diff --git a/plugins/wporg-5ftf/includes/contributor.php b/plugins/wporg-5ftf/includes/contributor.php
index 75c6df8..a7eacae 100644
--- a/plugins/wporg-5ftf/includes/contributor.php
+++ b/plugins/wporg-5ftf/includes/contributor.php
@@ -66,7 +66,7 @@ function register_custom_post_type() {
 'publicly_queryable' => false,
 'capability_type' => 'page',
 'capabilities' => array(
- 'create_posts' => 'do_not_allow'
+ 'create_posts' => 'do_not_allow',
 ),
 'map_meta_cap' => true,
 'show_in_rest' => false, // todo Maybe turn this on later.
@@ -317,7 +317,7 @@ function process_my_pledges_form() {
 }
 $contributor_post = get_post( $contributor_post_id );
- if ( ! isset( $contributor_post->post_type ) || $contributor_post->post_type !== CPT_ID ) {
+ if ( ! isset( $contributor_post->post_type ) || CPT_ID !== $contributor_post->post_type ) {
 return ''; // Return early, the form was submitted incorrectly.
 }
@@ -326,8 +326,8 @@ function process_my_pledges_form() {
 return ''; // User doesn't have permission to update this.
 }
- $pledge = get_post( $contributor_post->post_parent );
- $message = '';
+ $pledge = get_post( $contributor_post->post_parent );
+ $message = '';
 $new_status = false;
 if ( filter_input( INPUT_POST, 'join_organization' ) ) {
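Review bot: `$pledge = get_post( $contributor_post->post_parent );` is never checked before the next hunk (@@ -335) interpolates `$pledge->post_title` into the three user-facing messages. `get_post()` returns null when the parent post does not exist and, when handed an empty id such as a `post_parent` of 0, falls back to the global `$post`, so the message could either trigger a warning or name an unrelated post. A guard in the style of the early returns just above it, `if ( empty( $contributor_post->post_parent ) || ! $pledge ) { return ''; }`, covers both cases. `process_my_pledges_form()` starts outside the hunk.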
@@ -335,21 +335,21 @@ function process_my_pledges_form() {
 wp_verify_nonce( $unverified_nonce, $nonce_action ) || wp_nonce_ays( $nonce_action );
 $new_status = 'publish';
- $message = "You have joined the pledge from {$pledge->post_title}.";
+ $message = "You have joined the pledge from {$pledge->post_title}.";
 } elseif ( filter_input( INPUT_POST, 'decline_invitation' ) ) {
 $nonce_action = 'join_decline_organization_' . $contributor_post_id;
 wp_verify_nonce( $unverified_nonce, $nonce_action ) || wp_nonce_ays( $nonce_action );
 $new_status = 'trash';
- $message = "You have declined the pledge invitation from {$pledge->post_title}.";
+ $message = "You have declined the pledge invitation from {$pledge->post_title}.";
 } elseif ( filter_input( INPUT_POST, 'leave_organization' ) ) {
 $nonce_action = 'leave_organization_' . $contributor_post_id;
 wp_verify_nonce( $unverified_nonce, $nonce_action ) || wp_nonce_ays( $nonce_action );
 $new_status = 'trash';
- $message = "You have left the {$pledge->post_title} pledge.";
+ $message = "You have left the {$pledge->post_title} pledge.";
 }
 if ( 'publish' === $new_status && 'publish' !== $contributor_post->post_status ) {
diff --git a/plugins/wporg-5ftf/includes/email.php b/plugins/wporg-5ftf/includes/email.php
index 20ed688..9a4c1d9 100644
--- a/plugins/wporg-5ftf/includes/email.php
+++ b/plugins/wporg-5ftf/includes/email.php
@@ -34,7 +34,8 @@ defined( 'WPINC' ) || die();
 const TOKEN_PREFIX = '5ftf_auth_token_';
-// Longer than `get_password_reset_key()` just to be safe. See https://core.trac.wordpress.org/ticket/43546#comment:34
+// Longer than `get_password_reset_key()` just to be safe.
+// See https://core.trac.wordpress.org/ticket/43546#comment:34.
 const TOKEN_LENGTH = 32;
 add_action( 'wp_head', __NAMESPACE__ . '\prevent_caching_auth_tokens', 99 );
@@ -46,8 +47,9 @@ add_action( 'wp_head', __NAMESPACE__ . '\prevent_caching_auth_tokens', 99 );
 * etc could create situations where they're leaked to others.
 */
 function prevent_caching_auth_tokens() {
+ // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce not required, not processing form data.
 if ( isset( $_GET['auth_token'] ) || isset( $_POST['auth_token'] ) ) {
- nocache_headers();
+ nocache_headers();
 }
 }
@@ -65,7 +67,6 @@ function send_email( $to, $subject, $message, $pledge_id ) {
 $headers = array(
 'From: WordPress - Five for the Future ',
 'Reply-To: support@wordcamp.org',
- // todo update address when new one is created
 );
 $result = wp_mail( $to, $subject, $message, $headers );
@@ -101,12 +102,10 @@ function send_email( $to, $subject, $message, $pledge_id ) {
 */
 function get_authentication_url( $pledge_id, $action, $action_page_id, $use_once = true ) {
 $auth_token = array(
- /*
- * This will create a CSPRN and is similar to how `get_password_reset_key()` and
- * `generate_recovery_mode_token()` work.
- */
+ // This will create a CSPRN and is similar to how `get_password_reset_key()` and
+ // `generate_recovery_mode_token()` work.
 'value' => wp_generate_password( TOKEN_LENGTH, false ),
- // todo Ideally should encrypt at rest, see https://core.trac.wordpress.org/ticket/24783.
+ // todo Ideally should encrypt at rest, see https://core.trac.wordpress.org/ticket/24783.
 'expiration' => time() + ( 2 * HOUR_IN_SECONDS ),
 'use_once' => $use_once,
 );
@@ -132,7 +131,7 @@ function get_authentication_url( $pledge_id, $action, $action_page_id, $use_once
 );
 // todo include a "this lnk will expire in 10 hours and after its used once" message too?
- // probably, but what's the best way to do that DRYly?
+ // probably, but what's the best way to do that DRYly?
 return $auth_url;
 }
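Review bot: The `'value'` line still stores the raw token in post meta, and the re-touched todo beneath it frames the fix as encryption; what `get_password_reset_key()`, cited in the new comment, actually does is store only a hash of the key and compare the presented value against it, which for this code would mean hashing in `get_authentication_url()` and a `hash_equals()` comparison in `is_valid_authentication_token()`, so a read of the meta table does not yield working links. That is more than a tidy-up, but the comment could state the intended direction now: `// todo Store a hash of the token (as get_password_reset_key() does) instead of the raw value; see https://core.trac.wordpress.org/ticket/24783.`. While here, "CSPRN" reads as a typo for the generator, e.g. `// wp_generate_password() draws from a CSPRNG, similar to how get_password_reset_key() and generate_recovery_mode_token() work.`. `is_valid_authentication_token()` is outside this hunk.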
@@ -177,7 +176,7 @@ function is_valid_authentication_token( $pledge_id, $action, $unverified_token )
 $verified = true;
 // Tokens should not be reusable -- to increase security -- unless explicitly required to fulfill their purpose.
- if ( $valid_token['use_once'] !== false ) {
+ if ( false !== $valid_token['use_once'] ) {
 delete_post_meta( $pledge_id, TOKEN_PREFIX . $action );
 }
 }
diff --git a/plugins/wporg-5ftf/includes/pledge-form.php b/plugins/wporg-5ftf/includes/pledge-form.php
index e00496e..0a21568 100755
--- a/plugins/wporg-5ftf/includes/pledge-form.php
+++ b/plugins/wporg-5ftf/includes/pledge-form.php
@@ -134,7 +134,10 @@ function process_pledge_confirmation_email( $pledge_id, $action, $unverified_tok
 if ( $email_confirmed ) {
 update_post_meta( $pledge_id, $meta_key, true );
- wp_update_post( array( 'ID' => $pledge_id, 'post_status' => 'publish' ) );
+ wp_update_post( array(
+ 'ID' => $pledge_id,
+ 'post_status' => 'publish',
+ ) );
 send_contributor_confirmation_emails( $pledge_id );
 }
@@ -172,11 +175,11 @@ function send_contributor_confirmation_emails( $pledge_id, $contributor_id = nul
 * because there's no expiration.
 */
 $message =
- "Howdy $name, {$pledge->post_title} has created a Five for the Future pledge on WordPress.org and listed you as one of the contributors that they sponsor to contribute to the WordPress open source project. You can view their pledge at:" . "\n\n" .
+ "Howdy $name, {$pledge->post_title} has created a Five for the Future pledge on WordPress.org and listed you as one of the contributors that they sponsor to contribute to the WordPress open source project. You can view their pledge at:\n\n" .
 get_permalink( $pledge_id ) . "\n\n" .
- "To confirm that they're sponsoring your contributions, please review your pledges at:" . "\n\n" .
+ "To confirm that they're sponsoring your contributions, please review your pledges at:\n\n" .
 get_permalink( get_page_by_path( 'my-pledges' ) ) . "\n\n" .
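Review bot: The result of the reformatted `wp_update_post()` call is discarded, so if the status change fails the pledge stays unpublished while `update_post_meta()` has already recorded the email as confirmed and `send_contributor_confirmation_emails()` still goes out. Capture it and bail before the emails: `$updated = wp_update_post( array( 'ID' => $pledge_id, 'post_status' => 'publish' ), true );` followed by `if ( is_wp_error( $updated ) || 0 === $updated ) { return; }`, adjusting the bail value to whatever the function returns on other failure paths, which are outside this hunk. `process_pledge_confirmation_email()` starts and ends outside the hunk.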
@@ -184,8 +187,7 @@ function send_contributor_confirmation_emails( $pledge_id, $contributor_id = nul
 "https://profiles.wordpress.org/me/profile/edit/group/5/\n\n" .
- "If {$pledge->post_title} isn't sponsoring your contributions, then you can ignore this email, and you won't be listed on their pledge."
- ;
+ "If {$pledge->post_title} isn't sponsoring your contributions, then you can ignore this email, and you won't be listed on their pledge.";
 $user = get_user_by( 'login', $contributor->post_title );
 Email\send_email( $user->user_email, $subject, $message, $pledge_id );
@@ -267,7 +269,6 @@ function process_manage_link_request() {
 } else {
 $result = new WP_Error( 'email_failed', __( 'There was an error while trying to send the email.', 'wporg-5ftf' ) );
 }
-
 } else {
 $error_message = sprintf(
 __( 'That\'s not the address that we have for this pledge, please try a different one. If none of the addresses you try are working, please email us for help.', 'wporg-5ftf' ),
@@ -303,11 +304,9 @@ function send_manage_pledge_link( $pledge_id ) {
 $pledge_id,
 'manage_pledge',
 get_page_by_path( 'manage-pledge' )->ID,
- // The token needs to be reused so that the admin can view the form, submit it, and view the result.
 false
- )
- ;
+ );
 $result = Email\send_email( $admin_email, $subject, $message, $pledge_id );
@@ -327,7 +326,7 @@ function send_manage_pledge_link( $pledge_id ) {
 */
 function process_form_manage() {
 $submission = get_form_submission();
- $has_error = check_invalid_submission( $submission );
+ $has_error = check_invalid_submission( $submission );
 if ( $has_error ) {
 return $has_error;
 }
diff --git a/plugins/wporg-5ftf/includes/pledge-meta.php b/plugins/wporg-5ftf/includes/pledge-meta.php
index 770205f..240aca8 100755
--- a/plugins/wporg-5ftf/includes/pledge-meta.php
+++ b/plugins/wporg-5ftf/includes/pledge-meta.php
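Review bot: Dropping the comment above the `false` argument in the @@ -303 hunk loses the only explanation of why this token is deliberately reusable, which is the security-relevant exception to the `$use_once = true` default of `get_authentication_url()`; a bare positional `false` tells the next reader nothing. Keep the rationale on the argument line, `false, // Reusable: the admin has to load the form, submit it, and see the result with the same link.`, or introduce a named local such as `$use_once = false;` and pass that instead. `send_manage_pledge_link()` starts outside the hunk.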
@@ -76,7 +76,7 @@ function get_pledge_meta_config( $context = 'all' ) {
 'sanitize_callback' => 'absint',
 'show_in_rest' => false,
 ),
- 'pledge-total-hours' => array(
+ 'pledge-total-hours' => array(
 'single' => true,
 'sanitize_callback' => 'absint',
 'show_in_rest' => false,
@@ -259,10 +259,7 @@ function save_pledge( $pledge_id, $pledge ) {
 return;
 }
- if ( ! current_user_can( 'edit_pledge', $pledge_id ) ) {
- // todo re-enable once setup cap mapping or whatever.
- //return;
- }
+ // if ( ! current_user_can( 'edit_pledge', $pledge_id ) ) {} -- todo re-enable once setup cap mapping or whatever.
 if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || 'auto-draft' === $pledge->post_status ) {
 return;
@@ -388,7 +385,7 @@ function maybe_update_single_cached_pledge_data( $new_status, $old_status, WP_Po
 *
 * This is saved so that it can be easily queried against, and also to make stats calculations easier.
 *
- * @param $pledge_id
+ * @param int $pledge_id
 */
 function update_single_cached_pledge_data( $pledge_id ) {
 $pledge_data = XProfile\get_aggregate_contributor_data_for_pledge( $pledge_id );
diff --git a/plugins/wporg-5ftf/includes/pledge.php b/plugins/wporg-5ftf/includes/pledge.php
index 45d19d0..750a33e 100755
--- a/plugins/wporg-5ftf/includes/pledge.php
+++ b/plugins/wporg-5ftf/includes/pledge.php
@@ -95,7 +95,7 @@ function register_custom_post_type() {
 'publicly_queryable' => true,
 'capability_type' => 'page',
 'capabilities' => array(
- 'create_posts' => 'do_not_allow'
+ 'create_posts' => 'do_not_allow',
 ),
 'map_meta_cap' => true,
 'show_in_rest' => false, // todo Maybe turn this on later.
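Review bot: `save_pledge()` still runs with no authorization check after the @@ -259 hunk; the removed block was already a no-op, but the single-line replacement now reads as a check that is merely commented out, and the function presumably goes on to persist submitted meta (outside the hunk) for any `save_post` trigger. Both post types in this commit are registered with `'capability_type' => 'page'` and `'map_meta_cap' => true`, so the mapped primitive should already resolve without a custom `edit_pledge` cap: `if ( is_admin() && ! current_user_can( 'edit_post', $pledge_id ) ) { return; }`. The `is_admin()` guard is my guess at why the check was disabled, since `create_new_pledge()` in pledge.php inserts pledges from the front end where no user is logged in — confirm that before enabling it, and an admin-side nonce check belongs alongside it. `save_pledge()` starts and ends outside the hunk.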
@@ -153,12 +153,16 @@ function add_list_table_columns( $columns ) {
 function populate_list_table_columns( $column, $post_id ) {
 switch ( $column ) {
 case 'contributor_counts':
- $contribs = Contributor\get_pledge_contributors( $post_id, 'all' );
- printf(
- wpautop( '%1$d confirmed' . "\n" . '%2$d unconfirmed' ),
- count( $contribs['publish'] ),
- count( $contribs['pending'] )
+ $contribs = Contributor\get_pledge_contributors( $post_id, 'all' );
+ $confirmed = sprintf(
+ _n( '%s confirmed', '%s confirmed', count( $contribs['publish'] ), 'wporg-5ftf' ),
+ number_format_i18n( count( $contribs['publish'] ) )
 );
+ $unconfirmed = sprintf(
+ _n( '%s unconfirmed', '%s unconfirmed', count( $contribs['pending'] ), 'wporg-5ftf' ),
+ number_format_i18n( count( $contribs['pending'] ) )
+ );
+ printf( '%s
%s', esc_html( $confirmed ), esc_html( $unconfirmed ) );
 break;
 case 'domain':
 $domain = get_post_meta( $post_id, META_PREFIX . 'org-domain', true );
@@ -181,7 +185,6 @@ function create_new_pledge( $name ) {
 'post_status' => 'draft',
 );
- $pledge_id = wp_insert_post( $args, true ); // The pledge's meta data is saved at this point via `save_pledge_meta()`, which is a `save_post` callback.
@@ -204,11 +207,10 @@ function create_new_pledge( $name ) {
 function send_pledge_confirmation_email( $pledge_id, $action_page_id ) {
 $pledge = get_post( $pledge_id );
- $message =
- "Thanks for pledging your organization's time to contribute to the WordPress open source project! Please confirm this email address in order to publish your pledge:" . "\n\n" .
-
+ $message = sprintf(
+ "Thanks for pledging your organization's time to contribute to the WordPress open source project! Please confirm this email address in order to publish your pledge:\n\n%s",
 Email\get_authentication_url( $pledge_id, 'confirm_pledge_email', $action_page_id )
- ;
+ );
 return Email\send_email(
 $pledge->{'5ftf_org-pledge-email'},
@@ -233,12 +235,12 @@ function filter_query( $query ) {
 $hours_count_key = META_PREFIX . 'pledge-total-hours';
 // Set up meta queries to include the "valid pledge" check, added to both search and pledge archive requests.
- $meta_queries = (array) $query->get( 'meta_query' );
+ $meta_queries = (array) $query->get( 'meta_query' );
 $meta_queries[] = array(
- 'key' => $contributor_count_key,
- 'value' => 0,
+ 'key' => $contributor_count_key,
+ 'value' => 0,
 'compare' => '>',
- 'type' => 'NUMERIC',
+ 'type' => 'NUMERIC',
 );
 // Searching is restricted to pledges with contributors only.
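Review bot: `count( $contribs['publish'] )` and `count( $contribs['pending'] )` are each evaluated twice in the new `$confirmed` and `$unconfirmed` blocks of the @@ -153 hunk; hoisting them into `$confirmed_count = count( $contribs['publish'] );` and `$unconfirmed_count = count( $contribs['pending'] );` makes it obvious that `_n()` and `number_format_i18n()` receive the same value and removes the duplication. Whether both keys are always present in what `get_pledge_contributors( $post_id, 'all' )` returns is not visible here, so a `?? array()` fallback may be worth confirming against that helper. The `printf()` format line is split across two lines in this copy of the diff and the separator between the two `%s` placeholders is not visible, so I can't confirm the markup it emits. `populate_list_table_columns()` ends outside the hunk.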
@@ -271,6 +273,7 @@ function filter_query( $query ) {
 }
 }
- // todo remove this when `rand` pagination fixed, see https://github.com/WordPress/five-for-the-future/issues/70#issuecomment-549066883
+ // todo remove this when `rand` pagination fixed
+ // see https://github.com/WordPress/five-for-the-future/issues/70#issuecomment-549066883.
 $query->set( 'posts_per_page', 100 );
 }
diff --git a/plugins/wporg-5ftf/tests/test-email.php b/plugins/wporg-5ftf/tests/test-email.php
index ba2fc51..eb18051 100644
--- a/plugins/wporg-5ftf/tests/test-email.php
+++ b/plugins/wporg-5ftf/tests/test-email.php
@@ -7,6 +7,7 @@ use const WordPressDotOrg\FiveForTheFuture\Pledge\CPT_ID as PLEDGE_POST_TYPE;
 defined( 'WPINC' ) || die();
 class Test_Email extends WP_UnitTestCase {
+ // phpcs:ignore PSR2.Classes.PropertyDeclaration.Multiple
 protected static $valid_pledge, $valid_action, $valid_action_page, $valid_action_url, $valid_token;
 /**
@@ -29,8 +30,7 @@ class Test_Email extends WP_UnitTestCase {
 self::$valid_pledge = get_post( $valid_pledge_id );
-
- $valid_action_page_id = self::factory()->post->create( $valid_action_page_params );
+ $valid_action_page_id = self::factory()->post->create( $valid_action_page_params );
 self::$valid_action_page = get_post( $valid_action_page_id );
 self::$valid_action = 'confirm_pledge_email';
@@ -44,7 +44,7 @@ class Test_Email extends WP_UnitTestCase {
 /**
 * Verify whether or not the fixtures were setup correctly.
 *
- * @return bool
+ * @return void
 */
 protected static function verify_before_class_fixtures() {
 self::assertSame( 'object', gettype( self::$valid_action_page ) );
@@ -85,7 +85,7 @@ class Test_Email extends WP_UnitTestCase {
 $this->assertTrue( $verified );
 // todo test that `view` and `update` contexts work as well, when those are added
- // maybe need to test some failures for that too
+ // maybe need to test some failures for that too.
 }
 /**
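Review bot: Suppressing `PSR2.Classes.PropertyDeclaration.Multiple` in the @@ -7 hunk of test-email.php is a style regression in the new line rather than a fix; the five static fixtures read better, and can each carry a one-line note on what the before-class setup assigns to them, when declared one per line (`protected static $valid_pledge;` through `protected static $valid_token;`), after which the `phpcs:ignore` is unnecessary. The class body continues outside the hunk.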
@@ -118,11 +118,11 @@ class Test_Email extends WP_UnitTestCase {
 'wrong-data-type' => array( 'this string is not an array' ),
 'wrong-array-items' => array( 'this' => "doesn't have `value` and `expiration` items" ),
- 'invalid-value' => array(
+ 'invalid-value' => array(
 array(
 'value' => 'Valid tokens will never contain special characters like !@#$%^&*()',
 'expiration' => time() + HOUR_IN_SECONDS,
- )
+ ),
 ),
 );
 }
@@ -167,8 +167,8 @@ class Test_Email extends WP_UnitTestCase {
 */
 public function test_valid_token_rejected_for_other_actions() {
 // Setup another valid token for the other action.
- $other_valid_action = 'confirm_contributor_participation';
- // todo update this when the action for that step is created, so that they match and show that valid actions
+ $other_valid_action = 'confirm_contributor_participation';
+ // todo update this when the action for that step is created, so that they match and show that valid actions.
 $other_valid_action_url = get_authentication_url( self::$valid_pledge->ID, $other_valid_action, self::$valid_action_page->ID );
 // Intentionally mismatch the token and action.
diff --git a/plugins/wporg-5ftf/views/form-pledge-confirm-email.php b/plugins/wporg-5ftf/views/form-pledge-confirm-email.php
index a603687..8163539 100755
--- a/plugins/wporg-5ftf/views/form-pledge-confirm-email.php
+++ b/plugins/wporg-5ftf/views/form-pledge-confirm-email.php
@@ -18,7 +18,7 @@ use WP_Post;
 the directory once one contributor confirms their participation.", 'wporg' ) ),
- esc_url( $directory_url )
+ esc_url( $directory_url )
 ); ?>

@@ -45,13 +45,11 @@ use WP_Post;

- Your confirmation link has expired, please obtain a new one:

diff --git a/plugins/wporg-5ftf/views/form-pledge-request-manage-link.php b/plugins/wporg-5ftf/views/form-pledge-request-manage-link.php
index e7a4119..d0a94ad 100644
--- a/plugins/wporg-5ftf/views/form-pledge-request-manage-link.php
+++ b/plugins/wporg-5ftf/views/form-pledge-request-manage-link.php
@@ -9,6 +9,7 @@ defined( 'WPINC' ) || die();
 */
 // Hide it if it hasn't submitted, but show success/error messages if it was submitted.
+// phpcs:ignore
 $hidden = empty( $errors ) && empty( $_POST['get_manage_pledge_link'] ) ? 'hidden' : ''; ?>
diff --git a/plugins/wporg-5ftf/views/log.php b/plugins/wporg-5ftf/views/log.php
index 5351d08..2f8ae09 100644
--- a/plugins/wporg-5ftf/views/log.php
+++ b/plugins/wporg-5ftf/views/log.php
@@ -38,6 +38,7 @@ namespace WordPressDotOrg\FiveForTheFuture\View;
 $user = get_user_by( 'id', $entry['user_id'] );
 if ( $user ) {
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sanitize_user prevents unsafe characters.
 echo sanitize_user( $user->user_login );
 } elseif ( ! empty( $entry['user_id'] ) ) {
 echo esc_html( $entry['user_id'] );
@@ -52,9 +53,7 @@ namespace WordPressDotOrg\FiveForTheFuture\View; -
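Review bot: The bare `// phpcs:ignore` added above `$hidden = …` in form-pledge-request-manage-link.php silences every sniff on that line rather than the one it is meant to cover, so a future unescaped-output or similar finding on the same line would be hidden as well. Name the sniff and the reason, as the other ignores in this commit do: `// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Only checks whether the form was posted; the value itself is not used.`. That wording assumes the submission is nonce-checked where it is actually processed, which is outside this hunk.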
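Review bot: `echo sanitize_user( $user->user_login );` in log.php uses an input sanitizer where an output escaper belongs, and the new ignore comment overstates what it guarantees: without `$strict = true`, `sanitize_user()` only strips tags, accents, entities and invalid octets, leaving characters such as quotes and a bare `&` in place. `echo esc_html( $user->user_login );`, the same call the `elseif` branch already uses, escapes for the HTML context and needs no `phpcs:ignore`, so the two lines can collapse into that one. The surrounding template logic continues outside the hunk.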

- There are no log entries. -

+

There are no log entries.

diff --git a/plugins/wporg-5ftf/views/partial-result-messages.php b/plugins/wporg-5ftf/views/partial-result-messages.php index c3d5135..6782117 100644 --- a/plugins/wporg-5ftf/views/partial-result-messages.php +++ b/plugins/wporg-5ftf/views/partial-result-messages.php @@ -24,9 +24,9 @@ defined( 'WPINC' ) || die();
- +

- +