December 01, 2016

ShortcodeWordPress shortcodes, which are part of WordPress Core and many plugins, can be a source of confusion for new WordPress users.

Shortcodes look like this:


Let’s take a look at the problems shortcodes solve and how they’re used.

The average WordPress page is a mixture of text and images entered into the content management system’s editor. But many also offer extra functionality like forms, media embeds, maps, and other dynamic content. Shortcodes allow WordPress users to add new dynamic content to posts and pages safely without requiring them to know how to code.

Under the hood, WordPress is written in a programming language called PHP. When a WordPress page is requested by a web browser, WordPress executes a series of PHP scripts which build a web page in the languages that web browsers understand — HTML, JavaScript, and CSS.

This is what gives WordPress its power: because the pages are built when they are loaded, the content can be dynamically changed for every page-load depending on a multitude of factors, such as when the page is loaded or which user is logged-in.

Adding HTML to a page is simple — you type it into the editor. So, if a WordPress site owner wants to add dynamic content that relies on PHP to their pages, the obvious solution is to insert some PHP code into the page itself. If they don’t need PHP, they might choose to embed some JavaScript instead.

But, as you probably already know, giving users the ability to add PHP or JavaScript code to a WordPress page is a very bad idea.

Firstly, it creates a massive security vulnerability; this is how cross-site scripting attacks are born. Secondly, there’s every chance that arbitrary code will stop the page, or the whole site, from working properly. And thirdly, most WordPress users can’t code, so there needs to be an easier way for them to add dynamic content.

Allowing users to add new features to WordPress pages is essential, but allowing them to add their own code is irresponsible. Shortcodes are the solution to this dilemma. A shortcode is essentially a macro: a snippet of text that is expanded into a larger code snippet.

Let’s say you wanted to embed a video using the default video shortcode.

[video src=""]

Shortcodes start and end with square brackets. The first bracket is followed by the name of the shortcode, which is followed by a series of attributes of the form attribute=”string”.

When WordPress builds the page, it comes across the shortcode and expands it into the code that, when executed, outputs the necessary HTML, CSS, and JavaScript for creating a video embed.

Adding new shortcodes to WordPress isn’t all that difficult if you have some knowledge of PHP. Each shortcode is defined in the site’s PHP code using the Shortcode API. Theme and plugin developers use this API to add functionality so that users can inject dynamic content within pages.


Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.