PHP Syntax, Variables, and Control Flow

Learning Focus

WordPress executes PHP on the server before sending HTML to the browser. PHP decides what content, markup, scripts, and database results are included in the response.

PHP Blocks

PHP code is written between <?php and ?> tags. In pure PHP files, omit the closing tag to avoid accidental whitespace output.

<?php
$site_name = get_bloginfo('name');

In template files, PHP is often mixed with HTML.

<h1><?php echo esc_html(get_the_title()); ?></h1>

Variables

PHP variables start with $.

$post_id = get_the_ID();
$is_featured = true;
$limit = 10;
$title = 'Latest Articles';

Use descriptive names. Prefer $post_id over $id when the value identifies a WordPress post.

Strings

Single quotes are common for simple strings. Double quotes interpolate variables.

$status = 'publish';
$message = "Post {$post_id} is ready.";

For translated WordPress text, wrap user-facing strings in translation functions.

esc_html_e('Read more', 'my-plugin');

Conditionals

Use if, elseif, and else to control behavior.

if (is_user_logged_in()) {
    echo esc_html__('Welcome back.', 'my-plugin');
} else {
    echo esc_html__('Please sign in.', 'my-plugin');
}

Common WordPress conditionals include:

Function	Meaning
`is_front_page()`	Current request is the front page
`is_single()`	Current request is a single post
`is_page()`	Current request is a page
`is_admin()`	Current request is in the admin area
`is_user_logged_in()`	Visitor has an authenticated session

Loops

Use loops when rendering repeated values.

$links = ['About', 'Contact', 'Blog'];

foreach ($links as $label) {
    echo '<li>' . esc_html($label) . '</li>';
}

The most important WordPress loop is the post loop.

if (have_posts()) {
    while (have_posts()) {
        the_post();
        the_title('<h2>', '</h2>');
    }
}

Truthy and Falsy Values

PHP treats false, 0, '0', '', [], and null as falsy. Be explicit when it matters.

$value = get_option('my_plugin_limit');

if ($value === false) {
    $value = 10;
}

Use strict comparison (===) when checking specific return values from WordPress APIs.

Common Pitfalls

Closing ?> in plugin files and causing header or feed output problems
Echoing raw variables into HTML without escaping
Using loose comparison when WordPress can return 0, false, or an empty string
Placing business logic directly inside large template files

What's Next

Next: Arrays, Functions, and WordPress Naming

Deep WordPress Application

This lesson is most useful when applied to real WordPress code rather than isolated PHP examples. PHP Syntax, Variables, and Control Flow affects how a site behaves under plugins, themes, editors, logged-in users, guests, cached pages, REST requests, and production traffic.

PHP fundamentals become useful in WordPress when they are tied to template rendering, hook callbacks, request data, and option values.

A practical implementation should answer four questions before code is written:

Which WordPress request context will run this code?
Which API or hook owns the behavior?
Which data is trusted, and which data must be normalized?
What should happen when the expected data, permission, or dependency is missing?

WordPress API Anchor

For this topic, a common API or integration point is get_option(). The exact function may vary by feature, but the design principle is stable: use WordPress APIs before inventing custom plumbing.

A common hook or lifecycle point for this topic is init. Confirm the hook runs in the request type you care about before attaching expensive or state-changing logic.

Focused Code Pattern

function myplugin_normalize_limit($raw_limit): int {
    $limit = absint($raw_limit);

    if ($limit < 1) {
        return 10;
    }

    return min($limit, 50);
}

This pattern should still be adapted to the exact feature. Add capability checks for private data, nonces for browser-submitted state changes, and output escaping when rendering values.

Data Flow Walkthrough

Stage	What To Decide	WordPress Example
Source	Where the value comes from	Request data, option, post meta, user meta, REST parameter, remote API
Trust	Whether the value can be used directly	Treat external, request, and old saved values as untrusted
Normalize	How PHP converts the value into a safe shape	`absint()`, `sanitize_text_field()`, `sanitize_key()`, custom allow-list
Authorize	Who can read or change it	`current_user_can()` with a specific capability
Persist	Where the value belongs	Option, post meta, user meta, taxonomy term, custom table
Render	How the value leaves PHP	`esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`

Applied Practice

Create a small helper function, call it from a hook callback, and confirm that bad input falls back to a safe default.

When practicing, do not stop when the happy path works. WordPress code becomes reliable when the failure paths are equally deliberate.

