype( $value );
 	}
 }
@@ -13,11 +13,17 @@ class Core_Update extends Check {
 	public function run() {
 		ob_start();
 		WP_CLI::run_command( array( 'core', 'check-update' ), array( 'format' => 'json' ) );
-		$ret       = ob_get_clean();
-		$updates   = ! empty( $ret ) ? json_decode( $ret, true ) : array();
+		$ret     = ob_get_clean();
+		$updates = ! empty( $ret ) ? json_decode( $ret, true ) : array();
+		if ( ! is_array( $updates ) ) {
+			$updates = array();
+		}
 		$has_minor = false;
 		$has_major = false;
 		foreach ( $updates as $update ) {
+			if ( ! is_array( $update ) || ! isset( $update['update_type'] ) ) {
+				continue;
+			}
 			switch ( $update['update_type'] ) {
 				case 'minor':
 					$has_minor = true;

@@ -10,11 +10,17 @@
  */
 class Core_Verify_Checksums extends Check {
 
+	/**
+	 * @param array<string, mixed> $options
+	 */
 	public function __construct( $options = array() ) {
 		parent::__construct( $options );
 		$this->set_when( 'before_wp_load' );
 	}
 
+	/**
+	 * @return void
+	 */
 	public function run() {
 		$return_code = WP_CLI::runcommand(
 			'core verify-checksums',

@@ -7,8 +7,14 @@
 
 abstract class Cron extends Check {
 
+	/**
+	 * @var array<array<string, mixed>>|null
+	 */
 	protected static $crons;
 
+	/**
+	 * @return array<array<string, mixed>>
+	 */
 	protected static function get_crons() {
 
 		if ( isset( self::$crons ) ) {
@@ -23,8 +29,13 @@ protected static function get_crons() {
 				'fields' => 'hook,args',
 			)
 		);
-		$ret         = ob_get_clean();
-		self::$crons = ! empty( $ret ) ? json_decode( $ret, true ) : array();
+		$ret     = ob_get_clean();
+		$decoded = ! empty( $ret ) ? json_decode( $ret, true ) : array();
+		if ( ! is_array( $decoded ) ) {
+			$decoded = array();
+		}
+		/** @var array<array<string, mixed>> $decoded */
+		self::$crons = $decoded;
 		return self::$crons;
 	}
 }
@@ -14,6 +14,9 @@ class Cron_Count extends Cron {
 	 */
 	protected $threshold_count = 50;
 
+	/**
+	 * @return void
+	 */
 	public function run() {
 		$crons = self::get_crons();
 		if ( count( $crons ) >= $this->threshold_count ) {

@@ -14,11 +14,17 @@ class Cron_Duplicates extends Cron {
 	 */
 	protected $threshold_count = 10;
 
+	/**
+	 * @return void
+	 */
 	public function run() {
 		$crons             = self::get_crons();
 		$job_counts        = array();
 		$excess_duplicates = false;
 		foreach ( $crons as $job ) {
+			if ( ! isset( $job['hook'] ) ) {
+				continue;
+			}
 			$key_data = array( $job['hook'], isset( $job['args'] ) ? $job['args'] : array() );
 			if ( function_exists( 'wp_json_encode' ) ) {
 				$key = wp_json_encode( $key_data );

@@ -12,7 +12,7 @@ abstract class File extends Check {
 	/**
 	 * File checks are run as their own group.
 	 */
-	protected $_when = false;
+	protected $_when = 'manual'; // Run manually via group
 
 	/**
 	 * File extension to check.
@@ -42,14 +42,14 @@ abstract class File extends Check {
 	/**
 	 * Any files matching the check.
 	 *
-	 * @var array
+	 * @var array<string|\SplFileInfo>
 	 */
 	protected $_matches = array();
 
 	/**
 	 * Get the options for this check
 	 *
-	 * @return string
+	 * @return array<string, bool|string>
 	 */
 	public function get_options() {
 		return array(
@@ -58,4 +58,12 @@ public function get_options() {
 			'path'            => $this->path,
 		);
 	}
+
+	/**
+	 * Check a specific file.
+	 *
+	 * @param \SplFileInfo $file File to check.
+	 * @return void
+	 */
+	abstract public function check_file( \SplFileInfo $file );
 }
@@ -12,9 +12,9 @@ class File_Contents extends File {
 	/**
 	 * Regex pattern to check against each file’s contents.
 	 *
-	 * @var string
+	 * @var string|null
 	 */
-	protected $regex;
+	protected $regex = null;
 
 	/**
 	 * Assert existence or absence of the regex pattern.
@@ -56,12 +56,19 @@ public function run() {
 		}
 	}
 
+	/**
+	 * @param SplFileInfo $file
+	 * @return void
+	 */
 	public function check_file( SplFileInfo $file ) {
 		if ( $file->isDir() || ! isset( $this->regex ) ) {
 			return;
 		}
 
 		$contents = file_get_contents( $file->getPathname() );
+		if ( false === $contents ) {
+			return;
+		}
 
 		if ( preg_match( '#' . $this->regex . '#i', $contents ) ) {
 			$this->_matches[] = $file;