Code Quality: the key to agility in software development

One of my pet projects at the school of public health has been to try to bring my team to use enterprise grade development techniques and processes. It was made a lot easier by our move to AWS, giving us a good excuse to start using code versioning and continuous integration and Harvard’s IT Academy  which was promoting and training us at using AGILE software development. It was a fantastic opportunity and a great experience. We started from scratch and worked it all out as a team. I will not cover the entire process as this would take several posts, I will rather focus on one specific topic that I researched a lot and I think is a too often overlooked while being critical: Code Quality.

What follows is a curated list of articles and blog posts about Code Quality that, I hope, will help you understand how critical it is for any team that wants to become truly AGILE.

Why Code Quality matters?

How to improve your Code Quality?

Bellow are 3 types of improvements you can implement that will greatly improve your code quality. I listed them by difficulty of implementation ( both technical and human).

Style-guides and coding standards

TL/DR: Take some time to find a style-guide/coding standard that you like, follow it to the letter, enforce it using a linter/sniffer tool.  Your entire code-base should look like a single developer wrote it.

I’ve read a lot of arguments in favor and against coding standards. I’m all in favor. Having your entire team follow the same syntax is the first step to code that is easy to understand, review, modify and optimize.

Some examples of Coding standards:

Code/peer reviews

TL/DR: Evidences are overwhelmingly in favor of code reviews, so please make them an essential part of your workflow.

Peer reviews have so many benefits that I wont list all them there. However I will point out that to be efficient and not a waste a time, everyone needs to take code reviews seriously.

Architecture, design patterns and general methodologies

TL/DR: This is going to be harder to implement, but is the final required step to create truly enterprise-grade software.

That’s where, IMO, it gets a little more complicated. Because  the cost vs benefit of these techniques and methodologies may vary depending on the project. This will also require some discussion at the team level and will require your entire team to do some research, learning and more importantly change the way they develop. Finally they are a million of them: List of software development philosophies.

I think the key here is to pick one or two, implement them and slowly add new paradigms as your team matures and your project grows.

Some of my favorites:

Finally embarrassing Object Oriented Development and Test Driven Development is probably a good idea too.

A few good reads to give a little more context:


If you are starting from scratch, there is a lot to be done, but take it easy. One step at a time, don’t try to refactor everything on day one. Remember that is is supposed to help you to be more efficient on the long run. Yes it will take you some extra efforts and time at the begging and yes there is never a good time to do this…Do this incrementally, test new ideas on smaller projects.

Summer 2017 – the Summer of Talks

In the summer of 2017, I gave several WordPress themed talks. Here are some of them:

Boston WP June 17 – Introduction to WordPress Multisite

WordPress high performance hosting on AWS – WPCampus 2017

WordPress in Higher Education – Panel – WordCamp Boston 2017

WP Rest API V1 vs V2 – Disable WordPress default routes and endpoints

TL;DR: Scroll down to the bottom to see the snippet

I have been using the WordPress REST API on a personal project for a little while now. However I was still using v1 of the plugin. With WordPress 4.4 on its way, shipping with half of the API included in Core, it was time for the project to move to v2 to ensure long time compatibility, and be able with WordPress 4.5 or 4.6 to get rid of the plugin.

This was not nearly as easy as I was expected, most functions were renamed and a fair amount of the logic of how to extend the API has changed a lot. Most changes are very logic and clearly made to ensure a smooth conflict free experience for most users.  But for me it meant refactoring a fair amount of my plugin.

On this project I use WordPress as the back-office of a web app, that has not much in common with your classic blog/website. So I had no interest in the default WordPress endpoints and was only using my custom endpoints.

Therefor, I was looking on ways to remove the default WordPress Endpoints, and here is what I found by digging into the source code of the plugin.

