
WordPress PHP API Cheatsheet

Plugin Header

<?php
/**
* Plugin Name: My Plugin
* Description: Site-specific functionality.
* Version: 1.0.0
* Text Domain: my-plugin
*/

// Direct-access guard: stop immediately when ABSPATH is not defined, i.e. when
// this file was requested on its own instead of being loaded by WordPress.
defined('ABSPATH') || exit;

Theme Setup

/**
 * Declares the features and menu locations this theme supports.
 *
 * Hooked to `after_setup_theme` below.
 */
function mytheme_setup(): void {
    // Each feature is switched on with its own add_theme_support() call.
    foreach (['title-tag', 'post-thumbnails'] as $feature) {
        add_theme_support($feature);
    }

    // Location slug => translated label.
    $menu_locations = [
        'primary' => __('Primary Menu', 'mytheme'),
    ];
    register_nav_menus($menu_locations);
}

add_action('after_setup_theme', 'mytheme_setup');

Common Hooks

| Hook | Use |
| --- | --- |
| plugins_loaded | Plugin dependency loading |
| init | Register CPTs, taxonomies, shortcodes |
| after_setup_theme | Theme supports and menus |
| wp_enqueue_scripts | Front-end assets |
| admin_enqueue_scripts | Admin assets |
| admin_menu | Admin pages |
| admin_init | Settings registration |
| pre_get_posts | Modify main query |
| template_redirect | Redirects before template output |
| rest_api_init | REST routes |

Enqueue Assets

// Call these from a callback hooked to wp_enqueue_scripts (front end) or
// admin_enqueue_scripts (admin), not at file load.
// Theme stylesheet: no dependencies; the theme's Version header is the version argument.
wp_enqueue_style('mytheme-style', get_stylesheet_uri(), [], wp_get_theme()->get('Version'));
// Plugin script: no dependencies; the final `true` prints it in the footer.
// MYPLUGIN_URL and MYPLUGIN_VERSION are not defined on this page — presumably plugin constants.
wp_enqueue_script('myplugin-script', MYPLUGIN_URL . 'assets/app.js', [], MYPLUGIN_VERSION, true);

Template Tags and Loop

| Echoes | Returns |
| --- | --- |
| the_title() | get_the_title() |
| the_permalink() | get_permalink() |
| the_excerpt() | get_the_excerpt() |
| bloginfo() | get_bloginfo() |
// The Loop: the_post() advances to the next post so template tags refer to it;
// the_title() then echoes that post's title between the given before/after markup.
if (have_posts()) :
    while (have_posts()) :
        the_post();
        the_title('<h2>', '</h2>');
    endwhile;
endif;

Custom Data Types

// Register both from a callback on the init hook (see the hooks table).
// 'public' together with 'show_in_rest' also exposes published books through the
// REST API to unauthenticated clients — confirm that is intended for this content.
register_post_type('book', [
'label' => __('Books', 'my-plugin'),
'public' => true,
'has_archive' => true,
'show_in_rest' => true,
'supports' => ['title', 'editor', 'thumbnail'],
]);
// Hierarchical taxonomy attached to the 'book' post type; its terms are likewise
// readable over REST because of 'show_in_rest'.
register_taxonomy('genre', ['book'], [
'label' => __('Genres', 'my-plugin'),
'public' => true,
'hierarchical' => true,
'show_in_rest' => true,
]);

Metadata and Options

// Third argument `true` returns a single value instead of an array of values.
// A leading underscore marks the key as protected meta (hidden from the Custom Fields UI).
$value = get_post_meta($post_id, '_key', true);
// Writes whatever it is given: sanitize the value and check the user's capability
// for this post in the calling code before saving request data.
update_post_meta($post_id, '_key', $value);
// Second argument is the default returned when the option does not exist.
$settings = get_option('myplugin_settings', []);
// Third argument `false` keeps the option out of the autoloaded set.
update_option('myplugin_settings', $settings, false);

Register Meta and Settings

// Registers '_isbn' for the 'book' post type and exposes it in REST responses.
// NOTE(review): no 'auth_callback' is given. For underscore-prefixed (protected)
// keys WordPress denies edits by default, so add an explicit 'auth_callback' that
// checks a capability if this field should be writable — confirm against core docs.
// NOTE(review): post meta is only exposed over REST when the post type supports
// 'custom-fields'; the 'book' registration on this page does not list it.
register_post_meta('book', '_isbn', [
'type' => 'string',
'single' => true,
'show_in_rest' => true,
'sanitize_callback' => 'sanitize_text_field',
]);
// Settings API registration; every saved value passes through the sanitize callback.
// 'myplugin_sanitize_options' is not defined on this page — it must validate each
// expected key and discard everything else.
register_setting('myplugin', 'myplugin_options', [
'sanitize_callback' => 'myplugin_sanitize_options',
'default' => [],
]);

Shortcode

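add_shortcode('latest_books', 'myplugin_latest_books_shortcode');

/**
 * Renders the [latest_books] shortcode.
 *
 * @param array|string $atts Attributes parsed from the shortcode tag. WordPress
 *                           passes an empty string when the tag is used without
 *                           attributes, so the parameter is deliberately not
 *                           declared as `array` (that would raise a TypeError).
 * @return string Markup for the shortcode; callbacks return output, they do not echo.
 */
function myplugin_latest_books_shortcode($atts): string {
    // Attributes are written by content authors: merge them over the defaults so
    // only the known 'limit' key survives.
    $atts = shortcode_atts(['limit' => 5], (array) $atts, 'latest_books');

    // absint() forces a non-negative integer; esc_html() escapes at the point of output.
    return '<div>' . esc_html(absint($atts['limit'])) . '</div>';
}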

Security APIs

// Capability checks return a bool; the result has to gate the action
// (the return value is unused in this listing).
current_user_can('manage_options');
// Object-level check: may the current user edit this particular post?
current_user_can('edit_post', $post_id);
// In the form: prints a hidden nonce field named 'myplugin_nonce' for the 'myplugin_save' action.
wp_nonce_field('myplugin_save', 'myplugin_nonce');
// In the handler: verifies that nonce and ends the request when it is missing or invalid.
// A nonce only protects against CSRF; it does not replace the capability check.
check_admin_referer('myplugin_save', 'myplugin_nonce');
// Input: wp_unslash() removes the slashes WordPress adds to request data, then sanitize.
$title = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));
// Output: escape for the HTML context when echoing, even though the value was sanitized on input.
echo esc_html($title);

AJAX and REST

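// wp_ajax_{action} fires only for logged-in users; there is no wp_ajax_nopriv_ hook here.
add_action('wp_ajax_myplugin_action', 'myplugin_ajax_action');

/**
 * Handles the `myplugin_action` admin-ajax request.
 *
 * Sends a JSON response and ends the request; it never returns normally.
 */
function myplugin_ajax_action(): void {
    // CSRF check: ends the request when the 'nonce' request field is missing or invalid.
    check_ajax_referer('myplugin_ajax', 'nonce');

    // Authorization: a valid nonce only proves the request came from our own page.
    // Any logged-in user can reach this hook, so require a capability as well.
    // 'manage_options' is a placeholder — use the narrowest capability that fits the action.
    if (! current_user_can('manage_options')) {
        wp_send_json_error(['message' => __('Forbidden.', 'my-plugin')], 403);
    }

    wp_send_json_success(['message' => __('Saved.', 'my-plugin')]);
}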
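// Routes are registered from rest_api_init; calling register_rest_route() earlier
// triggers a "doing it wrong" notice in WordPress.
add_action('rest_api_init', static function (): void {
    register_rest_route('myplugin/v1', '/items', [
        'methods' => 'GET',
        'callback' => 'myplugin_rest_items',
        // '__return_true' makes this route public to unauthenticated clients.
        // Keep it only if everything the callback returns is public data;
        // otherwise replace it with a callback that checks current_user_can().
        'permission_callback' => '__return_true',
    ]);
});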

wpdb and HTTP API

global $wpdb;

// Values go through prepare() placeholders (%d integer, %s string) and are never
// concatenated into the SQL string. The table name comes from $wpdb itself, not
// from input, which is why interpolating {$wpdb->postmeta} is acceptable.
// get_var() returns a single value from the result.
$value = $wpdb->get_var(
$wpdb->prepare(
"SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
$post_id,
'_key'
)
);
// Outbound GET with a 5-second timeout. The result can be a WP_Error: check
// is_wp_error() and the response code before using the body, treat the body as
// untrusted input, and cache it rather than calling on every page render.
$response = wp_remote_get('https://api.example.com/items', ['timeout' => 5]);

Cron, Media, i18n

// Schedule the daily event only when it is not already queued, so repeated
// requests do not stack duplicate events.
if (! wp_next_scheduled('myplugin_daily_job')) {
wp_schedule_event(time(), 'daily', 'myplugin_daily_job');
}

// The scheduled event fires this action; 'myplugin_run_daily_job' is not defined on this page.
add_action('myplugin_daily_job', 'myplugin_run_daily_job');
// Prints the <img> markup WordPress builds for the attachment at the 'large' size.
echo wp_get_attachment_image($image_id, 'large');
// Registers a 640x420 image size named 'card'; the final `true` hard-crops to those dimensions.
add_image_size('card', 640, 420, true);
// Translates, escapes for HTML, and echoes in one call.
esc_html_e('Read more', 'my-plugin');

Users, Multisite, WooCommerce

// For a visitor who is not logged in, the user object has ID 0 and
// get_current_user_id() returns 0 — check before treating the user as authenticated.
$user = wp_get_current_user();
$user_id = get_current_user_id();
// Third argument `true` returns a single value instead of an array.
$value = get_user_meta($user_id, 'myplugin_key', true);
// Network-wide option on multisite.
$network_value = get_site_option('myplugin_network_setting');

// Always pair the two calls: code that runs after switch_to_blog() without
// restore_current_blog() keeps reading and writing the other site's data.
switch_to_blog($blog_id);
restore_current_blog();
// Only touch WooCommerce functions when the plugin is active.
if (class_exists('WooCommerce')) {
// Both lookups can fail to return an object for an unknown ID — check the result.
// If $order_id comes from the request, also verify the current user may view that order.
$order = wc_get_order($order_id);
$product = wc_get_product($product_id);
}

Production WordPress Checklist

  • No direct core edits.
  • No raw request output: escape request data for its context (e.g. esc_html()) before echoing it.
  • No variables interpolated into raw SQL; pass them through $wpdb->prepare().
  • No state-changing action without capability and nonce/auth checks.
  • No public REST route exposing private data.
  • No heavy remote call during page render without caching.
  • No rewrite flush on every request.
  • No missing wp_reset_postdata() after custom loops.
  • No missing restore_current_blog() after multisite switching.
  • No debug display on production.