TL
Uploaded byTaylor Lovett
PDF, PPTX12,273 views

Best Practices for WordPress

This document provides best practices for WordPress development including caching, database reads/writes, search, browser performance, maintainability, security, third party code, and teams. It recommends using Redis for caching, understanding WP_Query parameters, writing modular feature plugins, thorough documentation, testing, sanitizing inputs, using nonces, and conducting internal code reviews.

Embed presentation

Download as PDF, PPTX
Best Practices for WordPress
Who Am I? • My name is Taylor Lovett • Director of Web Engineering at 10up • WordPress plugin creator and core contributor • Open source community member @tlovett12
10up is hiring! @tlovett12 taylor.lovett@10up.com
https://10up.github.io/Engineering-Best-Practices/
C A C H I N G
Redis as a Persistent Object Cache • WP lets you drop in a custom object cache. • Redis lets you store things in memory for fast read/writes • Redis offers built in failover features that make it easier to scale than Memcached https://wordpress.org/plugins/wp-redis/
Page Caching • Page caching is the act of caching entire rendered HTML pages. • Pages can be stored in the object cache avoiding database queries entirely https://wordpress.org/plugins/batcache/
Fragment Caching • All output involving a database read on the front end should be fragment cached aside from the main WP query. • For example, generated HTML from a feature post carousel should be cached since it uses a WP_Query
Remote Calls • Remote blocking calls can be a huge performance bottleneck • Cache remote calls as long as possible • Utilize non-blocking remote requests wherever possible
Prime Cache Asynchronously • Don’t make the user wait for a cache to be primed. • Re-prime after invalidation • Cleverly prime cached data asynchronously (cron, non-blocking AJAX, etc.) https://github.com/10up/Async-Transients
admin-ajax.php • Admin-ajax.php is for admin use only. It is not cached as aggressively as the front end. Page caching will not work.
Off the Shelf Caching Plugins • Can be difficult to install and even more difficult to remove. • Created for the general public and often bloated with features. • Keep it simple.
D ATA B A S E R E A D S A N D W R I T E S
Avoid Front End Writes • Database writes are slow • Avoid race conditions • Page caching makes them unreliable. • If you really need to write data on the front end, use AJAX.
Understand WP_Query Parameters • 'no_found_rows' => true: Tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database query. • 'update_post_meta_cache' => false: useful when post meta will not be utilized. • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized. • 'fields' => 'ids': useful when only the post IDs are needed (less typical). Avoids lots of extra preparation.
Understand WP Query Parameters • ‘posts_per_page’ => ‘…’: Sets the query limit to something other than -1 • ‘post__not_in’: Tells MySQL to run a NOT IN query which is inherently slow. Try to avoid.
Understand WP Query Parameters new WP_Query( array( 'no_found_rows' => true, 'fields' => 'ids', 'update_post_meta_cache' => false, 'update_post_term_cache' => false, 'posts_per_page' => 100, ) );
Autoloading Options • update_option() and add_option() take a 3rd parameter $autoload. • If you don’t need an option on every request, specify false for $autoload.
S E A R C H
Elasticsearch/ElasticPress • If you receive a lot of search traffic, use Elasticsearch and ElasticPress. • Search queries can be very taxing on MySQL https://github.com/10up/ElasticPress
B R O W S E R P E R F O R M A N C E
Use a CDN • CDN’s enable you to serve static assets from servers closer to your visitors while reducing load on your web server(s). • CDN recommendation is very unique to each project.
Reduce the Number and Size of HTTP Requests • Minify JS and CSS files • Concatenate JS and CSS files • Optimize images • HTTP 2?
M A I N TA I N A B I L I T Y A N D S TA B I L I T Y
Maintainable Code Improves Stability • Easily maintainable and extendible code bases are less susceptible to bugs. • Bugs in maintainable code are solved quicker • New features are more easily created in maintainable code. • Happy engineers are more productive (often overlooked).
Modern PHP Design Patterns • WordPress core is backwards compatible with PHP 5.2.4. • Your project does not need to be constrained by incredibly outdated software • Namespaces, traits, composer, etc.
Don’t Obsess Over MVC PHP • MVC (model, view, and controller) is a great pattern in many situations. • WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
Modern JS Design Patterns • CommonJS • ES6-7 • Write modular code with tools like Webpack and Browserify • React
Feature Plugins • Group distinct pieces of functionality into plugins as much as possible. • This separation simplifies deployments and enables you to reuse functionality on other projects. • Opt-in to functionality through usage of hooks
Documentation • Properly documented code is more quickly fixed and iterated upon • Make documentation a part of your code review process • PHP Documentation Standards: 
 https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/php/ • JS Documentation Standards:
 https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/javascript/

