KEMBAR78
Best Practices for Building WordPress Applications | PPTX
Taylor Lovett, profile picture
Uploaded byTaylor Lovett
PPTX, PDF6,618 views

Best Practices for Building WordPress Applications

This document provides best practices for WordPress applications, covering topics like caching, database reads/writes, search queries, maintainability, security, third-party code, teams, and workflows. It recommends tools and techniques to optimize performance, including using Redis for caching, Elasticsearch for complex queries, feature plugins, documentation, testing, linting, and managing dependencies with Composer.

Download to read offline
Best Practices for WordPress Applications
Who Am I? • My name is Taylor Lovett • VP of Engineering at 10up • WordPress plugin creator and core contributor • Open source community member @tlovett12
10up is hiring! @tlovett12 taylor.lovett@10up.com
https://10up.github.io/Engineering-Best-Practices/
C A C H I N G
Redis as a Persistent Object Cache • WP lets you drop in a custom object cache. • Redis lets you store things in memory for fast read/writes • Redis offers built in failover features that make it easier to scale than Memcached https://wordpress.org/plugins/wp-redis/
Page Caching • Page caching is the act of caching entire rendered HTML pages. • Pages can be stored in the object cache avoiding database queries entirely. https://wordpress.org/plugins/batcache/
Fragment Caching • All output involving a database read on the front end should be fragment cached aside from the main WP query. • For example, generated HTML from a feature post carousel should be cached since it uses a WP_Query
Remote Calls • Remote blocking calls can be a huge performance bottleneck • Cache remote calls as long as possible • Utilize non-blocking remote requests wherever possible
Prime Cache Asynchronously • Don’t make the user wait for a cache to be primed. • Re-prime after invalidation • Cleverly prime cached data asynchronously (async transients, cron, non-blocking AJAX, job queue, etc.) https://github.com/10up/Async-Transients
admin-ajax.php • Admin-ajax.php is for admin use only. It is not cached as aggressively as the front end. Page caching will not work.
Off the Shelf Caching Plugins • Can be difficult to install and even more difficult to remove. • Created for the general public and often bloated with features. • Keep it simple.
D A T A B A S E R E A D S A N D W R I T E S
Avoid Front End Writes • Database writes are slow • Avoid race conditions • Page caching makes them unreliable.
Understand WP_Query Parameters • 'no_found_rows' => true: Tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database query. • 'update_post_meta_cache' => false: useful when post meta will not be utilized. • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized. • 'fields' => 'ids': useful when only the post IDs are needed. Avoids lots of extra preparation.
Understand WP Query Parameters • ‘posts_per_page’ => ‘…’: Sets the query limit to something other than -1 • ‘post__not_in’: Tells MySQL to run a NOT IN query which is inherently slow. Try to avoid.
Understand WP Query Parameters new WP_Query( array( 'no_found_rows' => true, 'fields' => 'ids', 'update_post_meta_cache' => false, 'update_post_term_cache' => false, 'posts_per_page' => 100, ) );
Autoloading Options • update_option() and add_option() take a 3rd parameter $autoload. • If you don’t need an option on every request, specify false for $autoload.
Job Queues for Heavy Lifting • For intense database or remote call activity such as a generating reports, expensive API calls, ingesting content, etc, use a job queue. • WP Minions - https://github.com/10up/wp- minions
S E A R C H A N D C O M P L E X Q U E R I E S
Elasticsearch/ElasticPre ss • ElasticPress empowers you to execute complex queries fast. • E.g. multidimensional taxonomy queries, multidimensional meta queries, etc. • On large databases, these types of queries are not feasible in MySQL. https://github.com/10up/ElasticPress
Elasticsearch/ElasticPre ss • ElasticPress is also a toolbox for vastly improving the search experience. • E.g. searching associated terms/meta, author search, autosuggest, geolocation, custom weightings, etc. https://github.com/10up/ElasticPress
M A I N T A I N A B I L I T Y A N D S T A B I L I T Y
Maintainable Code Improves Stability • Easily maintainable and extendible code bases are less susceptible to bugs. • Bugs in maintainable code are solved quicker • New features are more easily created in maintainable code. • Happy engineers are more productive (often overlooked).
Modern PHP Design Patterns • WordPress core is backwards compatible with PHP 5.2.4 (WP 5.2 will up minimum version to 5.6) • Your project does not need to be constrained by incredibly outdated software • Traits, composer, namespaces, etc.
