As you know from Getting Started, in order to keep the WordPress.com environment safe and performing to your high standards, we review in detail all plugins and themes. We also spot review all code before deploying it.
As you can imagine, this is not always easy. In order to minimize turnaround times, we have some guidelines which will help you keep your code clean, safe, fast, and easy to review.
- Avoid direct database queries. WordPress has built-in functionality for getting information in and out of the database. Using these functions wherever possible ensures that you benefit from any optimizations or caching that are already implemented within them. See Database Queries for tips.
- Avoid direct calls to PHP scripts in your theme and do not try to load the WordPress environment on your own. Don’t include `wp-config.php` or the like. If you have scripts that need to be run like this, then make sure to create page templates or hook into the `parse_request` action to intercept the request. See http://willnorris.com/2009/06/wordpress-plugin-pet-peeve-2-direct-calls-to-plugin-files for reference.
- Don’t leave unused code fragments as comments in the code. You can always look up old fragments via Subversion.
- Make sure that your code and plugins do not write to the filesystem. You might want to use the Exploit Scanner plugin to assist you with this.
- Ensure that none of your scripts alter the database. This includes adding or altering database fields, and creating new tables.
- Remember that “Code is Poetry” and there is no poet who would publish his first notes. Avoid repeating code – if there is something you do more than twice, write a function for it and don’t just copy and paste the same block over and over again. This reduces review time and makes the code easier for you to maintain. Try to stick to a consistent coding style and be sure to follow the WordPress Coding Standards.
- WordPress.com is a single install of WordPress Multisite with millions of blogs spread across thousands of server cores in multiple data centers using global user tables. These tables are enormous and should never be directly queried (`wpdb->users`). Use `get_users()` and the related API.
- Users registered through VIP-hosted websites are created as WordPress.com users. If you’d like to be able to query user data or create custom registration fields, you’ll need to use a third-party registration service; if this is of interest, please get in touch, as we work with a number of registration platforms and would be happy to facilitate an integration.
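The following is an added example (not WordPress.com VIP code) that puts two of the guidelines above side by side: the `parse_request` hook instead of a directly requested plugin file that bootstraps WordPress itself, and `get_users()` instead of a hand-written query against `wpdb->users`. The plugin, the `user_lookup` query variable and the `list_users` capability check are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: User Lookup Endpoint (hypothetical, added example)
 *
 * Illustrates two review guidelines: intercept requests on the
 * parse_request action rather than via a directly callable PHP file,
 * and read user data through get_users() rather than wpdb->users.
 */

// Before (the pattern the guidelines reject): a file such as
// wp-content/plugins/lookup/lookup.php requested directly, containing
//   require_once '../../../wp-load.php';
//   $term = $_GET['q'];
//   $rows = $wpdb->get_results( "SELECT ID, user_login FROM {$wpdb->users}
//                                WHERE user_login LIKE '%{$term}%'" );
// It loads the environment on its own, hits the global users table
// directly, and interpolates unescaped input into SQL.

// After: register a query variable so WordPress recognises the request...
add_filter( 'query_vars', function ( $vars ) {
	$vars[] = 'user_lookup'; // hypothetical query variable name
	return $vars;
} );

// ...and intercept it on parse_request, which fires only after the full
// WordPress environment (and its caching layers) has been loaded.
add_action( 'parse_request', function ( $wp ) {
	if ( ! isset( $wp->query_vars['user_lookup'] ) ) {
		return; // not our request; let WordPress carry on as usual
	}
	if ( ! current_user_can( 'list_users' ) ) {
		wp_send_json_error( 'forbidden', 403 ); // ends the request
	}
	$term = sanitize_text_field( wp_unslash( $wp->query_vars['user_lookup'] ) );
	if ( '' === $term ) {
		wp_send_json_error( 'missing term', 400 );
	}
	// get_users() builds a parameterised WP_User_Query and benefits from
	// the object cache; nothing here touches wpdb->users by hand.
	$users = get_users( array(
		'search'         => '*' . $term . '*',
		'search_columns' => array( 'user_login' ),
		'number'         => 20,
		'fields'         => array( 'ID', 'user_login' ),
	) );
	wp_send_json_success( $users ); // also terminates the request
} );
```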