Are you pretty familiar with WordPress by now? Feel like you know all WordPress has to offer yet? Well, after many years of WordPress development, I’m proud to say that I am still discovering new functions I’ve never used before or new capabilities behind functions I thought I knew. Since WordCamp here in New York is this weekend, clearly this is my rushed attempt to get something out there before then. Here are 10 WordPress dev tips before going into WCNYC this year. If you run into me this weekend, I’d love to hear if any of these helped you in some way.
Sanitization, escaping, and validation have become a regular part of my WordPress theme development within the last year. If those words confuse you, don’t worry, I’ve got another draft in my dashboard waiting to be finished. Eventually. 😉
But for those of you that do have a general idea of what these terms mean, perhaps you’ve faced the same nagging questions I had when it came to escaping WordPress template functions. At first, I was just applying escape functions mechanically; while not truly understanding what it was that I was doing, I knew that it was a best practice. Just like WordPress hooks, over time, my understanding became less fuzzy, but until these nagging questions could be answered, I couldn’t feel confident that I was escaping correctly.
Which WordPress template functions should be escaped? Which functions already have this built into core?
This becomes harder to figure out if, like me, you hadn’t truly dived into WordPress’ mysterious core files for browsing. Or maybe you have, but found it overwhelming to follow the rabbit hole and chain of functions while simultaneously trying to make sense of how WordPress does just one thing. It doesn’t help if your code editor doesn’t make the task any easier. I’m a huge fan of Sublime Text, but have recently been exploring PhpStorm. I won’t lie to you, I still prefer Sublime for my daily development needs, but PhpStorm has a feature that has made learning about WordPress core so much easier.
You can Shift (PC) or Command (Mac) click on any function, WordPress or not, and it will take you to the file and line where that function is written. So for WordPress core, instead of being overwhelmed by all the files in the wp-admin or wp-includes folder, PhpStorm teleports you instantly!
And so, via PhpStorm, I narrowed down which core functions actually needed escaping. I threw together a reference until it’s something I commit to memory, and thought it would be useful to share said reference with a blog post. In this post, I’ll also briefly review what escaping does for us, and how we would know if a template function needs escaping. Let’s get to it!
If there’s one thing I learned in the web development field, it’s that time is money. There are budgets to be faithful to, deadlines to aim for, and when you’re a developer who wants nothing more than to have the most beautiful and efficient code ever – sometimes those things can come at odds.
So what do you do? Do what you humanly can. Write the cleanest, most awesome code you can, but be mindful of ~~doomsday~~ the finish line. And try out these 5 WordPress tools and boilerplates!