Expanded Decision Guide

Decision	Prefer This	Avoid This
Where code lives	A plugin for durable behavior, a theme for presentation	Editing WordPress core or vendor plugin files
How data enters	A named request handler with validation	Reading superglobals deep inside templates
How data is stored	WordPress APIs with clear keys and types	Unstructured arrays with undocumented meanings
How output is printed	Escape at the final output context	Trusting saved data because it came from the database
How failures behave	Return early, log safely, show useful messages	Fatal errors, blank pages, or exposed stack details
How changes ship	Small reviewed changes with rollback notes	Large untested edits directly on production

Implementation Checklist

Use this checklist when applying the lesson in a real WordPress codebase.

Identify whether the code belongs in a plugin, child theme, block, mu-plugin, or deployment script.
Name functions, classes, options, actions, filters, and CSS hooks with a project-specific prefix.
Confirm which hook should run the code and whether that hook fires in admin, front end, AJAX, REST, cron, or CLI contexts.
Validate every value that comes from a request, database option, custom field, remote API, cookie, or file.
Sanitize before storing data and escape at the exact output boundary.
Check the narrowest useful capability before reading private data or changing state.
Add nonces or signed requests for state-changing browser actions.
Keep database queries narrow by requesting only the fields and post types needed.
Reset global WordPress state after custom queries, site switching, or temporary filters.
Add a short manual test note for the main success path and at least one failure path.

Extended Example Pattern

The following pattern is intentionally small. It demonstrates how to keep request handling, normalization, and output separate enough to review.

add_action('admin_post_myplugin_example_action', 'myplugin_handle_example_action');

function myplugin_handle_example_action(): void {
    if (! current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do that.', 'my-plugin'));
    }

    check_admin_referer('myplugin_example_action', 'myplugin_nonce');

    $label = isset($_POST['label'])
        ? sanitize_text_field(wp_unslash($_POST['label']))
        : '';

    if ('' === $label) {
        wp_safe_redirect(add_query_arg('status', 'missing-label', wp_get_referer() ?: admin_url()));
        exit;
    }

    update_option('myplugin_example_label', $label, false);

    wp_safe_redirect(add_query_arg('status', 'saved', wp_get_referer() ?: admin_url()));
    exit;
}

Troubleshooting Matrix

Symptom	Likely Cause	First Check
Callback never runs	Wrong hook name, priority, or load context	Confirm the hook fires in this request type
Data saves incorrectly	Missing unslash, sanitization, or type normalization	Log sanitized values in development only
Output looks broken	Escaped for the wrong context or escaped too early	Check whether the output is text, HTML, URL, or attribute
Permission bug	Role check is too broad or capability is missing an object ID	Use `current_user_can()` with the specific operation
Slow page	Query, HTTP request, or loop work runs on every request	Profile with Query Monitor and add caching or batching
Works locally only	PHP version, plugin dependency, rewrite rule, or environment setting differs	Compare environment versions and enabled plugins

Practice Exercise

Recreate the smallest practical example from this lesson in a local WordPress site.
Add one valid input and one invalid input.
Confirm the invalid input fails safely without changing stored data.
Confirm the valid input is sanitized before storage.
Render the stored value in at least two contexts, such as text and attribute output.
Add a capability check and verify a lower-privilege user cannot perform the action.
Temporarily enable debug logging and confirm no PHP warnings appear.
Remove temporary logs before treating the example as complete.

Review Questions

What WordPress hook or API makes this lesson reliable in the right request context?
Which values in the example are untrusted at the moment they enter PHP?
Where should validation happen, and where should output escaping happen?
What user capability is required for the action, and why is that the narrowest useful choice?
What is the expected behavior when the required data is missing or malformed?
What would need to change before this code runs safely on a large production site?

Production Notes

Production WordPress PHP should be easy to audit under pressure. Keep the control flow direct, keep side effects visible, and prefer small functions that name the business rule they enforce. If a future maintainer cannot identify the request source, permission check, data normalization, and output boundary in a few minutes, the code is too implicit.

PHP Blocks​

Variables​

Strings​

Conditionals​

Loops​

Truthy and Falsy Values​

Common Pitfalls​

What's Next​

Deep WordPress Application​

WordPress API Anchor​

Focused Code Pattern​

Data Flow Walkthrough​

Applied Practice​

Expanded Decision Guide​

Implementation Checklist​

Extended Example Pattern​

Troubleshooting Matrix​

Practice Exercise​

Review Questions​

Production Notes​