Don’t Obsess Over MVC PHP • MVC (model, view, and controller) is a great pattern in many situations. • WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
Feature Plugins • Group distinct pieces of functionality into plugins as much as possible. • This separation simplifies deployments and enables you to reuse functionality on other projects. • Opt-in to functionality through usage of hooks
Documentation • Properly documented code is more quickly fixed and iterated upon • Make documentation a part of your code review process • PHP Documentation Standards: https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/php/ • JS Documentation Standards: https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/javascript/
Wrapping Wrappers • WordPress has a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc. • Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
Write Tests • Unit tests • WP Mock - https://github.com/10up/wp_mock • Acceptance Tests • WP Acceptance - https://github.com/10up/wpacceptance • Tests improve quality and stability through identification of issues. Decrease regression
Linting • Enforce linting rules. This keeps your code clean and makes it more maintainable. • PHPCS Rules - https://github.com/10up/phpcs- composer • ESLint Config - https://github.com/10up/eslint- config
Manage Dependencies with Composer • Manage plugins, themes, and WordPress with composer when possible. • This forces updates to be more deliberate and ensures everyone is running the same versions of dependencies. • Disable plugin install/updates in the WP dashboard. • See https://10up.github.io/Engineering-Best- Practices/structure/#dependencies
Manage Dependencies with Composer |- composer.json _________ # Define dependencies |- wp-config.php _________ # WordPress configuration |- wp/ ___________________ # Composer install WordPress here |- wp-content/ ___________ # Composer dependencies | |- themes/ ____________ # Themes directory | |- plugins/ ___________ # Plugins directory
S E C U R I T Y
Clean Input • Validate/sanitize data being inserted into the database to strip anything harmful.
Clean Input if ( ! empty( $_POST['option'] ) ) { update_post_meta( $post_id, 'option_key', true ); } else { delete_post_meta( $post_id, 'option_key' ); } update_post_meta( $post_id, 'key_name', sanitize_text
Secure Output • Escape data that is printed to the screen • Escape data as late as possible • Check out the esc_* functions in the codex. https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
Nonces • Ensure intent of important actions (database modifications) by associating them with a nonce • wp_create_nonce(), wp_verify_nonce(), wp_nonce_field()
Nonces <form> <?php wp_nonce_field( 'prefix-form-action', 'nonc ... </form> if ( empty( $_POST['nonce_field'] || wp_verify_nonce( $_POST['nonce_field'], 'prefix- form-action' ) { return false; }
Limit Login Attempts • Limit max number of login attempts to prevent password guessing.
Require Strong Passwords • Weak passwords are one of the most common ways attackers exploit websites. • Require your users create strong passwords. There are a few great plugins that do this automatically.
T H I R D P A R T Y C O D E
Review Code Over 40,000 community plugins • Plugins reviewed before submission • Plugin revisions not reviewed • Review guidelines not geared for high traffic
Review Code Thousands of community themes • More stringent review guidelines than plugins • Review guidelines not geared for high traffic • Performance not measured
T E A M S
Workflows • Keeping track of code history with version control is critical. At 10up, we use GitLab. • https://gitlab.com • Mandate workflow at the start of project to keep everyone on the same page. • 10up’s workflow in detail: https://10up.github.io/Engineering-Best- Practices/version-control/#workflows
Internal Code Reviews • Code reviews help ensure performance, security, maintainability, and scalability • Engineers improve skills by reviewing and receiving reviews. • All code should be reviewed by someone who didn’t write it.
Continuous Integration • At 10up we use GitLab and a variety of tools for continuous integration. • When merge requests are opened against master, those changes are tested automatically (unit tests, acceptance tests, syntax error checks, vulnerability database comparison, virus scan, etc.)
WP Snapshots • WP Snapshots is a tool that empowers teams to share codebases (database and files) quickly. It makes on boarding new engineers much faster. • https://github.com/10up/wpsnapshots
Q U E S T I O N S ? @ T L O V E T T 1 2 T A Y L O R . L O V E T T @ 1 0 U P . C O M

