Do’s and don’ts of WordPress theme development
With WordPress theme development there is almost always more than one way to accomplish a given task. These quick tips will help you develop themes the correct way. They are meant to be "quick tips", so I won't go into a lot of detail; wherever possible I have linked to the WordPress documentation, which is one of the best resources available for theme development.
Don’t hack the core
Rule number one of any development within WordPress: do not hack or modify the core! This might seem obvious, but there are so many "quick fixes" around the Internet that it's difficult to know which advice to follow.
If you find yourself needing to hack the core, you are most likely doing something wrong. If you feel the core genuinely needs to be modified, submit a patch on WordPress Trac; that way other developers can review it and, if it's beneficial, it may be added to the core.
Here are some reasons why you shouldn’t modify the core:
- Each update released for WordPress will overwrite your changes; you will have to manually re-add these each time
- The changes you make could break plugins or other aspects of WordPress
- Your change could pose a security risk to the website
Almost 90% of the time there will be a hook or action that lets you modify the functionality you require. Take a look at the WordPress Action Reference, or for a more complete list browse the WordPress Hooks Database.
Do enqueue scripts and styles
This is bad:
```php
function my_script() { ?>
    <script type="text/javascript" src="<?php bloginfo('template_url'); ?>/js/script.js"></script>
<?php }
add_action('init', 'my_script');
```
This is good:
```php
function my_script() {
    // Load a script that depends on jQuery; WordPress resolves the dependency order
    wp_enqueue_script('custom-script', get_template_directory_uri() . '/js/script.js', array('jquery'));
}
add_action('wp_enqueue_scripts', 'my_script');
```
Letting WordPress handle the queuing of files ensures that they are loaded at the correct time, along with the dependencies the file requires. Printing resources directly from the init action is bad for several reasons: firstly, there is no check whether the file has already been loaded; secondly, the scripts and styles will be loaded on every page because init runs on every request; thirdly, the file could conflict with other plugins. Page load time is also reduced, as an enqueued file is only loaded on the pages where it is needed. More information can be found on the WordPress function reference page.
Do use WordPress core options
Core options are easy to integrate into your theme, but aren't used often enough. One simple change you can make to your theme is to use the date_format option in place of any custom date/time formatting. For example, you can easily use the user's preferred date/time format on comments:
Before:
```php
the_time('F jS, Y');
```
After:
```php
the_time( get_option( 'date_format' ) );
```
This simple change lets your users have more control over how their theme should look, without requiring you to hardcode the format in yourself.
See the full list of theme options on the option reference.
Don’t hardcode URLs
For obvious reasons, don't hardcode URLs into your theme; always use the functions available to you, most commonly:
```php
get_bloginfo('template_url');
```
Do use nonces for form validation
Nonces (number used once) are a great way to validate that a submitted form came from where you expected it to. Nonces are regenerated when the page is refreshed, so this can help with duplicate submissions.
They are extremely useful for protecting against Cross-Site Request Forgery (CSRF) when performing a sensitive action, such as deleting a post. You can create and verify a nonce using the following two simple functions (wp_verify_nonce takes the submitted nonce value first and the action name second):
```php
$nonce = wp_create_nonce('my_theme_nonce');
wp_verify_nonce($nonce, 'my_theme_nonce');
```
An introduction to nonces can be found on Pippins plugins and on WordPress codex.
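As an added example (not code from the original post), here is a theme-handled "delete post" form with the nonce issued in the form and checked before the action runs. The hook, action name and field names are assumptions chosen for the example.

```php
<?php
// Added example, not from the original post. The action name 'my_theme_delete_post',
// the field name 'my_theme_nonce' and the admin-post.php handler are assumptions.

// Render the form: wp_nonce_field() emits a hidden input containing a nonce
// tied to the action name plus a hidden referer field.
function my_theme_delete_post_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_theme_delete_post">
        <input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>">
        <?php wp_nonce_field( 'my_theme_delete_post', 'my_theme_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

// Handle the submission. wp_verify_nonce() takes the submitted value first and
// the action name second; it returns false for a missing, forged or expired
// nonce, and 1 or 2 for a valid one.
function my_theme_handle_delete_post() {
    $nonce = isset( $_POST['my_theme_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['my_theme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'my_theme_delete_post' ) ) {
        wp_die( 'Invalid or expired request, please go back and try again.', 403 );
    }

    // A nonce proves the request came from your form; it does not prove the
    // user is allowed to perform the action, so still check capabilities.
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this post.', 403 );
    }

    wp_trash_post( $post_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_my_theme_delete_post', 'my_theme_handle_delete_post' );
```

Both the nonce check and the capability check are needed: the nonce stops a cross-site forgery, the capability check stops a logged-in user acting beyond their role.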
Don’t use plain text emails
To help prevent harvesting by spam bots, it's a good idea to output email addresses as HTML entities rather than as plain text, which spam bots can easily scrape.
Fortunately WordPress has a built-in function to take care of this, antispambot:
```php
echo antispambot('email@example.com');
```
For more details refer to the antispambot page on WordPress.