Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Best Practices for Building WordPress Applications


Published on

Learn about modern best practices for building enterprise-ready WordPress applications.

Published in: Technology
  • Be the first to comment

Best Practices for Building WordPress Applications

  1. 1. Best Practices for WordPress Applications
  2. 2. Who Am I? • My name is Taylor Lovett • VP of Engineering at 10up • WordPress plugin creator and core contributor • Open source community member @tlovett12
  3. 3. 10up is hiring! @tlovett12
  4. 4.
  5. 5. C A C H I N G
  6. 6. Redis as a Persistent Object Cache • WP lets you drop in a custom object cache. • Redis lets you store things in memory for fast read/writes • Redis offers built in failover features that make it easier to scale than Memcached
  7. 7. Page Caching • Page caching is the act of caching entire rendered HTML pages. • Pages can be stored in the object cache avoiding database queries entirely.
  8. 8. Fragment Caching • All output involving a database read on the front end should be fragment cached aside from the main WP query. • For example, generated HTML from a feature post carousel should be cached since it uses a WP_Query
  9. 9. Remote Calls • Remote blocking calls can be a huge performance bottleneck • Cache remote calls as long as possible • Utilize non-blocking remote requests wherever possible
  10. 10. Prime Cache Asynchronously • Don’t make the user wait for a cache to be primed. • Re-prime after invalidation • Cleverly prime cached data asynchronously (async transients, cron, non-blocking AJAX, job queue, etc.)
  11. 11. admin-ajax.php • Admin-ajax.php is for admin use only. It is not cached as aggressively as the front end. Page caching will not work.
  12. 12. Off the Shelf Caching Plugins • Can be difficult to install and even more difficult to remove. • Created for the general public and often bloated with features. • Keep it simple.
  13. 13. D A T A B A S E R E A D S A N D W R I T E S
  14. 14. Avoid Front End Writes • Database writes are slow • Avoid race conditions • Page caching makes them unreliable.
  15. 15. Understand WP_Query Parameters • 'no_found_rows' => true: Tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database query. • 'update_post_meta_cache' => false: useful when post meta will not be utilized. • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized. • 'fields' => 'ids': useful when only the post IDs are needed. Avoids lots of extra preparation.
  16. 16. Understand WP Query Parameters • ‘posts_per_page’ => ‘…’: Sets the query limit to something other than -1 • ‘post__not_in’: Tells MySQL to run a NOT IN query which is inherently slow. Try to avoid.
  17. 17. Understand WP Query Parameters new WP_Query( array( 'no_found_rows' => true, 'fields' => 'ids', 'update_post_meta_cache' => false, 'update_post_term_cache' => false, 'posts_per_page' => 100, ) );
  18. 18. Autoloading Options • update_option() and add_option() take a 3rd parameter $autoload. • If you don’t need an option on every request, specify false for $autoload.
  19. 19. Job Queues for Heavy Lifting • For intense database or remote call activity such as a generating reports, expensive API calls, ingesting content, etc, use a job queue. • WP Minions - minions
  20. 20. S E A R C H A N D C O M P L E X Q U E R I E S
  21. 21. Elasticsearch/ElasticPre ss • ElasticPress empowers you to execute complex queries fast. • E.g. multidimensional taxonomy queries, multidimensional meta queries, etc. • On large databases, these types of queries are not feasible in MySQL.
  22. 22. Elasticsearch/ElasticPre ss • ElasticPress is also a toolbox for vastly improving the search experience. • E.g. searching associated terms/meta, author search, autosuggest, geolocation, custom weightings, etc.
  23. 23. M A I N T A I N A B I L I T Y A N D S T A B I L I T Y
  24. 24. Maintainable Code Improves Stability • Easily maintainable and extendible code bases are less susceptible to bugs. • Bugs in maintainable code are solved quicker • New features are more easily created in maintainable code. • Happy engineers are more productive (often overlooked).
  25. 25. Modern PHP Design Patterns • WordPress core is backwards compatible with PHP 5.2.4 (WP 5.2 will up minimum version to 5.6) • Your project does not need to be constrained by incredibly outdated software • Traits, composer, namespaces, etc.