More Related Content

PDF
Best Practices for WordPress
byTaylor Lovett
 
PDF
You Got React.js in My PHP
byTaylor Lovett
 
PPTX
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
PDF
Isomorphic WordPress Applications with NodeifyWP
byTaylor Lovett
 
PPTX
Saving Time with WP-CLI
byTaylor Lovett
 
PDF
JSON REST API for WordPress
byTaylor Lovett
 
PDF
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
PDF
Transforming WordPress Search and Query Performance with Elasticsearch
byTaylor Lovett
 
Best Practices for WordPress
byTaylor Lovett
 
You Got React.js in My PHP
byTaylor Lovett
 
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
Isomorphic WordPress Applications with NodeifyWP
byTaylor Lovett
 
Saving Time with WP-CLI
byTaylor Lovett
 
JSON REST API for WordPress
byTaylor Lovett
 
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
Transforming WordPress Search and Query Performance with Elasticsearch
byTaylor Lovett
 

What's hot

PDF
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
PDF
Unlocking the Magical Powers of WP_Query
byDustin Filippini
 
KEY
WordPress APIs
bymdawaffe
 
PDF
Adobe AEM CQ5 - Developer Introduction
byYash Mody
 
PDF
Beyond The Browser - Creating a RESTful Web Service With WordPress
byChristopher Reding
 
PDF
OpenERP and Perl
byOpusVL
 
PDF
Theming in WordPress - Where do I Start?
byEdmund Turbin
 
PDF
Introduction to CQ5
byMichele Mostarda
 
PDF
Perl in the Real World
byOpusVL
 
PPTX
Caching, Scaling, and What I've Learned from WordPress.com VIP
byErick Hitter
 
PPT
SenchaCon 2016: LinkRest - Modern RESTful API Framework for Ext JS Apps - Rou...
bySencha
 
PDF
API Design & Security in django
byTareque Hossain
 
PDF
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
PDF
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
PDF
A Day of REST
byScott Taylor
 
PDF
Introduction to CouchDB
byOpusVL
 
PDF
PowerShell for SharePoint Developers
byBoulos Dib
 
PPTX
Getting started with WordPress development
bySteve Mortiboy
 
PDF
Effectively Deploying MongoDB on AEM
byNorberto Leite
 
PPTX
SenchaCon 2016: The Modern Toolchain - Ross Gerbasi
bySencha
 
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
Unlocking the Magical Powers of WP_Query
byDustin Filippini
 
WordPress APIs
bymdawaffe
 
Adobe AEM CQ5 - Developer Introduction
byYash Mody
 
Beyond The Browser - Creating a RESTful Web Service With WordPress
byChristopher Reding
 
OpenERP and Perl
byOpusVL
 
Theming in WordPress - Where do I Start?
byEdmund Turbin
 
Introduction to CQ5
byMichele Mostarda
 
Perl in the Real World
byOpusVL
 
Caching, Scaling, and What I've Learned from WordPress.com VIP
byErick Hitter
 
SenchaCon 2016: LinkRest - Modern RESTful API Framework for Ext JS Apps - Rou...
bySencha
 
API Design & Security in django
byTareque Hossain
 
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
A Day of REST
byScott Taylor
 
