For security, only certain HTML tags are allowed in content and widgets on WordPress.com. However, with our Protected Embeds feature for VIPs, you are able to include iframes, objects and scripts. In addition, VIP Partners can create customized shortcodes – a type of placeholder tag that can optionally accept arguments.
For example, say you want to embed a video from a website that we do not support via one of our existing WordPress.com shortcodes, and does not work within our Protected Embeds feature. To include it, you would create your own shortcode for this embed with arguments for the video ID, width, height, and so forth.
Check with us before creating a shortcode as another VIP Partner may already have a shortcode for the same web service. We also like to review shortcodes before you commit them.
Shortcode Best Practices #
Shortcode names (and functions) should be prefixed to avoid future collisions with new WordPress.com-wide shortcodes. Using something related to your site is preferred. For example: if your company is called Fred’s Refrigerators, your shortcode should be named “fred-coolvideosite.”
As with all user supplied data (the shortcode parameters in this case), it should be thoroughly validated. If someone were able to guess your account’s password, you wouldn’t want them using your shortcode to do malicious things. If you’re expecting a number, then make sure you got a number. If you’re expecting a URL, then make sure you got one of those too.