With 10+ years of industry experience and over 30 WordPress plugins and add-ons under our belts, our team has mastered the art of plugin development. Part of our success is due to our strict adherence to development best practices and guidelines.
In this post, our WordPress plugin developers share some development best practices you should stick to (or make sure your development partner follows) when creating a new plugin. Following these guidelines is essential to building a plugin that meets your quality and performance expectations.
If you need help white-labeling a new WordPress plugin, you can also contact one of our WordPress developers to bring your idea to reality. We’ll scope out your feature requirements, complete the development, perform the quality assurance and deliver a finished product right on schedule! You can also check out our previous blog post on WordPress development best practices for additional tips.
WordPress Plugin Development Best Practices Every Developer Should Follow
Use Version Control
Version control, also known as source control, is the practice of tracking and managing changes to a plugin’s code. Version control systems are software tools that help software teams manage changes to source code over time. As development environments have accelerated, version control systems help software teams work faster and smarter.
It is safe to say that most code in the world resides on either GitLab or GitHub. For plugin development their tag feature can be useful for making certain deployments or releases for later reference.
Namespace Your Plugin
In the PHP world, namespaces work to solve two problems when creating reusable code elements such as classes or functions:
- They allow for better organization by grouping classes that work together to perform a task
- They allow the same name to be used for more than one class
Use Linting Tools
One of the biggest challenges in software development is time. It’s something we can’t easily get more of, but linting can help us make the most out of the time we have. Linting is a code-checking process that looks for errors in the source code, and flags potential bugs.
A linter is a tool that programmatically scans your code with the goal of finding issues that can lead to bugs or inconsistencies with code health and style. Linting tools can significantly help developers to write good quality, optimized code. Most linters use the static code analysis technique, which means the code is checked without being actually executed.
File and Directory Structure
A clear folder structure helps you and others working on your WordPress plugin keep similar files together. Simply keeping an organized file and directory structure can make a huge difference in helping your WordPress development team work efficiently and in organized fashion.
Here’s a sample of folder structure:
Extendable Plugin Development
There are times when, after using a plugin, we find ourselves wishing it did something differently. These unexpected feature requests can at times extend beyond the initial scope of the plugin. However, as a plugin developer you need to carefully decide which features you decide to implement to the code.
Ideally, developers should implement features that serve the majority of the plugin users. Most of the time, the majority of a plugin’s users will only take advantage of about 20% of the features. Therefore, we need to make sure that the features being added are highly requested. Added features should benefit most of your plugin’s users. Otherwise, we risk the plugin becoming too complicated and bloated, ultimately affecting performance — and nobody wants that.
The best way to overcome this issue while leaving room for additional features being added when needed is to make the plugin extensible by providing hooks (actions/filters) at key areas. This way your plugin can be easily extended through additional WordPress plugin development, whether it be to meet a customer’s request or to aid other developers.
In general, these are good areas to add hooks to your WordPress plugin:
- Around and within major processes/events
- When creating output HTML
- For modifying database queries
- Before returning values from functions.
Managing WordPress Nonces
WordPress defines nonces as “a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise.” WordPress nonces aren’t numbers, but a hash made up of numbers and letters. While nonces are not used only once, they do have a limited “lifetime” and expire.
The primary purpose of a nonce is to protect your WordPress website from malicious attacks, such as Cross-Site Request Forgeries (CSRFs). This type of attack tricks users into submitting a form or clicking on a link that is harmful to your website. To protect your site, WordPress checks the nonce value, and only allows the action to complete if that value is correct. If the nonce is invalid, the user’s browser will redirect them to a 403 Forbidden error page. Security is vital to a stable website, and nonces add an extra layer of protection to the site where your custom developed plugin will be installed and running.
Security
Following WordPress Plugin development best practices, the plugin provides the expected features but also keeps the users’ information safe.
In the previous recommendation we discussed the importance of nonces. While creating and implementing nonces enhances site security, there are other security vulnerabilities that need to be taken care of in the process of WordPress plugin development.
Sanitize inputs
Sanitization is the process of cleaning or filtering your input data.
The easiest way to sanitize data is with built-in WordPress functions.
The sanitize_*() series of helper functions provide an effective way to ensure you end up with safe data, and they require minimal effort on your part.
Escape outputs
Escaping is the process of securing output by stripping out unwanted data, like malformed HTML or script tags, preventing this data from being seen as code.There are built in functions within WordPress that can be used.
Secure Database
Maybe you heard that almost all WordPress security problems come from badly-written themes and plugins. There is great responsibility when creating your own plugin. As a plugin developer, you run the risk of creating another security hole, like an ability of SQL-injection.
Please remember these simple tips to stay protected.
- Always use $wpdb to connect MySQL.
- It is required to run $wpdb->query(), $wpdb->get_col(), $wpdb->get_var(), $wpdb->get_row(), $wpdb->get_results() with $wpdb->prepare() !
- On the other hand, $wpdb->insert(), $wpdb->update(), $wpdb->replace(), $wpdb->delete() shouldn’t be wrapped with $wpdb->prepare() because it is already inside them.
Load Required Scripts Only
A plugin can have one or more CSS/JS scripts that need to be loaded for the plugin to function on both front and back end. Yet, it is important that we do not overload the plugin. We add checks to keep script loading only on the required sections. This avoids the scripts loading all over the website.
Overview: WordPress Plugin Development Best Practices
When developing a new WordPress plugin, applying the recommendations above and the WordPress development best practices listed on our previous blog post will help you maximize performance, prevent bugs, and guarantee data security. If you are looking to develop a new WordPress add-on and would like assistance, you can count on our experts to work as your development partners. Just reach out to our experienced WordPress plugin developers to get started scoping out your white-labeling project.