Introduction to CouchDB
byOpusVL
 
PowerShell for SharePoint Developers
byBoulos Dib
 
Getting started with WordPress development
bySteve Mortiboy
 
Effectively Deploying MongoDB on AEM
byNorberto Leite
 
SenchaCon 2016: The Modern Toolchain - Ross Gerbasi
bySencha
 

Similar to Best Practices for Building WordPress Applications

PDF
Best practices-wordpress-enterprise
byTaylor Lovett
 
PDF
eMusic: WordPress in the Enterprise
byScott Taylor
 
PDF
Screaming Fast Wpmu
bydjcp
 
PDF
Important Topics for wordPress Interview.pdf
byprepmagic3
 
PPTX
Level Up: 5 Expert Tips for Optimizing WordPress Performance
byPantheon
 
PDF
WordPress Architecture for Tech-Savvy Managers
byMario Peshev
 
PPTX
A crash course in scaling wordpress
byGovLoop
 
PPTX
WCBos13 intermediate workshop
byBoston WordPress
 
PDF
All about word press
byDan Beil
 
PDF
Optimizing WordPress for Performance - WordCamp Houston
byChris Olbekson
 
PPT
WordPress Harrisburg Meetup - Best Practices
byryanduff
 
PDF
Unscrambling An Omelette - How Companies Can Use WordPress Better - Jeremy Ke...
byWordCamp Sydney
 
PDF
Plugin Development @ WordCamp Norway 2014
byBarry Kooij
 
PPTX
Php rules
bychristopher mabunda
 
PDF
Improve WordPress performance with caching and deferred execution of code
byDanilo Ercoli
 
PDF
Wordpress as a framework
byAggelos Synadakis
 
PDF
Mastering the Art of WordPress: 13 Years of Advanced Tips and Tricks
byStanko Metodiev
 
PDF
23 Ways To Speed Up WordPress
byZero Point Development
 
PDF
WordPress as an application framework
byDustin Filippini
 
PDF
Plugin Development - WP Meetup Antwerp
byBarry Kooij
 
Best practices-wordpress-enterprise
byTaylor Lovett
 
eMusic: WordPress in the Enterprise
byScott Taylor
 
Screaming Fast Wpmu
bydjcp
 
Important Topics for wordPress Interview.pdf
byprepmagic3
 
Level Up: 5 Expert Tips for Optimizing WordPress Performance
byPantheon
 
WordPress Architecture for Tech-Savvy Managers
byMario Peshev
 
A crash course in scaling wordpress
byGovLoop
 
WCBos13 intermediate workshop
byBoston WordPress
 
All about word press
byDan Beil
 
Optimizing WordPress for Performance - WordCamp Houston
byChris Olbekson
 
WordPress Harrisburg Meetup - Best Practices
byryanduff
 
Unscrambling An Omelette - How Companies Can Use WordPress Better - Jeremy Ke...
byWordCamp Sydney
 
Plugin Development @ WordCamp Norway 2014
byBarry Kooij
 
Php rules
bychristopher mabunda
 
Improve WordPress performance with caching and deferred execution of code
byDanilo Ercoli
 
Wordpress as a framework
byAggelos Synadakis
 
Mastering the Art of WordPress: 13 Years of Advanced Tips and Tricks
byStanko Metodiev
 
23 Ways To Speed Up WordPress
byZero Point Development
 
WordPress as an application framework
byDustin Filippini
 
Plugin Development - WP Meetup Antwerp
byBarry Kooij
 

Recently uploaded

PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PPTX
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
"Towards React Server Components in Clojure", Roman Liutikov
byFwdays
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 