  26. 26. Don’t Obsess Over MVC PHP • MVC (model, view, and controller) is a great pattern in many situations. • WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
  27. 27. Feature Plugins • Group distinct pieces of functionality into plugins as much as possible. • This separation simplifies deployments and enables you to reuse functionality on other projects. • Opt-in to functionality through usage of hooks
  28. 28. Documentation • Properly documented code is more quickly fixed and iterated upon • Make documentation a part of your code review process • PHP Documentation Standards: practices/inline-documentation-standards/php/ • JS Documentation Standards: practices/inline-documentation-standards/javascript/
  29. 29. Wrapping Wrappers • WordPress has a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc. • Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
  30. 30. Write Tests • Unit tests • WP Mock - • Acceptance Tests • WP Acceptance - • Tests improve quality and stability through identification of issues. Decrease regression
  31. 31. Linting • Enforce linting rules. This keeps your code clean and makes it more maintainable. • PHPCS Rules - composer • ESLint Config - config
  32. 32. Manage Dependencies with Composer • Manage plugins, themes, and WordPress with composer when possible. • This forces updates to be more deliberate and ensures everyone is running the same versions of dependencies. • Disable plugin install/updates in the WP dashboard. • See Practices/structure/#dependencies
  33. 33. Manage Dependencies with Composer |- composer.json _________ # Define dependencies |- wp-config.php _________ # WordPress configuration |- wp/ ___________________ # Composer install WordPress here |- wp-content/ ___________ # Composer dependencies | |- themes/ ____________ # Themes directory | |- plugins/ ___________ # Plugins directory
  34. 34. S E C U R I T Y
  35. 35. Clean Input • Validate/sanitize data being inserted into the database to strip anything harmful.
  36. 36. Clean Input if ( ! empty( $_POST['option'] ) ) { update_post_meta( $post_id, 'option_key', true ); } else { delete_post_meta( $post_id, 'option_key' ); } update_post_meta( $post_id, 'key_name', sanitize_text
  37. 37. Secure Output • Escape data that is printed to the screen • Escape data as late as possible • Check out the esc_* functions in the codex.
  38. 38. Nonces • Ensure intent of important actions (database modifications) by associating them with a nonce • wp_create_nonce(), wp_verify_nonce(), wp_nonce_field()
  39. 39. Nonces <form> <?php wp_nonce_field( 'prefix-form-action', 'nonc ... </form> if ( empty( $_POST['nonce_field'] || wp_verify_nonce( $_POST['nonce_field'], 'prefix- form-action' ) { return false; }
  40. 40. Limit Login Attempts • Limit max number of login attempts to prevent password guessing.
  41. 41. Require Strong Passwords • Weak passwords are one of the most common ways attackers exploit websites. • Require your users create strong passwords. There are a few great plugins that do this automatically.
  42. 42. T H I R D P A R T Y C O D E
  43. 43. Review Code Over 40,000 community plugins • Plugins reviewed before submission • Plugin revisions not reviewed • Review guidelines not geared for high traffic
  44. 44. Review Code Thousands of community themes • More stringent review guidelines than plugins • Review guidelines not geared for high traffic • Performance not measured
  45. 45. T E A M S
  46. 46. Workflows • Keeping track of code history with version control is critical. At 10up, we use GitLab. • • Mandate workflow at the start of project to keep everyone on the same page. • 10up’s workflow in detail: Practices/version-control/#workflows
  47. 47. Internal Code Reviews • Code reviews help ensure performance, security, maintainability, and scalability • Engineers improve skills by reviewing and receiving reviews. • All code should be reviewed by someone who didn’t write it.
  48. 48. Continuous Integration • At 10up we use GitLab and a variety of tools for continuous integration. • When merge requests are opened against master, those changes are tested automatically (unit tests, acceptance tests, syntax error checks, vulnerability database comparison, virus scan, etc.)
  49. 49. WP Snapshots • WP Snapshots is a tool that empowers teams to share codebases (database and files) quickly. It makes on boarding new engineers much faster. •
  50. 50. Q U E S T I O N S ? @ T L O V E T T 1 2 T A Y L O R . L O V E T T @ 1 0 U P . C O M