Stop using code snippet plugins

Glad it was helpful!

To be fair, any plugin can cause these kind of issues. However, snippet plugins offer redundent functionality that you can easily get by using a child theme or basic custom plugin. I have no issue for using them for development or testing, but they have the potential to just create one more avoidable issue in production.

what exactly is "epic" here?

I’m not a great php programmer either. There are enough resources, though, that it’s pretty simple to figure out with googles help
Mostly, I knew that I wanted to keep the snippets in separate files to turn them on and off easily, so I just needed to find the right way to do that in php. From there, it was just a matter of looking in the WP handbook for their plug-in guidelines on how to format the header properly.

I'm glad it helped. There really are no 100% right or wrong answers, just different ways of doing things with pros and cons to each.

Thanks, Man. I’ve always had problems speaking off the cuff, so it’s pretty nerve wracking for me. I’m going to try to do more of these for things when I’m not trying to show a step by step process, though. Maybe I’ll even have fewer than 300 “ums” to remove in post. (Special thanks to Descript for getting rid of most of them without too much extra effort!)

@@AdamLoweIO My 'um' alarm never went off. Great video and presented in a very authentic way! You can save yourself some scripting time in the future!

There were about 300 (no kidding) that I removed using the Descript video editor. It was appalling, especially since I used to do toastmasters years ago.

Yes, you are correct that themes are for design and design-related functions like enqueuing css or JavaScript. Any functionality-related plugins should be in a plugin (or mu-plugin). I didn’t go into all that nuance here since I wanted to try to keep it relatively simple and high level. As it is, this video started a shit storm in facebook comments since it goes against the way a lot of people have been doing things.

There is no real impact with child themes. Wordpress just sees the child theme files and uses them instead of the parent theme.

You hit the nail on the head. Those plugins essentially spit out a CSS file that gets enqueued in the builder and on the frontend. Some of them, like ACSS (not sure about Core), create the CSS file by compiling SASS but again, in the end it's just CSS that could be written and enqueued in your child theme.
I don't recommend putting your rules and variables in style.css, though. It's a much better practice to create a function that enqueues a separate file. (developer.wordpress.org/themes/core-concepts/including-assets/#including-css). The developer docs look complicated but it's actually quite simple. My latest block theme video on child themes briefly shows the actual code you can use.

@@AdamLoweIO Thanks, I'll go check it out. I'm coming in from a React-focused background, so the WordPress environment is still new to me.

WP Codebox has an alpha feature that attempts to address it by creating a standalone feature plugin with code signing. That’s probably the best implementation I’ve seen so far. Fluent also does a similar thing, although I believe they don’t have the code signing. I haven’t looked at it since it was released though, so things may have changed.
Both products have taken great steps to address security concerns. I would still consider foregoing the snippet plugins on production sites, however, unless you have a need to add or change snippets regularly. Putting them in a child theme or a custom plugin is just so much simpler.
(Remember, a custom plugin can be as simple as a single php file with a line to name the plugin followed by whatever snippets you want to include)

@@AdamLoweIO Thank you for your reply! I have been using Fluent snippets but now after learning about the issues you mentioned, I will start using my theme's child theme as suggested in your video. The custom plugin also a great idea that I will look more into. I really appreciate your time in getting back to me.

Yes, that plugin is very helpful and it’s a great starting point for creating block themes.

Sure, here is the github repo.
github.com/peakperformancedigital/wp-master-public

It sure is. Here is the link. github.com/peakperformancedigital/wp-master-public

@@AdamLoweIO Will you maybe update it with your current version, or upload it separately?

The get header and get footer thing is pretty standard Wordpress practice. It sounds like you might want to make a separate template for that post type and set it as a master page so it uses that header and footer.
If it’s just a small piece of code that changes, then you can probably wrap that in an “if …” action. Just be sure that it’s inside the part that gets output to header.php and not the body of the template.
I’m at WordCamp right now do I have very limited access to a computer. It sounds like this question might be worth posting to the Pinegrow forums.

Functionality Plugin: Save and execute code snippets from a functionality plugin without loading them from the database.

I haven’t experimented with v2 yet. If it has that capability, then that’s pretty sweet! It would take the leg work out of creating a plug-in.

@@maxziebell4013 I totally forgot that function existed. Going to have to try this out.

FYI: I gave it a look this afternoon and came away pretty impressed. Let’s make sure WPCB knows that this is something that’s important to us so it can get moved out of “experimental” status.

@@AdamLoweIO I tested it and like it. But I also found some bugs as well. I got this message from the developer today: "Yes, feedback for the FP is starting to come in. Based on this I will focus a few releases on getting it out of the experimental stage. - Ovidiu"

I was actually referring to a small custom plugin, not a commercial multi-purpose thing. For code snippets, it can be a couple of lines in a single PHP file or an enqueued script.
WP Codebox now lets you export your snippets as a small functionality plugin, which is a pretty cool feature. It just came out of beta this week so I haven’t had a chance to look at it yet, but it could be a good option for anyone who is intimidated by manually enqueuing css or js or who needs some minor conditionals.

