I go to the school of hard knocks.  Part of the reason is that the pace of change in technology is so dizzying that formal education often won’t offer much, as it is outdated by the time it has been packaged and sold.  So here are some WordPress development lessons I learned the hard way, so you don’t have to!

Always back up your WordPress installs.  This can be accomplished with a plugin like BackWPup.  Also make sure to have it do off-site backups, perhaps to your Dropbox.  The reason this has become more important is that malware attacks have become more rampant.  One insecure plugin or theme and your whole site could be a goner.  Also, backing up the content using Tools > Export is a good way to keep the site’s content in case something happens to the entire install.

One site per server.  If you are hosting multiple sites, make sure each WordPress install is on a separate server instance (for example, each one has its own cPanel).  A lot of hosts offer multi-site plans and you should take advantage of these.  This way, if one of your sites gets infected, the infection won’t cascade to the others.

The fewer WordPress plugins, the better.  Every plugin can turn into an engine for malware at any moment.  The fewer of them you have, the less likely your site will be compromised.  The ones you do have should be updated regularly.  WordPress auto updates but plugins do not.  Also be on the lookout for plugins that haven’t been updated in a while.  Googling the plugin name will sometimes give you information.

Make sure your theme is up to date.  Themes can spread malware as well.  This is particularly true of older versions of popular themes, as those are the most likely to be worth the effort of writing an exploit for.

These tips might take a little work but could be a life saver.

After searching for hours trying to figure out why the WordPress WYSIWYG code editor TinyMCE kept changing my PHP code, I came upon a thread that was somewhat helpful.  Basically it let me set TinyMCE’s configuration in the WordPress theme, which is great for all kinds of things, like if you want more HTML tags in your posts.

What I needed to do, however, was get TinyMCE to not touch my code when it was inside PHP code or the insert_php shortcode.  To do that I had to modify the protect option in TinyMCE.  Then I had to create a JavaScript regular expression to exempt certain blocks of code from TinyMCE’s parser.  Below is the code I came up with; just add it to the functions.php file of your WordPress theme:

function schema_TinyMCE_init($in)
{
    // more things modifying TinyMCE can go here

    // for PHP tag and insert_php shortcode (JavaScript regular expressions)
    // the value is a JavaScript array literal of regular expressions, written here as a PHP string
    $in['protect'] = "[
        /\<\?php[\s\S]*?\?\>/g,
        /\[insert_php\][\s\S]*?\[\/insert_php\]/g
    ]";
    return $in;
}
// register the callback on the tiny_mce_before_init filter
add_filter('tiny_mce_before_init', 'schema_TinyMCE_init');

It’s got room for improvement; the line breaks don’t always line up correctly.  For the <?php one, for some reason you need to put a > on the first line.  So for example the opening line of code would be  <?php  //>   and after doing this the editor doesn’t touch the line breaks.

With the knowledge of JavaScript regular expressions you could do things to exempt all kinds of code, not just PHP.
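As an added illustration (not code from the original post or from TinyMCE), this JavaScript models what the two protect patterns above match: each matched span is swapped for a placeholder, a stand-in clean-up pass runs, and the spans are put back. The names shield, unshield, cleanup and roundTrip and the sample strings are assumptions made for the example; it also shows the lazy pattern stopping at a ?> that sits inside a string literal, which leaves the rest of that block unprotected.

```javascript
// Added example: a simplified model of a protect pass, not TinyMCE's own code.
// PROTECT holds the two patterns from the functions.php snippet on this page.
const PROTECT = [
  /<\?php[\s\S]*?\?>/g,
  /\[insert_php\][\s\S]*?\[\/insert_php\]/g,
];

// Replace each protected span with an opaque placeholder and keep the original.
function shield(content, patterns = PROTECT) {
  const saved = [];
  let out = content;
  for (const re of patterns) {
    out = out.replace(re, (match) => `<!--protected:${saved.push(match) - 1}-->`);
  }
  return { out, saved };
}

// Restore newest-first so a span that swallowed an earlier placeholder is
// unpacked before that placeholder. split/join avoids "$1"-style substitution,
// which matters because PHP source is full of "$".
function unshield(content, saved) {
  let out = content;
  for (let i = saved.length - 1; i >= 0; i--) {
    out = out.split(`<!--protected:${i}-->`).join(saved[i]);
  }
  return out;
}

// Hypothetical stand-in for an editor clean-up pass: turns processing
// instructions into comments and flattens line breaks.
function cleanup(html) {
  return html.replace(/<\?/g, "<!--?").replace(/\?>/g, "?-->").replace(/\s*\n\s*/g, " ");
}

// Shield, run the clean-up, then restore the protected spans.
function roundTrip(content) {
  const { out, saved } = shield(content);
  return unshield(cleanup(out), saved);
}

// Constructed sample post bodies.
const SAMPLE = "<p>Intro</p>\n<?php\n$price = '$1';\necho $price;\n?>\n[insert_php]\necho 2;\n[/insert_php]";
const EARLY_CLOSE = '<?php echo "a ?> b"; ?>';

console.log(roundTrip(SAMPLE));
console.log(shield(EARLY_CLOSE).saved); // shows where the lazy match stops
```

If a protected language can contain its own closing delimiter inside a string, the pattern needs to account for that or the tail of the block goes through the editor unprotected.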

This was tested on WordPress 4.5.3, your mileage may vary for versions further from this.

I just created a plugin based on this you can access here.  Please note that you cannot use the plugin and this fix at the same time.