7 WordPress Best Practices For Real Engineers

This article will go over 7 WordPress best practices you can adopt into your workflow.

As of the time of writing, WordPress is almost 20 years old. While the core code shows its age and is not up to date with modern "best practices", it's largely the same as it was 20 years ago. Over the years lots of bugs have been fixed and improvements made. If you took a site made with WordPress 1.0, you could probably get it to run in WordPress 6.0.1 with minimal changes.

The main strength of WordPress is its platform, built on PHP. WordPress is based on a formula that works, which is why it powers 43% of sites and new sites are being made all the time, including this site.

I was part of a team at News Corp which built the world's largest commercial WordPress deployment, with over 500 million monthly pageviews hitting a multi-tenant WordPress platform, supported by a few microservices.

This article is intended for real engineers who care about WordPress best practices and/or want to push the platform to its limits, or seasoned engineers who simply want to get better. Beginners who are just starting out with WordPress, especially if they are not skilled in coding, may get confused by some of the concepts here and would be better served learning the basics of PHP and WordPress before reading on.


Because of the older codebase, simple things like SQL injection vulnerabilities can come up from time to time. When writing code you don't automatically get the same protections against simple vulnerabilities like SQL injection and XSS as you would with modern frameworks, so you need to be aware of these things and actively prevent them. Filter your inputs and escape your output.
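As an added illustration (not code from the article), here is the same lookup written the careless way and then the way WordPress core expects it, using the platform's own sanitisation, prepared-statement and escaping helpers. The table name and request parameter are hypothetical placeholders.

```php
<?php
// Added example, not from the article. Assumes a custom table
// {$wpdb->prefix}example_authors with `email` and `display_name` columns
// (hypothetical) and a request like ?email=someone@example.com.

// Unsafe: request data is concatenated into SQL and echoed back unescaped.
// This is the pattern the article warns about (SQL injection + XSS).
function example_author_lookup_unsafe() {
    global $wpdb;
    $email = $_GET['email'];
    $row   = $wpdb->get_row(
        "SELECT display_name FROM {$wpdb->prefix}example_authors WHERE email = '$email'"
    );
    echo '<p>' . ( $row ? $row->display_name : 'not found' ) . '</p>';
}

// Hardened: filter the input, bind it with $wpdb->prepare(), escape on output.
function example_author_lookup_safe() {
    global $wpdb;

    // Filter input: undo WordPress's magic-quoting, sanitise, then validate shape.
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        echo '<p>Invalid email.</p>';
        return;
    }

    // prepare() quotes and escapes the bound value, so the SQL string itself
    // never contains raw user data. Table names still come from $wpdb, not input.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT display_name FROM {$wpdb->prefix}example_authors WHERE email = %s",
            $email
        )
    );

    // Escape output for the context it is printed into: esc_html() for text nodes,
    // esc_attr() for attribute values, esc_url() for href/src.
    $name = $row ? $row->display_name : 'not found';
    echo '<p data-email="' . esc_attr( $email ) . '">' . esc_html( $name ) . '</p>';
}
```

The escaping function is chosen by output context, not by where the data came from; database content is escaped on the way out just like request data.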

WordPress core often has security updates you'll need to install. If you don't update WordPress when security updates are available, the likelihood of your site being hacked is quite high. Because of the popularity of WordPress, bad actors scan the internet for vulnerable WordPress sites they can exploit. You can stay one step ahead of most of these bad actors by installing updates as they become available.

Caching, caching, caching

The average WordPress install in its default configuration will fall over the moment you send even a moderate amount of traffic to it.

However, think about what WordPress does: serve static HTML in the form of pages and articles. These articles don't change every second, so your WordPress site shouldn't need to render every request from scratch. Most experienced engineers will see that this type of content is very well suited to caching.

Like Software Engineering Standard, you should put a CDN in front of your WordPress site. Check the lock in your browser's address bar and you'll see I've put Cloudflare in front of this site. That means if the site suddenly goes viral and gets the Hacker News or reddit "kiss of death", the CDN will absorb most of the load. For most sites, a simple network-level cache should be enough. But if you get even half the scale of 500 million pageviews per month, you should also do server-side caching.

On the server level, you can use plugins like Batcache, connected to Memcache. If you are writing custom plugins, you can cache the results of complex operations in Memcache or Redis.
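An added example (not from the article) of the second point: a custom plugin caching an expensive aggregation in the WordPress object cache, which a Memcache or Redis drop-in turns into a shared, persistent store. The query and cache key are placeholders I chose for illustration.

```php
<?php
// Added example, not from the article. Uses the WordPress object cache API
// (wp_cache_get / wp_cache_set / wp_cache_delete); with a persistent cache
// drop-in (Memcache, Redis) the value is shared across requests and servers.

function example_get_top_authors() {
    global $wpdb;
    $cache_key   = 'top_authors_v1';     // bump the suffix if the shape changes
    $cache_group = 'example_plugin';     // hypothetical group name
    $found       = false;

    // Use the $found flag rather than testing the value: an empty result set is
    // a legitimate cached answer and must not trigger the slow query again.
    $rows = wp_cache_get( $cache_key, $cache_group, false, $found );
    if ( $found ) {
        return $rows;
    }

    // Cache miss: run the slow aggregation once. No user input is involved here,
    // so nothing needs binding; table names come from $wpdb.
    $rows = $wpdb->get_results(
        "SELECT post_author, COUNT(*) AS n FROM {$wpdb->posts}
         WHERE post_status = 'publish' GROUP BY post_author ORDER BY n DESC LIMIT 10"
    );

    // Keep it for 10 minutes. Without a persistent drop-in the entry only lives
    // for the current request, which is still correct, just not faster.
    wp_cache_set( $cache_key, $rows, $cache_group, 10 * MINUTE_IN_SECONDS );
    return $rows;
}

// Invalidate on content changes so readers never see stale data for long.
add_action( 'save_post', function () {
    wp_cache_delete( 'top_authors_v1', 'example_plugin' );
} );
```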

Basically, I can tell you that the way we scaled WordPress to 500 million monthly pageviews is caching, caching, caching.

Let WordPress be WordPress

If you use WordPress and you're a seasoned engineer, you may be tempted to write complex plugins that change the functionality significantly, or use things like Twig for rendering views. Generally, it's best to avoid this and let WordPress be WordPress. On its own it can do quite a lot, and you'll get the benefit of updates without having to rewrite your plugins.

Remember that plugins are plugins: they should make minor customizations, not change the nature of the software they are plugging into.

With that in mind, to get what you need done you should use these tools in the following order of preference:

  • CSS
  • HTML
  • PHP
  • JavaScript

I put the real programming languages last. The idea is you should try to get what you need done while writing the minimal amount of custom code.

Despite the capabilities that come with my experience, I deliberately tried to use a minimal amount of custom PHP code when creating this site.

Follow modern best practices in your code

Just because WordPress core is 20 years old and doesn't follow modern "best practices" doesn't mean your code shouldn't. WordPress does nothing to stop you from using modern PHP best practices: namespaces, classes, Composer, dependency injection and following the PSR coding standards.

There is nothing preventing you from following principles like SOLID, YAGNI and DRY in your own code. You can still write PHPUnit tests.

Some tools that can help are:

  • Composer
  • PHP-DI
  • Namespaces
  • OOP and classes for anything more than simple plugins

I highly recommend PHP-DI with autowiring: use it in a plugin and you'll get "framework-like" dependency injection.
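What that looks like in a plugin, as an added example (not the article's own code): a container built with autowiring, a service with a constructor-injected dependency, and a WordPress hook bound to a container-managed object. It assumes `composer require php-di/php-di` has been run in the plugin directory; the class and option names are placeholders.

```php
<?php
/**
 * Plugin Name: Example DI Plugin
 * Added example, not from the article. Assumes vendor/ from `composer require
 * php-di/php-di`; class names, option name and markup are placeholders.
 */

require_once __DIR__ . '/vendor/autoload.php';

use DI\ContainerBuilder;

// A small service that wraps a WordPress option. Nothing in it knows about
// the container; it is plain, unit-testable PHP.
class ExampleSettings {
    public function footerText(): string {
        return (string) get_option( 'example_footer_text', 'Powered by WordPress' );
    }
}

// Depends on ExampleSettings. With autowiring the constructor type hint is all
// the container needs to build it; no factory or manual `new` required.
class ExampleFooter {
    public function __construct( private ExampleSettings $settings ) {}

    public function render(): void {
        // Option values are data, so they are still escaped on output.
        echo '<p class="example-footer">' . esc_html( $this->settings->footerText() ) . '</p>';
    }
}

// Build the container once per request, at plugin load.
$builder = new ContainerBuilder();
$builder->useAutowiring( true );
$container = $builder->build();

// Bind a WordPress action to a method on a container-resolved object. The
// container constructs ExampleFooter and injects ExampleSettings for us.
add_action( 'wp_footer', [ $container->get( ExampleFooter::class ), 'render' ] );
```

Swapping ExampleSettings for a test double in PHPUnit is then a matter of passing it to the constructor, which is the practical payoff of the injection.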

Don't reinvent the wheel

WordPress has been around long enough that plugins are available for most things that you would want to do. As a capable seasoned engineer, you may be tempted to write code yourself. But why do that if someone else has already done all of the work for you?

Embrace the open source movement. Use plugins, and when you find issues, fix them and send pull requests back to the main project.

Composer is also great for any PHP libraries you might need. There are packages for everything from CSV parsers to REST clients. Don't write these yourself; use Composer.

Keep it simple

Just because you are capable of writing complex code and following every best practice there is doesn't mean you should, or that you should take your principles to extremes.

If all your plugin needs is one function like this, don't bother with Composer or classes. Just keep it simple.

add_filter('some_filter', function ($value) {
    // Do something in 5 lines or less, then hand the value back
    return $value;
});

That's it: one short callback to change something about WordPress you want to customise. No classes or anything complicated.

Speaking of which, if you can get away with just using CSS and no PHP or JavaScript, do this.

What not to use WordPress for

WordPress is a CMS. It's great for content-based websites such as news sites or blogs such as this one. It's not so great for more complex software like:

  • Ecommerce sites
  • Web applications
  • Custom software

If you use WordPress for any of these things, you are using it for things it was never intended for. Instead, look into building on top of a modern framework like Symfony. If you need a mix of the above and some CMS functionality, WordPress has a great REST API that other applications can plug into, so you can get the great CMS foundation of WordPress with the customizability of a modern framework.


WordPress out of the box has most of the things you will need. As a seasoned engineer, your biggest challenge is not getting in its way. Use it as a base and build on top of it.

If you need more complex functionality, consider using a modern web framework like Symfony.

WordPress has been around for almost 20 years and will probably be around for much longer. As long as you use it for what it was intended for and don't try to get in its way it will perform well.

Happy coding!