WordPress powers much of the web, and it’s easy to build insecure, slow sites on it. These questions separate real developers from plugin-installers.
Hiring a WordPress developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.
Junior WordPress interview questions
0–2 years
Core concepts.
What is the difference between a theme and a plugin?
Good answer: A theme controls presentation; a plugin adds functionality. Site behaviour belongs in a plugin, not the theme.
Red flag: Puts business logic in the theme so it breaks on theme change.
What are hooks (actions and filters)?
Good answer: Extension points: actions run code at events; filters modify data. They let you extend WordPress without editing core.
Red flag: Edits core files instead of using hooks.
What is The Loop?
Good answer: The construct that iterates over queried posts to render them; understanding it is fundamental to templating.
Red flag: Cannot explain how posts get rendered.
What are custom post types and taxonomies?
Good answer: Ways to model content beyond posts and pages (e.g. products, categories), registered via code.
Red flag: Forces all content into default posts.
Why should you never edit WordPress core?
Good answer: Updates overwrite the changes, and a modified core can no longer take security patches cleanly; use hooks, child themes and plugins instead.
Red flag: Edits core and loses changes on update.
What is a child theme and why use one?
Good answer: A theme inheriting from a parent so you can customise safely without losing changes on parent updates.
Red flag: Edits the parent theme directly.
What is functions.php for?
Good answer: Theme-level code for hooks and setup; heavy or portable logic belongs in a plugin instead.
Red flag: Dumps all site logic into functions.php.
How do you enqueue scripts and styles properly?
Good answer: With wp_enqueue_script/wp_enqueue_style so dependencies and versions are managed, not hardcoded tags.
Red flag: Hardcodes script tags in the template.
Mid-level WordPress interview questions
2–5 years
Data, security and APIs.
How do you query content safely and efficiently?
Good answer: WP_Query with sensible arguments, avoiding query_posts and unbounded queries, and caching where needed.
Red flag: Uses query_posts or fetches everything.
How do you prevent SQL injection in WordPress?
Good answer: $wpdb->prepare() for any custom queries, never interpolating input directly.
Red flag: Concatenates input into a $wpdb query.
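The contrast above in code, as an added example that is not from the original page: the same lookup written with string concatenation and with $wpdb->prepare(). The coupons table and its columns are assumed.

```php
<?php
// Added example: a custom-table lookup, unsafe and safe.
// Assumes a table {$wpdb->prefix}coupons with columns code and discount.

// Vulnerable: user input is concatenated into the SQL string, so a value
// containing a single quote breaks out of the literal and becomes SQL.
function coupon_discount_unsafe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    return $wpdb->get_var( "SELECT discount FROM {$table} WHERE code = '{$code}'" );
}

// Hardened: prepare() binds the value as data; it is escaped and quoted for you.
function coupon_discount_safe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    $sql = $wpdb->prepare(
        "SELECT discount FROM {$table} WHERE code = %s",
        $code
    );
    return $wpdb->get_var( $sql );
}

// LIKE searches also need the wildcard characters in the input escaped,
// otherwise a caller can widen the match with % or _.
function coupons_matching( $prefix ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    $like  = $wpdb->esc_like( $prefix ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT code, discount FROM {$table} WHERE code LIKE %s", $like )
    );
}

// Table and column names cannot be bound with %s. Keep them fixed in code or
// check them against an allow-list; WordPress 6.2+ also offers the %i
// identifier placeholder in prepare().
```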
What are nonces and why use them?
Good answer: Tokens that protect actions against CSRF by verifying intent on form and AJAX requests.
Red flag: Skips nonce verification on state-changing actions.
How do you sanitise and escape data?
Good answer: Sanitise input on the way in and escape output on the way out (esc_html, esc_url, etc.) to prevent XSS.
Red flag: Outputs user data unescaped.
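The nonce and sanitise/escape questions above share one pattern, shown here as an added example (not code from the original page): an admin form whose handler verifies the nonce, checks the capability, sanitises on save and escapes on output. The function, option and field names are assumed, and the form is rendered from an admin page.

```php
<?php
// Added example: a small admin form that stores a "tagline override".
// Names (tagline_form_*, my_plugin_tagline) are hypothetical.

// Render the form: the nonce field ties this submission to one action.
function tagline_form_render() {
    $current = get_option( 'my_plugin_tagline', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tagline_form_save">
        <?php wp_nonce_field( 'tagline_form_save', 'tagline_form_nonce' ); ?>
        <label>Tagline
            <input type="text" name="tagline" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST: verify the nonce (intent), then the capability (authorisation),
// then sanitise before storing. A nonce is not a substitute for the capability check.
function tagline_form_save() {
    if ( ! isset( $_POST['tagline_form_nonce'] )
        || ! wp_verify_nonce( $_POST['tagline_form_nonce'], 'tagline_form_save' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Error', array( 'response' => 403 ) );
    }
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    update_option( 'my_plugin_tagline', $tagline );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_tagline_form_save', 'tagline_form_save' );

// Escape on output, for the context it is printed in: esc_html() for text
// nodes, esc_attr() for attribute values, esc_url() for href/src.
function tagline_output() {
    $tagline = get_option( 'my_plugin_tagline', '' );
    if ( '' !== $tagline ) {
        echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
    }
}
add_action( 'wp_footer', 'tagline_output' );
```

For AJAX handlers the same check is check_ajax_referer( 'action', 'field' ), which dies on failure.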
How does the REST API work in WordPress?
Good answer: Exposes content and custom endpoints over REST for headless or app integrations, with authentication and permission callbacks.
Red flag: Exposes endpoints with no permission checks.
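An added example of the permission-callback point, not from the original page: a read route that is genuinely public and a write route on the same path that requires a capability and validates its argument. The namespace, route and option name are assumed.

```php
<?php
// Added example: two REST routes in a hypothetical "acme/v1" namespace.

add_action( 'rest_api_init', function () {
    // Public read endpoint. permission_callback is still required;
    // __return_true is only right for data that is genuinely public.
    register_rest_route( 'acme/v1', '/announcement', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_get_announcement',
        'permission_callback' => '__return_true',
    ) );

    // State-changing endpoint: require a capability, and declare the argument's
    // sanitise/validate callbacks so bad input is rejected before the callback runs.
    register_rest_route( 'acme/v1', '/announcement', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'acme_set_announcement',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'text' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );
} );

function acme_get_announcement( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'text' => get_option( 'acme_announcement', '' ) ) );
}

function acme_set_announcement( WP_REST_Request $request ) {
    // The value has already passed the declared sanitize/validate callbacks.
    update_option( 'acme_announcement', $request->get_param( 'text' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Cookie-authenticated requests from the browser must also send the X-WP-Nonce header (a 'wp_rest' nonce); without it WordPress treats the request as logged out and the capability check fails.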
How do you handle custom fields and metadata?
Good answer: Post meta (often via ACF) stored and queried appropriately, mindful of meta-query performance.
Red flag: Overloads meta queries and slows the site.
How do transients and caching work?
Good answer: Transients cache expensive results with expiry; object and page caches reduce load further.
Red flag: Runs expensive queries on every page load.
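An added example (not from the original page) of a transient around an expensive, bounded WP_Query, with the cache cleared when the underlying content changes rather than only on expiry. The product post type and views meta key are assumed.

```php
<?php
// Added example: cache a "popular products" query in a transient.
// Post type "product" and meta key "views" are hypothetical.

function acme_popular_product_ids() {
    $key = 'acme_popular_product_ids';
    $ids = get_transient( $key );
    if ( false !== $ids ) {
        return $ids; // cache hit: no database query
    }
    $query = new WP_Query( array(
        'post_type'      => 'product',
        'post_status'    => 'publish',
        'posts_per_page' => 10,            // always bounded
        'meta_key'       => 'views',
        'orderby'        => 'meta_value_num',
        'order'          => 'DESC',
        'fields'         => 'ids',         // IDs only, not full post objects
        'no_found_rows'  => true,          // skip SQL_CALC_FOUND_ROWS; we do not paginate
    ) );
    $ids = $query->posts;
    set_transient( $key, $ids, 10 * MINUTE_IN_SECONDS ); // expiry bounds staleness
    return $ids;
}

// Invalidate when a product is saved so editors see changes promptly.
function acme_flush_popular_products( $post_id, $post ) {
    if ( 'product' === $post->post_type ) {
        delete_transient( 'acme_popular_product_ids' );
    }
}
add_action( 'save_post', 'acme_flush_popular_products', 10, 2 );
```

With a persistent object cache (e.g. Redis) installed, transients are stored there instead of the options table, so the same code benefits without changes.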
How do you build a maintainable plugin?
Good answer: Namespaced, well-structured code with hooks, avoiding global collisions and following coding standards.
Red flag: Global functions and spaghetti in one file.
Senior WordPress interview questions
5+ years
Performance, security and scale.
How do you make a WordPress site fast?
Good answer: Caching (page/object), a CDN, optimised queries and assets, minimal plugins, and a fast host — measured, not guessed.
Red flag: Installs a caching plugin and calls it done.
How do you secure a WordPress site?
Good answer: Least-privilege roles, updates, hardened config, security headers, limiting login attempts, and vetting plugins/themes.
Red flag: Leaves everything default and installs random plugins.
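The "hardened config" and "security headers" items above, as an added example that is not from the original page. The constants belong in wp-config.php and the hooks in a small plugin; the header values are a baseline to adjust per site.

```php
<?php
// Added example: hardening settings a code reviewer would expect to see.

// wp-config.php
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme/plugin code editor from wp-admin
define( 'DISALLOW_FILE_MODS', true );  // also blocks installs/updates from the dashboard; deploy via version control
define( 'FORCE_SSL_ADMIN', true );     // login and admin only over HTTPS
define( 'WP_DEBUG', false );           // never show errors or stack traces to visitors in production
define( 'WP_DEBUG_DISPLAY', false );

// Plugin: baseline security headers on front-end responses. send_headers does not
// fire for wp-admin or wp-login.php, so set those at the web server as well.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
} );

// Disable the authenticated XML-RPC methods unless an integration needs them;
// they are a routine credential-stuffing target.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Do not confirm whether a username exists on a failed login.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your credentials and try again.';
} );
```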
How do you scale WordPress for high traffic?
Good answer: Full-page caching, a CDN, object cache (Redis), database optimisation/replicas, and stateless app servers.
Red flag: Assumes a single server handles any load.
How do you evaluate plugin quality and risk?
Good answer: Review code, maintenance, reputation and security history; every plugin is attack surface and performance cost.
Red flag: Installs any plugin that looks convenient.
How do you approach a headless WordPress build?
Good answer: WordPress as a content API (REST/GraphQL) with a separate frontend, weighing the added complexity against the benefits.
Red flag: Adopts headless with no reason and adds complexity.
How do you manage deployments and environments?
Good answer: Version control, a staging environment and a repeatable deploy process rather than editing files on the live server, which is common in WordPress projects and risky.
Red flag: Edits code directly on production.
How do you optimise the database on a large site?
Good answer: Clean up post revisions, transients and autoloaded options, add indexes for custom queries, and monitor slow queries.
Red flag: Lets the options table and meta grow unchecked.
How do you keep a large multisite or content-heavy install maintainable?
Good answer: Modular plugins, coding standards, automated tests where possible, and disciplined update/backup processes.
Red flag: Ad-hoc changes with no process or backups.