Remember that a plug-in is just a piece of code that is run by Wordpress. A single-file plug-in that you create with nothing more than a header and a few lines of snippets carries a lot less risk than a 2MB plugin that stores snippets in the database (SQL injection risk) and has a lot of other code where things could potentially go wrong.

So much depends on your workflow. Plugins like this are fantastic for development, testing, and staging when you are constantly adding code and need to compile Sass regularly. In production, though, it's worth moving all that code to a child theme or plugin. If you find yourself needing to change CSS regularly on production sites, then it might be worth using an import directive to reference one vanilla CSS file to hold those changes. I don't think there is a one-size-fits-all solution. As always, "it depends." (Yes, I hate that answer too!)

@@AdamLoweIO It's become complex after all this in the FB groups and here.
You're a fine and trustworthy person as always to address stability and maintablity with an approach most likely not wanted.
I would love from you If possible if all got sorted soon with WPCodeBox to address and how to move things towards the child theme like this case.
Again I'm one of those who rely on styling entirely the website with manual code even with advanced page builders like Bricks using BEM and SASS.
P.S. I still didn't continue your Pinegrow course with my tight life schedule. I wanted to do it ASAP.
Also,
Please consider Core Framework with Pinegrow as you didi with ACSS.

Yeah, the title is pretty clickbaity I’ll admit. I hate that titles like this work, but they do. That’s why I clarified in the description that these plugins do have a place, but that place isn’t on a production website.
WP Codebox is a special case, especially since they are working on that experimental feature plug-in setting which offloads the snippets to their own plugin for production. It still requires users to know about the issue though and take action.

@@AdamLoweIO I added WP Codebox on inherited production site only last week. It's ability to add HTML and CSS via shortcode snippets let me replace a plugin removed from the repo for security issues and several heavy plugins. It's there to allow HTML content changes.
Also, with agile work on live sites involving JS or PHP having WP Codebox ability to detect errors and stop outputting them can be safer than updating a plugin or changing the theme.

The ability to detect errors and stop the execution is s nice feature. You comment about changing code in production is certainly a topic for a much broader discussion (hard core security people would say that using a dev > staging > production workflow is the best way to go).
Your comment about having a snippet plug-in that only allows modification of CSS and HTML is also an interesting concept. Off the top of my head it seems that something like that would not have the same security problems as having the ability to also execute php or js code, but I’m sure a security researcher would find a reason to disagree with me there.
As with anything, there are going to be trade offs between performance, security, and convenience.
I am very eager to see the WPCB “functionality plugin” feature come out of experimental status. From what I can tell, it would give people the ability to use WPCB to write and manage their snippets, but would then write them to the file system as a standalone plugin and disable the main IDE plugin. Essentially doing what I advocated for in the 2nd part of this video.

@@AdamLoweIO Ovidiu is a good person to talk to. I think this plugin may have come out of him scratching his own itch. He's always stuck me as one of those old school plugin authors who is more concerned with the work than the profits. He's very thoughtful.

He and I have spoken. I hope he doesn’t mind me quoting something he wrote when he said that everyone wanted code snippets so he decided to “make the best code snippets plug-in.” FWIW, I think he succeeded there.

That's a totally valid question. The issue isn't so much that "plugins are bad" as much as it is that code snippet plugins have a lot of moving pieces and the ability to run arbitrary code that's stored in your WordPress database. A custom plugin, on the other hand, can be nothing more than a single file with a line declaring the plugin name followed by your snippet. Since it runs from the file system it loads faster than anything from the database, plus it can't be changed unless someone has file system access to your server. Contrast that to a code snippet plugin with thousands of lines of code, remote repositories, etc. and I think it's pretty obvious which one is going to be more secure.
Of course, using a snippet plugin is exponentially more convenient so it's all about trade offs. That's why I advocate for using those snippet plugins during development and testing, then offloading them to custom plugins and css files when you go into production.
Here is a good article from Smashing Magazine showing you how to make a simple plugin. If you know how to use a snipplet plugin or edit your functions file, then you'll probably find that this is just as easy once you know what to do. www.smashingmagazine.com/2011/09/how-to-create-a-wordpress-plugin/

@@AdamLoweIOgot it.. thanks for the thorough response.

Yes, I think WPCB’s functionality plug-in may be a good compromise once it’s out of experimental status. Right now it has a lot of rough edges that need to be addressed.

Yes, this is a basic function of child themes. You know that, and I know that, but a surprising number of people don't. Looking at various forums and social media threads, it was becoming alarming how many people were using code snippet plugins simply because they didn't know better. As for the reasons why it's not a good practice, as a DEVELOPER you should hopefully understand that snippet plugins introduce the potential security issues since they store the code in the database where it can be easily modified or overwritten. Those plugins also add unnecessary overhead to production systems, but that's a lesser concen.