Best Practices for Building WordPress Applications
Redis as a Persistent
• WP lets you drop in a custom object cache.
• Redis lets you store things in memory for fast
• Redis offers built-in failover features that make it easier to scale than Memcached
• Page caching is the act of caching entire rendered HTML pages.
• Pages can be stored in the object cache, avoiding database queries entirely.
• All output involving a database read on the front end should be fragment cached, aside from the main WP query.
• For example, generated HTML from a feature post carousel should be cached since it uses a
• Remote blocking calls can be a huge
• Cache remote calls as long as possible
• Utilize non-blocking remote requests wherever
• Don’t make the user wait for a cache to be
• Re-prime after invalidation
• Cleverly prime cached data asynchronously (async transients, cron, non-blocking AJAX, job
• admin-ajax.php is for admin use only. It is not cached as aggressively as the front end; page caching will not work.
Off the Shelf Caching
• Can be difficult to install and even more difficult
• Created for the general public and often bloated
• Keep it simple.
Avoid Front End Writes
• Database writes are slow
• Avoid race conditions
• Page caching makes them unreliable.
Understand WP Query
• 'no_found_rows' => true: tells WordPress not to pass SQL_CALC_FOUND_ROWS to the database
• 'update_post_meta_cache' => false: useful when post meta will not be utilized.
• 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized.
• 'fields' => 'ids': useful when only the post IDs are needed. Avoids lots of extra preparation.
• 'posts_per_page' => '…': sets the query limit to something other than -1
• 'post__not_in': tells MySQL to run a NOT IN query, which is inherently slow. Try to avoid.
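As an added example (not code from the slides or from 10up), the fragment-cached featured-post carousel the caching slides describe, built with the WP_Query flags just listed. It assumes a persistent object cache such as the Redis drop-in is installed, and the 'featured' meta key, cache group and function names are made up:

```php
<?php
// Added example, not from the slides. Assumes a persistent object cache (e.g. the
// Redis drop-in) so wp_cache_* survives between requests, and a hypothetical
// 'featured' post meta flag that marks carousel posts.

const EXAMPLE_CAROUSEL_KEY   = 'featured_carousel_html';
const EXAMPLE_CAROUSEL_GROUP = 'example_fragments';

// Build the fragment. This is the only place the database is read.
function example_build_featured_carousel() {
	$query = new WP_Query( array(
		'post_type'              => 'post',
		'post_status'            => 'publish',
		'posts_per_page'         => 5,     // a real limit, never -1
		'meta_key'               => 'featured',
		'meta_value'             => '1',
		'no_found_rows'          => true,  // no pagination, so skip SQL_CALC_FOUND_ROWS
		'update_post_meta_cache' => false, // no post meta is read below
		'update_post_term_cache' => false, // no taxonomy terms are read below
		// 'fields' => 'ids' is deliberately omitted: titles and permalinks need
		// full post objects, and fetching them one by one would undo the saving.
	) );

	$html = '<ul class="featured-carousel">';
	foreach ( $query->posts as $post ) {
		$html .= sprintf(
			'<li><a href="%s">%s</a></li>',
			esc_url( get_permalink( $post ) ),
			esc_html( get_the_title( $post ) )
		);
	}
	return $html . '</ul>';
}

// Front-end read path: serve the cached fragment; build it only on a miss.
function example_get_featured_carousel() {
	$html = wp_cache_get( EXAMPLE_CAROUSEL_KEY, EXAMPLE_CAROUSEL_GROUP );
	if ( false === $html ) {
		$html = example_build_featured_carousel();
		wp_cache_set( EXAMPLE_CAROUSEL_KEY, $html, EXAMPLE_CAROUSEL_GROUP, DAY_IN_SECONDS );
	}
	return $html; // already escaped; echo directly in the template
}

// Re-prime after invalidation: rebuild in the editor's admin request when a post is
// saved, so no front-end visitor ever waits for the query.
add_action( 'save_post_post', function () {
	wp_cache_set( EXAMPLE_CAROUSEL_KEY, example_build_featured_carousel(), EXAMPLE_CAROUSEL_GROUP, DAY_IN_SECONDS );
} );
```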
• update_option() and add_option() take a 3rd
• If you don’t need an option on every request, specify false for $autoload.
Job Queues for Heavy
• For intense database or remote call activity such as generating reports, expensive API calls, ingesting content, etc., use a job queue.
• WP Minions - https://github.com/10up/wp-
• ElasticPress empowers you to execute complex
• E.g. multidimensional taxonomy queries, multidimensional meta queries, etc.
• On large databases, these types of queries are not feasible in MySQL.
• ElasticPress is also a toolbox for vastly improving the search experience.
• E.g. searching associated terms/meta, author search, autosuggest, geolocation, custom
Maintainability and Stability
Maintainable Code Improves
• Easily maintainable and extendible code bases are less susceptible to bugs.
• Bugs in maintainable code are solved quicker
• New features are more easily created in
• Happy engineers are more productive (often
Modern PHP Design
• WordPress core is backwards compatible with PHP 5.2.4 (WP 5.2 will up minimum version to
• Your project does not need to be constrained by incredibly outdated software
• Traits, Composer, namespaces, etc.
Don’t Obsess Over
• MVC (model, view, and controller) is a great pattern in many situations.
• WordPress is inherently not object oriented. We find that forcing MVC with tools like Twig ultimately leads to more confusing code that is harder to maintain.
• Group distinct pieces of functionality into plugins as much as possible.
• This separation simplifies deployments and enables you to reuse functionality on other
• Opt-in to functionality through usage of hooks
• Properly documented code is more quickly fixed and
• Make documentation a part of your code review process
• PHP Documentation Standards:
• JS Documentation Standards:
• WordPress has a very rich, easy to use API with ways to create posts, send HTTP requests, create metaboxes, etc.
• Creating wrappers around these core APIs more often than not just results in a layer of confusing code and another library to memorize.
• Unit tests
• WP Mock - https://github.com/10up/wp_mock
• Acceptance Tests
• WP Acceptance -
• Tests improve quality and stability through identification of issues. Decrease regression
• Enforce linting rules. This keeps your code clean and makes it more maintainable.
• PHPCS Rules - https://github.com/10up/phpcs-
• ESLint Config - https://github.com/10up/eslint-
Manage Dependencies with
• Manage plugins, themes, and WordPress with Composer when possible.
• This forces updates to be more deliberate and ensures everyone is running the same versions of
• Disable plugin install/updates in the WP dashboard.
• See https://10up.github.io/Engineering-Best-
• Escape data that is printed to the screen
• Escape data as late as possible
• Check out the esc_* functions in the Codex.
• Ensure intent of important actions (database modifications) by associating them with a nonce
• wp_create_nonce(), wp_verify_nonce(),
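An added example (not the slides' code) of the two points above: a nonce that ties a settings write to the action the user intended, a capability check alongside it, and escaping applied at the last moment before output. The option name 'example_banner_text', the action name 'example_save_banner' and the function names are made up:

```php
<?php
// Added example, not from the slides. The option 'example_banner_text', the action
// 'example_save_banner' and the function names are made up for illustration.

// Admin form. Nothing is escaped before this point; escaping happens where it is printed.
function example_render_banner_form() {
	$current = get_option( 'example_banner_text', '' );
	$nonce   = wp_create_nonce( 'example_save_banner' ); // bound to this action and user
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_save_banner">
		<input type="hidden" name="_wpnonce" value="<?php echo esc_attr( $nonce ); ?>">
		<label>Banner text
			<input type="text" name="banner_text" value="<?php echo esc_attr( $current ); ?>">
		</label>
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

// Handler for the database write: prove intent (nonce) and authority (capability) first.
function example_handle_banner_save() {
	$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'example_save_banner' ) ) {
		wp_die( 'The request has expired or did not come from this site.', '', 403 );
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change this setting.', '', 403 );
	}
	$text = isset( $_POST['banner_text'] )
		? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
		: '';
	// Autoload stays on (the default): the banner is read on every front-end request.
	update_option( 'example_banner_text', $text );

	wp_safe_redirect( admin_url( 'options-general.php' ) );
	exit;
}
add_action( 'admin_post_example_save_banner', 'example_handle_banner_save' );

// Front-end output: the stored value is escaped as late as possible, at echo time.
function example_render_banner() {
	$text = get_option( 'example_banner_text', '' );
	if ( '' !== $text ) {
		echo '<div class="site-banner">' . esc_html( $text ) . '</div>';
	}
}
```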
Limit Login Attempts
• Limit max number of login attempts to prevent
• Weak passwords are one of the most common ways attackers exploit websites.
• Require your users create strong passwords. There are a few great plugins that do this
• Keeping track of code history with version control is critical. At 10up, we use GitLab.
• Mandate a workflow at the start of a project to keep everyone on the same page.
• 10up’s workflow in detail:
Internal Code Reviews
• Code reviews help ensure performance, security, maintainability, and scalability
• Engineers improve skills by reviewing and
• All code should be reviewed by someone who didn’t write it.
• At 10up we use GitLab and a variety of tools for
• When merge requests are opened against master, those changes are tested automatically (unit tests, acceptance tests, syntax error checks, vulnerability database comparison, virus scan,
• WP Snapshots is a tool that empowers teams to share codebases (database and files) quickly. It makes onboarding new engineers much faster.
Questions?
@tlovett12
taylor.lovett@10up.co