WordPress is a very customisable CMS and probably part of the reason that it powers over 35% of all websites on the internet. There are a lot of different plugins and themes available which makes it really easy to extend its functionality.
There are times that despite the colossal catalogue of third-party plugins available within the WordPress ecosystem, one plugin just simply doesn’t have all of the functionality that you need. At that point, your only option is to develop some custom functionality.
It’s important that we, as developers, do this in the best possible way because without following best practice you're risking your website serving as a gateway to your code where attackers may embed malicious scripts.
Ever lost sleep worrying about how attackers might access your site through vulnerabilities you've created?
By following our best practices below for extending the functionality of your WordPress site, you can reduce the risk of your website being the victim of an attack and sleep like a baby at night.
Extending Functionality The Right Way
It’s important to note that as proficient WordPress developers, we should NEVER extend (or rather hack) the functionality of existing plugins. This causes a multitude of issues including risking the security of your site in the future through that particular plugin.
It's a mistake anyone could make, if the plugin you have used is found to have any vulnerabilities this would mean the plugin needs to be updated to fix these or it will leave your site unsecure. If the plugin is updated, your custom modifications are lost.
There are two generally accepted ways to perform these functional enhancements:
1. Create a Child-theme and edit your theme’s Functions.php file.
A lot of developers who are new to WordPress start by just modifying their core theme. This is possibly one of the easiest developer ‘fails’ that we can avoid by creating a child theme. This way, you can ensure that as you update the main theme files, the child theme is left as-is.
This method requires some additional custom functionality to be added into the child-theme so that when the theme is activated, so will the extra functionality. To create a child-theme, you must install the original theme, then create a “child theme” from it.
You can learn more about creating and using child themes in the official WordPress documentation.
By developing in this way, your customised code won’t break when the original theme is updated, which reduces the risk of vulnerabilities and security incidents on your site. If you are used to working with WordPress, creating a child theme is as simple as creating the child theme directory in your /wp-content/themes/ folder, and adding a functions.php file.
2. Create a custom plugin
For those that are well versed with WordPress development, adding a custom (sometimes site-specific) plugin is sometimes the route that is used to ensure that custom functionality is achieved in a modular way. By doing it this way, you have the ability to switch the functionality on or off by simply activating and deactivating the custom plugin. This also mitigates the need to worry about theme and core updates affecting your custom code (unless of course there are deprecated methods in the code).
Another big benefit of creating a custom plugin for custom WordPress functionality is that you can change the theme without having to worry about replicating the custom code to your other themes when switching or updating the look of your website.