Wrapping Wrappers • WordPress has a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc. • Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
Write Tests • PHPUnit for PHP • Core unit testing framework and WP Mock - https://github.com/10up/wp_mock • Mocha for JavaScript • Tests improve quality and stability through identification of issues. Decrease regression
S E C U R I T Y
Clean Input • Validate/sanitize data being inserted into the database to strip anything harmful.
Clean Input if ( ! empty( $_POST['option'] ) ) {
 update_post_meta( $post_id, 'option_key', true ); } else { delete_post_meta( $post_id, 'option_key' ); } update_post_meta( $post_id, 'key_name', sanitize_text_field( $_POST['description'] ) );
Secure Output • Escape data that is printed to the screen • Escape data as late as possible • Check out the esc_* functions in the codex. https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
Secure Output <section> <?php echo esc_html( get_post_meta( get_the_ID(), 'key_name', true ) ); ?> </section> <section class="<?php echo esc_attr( get_post_meta( get_the_ID(), 'key_name', true ) ); ?>"> ... </section>
innerHTML and jQuery Selectors • Don’t insert arbitrary data into innerHTML or jQuery selectors.
innerHTML and jQuery Selectors document.getElementsByClassName( 'class-name' ) [0].innerText = textString; var node = document.createElement( 'div' ); node.innerText = textString; document.getElementsByClassName( 'class-name' ) [0].appendChild( node ); jQuery( '.class-name-' + parseInt( index ) );
Nonces • Ensure intent of important actions (database modifications) by associating them with a nonce • wp_create_nonce(), wp_verify_nonce(), wp_nonce_field()
Nonces <form> <?php wp_nonce_field( 'prefix-form-action', 'nonce_field' ); ?> ... </form> if ( empty( $_POST['nonce_field'] || wp_verify_nonce( $_POST['nonce_field'], 'prefix- form-action' ) { return false; }
Limit Login Attempts • Limit max number of login attempts to prevent password guessing.
Require Strong Passwords • Weak passwords are one of the most common ways attackers exploit websites. • Require your users create strong passwords. There are a few great plugins that do this automatically.
T H I R D PA RT Y C O D E
Review Every Line of Code Over 40,000 community plugins • Plugins reviewed before submission • Plugin revisions not reviewed • Review guidelines not geared for high traffic
Review Every Line of Code Thousands of community themes • More stringent review guidelines than plugins • Review guidelines not geared for high traffic • Performance not measured
Understand Your Librarys • jQuery, Underscores, etc. are helpful tools but should not be used blindly. There is no substitute for a solid understand of JavaScript. • Encouraging engineers to understand the libraries they are using will improve overall code quality and decrease bugs.
T E A M S
Workflows • Keeping track of code history with version control is critical. • Mandate workflow at the start of project to keep everyone on the same page. • Use descriptive commit messages • Gitflow: http://nvie.com/posts/a-successful-git- branching-model/
Internal Code Reviews • Code reviews help ensure performance, security, maintainability, and scalability • Engineers improve skills by reviewing and receiving reviews.
Q U E S T I O N S ? @ T L O V E T T 1 2 TAY L O R . L O V E T T @ 1 0 U P. C O M TAY L O R L O V E T T. C O M

