Nícholas André • @nicholas_io • #WordCampFOR • nicholasandre.com.br WordPress Best Practices WordCamp Fortaleza 2016

Upload: nicholas-andre

Post on 14-Apr-2017


TRANSCRIPT

Nícholas André • @nicholas_io • #WordCampFOR • nicholasandre.com.br

WordPress Best Practices, WordCamp Fortaleza 2016

Who am I?

● My name is Nícholas André
● I'm a Web Engineer at 10up
● WordPress plugin developer & WordPress core contributor
● I embrace Open Source
● WordPress passionate


Performance


Efficient Database Queries

• When using WP_Query make sure to pass the appropriate params:
  • 'no_found_rows' => true: useful when pagination is not needed (skips the SQL_CALC_FOUND_ROWS count query).
  • 'update_post_meta_cache' => false: useful when post meta will not be utilized.
  • 'update_post_term_cache' => false: useful when taxonomy terms will not be utilized.
  • 'fields' => 'ids': useful when only the post IDs are needed (less typical).
• Do not use 'posts_per_page' => -1
  • This is a performance hazard. What if we have 100,000 posts? Always cap the page size.


Efficient Database Queries

• Passing 'cache_results' => false to WP_Query is usually not a good idea (unless you have good reasons).
• DO NOT use query_posts(). It replaces the main query after that query has already run, so the expensive query executes twice and pagination breaks.
• Use either pre_get_posts (to adjust the main query before it runs) or a new WP_Query (for secondary loops).
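The two points above in working code, as an added example that is not from the talk: a bounded, lean secondary WP_Query and a pre_get_posts hook that does what a query_posts() call is usually written for. The post type 'product' and the function names are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the talk). The 'product' post type and the
 * example_* function names are assumptions.
 */

// A lean secondary query: IDs only, no pagination count, no meta/term
// cache priming, and a hard cap instead of posts_per_page => -1.
function example_get_recent_product_ids( $limit = 20 ) {
    // Cap the page size even when the caller asks for more.
    $limit = min( absint( $limit ), 100 );

    $query = new WP_Query( array(
        'post_type'              => 'product',
        'post_status'            => 'publish',
        'posts_per_page'         => $limit,
        'no_found_rows'          => true,  // skip SQL_CALC_FOUND_ROWS
        'update_post_meta_cache' => false, // we will not read post meta
        'update_post_term_cache' => false, // we will not read terms
        'fields'                 => 'ids', // SELECT ID only
    ) );

    return $query->posts; // array of ints
}

// Wrong: query_posts() runs after the main query already executed, so
// the archive query runs twice and the pagination state is corrupted.
// function bad_product_archive() {
//     query_posts( 'post_type=product&posts_per_page=-1' );
// }

// Right: tune the main query before it runs, only where it applies.
function example_tune_main_query( WP_Query $query ) {
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }
    if ( $query->is_post_type_archive( 'product' ) ) {
        $query->set( 'posts_per_page', 24 );
        $query->set( 'orderby', 'date' );
        $query->set( 'order', 'DESC' );
    }
}
add_action( 'pre_get_posts', 'example_tune_main_query' );
```

The is_admin() and is_main_query() guards matter: without them the hook also rewrites admin list tables and every secondary WP_Query on the page.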


Search

• If you receive a lot of search traffic, consider using Elasticsearch.
• Search queries in WordPress are slow: the default search is a LIKE '%term%' match over post title, excerpt and content, which cannot use an index.
  • https://www.elastic.co/products/elasticsearch
  • https://github.com/10up/ElasticPress


General Tips

• Do not write to the database on front-end pages, as doing so can result in major performance issues and race conditions.
• Store information in the correct place (Post Meta, Options API, Object Cache, Transients API etc.).
• Certain options are "autoloaded", i.e. loaded and put into the object cache on every page load. When creating an option with add_option() you can pass 'no' as the $autoload argument to disable autoloading for that option.
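An added example (not from the talk) for the two tips above: registering a rarely used option without autoload, and counting front-end page views without a database write on every request. The option and meta names, the cron hook and the example_* function names are assumptions, and the counter pattern assumes a persistent object cache (Redis or Memcached), because without one wp_cache_* lives only for the current request.

```php
<?php
/**
 * Added example (not from the talk). Option/meta names, the cron hook
 * and the example_* functions are assumptions. Assumes a persistent
 * object cache drop-in; wp_cache_incr() is atomic on Memcached/Redis.
 */

// 1. Large or rarely read options must not be autoloaded on every page.
//    add_option( $name, $value, $deprecated, $autoload ) defaults to 'yes'.
function example_install_defaults() {
    add_option( 'example_import_log', array(), '', 'no' );
}
register_activation_hook( __FILE__, 'example_install_defaults' );

// 2. Wrong: a read-modify-write to the DB on every front-end request.
//    Two concurrent visitors read the same value and one increment is lost.
// function bad_count_view( $post_id ) {
//     $views = (int) get_post_meta( $post_id, 'views', true );
//     update_post_meta( $post_id, 'views', $views + 1 );
// }

// Right: increment in memory, persist in the background via WP-Cron.
function example_count_view( $post_id ) {
    $key = 'views_' . absint( $post_id );
    if ( false === wp_cache_get( $key, 'example' ) ) {
        wp_cache_set( $key, 0, 'example' );
    }
    wp_cache_incr( $key, 1, 'example' );

    // The cron option is written at most once per 5-minute window per
    // post, not once per request.
    if ( ! wp_next_scheduled( 'example_flush_views', array( $post_id ) ) ) {
        wp_schedule_single_event( time() + 300, 'example_flush_views', array( $post_id ) );
    }
}

function example_flush_views( $post_id ) {
    $key   = 'views_' . absint( $post_id );
    $delta = (int) wp_cache_get( $key, 'example' );
    if ( $delta <= 0 ) {
        return;
    }
    // Subtract what we persist instead of resetting to 0, so views
    // counted between the get and this line are not lost.
    wp_cache_decr( $key, $delta, 'example' );
    $total = (int) get_post_meta( $post_id, 'views', true ) + $delta;
    update_post_meta( $post_id, 'views', $total );
}
add_action( 'example_flush_views', 'example_flush_views' );

add_action( 'wp', function () {
    if ( is_singular() && ! is_admin() ) {
        example_count_view( get_queried_object_id() );
    }
} );
```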


Writing efficient PHP Code

• Avoid using in_array(); instead build arrays that allow lookups by key (isset() on a flipped array).
  • in_array() is a linear scan, O(n) in the worst case, which becomes a problem when it runs inside a loop.


Writing efficient PHP Code

• Avoid calling a function multiple times in a loop when its result does not change between iterations; call it once before the loop.
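Both PHP tips in one added example (not from the talk): the same filter written with in_array() and a re-evaluated call inside the loop, then with a key-indexed lookup table and the invariant call hoisted out. The option name, the data and the example_* function names are constructed for illustration.

```php
<?php
/**
 * Added example (not from the talk). Option name, data and example_*
 * functions are constructed for illustration.
 */

// Slow: for P posts and A allowed IDs this is O(P * A), and count() and
// get_option() are re-evaluated on every iteration.
function example_filter_posts_slow( array $posts, array $allowed_ids ) {
    $out = array();
    for ( $i = 0; $i < count( $posts ); $i++ ) {
        if ( get_option( 'example_filter_enabled' )
            && in_array( $posts[ $i ]->ID, $allowed_ids, true ) ) {
            $out[] = $posts[ $i ];
        }
    }
    return $out;
}

// Fast: O(P + A). Build the lookup table once; test membership by key.
function example_filter_posts_fast( array $posts, array $allowed_ids ) {
    // Hoist the loop-invariant call out of the loop.
    if ( ! get_option( 'example_filter_enabled' ) ) {
        return array();
    }
    // array_flip() turns [3, 7, 42] into [3 => 0, 7 => 1, 42 => 2].
    $allowed = array_flip( array_map( 'absint', $allowed_ids ) );

    $out = array();
    foreach ( $posts as $post ) {
        if ( isset( $allowed[ $post->ID ] ) ) { // hash lookup, O(1)
            $out[] = $post;
        }
    }
    return $out;
}

// Same idea for string values, e.g. an allow-list of post types that is
// consulted many times per request.
function example_is_allowed_type( $type ) {
    static $allowed = null;
    if ( null === $allowed ) {
        $allowed = array_fill_keys( array( 'post', 'page', 'product' ), true );
    }
    return isset( $allowed[ $type ] );
}
```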


Caching

• Caching is simply the act of storing computed data somewhere for later use, and is an incredibly important concept in WordPress.
• Object Cache: cache in memory so data can be retrieved quickly.
  • WP_Object_Cache and Transients API
• Page Cache: cache the entire page output.
  • Batcache is a simple WordPress plugin that uses the Object Cache to cache page output.


Persistent Object Cache

• WordPress lets you drop in a custom object cache implementation (wp-content/object-cache.php). Without a drop-in, WP_Object_Cache lives only for the current request.
• Redis and Memcached let you store things in memory for fast read/write access.
  • https://wordpress.org/plugins/wp-redis/
  • https://wordpress.org/plugins/memcached/developers/
• Storing things in memory is far faster than querying the database.


Fragment Caching

• Fragment caching differs from page caching in that it does not cache the entire page, just a single fragment.
• Output generated from an expensive operation should be cached in a fragment cache.
  • E.g. the output of a list of posts coming from multiple subsites on a multisite network should be cached.


What should you cache?

• Slow queries, external requests, expensive PHP functions etc.
• Remember to purge (invalidate) the cache whenever the underlying data changes; an expiry time alone leaves stale output on the page until it elapses.
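An added example (not from the talk) covering the fragment caching and "what should you cache" slides: a network-wide recent-posts fragment kept in the object cache, an external HTTP request kept in a transient, and purging on content change. The cache keys, the feed URL and the example_* function names are assumptions; get_sites() requires WordPress 4.6 or newer.

```php
<?php
/**
 * Added example (not from the talk). Cache keys, the rates URL and the
 * example_* functions are assumptions. Without a persistent object cache
 * drop-in, wp_cache_* entries live only for the current request, while
 * transients fall back to the options table and survive across requests.
 */

// Object cache keys are prefixed with the current blog ID on multisite.
// Register the group as global so a purge from any subsite hits the
// same entry the front page wrote.
add_action( 'init', function () {
    wp_cache_add_global_groups( 'example' );
} );

// Expensive fragment: recent posts gathered from up to 20 subsites.
function example_network_recent_posts_html() {
    $key   = 'network_recent_posts_v1';
    $group = 'example';

    $html = wp_cache_get( $key, $group );
    if ( false !== $html ) {
        return $html;
    }

    $html = '<ul>';
    foreach ( get_sites( array( 'number' => 20 ) ) as $site ) {
        switch_to_blog( (int) $site->blog_id );
        $q = new WP_Query( array(
            'posts_per_page'         => 3,
            'no_found_rows'          => true,
            'update_post_meta_cache' => false,
            'update_post_term_cache' => false,
        ) );
        foreach ( $q->posts as $post ) {
            $html .= '<li><a href="' . esc_url( get_permalink( $post ) ) . '">'
                   . esc_html( get_the_title( $post ) ) . '</a></li>';
        }
        restore_current_blog();
    }
    $html .= '</ul>';

    wp_cache_set( $key, $html, $group, 10 * MINUTE_IN_SECONDS );
    return $html;
}

// Purge when any site saves a post, so the fragment is stale for at most
// one request after a change rather than for the full 10 minutes.
function example_purge_network_fragment( $post_id ) {
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    wp_cache_delete( 'network_recent_posts_v1', 'example' );
}
add_action( 'save_post', 'example_purge_network_fragment' );

// External request: cached in a transient, with a short negative cache
// so a dead upstream does not stall every page for 3 seconds.
function example_remote_rates() {
    $rates = get_transient( 'example_rates' );
    if ( false !== $rates ) {
        return $rates;
    }
    $response = wp_remote_get( 'https://rates.example.test/latest.json', array( 'timeout' => 3 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        set_transient( 'example_rates', array(), MINUTE_IN_SECONDS );
        return array();
    }
    $rates = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $rates ) ) {
        $rates = array();
    }
    set_transient( 'example_rates', $rates, HOUR_IN_SECONDS );
    return $rates;
}
```

The version suffix in the key ('_v1') is a cheap invalidation lever: when the markup changes, bump the suffix and every old entry is simply never read again.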


Ajax requests

• Avoid using admin-ajax.php on the front-end: every call bootstraps the admin context (WP_ADMIN is defined and admin_init fires) and the responses are not cached by page caches. Use the Rewrite API or create a custom REST API endpoint (preferable).
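An added example (not from the talk) of the preferred option: a front-end "likes" feature served by a custom REST route instead of admin-ajax.php. The 'example/v1' namespace, the route, the meta key and the example_* function names are assumptions.

```php
<?php
/**
 * Added example (not from the talk). Namespace, route, meta key and
 * example_* functions are assumptions.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/likes/(?P<id>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_rest_get_likes',
            'permission_callback' => '__return_true', // public read
            'args'                => array(
                'id' => array(
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_rest_add_like',
            // Writes need an authenticated user. With cookie auth the
            // client must also send the X-WP-Nonce header ('wp_rest').
            'permission_callback' => function () {
                return is_user_logged_in() && current_user_can( 'read' );
            },
            'args'                => array(
                'id' => array(
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value )
                            && 'publish' === get_post_status( (int) $value );
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        ),
    ) );
} );

function example_rest_get_likes( WP_REST_Request $request ) {
    $id = $request['id']; // already validated and cast to int
    return rest_ensure_response( array(
        'id'    => $id,
        'likes' => (int) get_post_meta( $id, 'example_likes', true ),
    ) );
}

function example_rest_add_like( WP_REST_Request $request ) {
    $id    = $request['id'];
    $likes = (int) get_post_meta( $id, 'example_likes', true ) + 1;
    update_post_meta( $id, 'example_likes', $likes );
    return rest_ensure_response( array( 'id' => $id, 'likes' => $likes ) );
}
```

On the client, pass wp_create_nonce( 'wp_rest' ) to the script (for instance via wp_localize_script()) and send it as the X-WP-Nonce header on the POST; the GET route carries no state change and needs no nonce. A route without a permission_callback is an unauthenticated endpoint, so every write route needs one.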


Design Patterns

• If using PHP 5.3+, always namespace your files.
• When writing classes, make sure each one is atomic, well designed and fully documented.
  • In general you should not declare methods or attributes as private; use protected instead, so the class can be extended.


Security


Input Sanitization and Validation

• To validate is to ensure the data you requested of the user matches what they submitted (reject what does not fit).
• Sanitization is a broader approach, ensuring data conforms to certain standards such as an integer or HTML-less text (coerce what you keep).
• WordPress has a lot of validation and sanitization functions.
• Escape All The Things, and escape late: escape at the point of output, for the context it lands in (esc_html, esc_attr, esc_url, wp_kses_post), not when the data is stored.
  • https://vip.wordpress.com/documentation/vip/best-practices/security/validating-sanitizing-escaping/
  • https://vip.wordpress.com/2014/06/20/the-importance-of-escaping-all-the-things/
• When writing custom SQL queries, always use $wpdb->prepare.


Late Escaping
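An added example (not from the talk) for the sanitization, late escaping and $wpdb->prepare points: the same profile form handled insecurely and then hardened. The field names, the 'example_' option, meta and table names and the example_* function names are assumptions; the nonce and capability checks that belong at the top of the save handler are covered on the Nonces slides.

```php
<?php
/**
 * Added example (not from the talk). Field names, the example_* option,
 * meta and table names and the functions are assumptions.
 */

// --- Vulnerable: raw input stored and echoed, SQL built by interpolation.
function bad_save_profile() {
    global $wpdb;
    update_option( 'example_tagline', $_POST['tagline'] );                 // stored XSS
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_log WHERE user_id = " . $_POST['user'] ); // SQLi
}
function bad_render_profile() {
    echo '<p>' . get_option( 'example_tagline' ) . '</p>';                  // no escaping
}

// --- Hardened.
function example_save_profile() {
    global $wpdb;

    // Validate: reject anything that is not the shape we asked for.
    $user_id = isset( $_POST['user'] ) ? absint( $_POST['user'] ) : 0;
    if ( 0 === $user_id || ! get_userdata( $user_id ) ) {
        wp_die( 'Invalid user.', '', array( 'response' => 400 ) );
    }

    // Sanitize: WordPress slashes $_POST, so unslash first, then coerce.
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    $bio     = isset( $_POST['bio'] ) ? wp_kses_post( wp_unslash( $_POST['bio'] ) ) : ''; // post HTML only
    $site    = isset( $_POST['site'] ) ? esc_url_raw( wp_unslash( $_POST['site'] ) ) : '';  // for storage

    update_option( 'example_tagline', $tagline );
    update_user_meta( $user_id, 'example_bio', $bio );
    update_user_meta( $user_id, 'example_site', $site );

    // Custom SQL: placeholders only, never interpolation of input.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}example_log WHERE user_id = %d AND source = %s",
        $user_id,
        'profile'
    ) );
}

// Late escaping: escape at output, choosing the function for the context.
function example_render_profile( $user_id ) {
    $tagline = get_option( 'example_tagline' );
    $bio     = get_user_meta( $user_id, 'example_bio', true );
    $site    = get_user_meta( $user_id, 'example_site', true );
    ?>
    <p class="tagline" title="<?php echo esc_attr( $tagline ); ?>"><?php echo esc_html( $tagline ); ?></p>
    <div class="bio"><?php echo wp_kses_post( $bio ); ?></div>
    <a href="<?php echo esc_url( $site ); ?>"><?php echo esc_html( $site ); ?></a>
    <?php
}
```

Note the split between esc_url_raw() (for the database) and esc_url() (for HTML), and that the same value is escaped differently for an attribute and for text content: escaping is a property of the output context, not of the value.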


Nonces

• "Number used once": a tool to prevent CSRF.
  • Goal: tie every state-changing request to the user who intended it, so an action cannot be forged from another site.
  • The WordPress implementation is not strictly numbers, and not strictly single-use either: a nonce is a hash tied to the user, the session and the action, valid for up to 24 hours. It serves the same purpose.
  • http://example.com/wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
• Update and delete actions should require a valid nonce, plus a capability check: a nonce proves intent, not permission.
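The pattern from the slides as an added example (not from the talk): a "trash item" link and a settings form, each protected by a nonce and a capability check. The action names, the 'example_' prefix and the example_* function names are assumptions.

```php
<?php
/**
 * Added example (not from the talk). Action names, the example_* prefix
 * and the functions are assumptions.
 */

// 1. A link that changes state. The nonce action includes the object ID,
//    so a token minted for item 1 does not verify for item 2.
function example_trash_link( $item_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_trash', 'item' => absint( $item_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_trash_' . absint( $item_id ), '_wpnonce' );
}

// Handler for admin-post.php?action=example_trash (logged-in users only).
function example_handle_trash() {
    $item_id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;

    // CSRF: dies with "The link you followed has expired" on a bad nonce.
    check_admin_referer( 'example_trash_' . $item_id, '_wpnonce' );

    // A nonce is not authorization: still check the capability.
    if ( ! current_user_can( 'delete_post', $item_id ) ) {
        wp_die( 'You are not allowed to trash this item.', '', array( 'response' => 403 ) );
    }

    wp_trash_post( $item_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_trash', 'example_handle_trash' );

// 2. A form: wp_nonce_field() emits the hidden input.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save" />
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="tagline" />
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_handle_save() {
    // wp_verify_nonce() returns false (or 1/2 for the tick it matched).
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
    }
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    update_option( 'example_tagline', $tagline );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_save', 'example_handle_save' );
```

check_admin_referer() is the right call when a generic "link expired" page is acceptable; wp_verify_nonce() is used where the handler wants to control the response itself. In both cases the capability check comes after the nonce check and before any write.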


Workflows & Version Control


Workflows

• Use version control (SVN, Git).
  • Keeping track of your code is important.
• DO NOT use a CBVS (Comment Based Versioning System).
• DO NOT commit commented-out code.
• Use descriptive commit messages.
  • http://chris.beams.io/posts/git-commit/
  • https://vip.wordpress.com/documentation/commit-messages/
• Keep your commits "atomic".
  • One task, one fix, a single unit that actually does something.
  • Some tasks can often be broken down into smaller tasks.
  • New feature = feature branch = multiple commits.
• Git-flow: http://nvie.com/posts/a-successful-git-branching-model/
• Establish a workflow at the beginning of the project. It is best to have a company-wide workflow set.


Code Reviews

• We are humans and we make mistakes.
• Code reviews can catch bugs, missing escaping/validation and code that does not adhere to the code standards.
• Code reviews help ensure performance, security, maintainability and scalability.
• We learn when we review each other's code.
• DO NOT trust every plugin available out there.
  • Most of them are not truly safe and were not built with high-traffic websites in mind. Review third-party code to the same standard as your own.


WordPress Code Standards


Code Standards

• It is important that all developers in a project follow the same code standards.
  • https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/
  • https://make.wordpress.org/core/handbook/best-practices/coding-standards/html/
  • https://make.wordpress.org/core/handbook/best-practices/coding-standards/accessibility-coding-standards/
  • https://make.wordpress.org/core/handbook/best-practices/coding-standards/javascript/
  • https://make.wordpress.org/core/handbook/best-practices/coding-standards/css/


Documentation

• Documentation is important.


Tests


Unit Testing

• PHPUnit: PHP unit tests
• WordPress Core Tests
• WP_Mock
  • https://github.com/10up/wp_mock
• Mocha (JavaScript tests)
  • http://mochajs.org/
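An added example (not from the talk) of a PHPUnit test that uses 10up's WP_Mock to unit-test a plugin function without loading WordPress. The function under test, the option name and the expectation values are constructed for illustration; the test assumes WP_Mock 0.2 or newer (the userFunction() API) bootstrapped from the PHPUnit bootstrap file with WP_Mock::bootstrap().

```php
<?php
/**
 * Added example (not from the talk). example_save_tagline(), the option
 * name and the values are constructed; assumes WP_Mock >= 0.2.
 */

// Function under test: sanitizes, rejects empty input, stores the value.
function example_save_tagline( $raw ) {
    $clean = sanitize_text_field( $raw );
    if ( '' === $clean ) {
        return false;
    }
    return update_option( 'example_tagline', $clean );
}

class Example_Save_Tagline_Test extends \WP_Mock\Tools\TestCase {

    public function setUp() {
        \WP_Mock::setUp();
    }

    public function tearDown() {
        \WP_Mock::tearDown();
    }

    public function test_clean_value_is_stored() {
        // Stub the WordPress functions the code calls; WP is not loaded.
        \WP_Mock::userFunction( 'sanitize_text_field', array(
            'times'  => 1,
            'args'   => array( '<b>hello</b>' ),
            'return' => 'hello',
        ) );
        \WP_Mock::userFunction( 'update_option', array(
            'times'  => 1,
            'args'   => array( 'example_tagline', 'hello' ),
            'return' => true,
        ) );

        $this->assertTrue( example_save_tagline( '<b>hello</b>' ) );
    }

    public function test_empty_after_sanitizing_is_not_stored() {
        \WP_Mock::userFunction( 'sanitize_text_field', array(
            'times'  => 1,
            'args'   => array( '<script></script>' ),
            'return' => '',
        ) );
        // update_option() must not be called at all.
        \WP_Mock::userFunction( 'update_option', array( 'times' => 0 ) );

        $this->assertFalse( example_save_tagline( '<script></script>' ) );
    }
}
```

The 'times' and 'args' expectations are what make this a unit test rather than a smoke test: the second case fails if the function ever writes an empty option, which is exactly the regression a sanitization refactor tends to introduce.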


Modern Tools


Tools to facilitate your work

• Grunt, gulp: automated tasks
• Bower, npm, composer
• WP-CLI
• Services
  • Beanstalk: Git service provider with automated deployments.
  • Deploybot: service that lets you automate your deployments and run build commands in the cloud.


Questions?