Escaping WordPress Template Functions. To do or not to do?

Reading Time: 7 mins

Sanitization, escaping, and validation have become a regular part of my WordPress theme development within the last year. If those words confuse you, don’t worry, I’ve got another draft in my dashboard waiting to be finished. Eventually. 😉

But for those of you that do have a general idea of what these terms mean, perhaps you’ve faced the same nagging questions I had when it came to escaping WordPress template functions. At first, I was just applying escape functions mechanically; while not truly understanding what it was that I was doing, I knew that it was a best practice. Just like WordPress hooks, over time, my understanding became less fuzzy, but until these nagging questions could be answered, I couldn’t feel confident that I was escaping correctly.

Which WordPress template functions should be escaped? Which functions already have this built into core?

By template functions, I mean functions that are regularly used throughout theme development to call content from the dashboard, like the_title(), the_permalink(), and the_excerpt(), to name a few.

This becomes harder to figure out if, like me, you hadn’t truly dived into WordPress’ mysterious core files for browsing. Or maybe you have, but found it overwhelming to follow the rabbit hole and chain of functions while simultaneously trying to make sense of how WordPress does just one thing. It doesn’t help if your code editor doesn’t make the task any easier. I’m a huge fan of Sublime Text, but have recently been exploring PHP Storm. I won’t lie to you, I still prefer Sublime for my daily development needs, but PHP Storm has a feature that has made learning about WordPress core so much easier.

You can Shift (PC) or Command (Mac) click on any function, WordPress or not, and it will take you to the file and line where that function is written. So for WordPress core, instead of being overwhelmed by all the files in the wp-admin or wp-includes folder, PHP Storm teleports you instantly!

And so, via PHP Storm, I narrowed down which core functions actually needed escaping. I threw together a reference until it’s something I commit to memory, and thought it would be useful to share said reference with a blog post. In this post, I’ll also briefly review what escaping does for us, and how we would know if a template function needs escaping. Let’s get to it!


Required WordPress Theme Files vs “Required”

Reading Time: 6 mins

The Required WordPress Theme Files

There are only 2 files that are actually required in a WordPress theme for it to be detected and applicable in WordPress. Those 2 files are style.css and index.php.

And then there are those “unsaid” files – those “secret” requirements that become the scuttlebutt amongst developers and are the difference between a good quality theme and “What noob built this thing?!”

So how far do you go? Aside from the required WordPress theme files, what files should actually be present in a theme regardless of whether they’re literally required, and why? Well, I’ve gone through a fair share of WordPress builds, and I’d like to share my thoughts on that.