More Related Content

PDF
You Got React.js in My PHP
byTaylor Lovett
 
PPTX
Best Practices for Building WordPress Applications
byTaylor Lovett
 
PDF
Isomorphic WordPress Applications with NodeifyWP
byTaylor Lovett
 
PPTX
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
PPTX
Saving Time with WP-CLI
byTaylor Lovett
 
PDF
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
PDF
JSON REST API for WordPress
byTaylor Lovett
 
PDF
Transforming WordPress Search and Query Performance with Elasticsearch
byTaylor Lovett
 
You Got React.js in My PHP
byTaylor Lovett
 
Best Practices for Building WordPress Applications
byTaylor Lovett
 
Isomorphic WordPress Applications with NodeifyWP
byTaylor Lovett
 
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
Saving Time with WP-CLI
byTaylor Lovett
 
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
JSON REST API for WordPress
byTaylor Lovett
 
Transforming WordPress Search and Query Performance with Elasticsearch
byTaylor Lovett
 

What's hot

PDF
Fluxible
byTaylor Lovett
 
PDF
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
PDF
Unlocking the Magical Powers of WP_Query
byDustin Filippini
 
PDF
Here Be Dragons - Debugging WordPress
byRami Sayar
 
PPT
SenchaCon 2016: LinkRest - Modern RESTful API Framework for Ext JS Apps - Rou...
bySencha
 
PDF
JSON REST API for WordPress
byTaylor Lovett
 
PDF
Introduction to CQ5
byMichele Mostarda
 
PPTX
Caching, Scaling, and What I've Learned from WordPress.com VIP
byErick Hitter
 
PPTX
Enhance WordPress Search Using Sphinx
byRoshan Bhattarai
 
PDF
Adobe AEM CQ5 - Developer Introduction
byYash Mody
 
PDF
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
PDF
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
PDF
OpenERP and Perl
byOpusVL
 
PDF
Perl in the Real World
byOpusVL
 
PDF
PowerShell for SharePoint Developers
byBoulos Dib
 
PPTX
SenchaCon 2016: The Modern Toolchain - Ross Gerbasi
bySencha
 
PPTX
Piecing Together the WordPress Puzzle
byBusiness Vitality LLC
 
PDF
SSDs are Awesome
byBarry Abrahamson
 
PPTX
SenchaCon 2016: Learn the Top 10 Best ES2015 Features - Lee Boonstra
bySencha
 
PDF
High Performance WordPress II
byBarry Abrahamson
 
Fluxible
byTaylor Lovett
 
Modernizing WordPress Search with Elasticsearch
byTaylor Lovett
 
Unlocking the Magical Powers of WP_Query
byDustin Filippini
 
Here Be Dragons - Debugging WordPress
byRami Sayar
 
SenchaCon 2016: LinkRest - Modern RESTful API Framework for Ext JS Apps - Rou...
bySencha
 
JSON REST API for WordPress
byTaylor Lovett
 
Introduction to CQ5
byMichele Mostarda
 
Caching, Scaling, and What I've Learned from WordPress.com VIP
byErick Hitter
 
Enhance WordPress Search Using Sphinx
byRoshan Bhattarai
 
Adobe AEM CQ5 - Developer Introduction
byYash Mody
 
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
Supercharging WordPress Development - Wordcamp Brighton 2019
byAdam Tomat
 
OpenERP and Perl
byOpusVL
 
Perl in the Real World
byOpusVL
 
PowerShell for SharePoint Developers
byBoulos Dib
 
SenchaCon 2016: The Modern Toolchain - Ross Gerbasi
bySencha
 
Piecing Together the WordPress Puzzle
byBusiness Vitality LLC
 
SSDs are Awesome
byBarry Abrahamson
 
SenchaCon 2016: Learn the Top 10 Best ES2015 Features - Lee Boonstra
bySencha
 
High Performance WordPress II
byBarry Abrahamson
 

Viewers also liked

PPTX
What You Missed in Computer Science
byTaylor Lovett
 
PDF
Wordpress search-elasticsearch
byTaylor Lovett
 
PPTX
The JSON REST API for WordPress
byTaylor Lovett
 
PDF
Updating WordPress Themes, Plugins, and Core Safely
byAngela Bowman
 
PPTX
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 
PDF
Security Webinar: Harden the Heart of Your WordPress SiteSe
byWP Engine
 
