
Shortcode

A bracket-enclosed tag like [gallery] that WordPress replaces with dynamic content when rendering a page.

A shortcode is a small piece of text wrapped in square brackets that WordPress swaps out for something more complex when your page loads. Think of it as a placeholder. You type [gallery] in your post editor, and WordPress renders a full image gallery on the front end. The shortcode itself never appears to your visitors — only the output it generates.

WordPress has shipped with a handful of built-in shortcodes since version 2.5. Plugins and themes register their own. That one-line tag in your editor can produce anything from a contact form to an embedded video player to a pricing table.

How It Works

Under the hood, a shortcode is a PHP callback function registered with WordPress using add_shortcode(). When WordPress parses your post content, it scans for bracketed tags whose name matches a registered shortcode, runs the associated callback, and replaces the tag with whatever HTML that callback returns. Brackets that don't match a registered name are left alone.

Here’s a minimal example:

function wpschool_cta_shortcode( $atts ) {
    // Merge the attributes typed in the editor with the defaults; attributes
    // not listed here are dropped, so the callback only ever sees known keys.
    $atts = shortcode_atts( array(
        'text' => 'Sign Up Now',
        'url'  => 'https://example.com',
    ), $atts, 'cta' );

    // Escape each value for the context it lands in: a URL inside href,
    // plain text inside the element body.
    return '<a href="' . esc_url( $atts['url'] ) . '" class="cta-button">'
        . esc_html( $atts['text'] ) . '</a>';
}
add_shortcode( 'cta', 'wpschool_cta_shortcode' );

Drop [cta text="Get Started" url="https://example.com/pricing"] into any post, and WordPress outputs a styled link. Notice the esc_url() and esc_html() calls — shortcode output that skips escaping is an injection vulnerability waiting to happen. I’ve seen it exploited on production sites more than once.

Shortcodes also support enclosing content:

[highlight]This text gets a yellow background.[/highlight]

The wrapped text is passed to your callback as a second parameter. WordPress handles the parsing; you handle the output.
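As an added example (not code from the original page), here is what a callback for the [highlight] tag above can look like. It shows the second parameter that carries the wrapped text, the third parameter that carries the tag name, and how nested shortcodes inside the wrapped text get rendered. The function name is an assumption following the page's wpschool_ prefix; every WordPress call used is a real one.

```php
<?php
// Added example, not from the original page. Function name is assumed.
function wpschool_highlight_shortcode( $atts, $content = null, $tag = '' ) {
    $atts = shortcode_atts( array(
        'class' => 'highlight-yellow',
    ), $atts, $tag );

    // [highlight] used without a closing tag: WordPress passes null, so
    // there is nothing to wrap. Returning '' removes the tag from the page.
    if ( null === $content ) {
        return '';
    }

    // The wrapped text is post content. Run it through wp_kses_post() so only
    // the HTML an author may use survives (no script, no event handlers).
    $content = wp_kses_post( $content );

    // WordPress does not expand shortcodes nested inside an enclosing
    // shortcode automatically; the callback has to ask for it. Each nested
    // callback is responsible for escaping its own output.
    $content = do_shortcode( $content );

    // sanitize_html_class() strips everything that is not valid in a class
    // name, so quotes or spaces in the attribute cannot break out of it.
    $class = sanitize_html_class( $atts['class'], 'highlight-yellow' );

    return '<mark class="' . esc_attr( $class ) . '">' . $content . '</mark>';
}
add_shortcode( 'highlight', 'wpschool_highlight_shortcode' );
```

With this registered, [highlight class="note"]Text with a [cta] inside.[/highlight] renders a mark element containing the text and the rendered call-to-action link. Note the order: kses filtering runs on the author's text before nested shortcodes are expanded, so the filtering never strips markup that another shortcode legitimately produced.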

Common Use Cases

Contact forms. Plugins like WPForms and Contact Form 7 generate a shortcode for each form you build. Paste [wpforms id="123"] on any page, and the form appears. This is still how most form plugins work, even in the block editor era.

Embedding dynamic content. Need to display the current year in a footer so your copyright notice never goes stale? A three-line shortcode handles that. Same idea applies to pulling in recent posts, user counts, or product listings from WooCommerce.

Restricting content by role. Membership plugins use shortcodes like [members_only]Premium content here[/members_only] to gate sections of a page. The shortcode checks the user’s role and either renders the content or shows a login prompt.

Legacy plugin output. Many older plugins were built entirely around shortcodes before the block editor existed. If you’re maintaining a site that predates WordPress 5.0, you’ll find shortcodes everywhere — in posts, pages, widgets, and even template files via do_shortcode().
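The role-gating case deserves a concrete shape, so here is an added example (not from the original page or from any particular membership plugin) of a [members_only] enclosing shortcode. The check happens server-side in PHP, which is the only place it can be trusted. The function name and the 'wpschool' text domain are assumptions; the WordPress calls are real.

```php
<?php
// Added example, not from the original page. Function name and text domain assumed.
function wpschool_members_only_shortcode( $atts, $content = null, $tag = '' ) {
    $atts = shortcode_atts( array(
        'role' => '', // empty: any logged-in user qualifies
    ), $atts, $tag );

    if ( null === $content ) {
        return '';
    }

    // Decide on the server. Hiding the markup with CSS or JavaScript would
    // still ship the premium text to every visitor's browser.
    $allowed = false;
    if ( is_user_logged_in() ) {
        if ( '' === $atts['role'] ) {
            $allowed = true;
        } else {
            // role="subscriber, editor" -> array of lower-case role slugs,
            // compared with the roles WordPress has assigned to this user.
            $wanted  = array_map( 'trim', explode( ',', strtolower( $atts['role'] ) ) );
            $user    = wp_get_current_user();
            $allowed = (bool) array_intersect( $wanted, (array) $user->roles );
        }
    }

    if ( $allowed ) {
        // Members get the wrapped content, with any nested shortcodes expanded.
        return do_shortcode( $content );
    }

    // Everyone else gets a login prompt that returns them to this page.
    $login_url = wp_login_url( get_permalink() );
    return '<p class="members-only-notice">'
        . esc_html__( 'This content is for members.', 'wpschool' ) . ' '
        . '<a href="' . esc_url( $login_url ) . '">'
        . esc_html__( 'Log in', 'wpschool' ) . '</a></p>';
}
add_shortcode( 'members_only', 'wpschool_members_only_shortcode' );
```

Usage: [members_only role="subscriber"]Premium content here[/members_only]. One caveat a gate like this does not address: the gated text still lives in post_content, and WordPress search matches against that column, so a search query can reveal that a phrase exists on the page even when the visitor cannot read it.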

Why It Matters

Shortcodes are still everywhere. The block editor added a dedicated Shortcode block, so they’re not going away. If you manage a WordPress site, you’ll encounter them in plugin documentation, theme demos, and migration projects.

From a security standpoint, shortcodes deserve scrutiny. Every shortcode is executing PHP on your server. A poorly coded shortcode that doesn’t sanitize its attributes is an attack surface. Before installing a plugin that adds shortcodes, check whether the developer escapes output properly. If you’re writing your own, treat every attribute as untrusted input — because it is.
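To make "treat every attribute as untrusted input" concrete, here is an added example (not from the original page) of the same [post_link] shortcode written carelessly and then hardened. The weak version trusts both attributes; the hardened one coerces the id to the type it expects, refuses anything that is not a published post, and escapes what it emits. Function names are assumptions.

```php
<?php
// Added example, not from the original page. Function names assumed.

// Weak: nothing is validated or escaped. 'id' may be missing or arbitrary
// text, and 'label' is emitted as raw HTML, so any markup an author puts in
// the attribute lands in the page unescaped (stored XSS).
function wpschool_post_link_weak( $atts ) {
    return '<a href="' . get_permalink( $atts['id'] ) . '">' . $atts['label'] . '</a>';
}

// Hardened version of the same shortcode.
function wpschool_post_link_shortcode( $atts, $content = null, $tag = '' ) {
    $atts = shortcode_atts( array(
        'id'    => 0,
        'label' => '',
    ), $atts, $tag );

    // Coerce to the type you expect. absint() turns "42abc" into 42 and
    // anything non-numeric into 0, which fails the lookup below.
    $post_id = absint( $atts['id'] );
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only link to content the visitor may see. Without this, a draft or
    // private post id would leak its title through the default label.
    if ( ! $post || 'publish' !== $post->post_status ) {
        return '';
    }

    $label = ( '' !== $atts['label'] ) ? $atts['label'] : get_the_title( $post );

    // Escape for the output context: URL in href, text in the element body.
    return '<a href="' . esc_url( get_permalink( $post ) ) . '">'
        . esc_html( $label ) . '</a>';
}
add_shortcode( 'post_link', 'wpschool_post_link_shortcode' );
```

The pattern generalizes: declare defaults with shortcode_atts() so unknown attributes never reach your code, convert each value to the type you need (absint, intval, a whitelist of allowed strings), verify that whatever it refers to exists and is viewable, and escape at the point of output. Those steps are what to look for when reviewing a plugin's shortcode callbacks before installing it.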

Performance matters too. A page loaded with ten shortcodes means ten callback functions running on every page load. Some plugins run database queries inside their shortcode callbacks. Stack enough of those on a single page and you’ll feel it in your load times. Caching helps, but knowing what your shortcodes actually execute is better.
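Here is an added example (not from the original page) of the caching approach, using the "recent posts" case from the use-case list above: a query-backed shortcode whose rendered HTML is stored in a transient, so the WP_Query runs once per cache lifetime instead of on every page load. The function names and the ten-minute lifetime are assumptions; the WordPress APIs are real.

```php
<?php
// Added example, not from the original page. Function names assumed.
function wpschool_recent_posts_shortcode( $atts, $content = null, $tag = '' ) {
    $atts = shortcode_atts( array(
        'count' => 5,
    ), $atts, $tag );

    // Clamp the attribute so a stray count="100000" cannot become a huge query.
    $count = min( 20, max( 1, absint( $atts['count'] ) ) );

    // One cache entry per distinct attribute set. The output contains nothing
    // user-specific, which is what makes sharing it across visitors safe.
    $cache_key = 'wpschool_recent_posts_' . $count;
    $html      = get_transient( $cache_key );
    if ( false !== $html ) {
        return $html;
    }

    $query = new WP_Query( array(
        'post_type'           => 'post',
        'post_status'         => 'publish',
        'posts_per_page'      => $count,
        'no_found_rows'       => true,  // skip the extra row-count query
        'ignore_sticky_posts' => true,
    ) );

    // Read $query->posts directly rather than calling the_post(), so the
    // global loop of the page containing the shortcode is left untouched.
    $html = '<ul class="recent-posts">';
    foreach ( $query->posts as $post ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $post ) ) . '">'
            . esc_html( get_the_title( $post ) ) . '</a></li>';
    }
    $html .= '</ul>';

    set_transient( $cache_key, $html, 10 * MINUTE_IN_SECONDS );
    return $html;
}
add_shortcode( 'recent_posts', 'wpschool_recent_posts_shortcode' );

// Drop the cached lists whenever a post changes, so a stale entry never
// outlives the data it was built from.
function wpschool_recent_posts_flush() {
    for ( $n = 1; $n <= 20; $n++ ) {
        delete_transient( 'wpschool_recent_posts_' . $n );
    }
}
add_action( 'save_post', 'wpschool_recent_posts_flush' );
add_action( 'deleted_post', 'wpschool_recent_posts_flush' );
```

The design point that matters for security as much as speed: only cache output that is identical for every visitor. If a callback's result depends on who is logged in (the [members_only] case, for instance), either leave it uncached or put the user's identity in the cache key, otherwise one visitor's rendered content is served to the next.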

The bottom line: shortcodes are a simple, powerful tool. But simple doesn’t mean safe. Validate input, escape output, and know what code runs behind every bracket on your site.