MarckDev

February 13, 2025 · 4 min read

Using Claude to generate secure PHP snippets for WordPress

You need a small change to your WordPress site: hiding a checkout field, adding a column to the dashboard, changing a theme behavior. An AI assistant like Claude writes the PHP snippet in seconds, but pasting code you don't understand into your site is the fastest way to open a security hole or break the page. Let's look at how to use Claude to generate secure PHP snippets for WordPress: how to phrase the request, which checks to run on the code and how to install it without risk.

Asking well: context matters more than the question

The quality of the snippet depends on how much context you provide. A request like "code to hide a checkout field" produces a generic answer; a complete request produces code suited to your site. Always include in the prompt:

  • The environment: WordPress and PHP versions, active theme, plugins involved (for example WooCommerce).
  • The insertion point: the child theme's functions.php, a snippet plugin or a mu-plugin. The location changes how the code should be written.
  • The expected behavior and edge cases: what should happen and what must not change for other users or other pages.
  • The security requirements, spelled out: ask for code that uses WordPress's native functions, with checks on input and permissions.

An addition we always recommend: ask Claude to explain the code line by line and point out where problems could arise. The explanation serves you for the next step, verification.

Security checks on generated code

Before installing any snippet, run through the places where WordPress vulnerabilities are born. You don't need to be a developer for a first pass:

  • User input: any data coming from forms, URLs or requests must be cleaned with WordPress's sanitization functions (the ones prefixed sanitize_) before being used or saved.
  • Output on the page: data printed to the browser must go through the escaping functions (esc_ prefix), otherwise you open the door to XSS attacks.
  • Database queries: if the snippet queries the database, the queries must use $wpdb->prepare with placeholders, never concatenate variables into the SQL string.
  • Permissions: restricted actions must verify the user's capabilities with current_user_can, and forms must use WordPress nonces against forged requests.
  • No opaque calls: be wary of snippets that download content from external URLs, use eval or base64_decode, or disable security checks. If anything like that shows up, ask for an explanation or discard it.

An effective trick: paste the snippet into a new conversation and ask Claude to act as a security reviewer, listing the vulnerabilities. The model is often stricter as a reviewer than as an author, and the double pass catches quite a few problems.

Where to put the snippet (and where not to)

The most common wrong place is the parent theme's functions.php: at the first theme update, the change disappears. The correct options, in order of preference for a carefully managed site:

  1. A mu-plugin: a PHP file in the mu-plugins folder, always active, independent of the theme. It's the solution we use in the projects we manage for stable customizations.
  2. The child theme's functions.php: fine for theme-related changes, if the child theme already exists.
  3. A snippet management plugin: convenient because it lets you deactivate a single snippet from the admin panel if something goes wrong, useful for those who don't touch files via FTP.

Whichever route you choose, one snippet at a time: if the site errors out, you know right away which code is responsible.
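As an added example that is not part of the original article, here is one mu-plugin file that applies the checks from the list above (nonce and capability check on the form handler, sanitize_ on input, esc_ on output, $wpdb->prepare on the query) and is installed the way option 1 describes, as a single file in wp-content/mu-plugins. The file name, option name, form action name and text domain are hypothetical; the WordPress functions are the real ones.

```php
<?php
/**
 * Plugin Name: Site note (added example)
 * Description: Hypothetical mu-plugin for wp-content/mu-plugins/marckdev-site-note.php.
 *              Demonstrates nonce, capability, sanitization, escaping and $wpdb->prepare.
 */

defined( 'ABSPATH' ) || exit; // never run outside WordPress

const MARCKDEV_NOTE_OPTION = 'marckdev_site_note'; // hypothetical option name
const MARCKDEV_NOTE_ACTION = 'marckdev_save_note'; // hypothetical form/nonce action

// 1. Admin page, registered only for users who can manage options.
add_action( 'admin_menu', function () {
    add_options_page( 'Site note', 'Site note', 'manage_options', 'marckdev-site-note', 'marckdev_render_note_page' );
} );

function marckdev_render_note_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'marckdev' ) );
    }

    $note = get_option( MARCKDEV_NOTE_OPTION, '' );

    // Read-only query driven by ?type=...: sanitize_key() limits the value to [a-z0-9_-]
    // and prepare() binds it with %s, so it can never change the SQL structure.
    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : 'post';
    global $wpdb;
    $count = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = %s AND post_status = 'publish'",
        $type
    ) );
    // Wrong, for comparison: "... WHERE post_type = '" . $_GET['type'] . "'" concatenates raw input.

    // 2. Output: every dynamic value passes through an esc_* function before reaching the browser.
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Site note', 'marckdev' ); ?></h1>
        <p><?php printf( esc_html__( 'Published items of type %1$s: %2$d', 'marckdev' ), esc_html( $type ), $count ); ?></p>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="<?php echo esc_attr( MARCKDEV_NOTE_ACTION ); ?>">
            <?php wp_nonce_field( MARCKDEV_NOTE_ACTION ); ?>
            <input type="text" name="site_note" value="<?php echo esc_attr( $note ); ?>" class="regular-text">
            <?php submit_button( 'Save note' ); ?>
        </form>
    </div>
    <?php
}

// 3. Form handler: nonce, capability, sanitization, then save and redirect.
add_action( 'admin_post_' . MARCKDEV_NOTE_ACTION, function () {
    check_admin_referer( MARCKDEV_NOTE_ACTION ); // stops the request on a missing or forged nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'marckdev' ), '', array( 'response' => 403 ) );
    }
    // WordPress adds slashes to superglobals: unslash first, then sanitize.
    $note = isset( $_POST['site_note'] ) ? sanitize_text_field( wp_unslash( $_POST['site_note'] ) ) : '';
    update_option( MARCKDEV_NOTE_OPTION, $note );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=marckdev-site-note' ) ) );
    exit;
} );
```

Read it against the checklist: input is handled with sanitize_key and sanitize_text_field, output with esc_html, esc_attr and esc_url, the query with $wpdb->prepare and a %s placeholder, and the write path with check_admin_referer plus current_user_can. A generated snippet that skips any of these four points is the one to send back to the reviewer pass described above.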

Testing in staging, with a safety net

Even verified code should be tested outside production. The minimum procedure: back up the site, install the snippet in a staging environment, test the modified feature and the surrounding pages, check the PHP error log. Only then, deploy to production. If the site is an eCommerce store, also test the purchase path: snippets that touch the checkout are the ones that cost the most when they go wrong. And keep a notes file with every snippet installed, what it does and when you added it: your future self a year from now will be grateful.

When a snippet is no longer enough

Snippets are fine for touch-ups. When the requests become full-blown features (a members' area, an integration with your management system, a custom workflow), assisted copy-paste shows its limits and you need someone who designs and maintains the code over time. We build custom software, including dedicated WordPress plugins, with AI used as an accelerator and human review as the guarantee. Book a free call and tell us what you want your site to do: we'll tell you whether a snippet is enough or whether it's worth doing things in a structured way.