What You Missed in Computer Science
byTaylor Lovett
 
Wordpress search-elasticsearch
byTaylor Lovett
 
The JSON REST API for WordPress
byTaylor Lovett
 
Updating WordPress Themes, Plugins, and Core Safely
byAngela Bowman
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 
Security Webinar: Harden the Heart of Your WordPress SiteSe
byWP Engine
 

Similar to Best Practices for WordPress

PDF
Best practices-wordpress-enterprise
byTaylor Lovett
 
PDF
Important Topics for wordPress Interview.pdf
byprepmagic3
 
PDF
23 Ways To Speed Up WordPress
byZero Point Development
 
PDF
Plugin Development @ WordCamp Norway 2014
byBarry Kooij
 
PDF
WordPress Architecture for Tech-Savvy Managers
byMario Peshev
 
PPTX
WCBos13 intermediate workshop
byBoston WordPress
 
PPT
WordPress Harrisburg Meetup - Best Practices
byryanduff
 
PPTX
A crash course in scaling wordpress
byGovLoop
 
PPTX
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
byWordPress Trivandrum
 
PPTX
Level Up: 5 Expert Tips for Optimizing WordPress Performance
byPantheon
 
PDF
Mastering the Art of WordPress: 13 Years of Advanced Tips and Tricks
byStanko Metodiev
 
PDF
eMusic: WordPress in the Enterprise
byScott Taylor
 
PDF
5 Free Ways to Bulletproof Your WordPress Site WordCamp Seattle 2009 Ignite P...
byEric Amundson
 
KEY
Word Camp Ph 2009 Word Press In The Wild
byrebelpixel
 
PDF
Optimizing WordPress for Performance - WordCamp Houston
byChris Olbekson
 
PPTX
WordCamp LA 2014- Writing Code that Scales
bySpectrOMTech.com
 
PDF
Php go vrooom!
byElizabeth Smith
 
PPT
WordCamp Philippines 2009: WordPress In The Wild
byrebelpixel
 
PPTX
Show Me The Cache!
byAndy Melichar
 
PPTX
Php rules
bychristopher mabunda
 
Best practices-wordpress-enterprise
byTaylor Lovett
 
Important Topics for wordPress Interview.pdf
byprepmagic3
 
23 Ways To Speed Up WordPress
byZero Point Development
 
Plugin Development @ WordCamp Norway 2014
byBarry Kooij
 
WordPress Architecture for Tech-Savvy Managers
byMario Peshev
 
WCBos13 intermediate workshop
byBoston WordPress
 
WordPress Harrisburg Meetup - Best Practices
byryanduff
 
A crash course in scaling wordpress
byGovLoop
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
byWordPress Trivandrum
 
Level Up: 5 Expert Tips for Optimizing WordPress Performance
byPantheon
 
Mastering the Art of WordPress: 13 Years of Advanced Tips and Tricks
byStanko Metodiev
 
