Coding Standards

• Always use single quotes, never double quotes
• Vertical space is poetry; curly braces on same line.
• Use whitespace for readability.

Avoid Raw SQL

• Use $wpdb object
• Use $wpdb->prepare() if SQL is needed.
• Use existing table if possible instead of custom tables.
• prepare() method handles santization and quotes. No reason not to use it.

Use the esc_* API

• Provides sanitization against XSS and SQL injection attacks.
• esc_html(), esc_attr(), esc_js(), esc_url() – uses are obvious.
• Trust no arbitrary data, even your own.

Use Nonces (Number Only Used Once)

• Use for single-use action (forms)
• Add wp_nonce_field() to all forms

Use The Shortcode API

• Allows javascripts/embeds in post safely.
• Functions: shortcode_atts() and add_shortcode()
• Shortcodes are wave of the future for WP.