- August
Posted By : Code Buddy
Comments Off on What Are the Best Practices for Coding with WordPress?
What Are the Best Practices for Coding with WordPress?

In a world like ours where WordPress powers 27% of the internet, you can’t afford to ignore these WordPress best practices to make your plugin or theme code readable and clear.

One of the greatest strengths of WordPress is its collaborative environment. Another strength is its adaptability. By adhering to the best practices and standards discussed below in this article, you can continue to uphold both of those strengths.

Keep reading to find out what you should and shouldn’t do in your WordPress lines of code.

Why Adhere To WordPress Best Practices?

These coding standards exist for a reason. WordPress, in addition to being the most used content management system (CMS), is also a collaborative environment. This means that other coders should be able to build off of the code you write.

In order for them to do so successfully and continue to benefit the end-user, code needs to be clear whether it’s written in CSS, HTML, JavaScript, or PHP. Though there are other coding languages, these four are most common on WordPress and dominate the coding standards.

The other main reason to adhere to these standards is to prevent errors and maximize the security of your code.

How Do You Adhere To The Coding Standards?

Now that you know why these standards and best practices are important, let’s dive into the nitty-gritty of this article and discuss ways you can ensure your code is up to snuff. We’ll cover everything from basic organization to securing your code.

Folder Structure

Folder structure best practices involve thinking about clear and logical organization. Think about it this way–if you’re trying to build off of someone’s code, it’s easiest if you can find where a particular line of code exists. You shouldn’t have to search through dozens of nested folders with no organization.

Function Name Collisions

A function name collision happens when a function bears a name identical to another function that’s already defined. It’s like telling someone a cat is an animal with two ears and a nose and then calling every other animal with two ears and a nose a cat. You can see why this would be confusing?

To avoid function name collisions, you can use a prefix for your functions. You can also wrap your functions within a class.

Code Comments

In the entirety of code that builds WordPress, 21% of that content are comments. That tells us that WordPress values code comments. Again, this comes back to the collaborative nature of this particular CMS.

If your code for your plugin or theme continues to grow, it can be confusing for contributing coders to know exactly what to do. How you fix this can depend on the coding language you’re using.

For example, if you’re writing in PHP, you can use PHPDoc sintax and Sublime + Docblockr to add comments to your code. If you’re using CSS, you can use comments to split your lines of code into sections.

In HTML, you can use “” at the end of a large block of code. This will keep the comment from getting lost. Make sure your code comments tick these boxes:

  • Inform what a function actually does
  • List any necessary parameters
  • Describe the return of the function

With this information, coding collaborators can work together to enhance and improve plugins and themes.

Prevent XSS Vulnerabilities

There are three ways you can keep XSS vulnerabilities from affecting your WordPress code. You can:

  • Sanitize data input
  • Sanitize output data
  • Validate your data

These three actions together will improve the security of your code. To sanitize data input, you might check for invalid UTF-8. You can take out all tags, octets, and unnecessary line breaks.

Sanitizing output data is as easy as using “esc_url”, “esc_html”, and “esc_js” code where appropriate.

Prevent Direct Access

Preventing direct file access is another security measure you can take to meet the coding standards on WordPress. All it takes is the use of two particular lines of code:

// exit if accessed directly

If ( !defined ( ‘ABSPATH’ ) ) exit;

Using these lines below your code will stop executions of scripts if the access is not through WordPress itself.

Remove Warnings and Notices

Deprecated functions can leave your code vulnerable to security risks. However, it’s not that difficult to catch them all. Simply code using the DEBUG mode to catch them and deal with them appropriately.

Nonce Values

Nonce, in coding, stands for “numbers used once.” Using nonce values is yet another security measure. In this case, you’ll be protecting your code–and the sites on which it dwells–against what’s known as cross-site request forgeries, or CSRF.

CSRF are unexpected requests–or sometimes duplicate requests. These requests have the ability to cause changes to a website and its database. What’s worse is those changes may be irreversible and therefore permanent.

The changes that come from CSRF are not often desired changes either. Protecting against them is your responsibility as a coder.

WordPress Functions And Libraries

Whether you’re new to coding plugins and themes for WordPress or a veteran, you should know about the WordPress functions and libraries, a store of code that’s already scrubbed for vulnerabilities by core contributors.

This can be a valuable resource for any coder seeking WordPress help, even if you’re writing code from scratch and want to continue to do so. You can use these as references for functions, code comments, and all the other best practices we discussed above.


The options for a website on WordPress, thanks to its themes and plugins, are limitless, constrained only by your imagination. Don’t think of these best practices or standards as fencing in your creative capabilities. Rather, think of them as empowering you to collaborate with other coders and improve upon existing code.