eMusic: WordPress in the Enterprise
byScott Taylor
 
5 Free Ways to Bulletproof Your WordPress Site WordCamp Seattle 2009 Ignite P...
byEric Amundson
 
Word Camp Ph 2009 Word Press In The Wild
byrebelpixel
 
Optimizing WordPress for Performance - WordCamp Houston
byChris Olbekson
 
WordCamp LA 2014- Writing Code that Scales
bySpectrOMTech.com
 
Php go vrooom!
byElizabeth Smith
 
WordCamp Philippines 2009: WordPress In The Wild
byrebelpixel
 
Show Me The Cache!
byAndy Melichar
 
Php rules
bychristopher mabunda
 

Recently uploaded

PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 

Best Practices for WordPress

  • 1.
  • 2.
    Who Am I? •My name is Taylor Lovett • Director of Web Engineering at 10up • WordPress plugin creator and core contributor • Open source community member @tlovett12
  • 3.
  • 4.
  • 5.
    C A CH I N G
  • 6.
    Redis as aPersistent Object Cache • WP lets you drop in a custom object cache. • Redis lets you store things in memory for fast read/writes • Redis offers built in failover features that make it easier to scale than Memcached https://wordpress.org/plugins/wp-redis/
  • 7.
    Page Caching • Pagecaching is the act of caching entire rendered HTML pages. • Pages can be stored in the object cache avoiding database queries entirely https://wordpress.org/plugins/batcache/
  • 8.
    Fragment Caching • Alloutput involving a database read on the front end should be fragment cached aside from the main WP query. • For example, generated HTML from a feature post carousel should be cached since it uses a WP_Query
  • 9.
    Remote Calls • Remoteblocking calls can be a huge performance bottleneck • Cache remote calls as long as possible • Utilize non-blocking remote requests wherever possible
  • 10.
    Prime Cache Asynchronously •Don’t make the user wait for a cache to be primed. • Re-prime after invalidation • Cleverly prime cached data asynchronously (cron, non-blocking AJAX, etc.) https://github.com/10up/Async-Transients
  • 11.
    admin-ajax.php • Admin-ajax.php isfor admin use only. It is not cached as aggressively as the front end. Page caching will not work.
  • 12.
    Off the ShelfCaching Plugins • Can be difficult to install and even more difficult to remove. • Created for the general public and often bloated with features. • Keep it simple.
  • 13.
    D ATA BA S E R E A D S A N D W R I T E S
  • 14.
    Avoid Front EndWrites • Database writes are slow • Avoid race conditions • Page caching makes them unreliable. • If you really need to write data on the front end, use AJAX.
  • 15.
    Understand WP_Query Parameters •'no_found_rows' => true: Tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database query. • 'update_post_meta_cache' => false: useful when post meta will not be utilized. • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized. • 'fields' => 'ids': useful when only the post IDs are needed (less typical). Avoids lots of extra preparation.
  • 16.
    Understand WP QueryParameters • ‘posts_per_page’ => ‘…’: Sets the query limit to something other than -1 • ‘post__not_in’: Tells MySQL to run a NOT IN query which is inherently slow. Try to avoid.
  • 17.
    Understand WP QueryParameters new WP_Query( array( 'no_found_rows' => true, 'fields' => 'ids', 'update_post_meta_cache' => false, 'update_post_term_cache' => false, 'posts_per_page' => 100, ) );
  • 18.
    Autoloading Options • update_option()and add_option() take a 3rd parameter $autoload. • If you don’t need an option on every request, specify false for $autoload.
  • 19.
    S E AR C H
  • 20.
    Elasticsearch/ElasticPress • If youreceive a lot of search traffic, use Elasticsearch and ElasticPress. • Search queries can be very taxing on MySQL https://github.com/10up/ElasticPress
  • 21.
    B R OW S E R P E R F O R M A N C E
  • 22.
    Use a CDN •CDN’s enable you to serve static assets from servers closer to your visitors while reducing load on your web server(s). • CDN recommendation is very unique to each project.
  • 23.
    Reduce the Numberand Size of HTTP Requests • Minify JS and CSS files • Concatenate JS and CSS files • Optimize images • HTTP 2?
  • 24.
    M A IN TA I N A B I L I T Y A N D S TA B I L I T Y
  • 25.
    Maintainable Code ImprovesStability • Easily maintainable and extendible code bases are less susceptible to bugs. • Bugs in maintainable code are solved quicker • New features are more easily created in maintainable code. • Happy engineers are more productive (often overlooked).
  • 26.
    Modern PHP DesignPatterns • WordPress core is backwards compatible with PHP 5.2.4. • Your project does not need to be constrained by incredibly outdated software • Namespaces, traits, composer, etc.
  • 27.
    Don’t Obsess OverMVC PHP • MVC (model, view, and controller) is a great pattern in many situations. • WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
  • 28.
    Modern JS DesignPatterns • CommonJS • ES6-7 • Write modular code with tools like Webpack and Browserify • React
  • 29.
    Feature Plugins • Groupdistinct pieces of functionality into plugins as much as possible. • This separation simplifies deployments and enables you to reuse functionality on other projects. • Opt-in to functionality through usage of hooks
  • 30.
    Documentation • Properly documentedcode is more quickly fixed and iterated upon • Make documentation a part of your code review process • PHP Documentation Standards: 
 https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/php/ • JS Documentation Standards:
 https://make.wordpress.org/core/handbook/best- practices/inline-documentation-standards/javascript/

