Things to Keep in Mind While Creating a WordPress Plugin From Scratch

creating a wordpress plugin

A WordPress Plugin is actually a single file or group of files which extends or enhances the functionality of a WordPress site.

Every new developer knows “How to Code?”, But when creating a plugin in WordPress then developer must remember the some basic requirements to create  WordPress plugin in addition to code quality, security and functionality.

This guide describes important steps to keep in mind when creating WordPress plugins from scratch.

In WordPress plugins, a critical thing to understand is WordPress Hooks, e.g. actions and filters. Hooks allow the plugins to run with defined functionality at specific times within the WordPress functions.

List of action hooks : https://codex.wordpress.org/Plugin_API/Action_Reference


define( 'WP_DEBUG', true );
--- The WP_DEBUG option was added in WordPress Version 2.3.1.
--- By default, it is assumed that it is false. However, it is usually set to true in the wp-config.php file.

–>  Add a plugin specific information header to our newly created file in Plugin folder.

 Plugin Name: Testimonial Post type
 Plugin URI: https://wordpress.org/plugins/testimonial-post-type/
 Description: Create a Testimonial post types, it’s Taxonomy & Tags.
 Version: 1.0
 Author: Elsner Technologies Pvt. Ltd.
 Author URI: http://www.elsner.com
 Text Domain: testimonial-post-type
 Domain Path: /languages

Related : Elsner’s Recently Launched WordPress Plugin: Posts Slider Shortcode–> All plugins must have unique function names, defines, and classnames.

This prevents your plugin from conflicting with other plugins or themes.

–> Don’t use __ (double underscores), wp_ , or _ (single underscore) as a prefix.

Those are reserved for WordPress itself. You can use them inside your classes, but not as stand-alone function

–> Please secure your plugin from the Direct file access.

if ( ! defined( 'ABSPATH' ) ) exit;   // Exit if accessed directly

— You can avoid direct file access by putting this code at the top of all php files:

–> Please add a nonce to your POST calls to prevent unauthorized access.

nonce (number used once)

WordPress nonces aren’t numbers, but are a hash made up of numbers and letters. Nor are they used only once, but have a limited “lifetime” after which they expire.

Normally we generate a url like this that delete post_id 174

This url is perfect, But not a secure. Suppose, An attacker  know the id of the posts, Then attacker can delete the posts with this url without your knowledge.

Adding a nonce will prevent this. For example when using a nonce, the url that WordPress generate for the user look like this:

$nonce = wp_create_nonce( 'my-action_trash' );

— This simply returns the nonce value itself.

— This value you can put in a URL like


— Verifying a nonce which is passed in URL

wp_verify_nonce( $_REQUEST['_wpnonce'], 'my-action_trash' );

Related : How to Submit Your Plugin to WordPress Plugin Directory?–> Please sanitize, escape, and validate your POST calls

Sanitize : Cleaning User Input
One must never have a raw data inserted within the database, not even by a update function or with a prepare() call.

Sanitizing your POST data when used to make action calls, or URL redirects will lessen the possibility of XSS vulnerabilities.

— The data can be sanitized using the above function.
— Behind the scenes, the function does the below mentioned things:
Checks for invalid UTF-8
Converts single < characters to entity
Strips all tags
Remove line breaks, tabs and extra white space
Strip octets
— sanitize_*() class of helper functions

Validate : Checking User Input
In addition to sanitization, you should validate all your calls. If a $_POST call should only be a number, ensure it’s an int() before you pass it through anything. Any time you are adding data to the database, it should be the right data.

intval( $_POST['post'] );
--- if $_POST['post']

has a numeric value, it will return true. If it is not, then false.

Escape : Securing Output
Escaping is to take the data you already have, and to secure it before rendering it for the end user.

Escaping/casting on output just removes any ambiguity, and adds to the clarity.

<h4> <?php echo esc_html( $title ); ?> </h4>
--- esc_html()

should be used at times when the HTML element encloses a section of data whose output we are having.

esc_html ( string $text )

Escaping for HTML blocks.

esc_html_e ( string $text )

Display translated text that has been escaped for safe use in HTML output.

esc_html__ ( string $text )

Retrieve the translation of $text and escapes it for safe use in HTML output.

<img alt="" src="<?php echo esc_url( $picture_url ); ?>
--- esc_url()

should be used on each URL, including the ones in the ‘src’ and ‘href’ attributes of an HTML element.

<?php echo esc_js( $value ); ?>
--- esc_js()

is intended for inline Javascript.

<ul class="<?php echo esc_attr( $stored_class ); ?>">
--- esc_attr()

is usable on everything else that is printed into an attribute of the HTML element.

Note :-
Please check the below link to understand where the folders are and how best to call them

If possible, save data to the wp_options tables.

The conclusive goal of all this is to assure that invalid and insecure data does not come in process or display ever. Clean, check, escape everything. Also, never put faith in the users to always have input sane data.

Related:  How to Customize the WordPress Login Page

Interested & Talk More?

Let's brew something together!

WhatsApp Image