Shortcode
A bracket-enclosed tag like [gallery] that WordPress replaces with dynamic content when rendering a page.
A shortcode is a small piece of text wrapped in square brackets that WordPress swaps out for something more complex when your page loads. Think of it as a placeholder. You type [gallery] in your post editor, and WordPress renders a full image gallery on the front end. The shortcode itself never appears to your visitors — only the output it generates.
WordPress has shipped with a handful of built-in shortcodes since version 2.5. Plugins and themes register their own. That one-line tag in your editor can produce anything from a contact form to an embedded video player to a pricing table.
How It Works
Under the hood, a shortcode is a PHP callback function registered with WordPress using add_shortcode(). When WordPress parses your post content, it scans for anything matching the [tag] pattern, runs the associated function, and replaces the tag with whatever HTML that function returns.
Here’s a minimal example:
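    // Callback: receives the attributes parsed from the [cta] tag.
    function wpschool_cta_shortcode( $atts ) {
        // Merge user-supplied attributes with defaults; unknown keys are dropped.
        $atts = shortcode_atts( array(
            'text' => 'Sign Up Now',
            'url'  => 'https://example.com',
        ), $atts );

        // Escape each value for the context it lands in.
        return '<a href="' . esc_url( $atts['url'] ) . '" class="cta-button">'
            . esc_html( $atts['text'] ) . '</a>';
    }
    add_shortcode( 'cta', 'wpschool_cta_shortcode' );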
Drop [cta text="Get Started" url="https://example.com/pricing"] into any post, and WordPress outputs a styled link. Notice the esc_url() and esc_html() calls — shortcode output that skips escaping is an injection vulnerability waiting to happen. I’ve seen it exploited on production sites more than once.
Shortcodes also support enclosing content:
[highlight]This text gets a yellow background.[/highlight]
The wrapped text is passed to your callback as a second parameter. WordPress handles the parsing; you handle the output.
Common Use Cases
Contact forms. Plugins like WPForms and Contact Form 7 generate a shortcode for each form you build. Paste [wpforms id="123"] on any page, and the form appears. This is still how most form plugins work, even in the block editor era.
Embedding dynamic content. Need to display the current year in a footer so your copyright notice never goes stale? A three-line shortcode handles that. Same idea applies to pulling in recent posts, user counts, or product listings from WooCommerce.
Restricting content by role. Membership plugins use shortcodes like [members_only]Premium content here[/members_only] to gate sections of a page. The shortcode checks the user’s role and either renders the content or shows a login prompt.
Legacy plugin output. Many older plugins were built entirely around shortcodes before the block editor existed. If you’re maintaining a site that predates WordPress 5.0, you’ll find shortcodes everywhere — in posts, pages, widgets, and even template files via do_shortcode().
Why It Matters
Shortcodes are still everywhere. The block editor added a dedicated Shortcode block, so they’re not going away. If you manage a WordPress site, you’ll encounter them in plugin documentation, theme demos, and migration projects.
From a security standpoint, shortcodes deserve scrutiny. Every shortcode is executing PHP on your server. A poorly coded shortcode that doesn’t sanitize its attributes is an attack surface. Before installing a plugin that adds shortcodes, check whether the developer escapes output properly. If you’re writing your own, treat every attribute as untrusted input — because it is.
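An added example (not from the original page or from any plugin) applying this to the enclosing [highlight] shortcode described earlier: an unescaped callback beside a hardened one. The function names, the color attribute and its allowlist are assumptions; the code runs inside WordPress, for example in a plugin file.

```php
<?php
// Added example: hypothetical [highlight color="..."] enclosing shortcode.
// Assumes it is loaded by WordPress (plugin file or the theme's functions.php).

// BEFORE: the attribute and the enclosed content go into the markup as typed,
// so whatever the post author wrote becomes raw HTML in the rendered page.
// Shown for comparison only; it is never registered.
function wpschool_highlight_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'color' => 'yellow' ), $atts );
    return '<span style="background-color:' . $atts['color'] . '">' . $content . '</span>';
}

// AFTER: validate the attribute, filter the content, escape at output.
function wpschool_highlight_shortcode( $atts, $content = '' ) {
    // Third argument names the shortcode so other code can filter its defaults.
    $atts = shortcode_atts( array( 'color' => 'yellow' ), $atts, 'highlight' );

    // Validate: accept only known values; anything else falls back to the default.
    $allowed = array( 'yellow', 'lightgreen', 'pink' );
    $color   = in_array( $atts['color'], $allowed, true ) ? $atts['color'] : 'yellow';

    // $content is null or empty when the tag is used without enclosed text.
    if ( null === $content || '' === trim( $content ) ) {
        return '';
    }

    // Filter the enclosed HTML down to the tags allowed in post content, then
    // expand nested shortcodes (their callbacks must escape their own output).
    $inner = do_shortcode( wp_kses_post( $content ) );

    // Escape the attribute value for its context even though it was validated.
    return '<span style="background-color:' . esc_attr( $color ) . '">' . $inner . '</span>';
}
add_shortcode( 'highlight', 'wpschool_highlight_shortcode' );
```

With the hardened callback, an unrecognized color value renders with the default background, and enclosed markup outside the post-content allowlist is stripped before output.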
Performance matters too. A page loaded with ten shortcodes means ten callback functions running on every page load. Some plugins run database queries inside their shortcode callbacks. Stack enough of those on a single page and you’ll feel it in your load times. Caching helps, but knowing what your shortcodes actually execute is better.
The bottom line: shortcodes are a simple, powerful tool. But simple doesn’t mean safe. Validate input, escape output, and know what code runs behind every bracket on your site.