  • 31.
    Wrapping Wrappers • WordPresshas a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc. • Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
  • 32.
    Write Tests • PHPUnitfor PHP • Core unit testing framework and WP Mock - https://github.com/10up/wp_mock • Mocha for JavaScript • Tests improve quality and stability through identification of issues. Decrease regression
  • 33.
    S E CU R I T Y
  • 34.
    Clean Input • Validate/sanitizedata being inserted into the database to strip anything harmful.
  • 35.
    Clean Input if (! empty( $_POST['option'] ) ) {
 update_post_meta( $post_id, 'option_key', true ); } else { delete_post_meta( $post_id, 'option_key' ); } update_post_meta( $post_id, 'key_name', sanitize_text_field( $_POST['description'] ) );
  • 36.
    Secure Output • Escapedata that is printed to the screen • Escape data as late as possible • Check out the esc_* functions in the codex. https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
  • 37.
    Secure Output <section> <?php echoesc_html( get_post_meta( get_the_ID(), 'key_name', true ) ); ?> </section> <section class="<?php echo esc_attr( get_post_meta( get_the_ID(), 'key_name', true ) ); ?>"> ... </section>
  • 38.
    innerHTML and jQuerySelectors • Don’t insert arbitrary data into innerHTML or jQuery selectors.
  • 39.
    innerHTML and jQuerySelectors document.getElementsByClassName( 'class-name' ) [0].innerText = textString; var node = document.createElement( 'div' ); node.innerText = textString; document.getElementsByClassName( 'class-name' ) [0].appendChild( node ); jQuery( '.class-name-' + parseInt( index ) );
  • 40.
    Nonces • Ensure intentof important actions (database modifications) by associating them with a nonce • wp_create_nonce(), wp_verify_nonce(), wp_nonce_field()
  • 41.
    Nonces <form> <?php wp_nonce_field( 'prefix-form-action', 'nonce_field'); ?> ... </form> if ( empty( $_POST['nonce_field'] || wp_verify_nonce( $_POST['nonce_field'], 'prefix- form-action' ) { return false; }
  • 42.
    Limit Login Attempts •Limit max number of login attempts to prevent password guessing.
  • 43.
    Require Strong Passwords •Weak passwords are one of the most common ways attackers exploit websites. • Require your users create strong passwords. There are a few great plugins that do this automatically.
  • 44.
    T H IR D PA RT Y C O D E
  • 45.
    Review Every Lineof Code Over 40,000 community plugins • Plugins reviewed before submission • Plugin revisions not reviewed • Review guidelines not geared for high traffic
  • 46.
    Review Every Lineof Code Thousands of community themes • More stringent review guidelines than plugins • Review guidelines not geared for high traffic • Performance not measured
  • 47.
    Understand Your Librarys •jQuery, Underscores, etc. are helpful tools but should not be used blindly. There is no substitute for a solid understand of JavaScript. • Encouraging engineers to understand the libraries they are using will improve overall code quality and decrease bugs.
  • 48.
    T E AM S
  • 49.
    Workflows • Keeping trackof code history with version control is critical. • Mandate workflow at the start of project to keep everyone on the same page. • Use descriptive commit messages • Gitflow: http://nvie.com/posts/a-successful-git- branching-model/
  • 50.
    Internal Code Reviews •Code reviews help ensure performance, security, maintainability, and scalability • Engineers improve skills by reviewing and receiving reviews.
  • 51.
    Q U ES T I O N S ? @ T L O V E T T 1 2 TAY L O R . L O V E T T @ 1 0 U P. C O M TAY L O R L O V E T T. C O M