PHP Developer for Hire

As of 2026, PHP 8.1 or 8.2 are the recommended versions for WordPress sites. PHP 8.0 reached end-of-life in November 2023, meaning it no longer receives security patches. PHP 8.2 is the current stable release and is fully supported by WordPress core.nnMany hosting providers still default to PHP 7.4 for compatibility reasons. Running PHP 7.4 is a security risk and a performance penalty - PHP 8.x is significantly faster than 7.4 for WordPress workloads. You can change the PHP version in your hosting control panel, usually under PHP Configuration or PHP Manager. Always test on a staging environment before updating the PHP version on a live site, as some older plugins are not compatible with PHP 8.x.

Functions.php is a theme file - code added there is tied to the theme and disappears if the theme is changed or updated. It is appropriate for theme-specific functionality like registering nav menus, adding support for post thumbnails, and modifying the theme's own output.nnA custom plugin is theme-independent - its functionality remains active regardless of which theme is installed. Any code that adds features to the site rather than styling the theme - custom post types, custom shortcodes, REST API endpoints, WooCommerce customizations - should live in a plugin, not functions.php.nnThe practical rule: if removing the code would break the site's data or core functionality, it belongs in a plugin. If it only affects the visual presentation, functions.php in a child theme is acceptable.

WordPress hooks are the mechanism that allows code to interact with WordPress core, plugins, and themes without modifying their source files. There are two types.nnActions allow you to execute custom code at specific points in WordPress execution - when a post is saved, when a page loads, when WooCommerce processes an order, when a user logs in. You attach a function to an action with add_action().nnFilters allow you to intercept a value, modify it, and return the modified version - changing a page title, modifying a query before it runs, altering WooCommerce product data before display. You attach a function to a filter with add_filter().nnUsing hooks correctly is what makes WordPress code maintainable and upgrade-safe. Code that edits core WordPress files directly will be overwritten every time WordPress updates.

The first step is seeing the actual error. Enable debug mode by adding these lines to wp-config.php:ndefine('WP_DEBUG', true); define('WP_DEBUG_LOG', true); define('WP_DEBUG_DISPLAY', false);nnWith these settings, PHP errors are written to wp-content/debug.log instead of being shown to visitors. Check debug.log to see the exact error message, the file it occurred in, and the line number.nnCommon PHP errors on WordPress: Fatal error - function not found usually means a plugin is calling a function from another plugin that is deactivated. Deprecated warning means a function from an older PHP version is being used in PHP 8.x. Call to undefined method means a class method does not exist, usually because a plugin update changed its API. In all cases, the error log points you to exactly which file and line to investigate.

WP_Query is WordPress's class for constructing and executing database queries for posts, pages, and custom post types. It is the correct and safe way to query the WordPress database in custom PHP - it handles security, caching, and integration with WordPress's object cache automatically.nnYou use WP_Query when you need to retrieve posts that the current page's main query does not include - for example, showing the three most recent case studies on a services page, displaying related posts based on shared tags, or building a custom archive filtered by multiple meta values.nnThe key parameters are post_type, posts_per_page, meta_query for custom field filtering, tax_query for taxonomy filtering, orderby and order for sorting, and fields to limit what data is returned when you only need IDs. Always call wp_reset_postdata() after a custom WP_Query loop.

Yes. Custom plugin development is one of the most common PHP services I provide. The scope ranges from small utility plugins that add a single piece of functionality to complex plugins with their own admin pages, database tables, REST endpoints, and settings panels.nnBefore starting, I scope the plugin as a fixed deliverable - what it does, what it does not do, and where the boundaries are. This prevents scope creep and ensures both sides agree on what is being built.nnAll plugins I build are: properly namespaced to avoid conflicts with other plugins, structured as a class-based plugin following WordPress coding standards, documented with inline comments, and handed over with a brief usage guide. Contact me with your requirements for a fixed-price quote.

WordPress core is well-maintained for PHP 8.x compatibility. The problems almost always come from plugins and themes.nnAfter a PHP version upgrade, common errors are: Deprecated: Required parameter follows optional parameter - a change in PHP 8.0 that breaks functions with certain argument orders. Fatal error: Uncaught TypeError - PHP 8.0 introduced stricter type handling so code that was silently wrong in PHP 7 now throws fatal errors. Deprecated: Function create_function is deprecated - an old way of creating anonymous functions removed in PHP 8.0. Deprecated: Passing null to non-nullable parameters - PHP 8.1 change affecting functions that expect a string but receive null.nnThe fix is usually a one-line change in the plugin or theme code, but it requires access to the files and an understanding of what changed between PHP versions.

The WordPress REST API is a set of HTTP endpoints that expose WordPress data in JSON format. By default it provides endpoints for posts, pages, users, categories, tags, media, and settings.nnIt is used for: building headless WordPress frontends with React, Vue, or Next.js where the frontend is decoupled from WordPress; mobile apps that read and write WordPress content; JavaScript-powered interfaces inside WordPress admin pages (Gutenberg itself is built on the REST API); and third-party service integrations that need to push or pull data from WordPress.nnCustom REST API endpoints extend the default set - you can register endpoints that return any data from the WordPress database or trigger any server-side logic, with your own authentication requirements and response format.

My PHP work is focused on WordPress and WooCommerce. I do not typically take pure Laravel, Symfony, or general-purpose PHP application projects because WordPress is where my depth and track record are.nnWithin the WordPress context, there is very little that PHP cannot handle - custom post types and taxonomies, complex meta queries, REST API extensions, WooCommerce customizations, scheduled tasks, email triggers, third-party API integrations, user role and capability management, and any server-side business logic the project requires.nnIf your project is WordPress-based and needs custom PHP work, contact me with the details. If it is a framework-based PHP application outside WordPress, I can refer you to a better fit.

Security in WordPress PHP development follows a consistent pattern of: validate, sanitize, escape, and check capabilities.nnValidate - confirm the data is the correct type and format before using it. Sanitize - clean user input before storing it in the database using WordPress sanitize functions like sanitize_text_field(), sanitize_email(), absint(). Escape - encode output before rendering it in HTML using esc_html(), esc_attr(), esc_url(), and wp_kses_post(). Check capabilities - verify the current user has permission to perform the action using current_user_can() before executing any privileged operation.nnI also use nonces on all admin forms and AJAX requests to prevent CSRF attacks, and I never use direct database queries with unsanitized user input - always () when is needed.