If you have ever pasted something like [contact-form-7 id="42"] into a WordPress page and watched a fully functional contact form appear, you have already used a shortcode. Shortcodes are one of WordPress's oldest and most useful features - and despite being partially superseded by the block editor, they remain widespread across thousands of themes and plugins.
What Shortcodes Actually Are
A shortcode is a bracketed tag that WordPress replaces with dynamic content or functionality when a page is rendered. Instead of embedding hundreds of lines of HTML or JavaScript directly into your content, you write a short, human-readable tag and WordPress handles the rest.
Shortcodes can be self-closing ([gallery]) or wrap around content ([caption]This is my photo[/caption]). They can also accept attributes that customize their output, like [gallery ids="1,2,3" columns="2"].
The mechanism behind them is simple: WordPress maintains a global registry of shortcode tags and the PHP functions that handle them. When WordPress finds a recognized shortcode in content, it calls the corresponding function and replaces the shortcode with whatever that function returns.
Built-In WordPress Shortcodes
WordPress ships with a small set of native shortcodes that have been part of the platform for years:
- [gallery] - displays a grid of images attached to the current post
- [caption] - wraps an image in a figure element with an accessible caption
- [audio] - embeds an HTML5 audio player
- [video] - embeds an HTML5 video player
- [playlist] - creates an audio or video playlist from uploaded media
These are reliable, well-maintained, and safe to use anywhere in your content.
Plugin Shortcodes
The real power of shortcodes comes from plugins. Almost every major WordPress plugin category uses shortcodes to place functionality inside content:
- Contact forms - Contact Form 7, WPForms, Gravity Forms
- Buttons and calls to action - MaxButtons, Shortcodes Ultimate
- Pricing tables - Easy Pricing Tables, ARPrice
- Testimonials, sliders, and portfolios - most theme frameworks include their own shortcode libraries
When you install one of these plugins, it registers its shortcodes automatically. You copy the shortcode from the plugin settings and paste it into any post, page, or widget that accepts content.
Shortcodes vs. Gutenberg Blocks
When WordPress introduced the block editor (Gutenberg) in version 5.0, it shifted the preferred paradigm from shortcodes to blocks. Blocks are visual, drag-and-drop, and display a live preview in the editor - a significant usability improvement over typing a shortcode and hoping for the best.
Many plugin developers now offer blocks alongside or instead of shortcodes. If your plugin offers both, the block is generally the better choice for new content: it is easier to configure, previews correctly in the editor, and does not depend on shortcode parsing.
That said, shortcodes are not going away. Millions of sites have shortcodes embedded in existing content, and many specialized plugins still use them as the primary integration method. WordPress continues to maintain backward compatibility, and a dedicated Shortcode block in Gutenberg lets you use old shortcodes inside the block editor.
Adding Custom Shortcodes
If you are comfortable with PHP, you can register your own shortcodes by adding a function to your theme's functions.php file or a custom plugin. The pattern is straightforward: define a function that returns a string, then register it with add_shortcode('your-tag', 'your_function'). Any time WordPress finds [your-tag] in content, it will call your function and display the result.
For anything beyond trivial customizations, a small site-specific plugin is a cleaner approach than editing functions.php - your code survives theme updates and is easier to manage independently.
The Security Risk You Must Know
Shortcodes execute PHP functions. This makes them powerful and also potentially dangerous if misused.
The most important rule: never enable shortcode processing on content submitted by untrusted users. If you run a site where visitors can submit posts, comments, or profile fields, and you apply do_shortcode() to that content, a malicious user could craft a shortcode payload that executes unintended code or leaks information.
WordPress does not process shortcodes in comments by default - this is intentional. If you or a plugin enables shortcodes in comments or other user-generated content, apply strict input sanitization first. Stick to shortcodes in content areas that only trusted editors can modify.
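The registration pattern from the previous section and the sanitization advice above, combined in one small site-specific plugin. This is an added example, not code from the article or from WordPress itself; the plugin name, the site_notice tag and the example_ function names are invented for illustration, while add_shortcode, shortcode_atts, do_shortcode, wp_kses_post, esc_attr and esc_html are real WordPress functions.

```php
<?php
/**
 * Plugin Name: Site Notice Shortcode (example)
 * Description: Registers [site_notice type="info" title="Heads up"]text[/site_notice].
 * Hypothetical site-specific plugin written for this example.
 */

defined( 'ABSPATH' ) || exit; // Refuse to run when the file is requested directly.

/**
 * Shortcode handler. It RETURNS the markup; echoing would print it in the wrong place.
 *
 * @param array|string $atts    Raw attributes; WordPress passes '' when none are given.
 * @param string|null  $content Text between the opening and closing tag, if any.
 * @param string       $tag     Tag name, so one handler can serve several tags.
 * @return string               Markup that replaces the shortcode in the rendered page.
 */
function example_site_notice_shortcode( $atts, $content = null, $tag = '' ) {
    // Merge with defaults; attributes not listed here are silently dropped.
    $atts = shortcode_atts(
        array(
            'type'  => 'info',
            'title' => '',
        ),
        $atts,
        $tag
    );

    // The type becomes part of a CSS class, so accept only known values.
    $allowed_types = array( 'info', 'warning', 'success' );
    $type          = in_array( $atts['type'], $allowed_types, true ) ? $atts['type'] : 'info';

    // Editors may use basic HTML inside the tag: reduce it to the post-safe set,
    // then expand any nested shortcodes (e.g. [caption]) the same way WordPress does.
    $body = do_shortcode( wp_kses_post( (string) $content ) );

    $title_html = '';
    if ( '' !== $atts['title'] ) {
        $title_html = '<strong class="site-notice__title">' . esc_html( $atts['title'] ) . '</strong> ';
    }

    // Every attribute-derived value is escaped for the context it lands in.
    return sprintf(
        '<div class="site-notice site-notice--%s" role="note">%s%s</div>',
        esc_attr( $type ),
        $title_html,
        $body
    );
}
add_shortcode( 'site_notice', 'example_site_notice_shortcode' );
```

Nothing in this file calls do_shortcode() on comments or other visitor-supplied text; the handler only ever runs on post content that WordPress's own rendering pipeline passes to it.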
Used correctly, shortcodes remain a practical, flexible tool in the WordPress ecosystem - especially when maintaining existing sites built before the block editor era.