The V1 way, which was a little hacky, remove everything except the / and then make sure you create your own routes with a lower priority:

The V2 version based on V1 was simply changing the filter name:

However, while looking for something else I found a much cleaner way to do that, at least in V2, I discovered that all the default endpoints were created by an action, and all you had to do was remove the action the remove the endpoints:

Now my API in clean and ready to be extended with my custom endpoints!

My ultimate beginners guide to developing using WordPress

Recently a friend of mine, who’s also a web developer, called me and asked for advice on starting his first project using WordPress. After a long discussion on the phone I sent him an email summarizing our discussion and he suggested I should post it here. So here we go….

About WordPress

WordPress is an open source CMS, made for the LAMP stack, which powers roughly 25% (the number varies from 5% to 35% depending on who you ask) of the web page of the entire Internet. WordPress development is managed by the WordPress foundation (, however a company called Automattic (which was founded by one of WordPress’ co-creator) is exploiting WordPress commercially ( but is also contributing a lot to the project.

WordPress is not “secure”/”stable”/”logic”/…

In my experience most of these critics are made by people who don’t know WordPress well. WordPress, like any piece of software is not perfect, and like any complex system requires time to fully understand. But it is also actively supported by brilliant people and a vibrant community. Has one of the most detailed documentation for an open-source project I have ever seen and thanks to Automattic has a dedicated security team. Finally WordPress powers a lot of very large websites. In other words, done correctly, WordPress can do virtually anything. And while for each specific use case there might be a better suited CMS or Framework, in my experience you will get a better result ( user experience, security, maintainability, etc..) using a tool that you know very well but might not be the best for the job than working on a hard project while learning a new CMS or Framework.

Don’t get me wrong, there is plenty of things I hate about WordPress, but I still think that its versatility, large community, mind-blowing amount of available resources and services makes it the best current tool to takle almost any web app/service project.

How to start with WordPress?

I won’t write a full tutorial, a quick google search will give you plenty of great existing resources. However I would like to do a quick list of general concepts and WordPress features that are critical for you to understand before you start your first WordPress project.

1. The golden rule A: do it the WordPress way.

Developers can argue for hours about the best way to do something. If WordPress has a documented opinionated way to do something, you should do it this way, even if you think that it’s not ideal, slow or illogical.

2. The golden rule B: never modify core/ a plugin / a theme.

Never, ever, ever modify WordPress Core files or the code of a plugin or theme you’ve downloaded. This is never a good idea as this will inevitably break when you update ( therefor will prevent you to update ). WordPress offers plenty of solutions to fix a bug or alter a behavior you don’t like: create a plugin, create a child theme, use hooks and filters, etc…

3. Themes for layout and design, plugins for logic and content management

You should split the design and layout from the logic and the content management to make it easy for your customer to update their website in the future without rebuilding everything or losing content. For example if your theme uses Custom Post Types, you will register the CPT in a plugin called a utility plugin but the templates and CSS for the CPT will be located in your theme. The same goes for most other WordPress features:

Feature Utility Plugin Theme (functions.php)
Shortcodes always never
Custom Post Type always never
Custom Taxonomy always never
Custom Post Meta boxes always never
Customize Admin always never
Editor style never always
Customizer settings depends depends
Javascript & CSS depends depends
Register Sidebars never always
Register Nav Menu never always
Templates never always

Read more:

4. Understanding “The loop” and “Hooks: Filters and actions”

These 2 concepts are the cornerstone of any WordPress project. It is critical to understand them completely to create a well performing, secure and maintainable WordPress theme or plugin. The loop is how content is retrieved and displayed in WordPress. Hooks are allowing you to change almost any default behavior in WordPress. In fact you can change the behavior of the loop using hooks.

Read more:

5. Security, Security, Security

Like in any web project you should always: check user capabilities, validate and sanitize input, escape outputs as well as create and validate nonces.