Best Practices for Building WordPress Applications

  • 1.
  • 2.
    Who Am I? •My name is Taylor Lovett • VP of Engineering at 10up • WordPress plugin creator and core contributor • Open source community member @tlovett12
  • 3.
  • 4.
  • 5.
    C A CH I N G
  • 6.
    Redis as aPersistent Object Cache • WP lets you drop in a custom object cache. • Redis lets you store things in memory for fast read/writes • Redis offers built in failover features that make it easier to scale than Memcached https://wordpress.org/plugins/wp-redis/
  • 7.
    Page Caching • Pagecaching is the act of caching entire rendered HTML pages. • Pages can be stored in the object cache avoiding database queries entirely. https://wordpress.org/plugins/batcache/
  • 8.
    Fragment Caching • Alloutput involving a database read on the front end should be fragment cached aside from the main WP query. • For example, generated HTML from a feature post carousel should be cached since it uses a WP_Query
  • 9.
    Remote Calls • Remoteblocking calls can be a huge performance bottleneck • Cache remote calls as long as possible • Utilize non-blocking remote requests wherever possible
  • 10.
    Prime Cache Asynchronously • Don’tmake the user wait for a cache to be primed. • Re-prime after invalidation • Cleverly prime cached data asynchronously (async transients, cron, non-blocking AJAX, job queue, etc.) https://github.com/10up/Async-Transients
  • 11.
    admin-ajax.php • Admin-ajax.php isfor admin use only. It is not cached as aggressively as the front end. Page caching will not work.
  • 12.
    Off the ShelfCaching Plugins • Can be difficult to install and even more difficult to remove. • Created for the general public and often bloated with features. • Keep it simple.
  • 13.
    D A TA B A S E R E A D S A N D W R I T E S
  • 14.
    Avoid Front EndWrites • Database writes are slow • Avoid race conditions • Page caching makes them unreliable.
  • 15.
    Understand WP_Query Parameters • 'no_found_rows'=> true: Tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database query. • 'update_post_meta_cache' => false: useful when post meta will not be utilized. • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized. • 'fields' => 'ids': useful when only the post IDs are needed. Avoids lots of extra preparation.
  • 16.
    Understand WP Query Parameters •‘posts_per_page’ => ‘…’: Sets the query limit to something other than -1 • ‘post__not_in’: Tells MySQL to run a NOT IN query which is inherently slow. Try to avoid.
  • 17.
    Understand WP Query Parameters newWP_Query( array( 'no_found_rows' => true, 'fields' => 'ids', 'update_post_meta_cache' => false, 'update_post_term_cache' => false, 'posts_per_page' => 100, ) );
  • 18.
    Autoloading Options • update_option()and add_option() take a 3rd parameter $autoload. • If you don’t need an option on every request, specify false for $autoload.
  • 19.
    Job Queues forHeavy Lifting • For intense database or remote call activity such as a generating reports, expensive API calls, ingesting content, etc, use a job queue. • WP Minions - https://github.com/10up/wp- minions
  • 20.
    S E AR C H A N D C O M P L E X Q U E R I E S
  • 21.
    Elasticsearch/ElasticPre ss • ElasticPress empowersyou to execute complex queries fast. • E.g. multidimensional taxonomy queries, multidimensional meta queries, etc. • On large databases, these types of queries are not feasible in MySQL. https://github.com/10up/ElasticPress
  • 22.
    Elasticsearch/ElasticPre ss • ElasticPress isalso a toolbox for vastly improving the search experience. • E.g. searching associated terms/meta, author search, autosuggest, geolocation, custom weightings, etc. https://github.com/10up/ElasticPress
  • 23.
    M A IN T A I N A B I L I T Y A N D S T A B I L I T Y
  • 24.
    Maintainable Code Improves Stability •Easily maintainable and extendible code bases are less susceptible to bugs. • Bugs in maintainable code are solved quicker • New features are more easily created in maintainable code. • Happy engineers are more productive (often overlooked).
  • 25.
    Modern PHP Design Patterns •WordPress core is backwards compatible with PHP 5.2.4 (WP 5.2 will up minimum version to 5.6) • Your project does not need to be constrained by incredibly outdated software • Traits, composer, namespaces, etc.
  • 26.
    Don’t Obsess Over MVCPHP • MVC (model, view, and controller) is a great pattern in many situations. • WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
  • 27.
