How To Create A WordPress Plugin

If you've been using WordPress for a while, you have probably found yourself dropping custom snippets into your theme's functions.php every now and then. I would strongly recommend saving those scripts in a site-specific plugin instead: code in functions.php disappears when the theme is updated or switched, while a plugin survives both. You might want to read the advantages of saving scripts in a site-specific plugin compared to functions.php.

In this article, I will show you how to create a WordPress plugin. I will also cover basic security practices and other information related to plugin development. This article is part of our series of useful WordPress tips.

What Is A WordPress Plugin?

A WordPress plugin is a PHP script (or a set of PHP files) that WordPress loads on every request and that lets you alter, customize, enhance or add new features to your website without editing WordPress core or your theme.

What Should You Know Before Creating A Plugin?


Before you create a WordPress plugin, the most important thing to keep in mind is security, especially if you plan to distribute your plugin to the public. You definitely don't want to mess with other people's websites and leave them vulnerable to SQL injection, XSS (cross-site scripting), CSRF or similar attacks.

Below are five basic security practices you should implement in your plugin.

  1. Always prevent direct access to your PHP files.
  2. Conduct capability checks with current_user_can() before any privileged action, so the website owner always controls what each logged-in role can and cannot do. Check out the current_user_can() function in the WordPress Codex. Note that being logged in is not the same as being allowed: a subscriber is authenticated too.
  3. Never build SQL queries by concatenating input. Use $wpdb->prepare() with %s and %d placeholders (or the $wpdb->insert() / $wpdb->update() helpers, which prepare for you) to protect against SQL injection. Escaping alone is not a substitute for prepared statements.
  4. Validate and sanitize input on the way in (sanitize_text_field(), absint(), sanitize_email() and friends) and escape output on the way out (esc_html(), esc_attr(), esc_url()). XSS is stopped at output time, by escaping for the context the value lands in. You might want to read Validating, Sanitizing and Escaping User Data and the Validation and Sanitization functions in the WordPress Codex.
  5. Make sure every form submission or action link carries a nonce and verify it with wp_verify_nonce() or check_admin_referer() to prevent cross-site request forgery (CSRF). A nonce proves the request came from a page WordPress generated for that user; it does not prove the user is authorized, so pair it with the capability check in item 2.
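As an added example (not code from the original article), here is one admin settings form that applies all five practices together. The option names, the nonce action 'jebat_demo_save' and the custom table '{$wpdb->prefix}jebat_demo_log' are assumptions for illustration, and the table is assumed to have been created on activation.

```php
<?php
/**
 * Added example (not the article's original code): an admin form handler that
 * applies the five basic security practices. Assumed names: option
 * 'jebat_demo_greeting', option 'jebat_demo_limit', nonce action
 * 'jebat_demo_save' and table '{$wpdb->prefix}jebat_demo_log'.
 */
defined( 'ABSPATH' ) || exit; // 1. no direct access

add_action( 'admin_menu', function () {
    add_options_page( 'Jebat Demo', 'Jebat Demo', 'manage_options', 'jebat-demo', 'jebat_demo_settings_page' );
} );

function jebat_demo_settings_page() {
    // 2. Capability check: logged in is not enough, the user must be allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'jebat-demo' ) );
    }

    if ( isset( $_POST['jebat_demo_greeting'] ) ) {
        // 5. CSRF: check_admin_referer() verifies the nonce and dies if it is missing or wrong.
        check_admin_referer( 'jebat_demo_save', 'jebat_demo_nonce' );

        // 4. Sanitize input before it is stored; wp_unslash() undoes WordPress' magic quotes.
        $greeting = sanitize_text_field( wp_unslash( $_POST['jebat_demo_greeting'] ) );
        $limit    = absint( $_POST['jebat_demo_limit'] ?? 10 );
        update_option( 'jebat_demo_greeting', $greeting );
        update_option( 'jebat_demo_limit', $limit );

        // 3. SQL: placeholders through $wpdb->prepare(), never string concatenation.
        //    The table prefix comes from wp-config.php, not from the request.
        global $wpdb;
        $table = $wpdb->prefix . 'jebat_demo_log';
        $wpdb->query( $wpdb->prepare(
            "INSERT INTO {$table} (user_id, message) VALUES (%d, %s)",
            get_current_user_id(),
            'greeting updated'
        ) );
    }

    $greeting = get_option( 'jebat_demo_greeting', '' );
    $limit    = (int) get_option( 'jebat_demo_limit', 10 );
    ?>
    <div class="wrap">
        <h1>Jebat Demo</h1>
        <form method="post">
            <?php wp_nonce_field( 'jebat_demo_save', 'jebat_demo_nonce' ); ?>
            <label for="jebat_demo_greeting">Greeting</label>
            <!-- 4. Escape on output, for the context the value lands in (attribute vs. HTML body). -->
            <input type="text" id="jebat_demo_greeting" name="jebat_demo_greeting"
                   value="<?php echo esc_attr( $greeting ); ?>">
            <input type="number" name="jebat_demo_limit" value="<?php echo esc_attr( $limit ); ?>">
            <?php submit_button(); ?>
        </form>
        <p>Current greeting: <?php echo esc_html( $greeting ); ?></p>
    </div>
    <?php
}
```

Drop this into a plugin file and the form appears under Settings » Jebat Demo. Remove the nonce field and the save still works for the owner, but so does a forged POST from another site; remove the capability check and any logged-in subscriber can reach the page. Each line maps to one item of the list above, which is why they are numbered in the comments.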


When you play around with code, there is a good chance it will contain errors, and errors can break your site. Some of them are not visible on the front end, so you have to make sure your code is truly error-free. Luckily, WordPress lets you surface them by adding the PHP constant WP_DEBUG to your wp-config.php. Do this on a development copy, or at least log to a file rather than displaying errors on a live site, because displayed errors reveal file paths and code details to visitors. You might want to take a look at Debugging in WordPress for more info.
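As an added example (not from the original article), the wp-config.php settings that turn debugging on while keeping errors out of the rendered pages. The wp-content/debug.log path is where WordPress writes when WP_DEBUG_LOG is true.

```php
<?php
// Added example, not the article's original code: debugging constants for wp-config.php.
// Place them above the line that reads "/* That's all, stop editing! Happy publishing. */".

// Weak setting: errors are printed straight into the page for every visitor,
// exposing absolute file paths, function names and sometimes query text.
// define( 'WP_DEBUG', true );

// Corrected setting: report everything, but to a log file only.
define( 'WP_DEBUG', true );          // enable WordPress debug mode
define( 'WP_DEBUG_LOG', true );      // write notices to wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); // never render them into pages
@ini_set( 'display_errors', 0 );     // also silence PHP's own display setting

// On production leave WP_DEBUG false and make sure wp-content/debug.log is not
// web-readable (delete it or deny access to it in the web server config).
```

Reload the page that misbehaves, then read wp-content/debug.log; deprecated-function notices and undefined-variable warnings from your plugin show up there with file and line numbers.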

Create A WordPress Plugin From Scratch

Create A Plugin Folder

All the steps below are done over an FTP connection. Prefer SFTP or FTPS if your host offers it, since plain FTP sends your password and files in clear text. You may want to read how to upload files and folders using an FTP client.

Believe it or not, to create a WordPress plugin all you need is one folder and one PHP file, placed in the plugins directory of your WordPress installation. Easy, right? Please keep in mind that your plugin name and folder name must be unique and must not conflict with existing plugins, including ones on WordPress.org that the site might install later.

First, connect with your FTP client and navigate to the wp-content/plugins folder. Then create a new folder with a unique name. For the sake of this tutorial, I will name the plugin 'Jebat Demo' and the folder 'jebat-demo'. Please refer to the image below.

(Image: Create a plugin folder.)

Insert Code Into PHP File

Next, create a new file in a plain-text editor and add the plugin header, a PHP comment block at the top of the file that WordPress reads to recognise the plugin. You can use any text editor you like, such as Notepad, Notepad++ or Sublime Text, but not a word processor like Microsoft Word, which adds formatting that breaks the file.

Let's break the header fields into smaller parts:-

  1. Plugin Name: Name of your plugin. Must be unique to avoid conflicts with other existing plugins. This is the only field WordPress requires.
  2. Plugin URI: Link to your plugin's official website.
  3. Description: A short description of your plugin, shown in the Plugins list.
  4. Version: Current version of your plugin.
  5. Author: Name of the plugin creator. Can be an individual, group or company name.
  6. Author URI: Link to the plugin author's website. Can be the same as or different from the Plugin URI above.
  7. License: License of your plugin. Plugins distributed through WordPress.org must use a GPL-compatible license.
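As an added example (the article's own header block is not reproduced on this page), a complete jebat-demo.php using the tutorial's plugin name. The URLs and author name are placeholders to replace with your own.

```php
<?php
/**
 * Added example, not the article's original file. Every value except
 * "Jebat Demo" is an assumed placeholder.
 *
 * Plugin Name: Jebat Demo
 * Plugin URI:  https://example.com/jebat-demo
 * Description: Site-specific plugin holding scripts that would otherwise live in functions.php.
 * Version:     1.0.0
 * Author:      Jebat
 * Author URI:  https://example.com
 * License:     GPL-2.0-or-later
 */
```

WordPress parses only the first 8 KiB of the file for these headers, so the comment must be at the very top. Nothing else is needed for the plugin to appear in the Plugins list.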

Don't forget to make your own adjustments to the header. Once you finish, save the file with a .php extension, using the same name as your plugin folder; in my case, 'jebat-demo.php'. After that, upload this file into your plugin folder. Please see the image below.

(Image: Create a PHP file.)

Activating Your Plugin

Once you finish uploading the file, log in to your WordPress backend and navigate to Plugins » Installed Plugins. You will see your site-specific plugin listed there. Finally, click Activate to enable it. Please refer to the image below to see where each header field ends up in the Plugins list, and note that the License field (7) is not shown there.

(Image: Activating your site-specific plugin.)

Congratulations! You have now successfully created your first WordPress plugin. It has no functionality yet, because no functions have been added.

But before you start celebrating, and before you add any functions, there is something amiss. Can you guess what it is? Let's continue reading.

Prevent Direct Access

Do you remember the five basic security practices I mentioned earlier? Many tutorials on the internet leave the first one out, but I want to remind you how important it is.

Before you add any functions, prevent direct access to your PHP files. It is the first of the five security practices mentioned above. You can easily do this by adding defined('ABSPATH') or die(); as the first line of PHP code, before anything else.

ABSPATH is a constant that WordPress defines while it bootstraps, so it exists whenever WordPress loads your file through its plugin loader and is undefined when someone requests the file directly by URL (wp-content/plugins/jebat-demo/jebat-demo.php). In that case the check stops the script, so the file neither executes outside WordPress nor spits out fatal errors that reveal server paths. Put this guard at the top of every PHP file in the plugin, not only the main one. Please refer to the code below.
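As an added example (not the article's original code), the main file with the guard in place, followed by a first filter so you can see where plugin code goes relative to it. The filter and its CSS class name are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Jebat Demo
 */

// Added example, not the article's original file.
// The guard comes before any other PHP. Requested directly over HTTP, WordPress
// has not loaded, ABSPATH is undefined, and the script exits with an empty body
// instead of running (or failing with a fatal error that prints the server path).
defined( 'ABSPATH' ) || exit;

// Equivalent, more explicit form used by many plugins:
// if ( ! defined( 'ABSPATH' ) ) { exit; }
// die() and exit are the same construct in PHP, so the article's
// "defined('ABSPATH') or die();" behaves identically.

// Everything below only runs when WordPress itself included this file.
add_filter( 'the_content', 'jebat_demo_append_notice' );

function jebat_demo_append_notice( $content ) {
    // Only touch the main post body, not excerpts, widgets or admin screens.
    if ( is_singular( 'post' ) && in_the_loop() && is_main_query() ) {
        $content .= '<p class="jebat-demo-notice">'
            . esc_html__( 'Thanks for reading.', 'jebat-demo' )
            . '</p>';
    }
    return $content;
}
```

To check the guard, fetch the file's URL in a browser or with curl after uploading: the response body should be empty. Without the guard you would typically see a PHP fatal error naming add_filter() as undefined, together with the absolute path of the file.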

Creating Sub-directories Or Multiple PHP Files Within Plugin Folder

Sometimes you may want to split your plugin into several parts, perhaps to keep it neat, to group code by purpose in separate PHP files, or for other reasons of your own. Here I will show you how to create sub-directories and multiple PHP files for your plugin and link them all together.

Assume you want to separate your plugin into three folders, for example php, images and styles, and to divide your code into specific PHP files, say shortcodes.php and functions.php.

First, create three new folders named php, images and styles. Next, open the php folder and create two new PHP files named shortcodes.php and functions.php. When you are done, your directory tree should look like the one below.

(Image: Structure of your plugin folder.)

Next, change the code in your main PHP file so that it loads the other files. Build the paths from the main file's own location with plugin_dir_path() and plugin_dir_url() rather than hard-coding them, and give every included PHP file its own ABSPATH guard. Please refer to the code below.
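As an added example (not the article's original code), the three files shown together in one listing; each "=====" comment marks where a new file starts. The shortcode name, the stylesheet styles/jebat-demo.css and the image images/logo.png are assumed for illustration.

```php
<?php
// ===== jebat-demo/jebat-demo.php (main file) =====
// Added example, not the article's original code.
/**
 * Plugin Name: Jebat Demo
 */
defined( 'ABSPATH' ) || exit;

// Derive paths and URLs from this file's location; both helpers return a trailing slash.
define( 'JEBAT_DEMO_PATH', plugin_dir_path( __FILE__ ) ); // /var/www/.../wp-content/plugins/jebat-demo/
define( 'JEBAT_DEMO_URL',  plugin_dir_url( __FILE__ ) );  // https://site/wp-content/plugins/jebat-demo/

require_once JEBAT_DEMO_PATH . 'php/functions.php';
require_once JEBAT_DEMO_PATH . 'php/shortcodes.php';

<?php
// ===== jebat-demo/php/functions.php =====
defined( 'ABSPATH' ) || exit; // every PHP file gets its own guard

add_action( 'wp_enqueue_scripts', 'jebat_demo_enqueue_assets' );
function jebat_demo_enqueue_assets() {
    // Load the stylesheet from the styles/ folder through WordPress' queue,
    // so it is only output once and can be dequeued by other code.
    wp_enqueue_style(
        'jebat-demo',
        JEBAT_DEMO_URL . 'styles/jebat-demo.css',
        array(),
        '1.0.0'
    );
}

<?php
// ===== jebat-demo/php/shortcodes.php =====
defined( 'ABSPATH' ) || exit;

add_shortcode( 'jebat_logo', 'jebat_demo_logo_shortcode' );
function jebat_demo_logo_shortcode( $atts ) {
    // shortcode_atts() fills in defaults and drops attributes we did not declare.
    $atts  = shortcode_atts( array( 'width' => 200 ), $atts, 'jebat_logo' );
    $width = absint( $atts['width'] );   // sanitize: a shortcode attribute is user input
    return sprintf(
        '<img class="jebat-demo-logo" src="%s" width="%d" alt="%s">',
        esc_url( JEBAT_DEMO_URL . 'images/logo.png' ),  // escape on output
        $width,
        esc_attr__( 'Jebat Demo logo', 'jebat-demo' )
    );
}
```

With the files in place, [jebat_logo width="120"] in a post renders the image from the plugin's images folder. Note that the shortcode attribute is sanitized with absint() and the URL escaped with esc_url(): anyone who can edit a post can supply attribute values, so practices 4 applies to shortcodes as much as to forms.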

Maintenance And Cleaning

I often find plugins leaving unnecessary data behind after they are uninstalled: options, transients, custom tables, scheduled events. This leftover is dead weight on the website. Options saved with autoload enabled, for instance, are read from the database on every single request whether or not the plugin still exists, so the site slowly accumulates cost for code that is no longer there. I personally believe this should not happen.

A wise man said, with great power comes great responsibility. As plugin authors, it is our responsibility not only to make our plugin secure and safe to use, but also to make sure it leaves nothing behind after uninstallation unless the user has explicitly opted to keep the data.

For this matter, it can be easily handled by these 3 WordPress hooks:-

  1. register_activation_hook() - Runs a function when your plugin is activated. Plugin developers use it to create database tables, add default options, or flag that a welcome page should be shown. One caveat: the callback must not output anything or send a redirect, because activation is still in progress at that point; set a transient instead and act on it on the next admin_init.
  2. register_deactivation_hook() - Runs a function when the user deactivates your plugin. Deactivation is reversible, so this is the place to stop scheduled events and clear transients, not to delete the user's data. Developers also use it to show a feedback/suggestion form or a thank-you note.
  3. register_uninstall_hook() - The name says it all: it runs a function when your plugin is deleted from the Plugins screen, which makes it the right place to remove every option, table and file the plugin created. Some plugins offer a setting to retain data on uninstall, so that a later reinstall does not force the user to reconfigure everything. The hook has two drawbacks: the callback must be a plain function or a static class method (a closure cannot be stored), and your main plugin file is loaded again just to run it. WordPress' preferred alternative is an uninstall.php file in the plugin folder, which runs instead of the hook whenever it exists; it must start by checking that the WP_UNINSTALL_PLUGIN constant is defined so that it cannot be triggered directly.
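As an added example (not the article's original code), the activation and deactivation callbacks for the main file, followed by an uninstall.php that honours a "keep my data" setting. The table, option and scheduled-event names are assumptions; the table matches the one used in the earlier settings-form example.

```php
<?php
// ===== jebat-demo/jebat-demo.php (added to the main file) =====
// Added example, not the article's original code.
defined( 'ABSPATH' ) || exit;

register_activation_hook( __FILE__, 'jebat_demo_activate' );
function jebat_demo_activate() {
    global $wpdb;
    // dbDelta() creates or upgrades the table and is safe to run repeatedly.
    // Its parser is picky: two spaces before "(id)" and one field per line.
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table   = $wpdb->prefix . 'jebat_demo_log';
    $charset = $wpdb->get_charset_collate();
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL,
        message varchar(255) NOT NULL,
        PRIMARY KEY  (id)
    ) {$charset};" );

    // Defaults; 'keep_data' is the user's opt-in to survive uninstall.
    add_option( 'jebat_demo_settings', array( 'keep_data' => false ) );
    add_option( 'jebat_demo_db_version', '1' );

    // No echo or wp_redirect() here: leave a flag and act on it on admin_init.
    set_transient( 'jebat_demo_activated', 1, 60 );
}

register_deactivation_hook( __FILE__, 'jebat_demo_deactivate' );
function jebat_demo_deactivate() {
    // Reversible: stop background work, keep the data.
    wp_clear_scheduled_hook( 'jebat_demo_daily_event' );
    delete_transient( 'jebat_demo_activated' );
}

<?php
// ===== jebat-demo/uninstall.php (used instead of register_uninstall_hook) =====
// WordPress includes this file when the user clicks Delete on the Plugins screen.
// The constant is only defined during that process, so a direct request stops here.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

$settings = get_option( 'jebat_demo_settings', array() );
if ( empty( $settings['keep_data'] ) ) {
    global $wpdb;
    // Table name is built from the trusted prefix, not from any input.
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}jebat_demo_log" );
    delete_option( 'jebat_demo_settings' );
    delete_option( 'jebat_demo_db_version' );
    delete_option( 'jebat_demo_greeting' );
    delete_option( 'jebat_demo_limit' );
    delete_transient( 'jebat_demo_activated' );
}
```

After deleting the plugin, a quick check in the database (SELECT option_name FROM wp_options WHERE option_name LIKE 'jebat_demo%') should return nothing unless keep_data was set. On a multisite install, options and tables exist per site, so a network-wide plugin has to loop over the sites with switch_to_blog() to clean each one; the example above only handles a single site.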


I hope this article has given you a basic understanding of how to create a WordPress plugin, the five basic security practices and why they matter, and the related housekeeping. I'm sure by now you have successfully created your plugin. Please share it with us in the comments section; I'm looking forward to it.