You should also never make assumptions about data/function/parameters always sanitize early and escape late. Always validate data for what it should be not what it’s not:

if ( $email ) {} // Wrong
if ( is_email( $email ) ) {} // Correct

Read more:–wp-25536

6. Javascript and CSS

A few basic and simple rules:

Read more:

Boston WordCamp 2015 – Takeaways

The 2015 edition of Boston WordCamp was held on July 18th and 19th at Boston University. Like last year I attended the event and here is a little selection of my favorite talks :

WCB2015 XSS, CSRF, SQLI, WTH(?!?) – The Truth on Theme Security

By Michael Cain

Nothing that I didn’t knew but security is one of those topics where I feel like you should always welcome a reminder!

HTTP 2 and You

By Zack Tollman

Probably my favorite talk of this year’s edition. This talk made me realize how very little I knew about HTTP2 and how amazing it’s going to be.

Best Friend or Worst Enemy – Multisite Do’s and Don’ts

By Taylor McCaslin

I had very little experience with WordPress Multisites before working at Harvard. Taylor’s talk is definitely worth watching if you are considering using WordPress Networks.

Local and Staging for Multiperson Development

By William P. Davis

As a developer I always look for ways to improve my workflow and we’ve been discussing a lot with my colleagues how we could make our dev/test/deploy process easier and more efficient so I was very curious to listen to William’s presentation.

Boston Wordcamp 2014 – Takeaways

WordPress migrations? Challenge accepted!

By Daniel Kanchev

I finally understood why sometimes when I migrate websites using commercial themes some of the parameters do not migrate. The problems comes from PHP serializing. During migration what I usually do is open the SQL backup in my text editor and search/replace the old/new domaine. But for themes and plugins that use PHP Serialization to store data that’s not good enough because serialization also store strings length. So when you change the domaine name, the string length change and the way PHP Serialization works is that if the string length doesn’t match the string it simply ignores it.

The solution proposed by Daniel : Use WP-CLI that will perform search/replace while fixing Serialization issues.

TTL is not good enough because some providers may override the TTL so despite good planning/timing with the TTL some users may still be redirected to the old website. So on any website where users are generating content (post/orders/etc.) you should either use remote mysql so the old server use the new server’s DB or use IP tables on the old server to redirect to the new server’s IP address.

WordPress & APIs

By Sam Hotchkiss

Nothing really new especially since sam’s talk was an emergency talk as the original speaker was sick. However I really enjoyed on his slides that summarize pretty well where we are at with APIs : “The idea of controlling the presentation of your data is dying”.

Finding the speed bumps in your code

By Matthew Boynes

Transient cache & hot to use efficiently the debug bar.

And a lot more

Wordcamps are awesome…but you can’t assist to all the great presentations. So also watched a lot of other presentations during the following days.

The full playlist is here :

What I learned at yesterday’s Boston WordPress Meetup

Yesterday I attended to the monthly Boston WordPress Meetup. This month’s talk by Jesse Friedman (@professor) was dedicated to security.

I thought I would share here a few interesting things I learned.

You can use pass phrases as password in WordPress

What’s the easiest to remember? iuf8??Ui87ox# or in 2007 pigs were flying in Boston. And according to you which one is the most secure as a password? Well according to Jesse the latest is as good as the earliest if not better. Awesome right??

2 plugins you and I should try : BruteProtect and Clef

BruteProtect is developed by Jesse’s company Parka and offers :

a cloud-powered Brute Force attack prevention plugin. We leverage the millions of WordPress sites to identify and block malicious IPs.BruteProtect tracks failed login attempts across all installed users of the plugin. If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed.

Read more and install

Clef offers :

Secure, easy, passwordless 2-factor authentication in less than 10 minutes. Clef is a mobile app that replaces usernames and passwords with your smartphone.

Read more and install

And many other things

Jesse also shared a lot of other tricks and advices that I was already aware of but you might still want to learn so I encourage you to watch the full talk on BWPM website when it will be available.