    Feature Plugins • Groupdistinct pieces of functionality into plugins as much as possible. • This separation simplifies deployments and enables you to reuse functionality on other projects. • Opt-in to functionality through usage of hooks
  • 28.
    Documentation • Properly documentedcode is more quickly fixed and iterated upon • Make documentation a part of your code review process • PHP Documentation Standards: https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/php/ • JS Documentation Standards: https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/javascript/
  • 29.
    Wrapping Wrappers • WordPresshas a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc. • Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
  • 30.
    Write Tests • Unittests • WP Mock - https://github.com/10up/wp_mock • Acceptance Tests • WP Acceptance - https://github.com/10up/wpacceptance • Tests improve quality and stability through identification of issues. Decrease regression
  • 31.
    Linting • Enforce lintingrules. This keeps your code clean and makes it more maintainable. • PHPCS Rules - https://github.com/10up/phpcs- composer • ESLint Config - https://github.com/10up/eslint- config
  • 32.
    Manage Dependencies with Composer •Manage plugins, themes, and WordPress with composer when possible. • This forces updates to be more deliberate and ensures everyone is running the same versions of dependencies. • Disable plugin install/updates in the WP dashboard. • See https://10up.github.io/Engineering-Best- Practices/structure/#dependencies
  • 33.
    Manage Dependencies with Composer |-composer.json _________ # Define dependencies |- wp-config.php _________ # WordPress configuration |- wp/ ___________________ # Composer install WordPress here |- wp-content/ ___________ # Composer dependencies | |- themes/ ____________ # Themes directory | |- plugins/ ___________ # Plugins directory
  • 34.
    S E CU R I T Y
  • 35.
    Clean Input • Validate/sanitizedata being inserted into the database to strip anything harmful.
  • 36.
    Clean Input if (! empty( $_POST['option'] ) ) { update_post_meta( $post_id, 'option_key', true ); } else { delete_post_meta( $post_id, 'option_key' ); } update_post_meta( $post_id, 'key_name', sanitize_text
  • 37.
    Secure Output • Escapedata that is printed to the screen • Escape data as late as possible • Check out the esc_* functions in the codex. https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
  • 38.
    Nonces • Ensure intentof important actions (database modifications) by associating them with a nonce • wp_create_nonce(), wp_verify_nonce(), wp_nonce_field()
  • 39.
    Nonces <form> <?php wp_nonce_field( 'prefix-form-action','nonc ... </form> if ( empty( $_POST['nonce_field'] || wp_verify_nonce( $_POST['nonce_field'], 'prefix- form-action' ) { return false; }
  • 40.
    Limit Login Attempts •Limit max number of login attempts to prevent password guessing.
  • 41.
    Require Strong Passwords • Weakpasswords are one of the most common ways attackers exploit websites. • Require your users create strong passwords. There are a few great plugins that do this automatically.
  • 42.
    T H IR D P A R T Y C O D E
  • 43.
    Review Code Over 40,000community plugins • Plugins reviewed before submission • Plugin revisions not reviewed • Review guidelines not geared for high traffic
  • 44.
    Review Code Thousands ofcommunity themes • More stringent review guidelines than plugins • Review guidelines not geared for high traffic • Performance not measured
  • 45.
    T E AM S
  • 46.
    Workflows • Keeping trackof code history with version control is critical. At 10up, we use GitLab. • https://gitlab.com • Mandate workflow at the start of project to keep everyone on the same page. • 10up’s workflow in detail: https://10up.github.io/Engineering-Best- Practices/version-control/#workflows
  • 47.
    Internal Code Reviews •Code reviews help ensure performance, security, maintainability, and scalability • Engineers improve skills by reviewing and receiving reviews. • All code should be reviewed by someone who didn’t write it.
  • 48.
    Continuous Integration • At10up we use GitLab and a variety of tools for continuous integration. • When merge requests are opened against master, those changes are tested automatically (unit tests, acceptance tests, syntax error checks, vulnerability database comparison, virus scan, etc.)
  • 49.
    WP Snapshots • WPSnapshots is a tool that empowers teams to share codebases (database and files) quickly. It makes on boarding new engineers much faster. • https://github.com/10up/wpsnapshots
  • 50.
    Q U ES T I O N S ? @ T L O V E T T 1 2 T A Y L O R . L O V E T T @ 1 0 U P . C O M