My favorite WordPress plugins

While I was slowly getting back to WordPress and as soon as I wanted to do something new, people were answering me : “there is a plugin for this…and there is also a plugin for that!”.

While I have to admit that it’s cool that a lot of people can heavily customize their WordPress installation without writing a single line of code, for me being a developer, plugins are usually synonyms of bugs, frustration and dissatisfaction.

I also agree that code recycling is not a bad thing and that you can’t reinvent the wheel each time you develop a website therefore plugins are a necessity and can be useful. In the list that follows you’ll find all the plugins that I use in most of my projects, that I’ve deeply tested and that I love hoping that it will help a developer like me getting into WordPress’s awesomeness!

Feel free to bookmark and come back as I will update this list as I discover new useful plugins

Advanced Custom Fields

What it is:
Fully customize WordPress edit screens with powerful fields. Boasting a professional interface and a powerful API, it’s a must have for any web developer working with WordPress. Field types include: Wysiwyg, text, textarea, image, file, select, checkbox, page link, post object, date picker, color picker and more!

Why I love it:
I use this plugin on nearly all my projects. It allows you to effortlessly leverage one of WordPress most useful features: Custom fields. Mix it with custom posts (another amazing WordPress feature) and you have a tailor made WordPress install for your project with incredibly User Friendly back-office.

WordPress Multilingual Plugin

What is it:
WPML makes it easy to build multilingual sites and run them.It’s powerful enough for corporate sites, yet simple for blogs.

Why I love it:
I haven’t tested all the multilingual plugins out there but WPML is certainly a great one. It includes most of what your can expect and is a very powerful and well maintained plugin. It certainly worth the investment if you are going to build several multilingual websites.

Yoast WordPress SEO

What is it:
The first true all-in-one SEO solution for WordPress, including on-page content analysis, XML sitemaps and much more.

Why I love it:
If you are not a SEO specialist but you still know what you’re doing, this is an amazing plugin! All the SEO basics are covered.

Regenerate Thumbnails

What is it:
Regenerate Thumbnails allows you to regenerate the thumbnails for all of your image attachments. This is very handy if you’ve changed any of your thumbnail dimensions (via Settings → Media) after previously uploading images.

Why I love it:
This plugin had a really missing WordPress feature. If you decide to change or add an image format/size won’t automatically regenerate the thumbnails. But the real problem is that there is no way to easily do it manually either! This is why is plugin exists and is incredibly useful!

How to clear/flush Google Chrome internal DNS cache

If you directly want to see how to clear/flush chrome’s DNS cache go the last part of the article.


Recently I started using Safari as my “personal” browser. In recent versions Apple did a great job and corrected most of the frustrating UX problems and since Apple is still preventing anyone to correctly integrate another browser into iOS I was already using it a lot. Plus I like to know that they are not scanning and analyzing my any single move on the web.

I was originally using Firefox but it became so slow on the mac that I ended up using Chrome. This last one is an amazing browser and it’s not a surprise to me that it gained so much marketshare so fast. However as usual with Google, the privacy policy are a bit “awkward” and “suspicious” and since I’m already an heavy GSearch/Gmail/GMaps user I decided that Google already knew enough about myself.

However I still use  Chrome as my development and professional browser. I really prefer chrome’s development console and most the best development extensions are only available for Chrome and Firefox.

How to clear/flush Google Chrome internal DNS cache

As a developer I open new hosting  and domain names, and modify existing ones, hundred of times every year. A lot of times I have to do a little bit of DNS tweaking to make things works properly. And most of the time I loose some time because I did everything right but chrome still shows me the old web server or some other nonsense.  This is happening because Chrome uses it own DNS caching system to speed up page loading. And today i discovered how to easily flush this cache! This is very simple:

  1. Go to chrome://net-internals/#dns
  2. Press the “Clear host cache” button

And you’re done! Refresh your new url and you’ll get fresh DNS records resolving.

Read more about Chrome’s various network features in its documentation.