Building Custom WordPress Themes with  ACF

Solid custom WordPress themes are built on the fundamentals, not page builders, bloated frameworks, or plugin abuse.

When you really understand WordPress at its core, you discover a surprisingly simple system of templates, fields, and functions that can power nearly any website. Combine that with ACF, and you get clean separation of content and design without the overhead that comes with modern drag-and-drop tools.

I’ve been building themes this way since 2012, and some of the custom themes I created over a decade ago are still running strong today. These methods are time-tested and stable, though they often get overlooked as developers reach for quick solutions that end up sacrificing long-term maintainability.

For a working reference, check out my starter theme: basic-wp.

Table of Contents

• Theme Structure
  • Core theme files
  • Page-level templates
  • Reusable template parts
  • Conditional tags for loading logic
• Custom Post Types & Taxonomies
• Custom Page Templates
• Pairing Templates with ACF Field Groups
• Working with ACF
• Auto-Versioned CSS & JS
  • Notes on Auto-versioning
• Template Tags & The Loop
  • Loop Basics
  • Pagination
  • Featured Images
  • Metadata
• Queries & Performance
  • Working with Queries
  • Performance Considerations
  • Key Functions & Hooks
• Menus, Images & Assets
  • Menus
  • Images
  • SVGs
  • Favicons & App Manifests
  • Best Practices
• Theme Support & Setup
  • Enable the essentials
  • Disable defaults you don’t need
  • Trim editor and block assets
  • Best practices
• Forms & Search
  • Forms
  • Search
  • Best Practices
• Security & Hardening
  • Output Escaping
  • Requests & Permissions
  • Reducing Attack Surface
• Admin Experience
  • Custom Fields & Options
  • Streamlining the Editor
  • Improving List Views
  • Best Practices
• Conclusion
• References
  • WordPress Documentation
  • Security & Performance
  • Tools & Plugins
  • Additional Resources

Theme Structure

The “theme structure” is your site’s skeleton. It’s how WordPress decides which file to load under different conditions, whether someone’s viewing a single post, a page, or an archive.

WordPress uses a template hierarchy to pick the right file. When you visit a product page, WordPress looks for single-product.php first, then falls back to single.php, and finally to index.php if nothing else matches.

Core theme files

These files define the foundation and global behavior of a WordPress theme.

• style.css defines theme metadata and global CSS styles
• functions.php registers theme features and custom functions
• index.php fallback template for all content types

Page-level templates

These templates control how different types of pages and archives are displayed.

• front-page.php displays the site’s static front page
• home.php shows the blog posts index page
• single.php default template for individual posts
• single-{post_type}.php template for a specific custom post type
• page.php default template for standard pages
• page-{slug}.php template for a page with a specific slug
• page-{id}.php template for a page with a specific ID
• archive.php default template for all archive pages
• archive-{post_type}.php template for a custom post type archive
• category.php template for category archive pages
• tag.php template for tag archive pages
• taxonomy-{taxonomy}.php template for a custom taxonomy archive
• search.php displays search result pages
• 404.php displays a page for not-found errors
• author.php template for author archive pages
• date.php template for date-based archive pages

Reusable template parts

These reusable components are included in various templates for consistency.

• get_header() includes the header template
• get_footer() includes the footer template
• get_sidebar() includes the sidebar template
• get_template_part() includes shared components like hero banners or cards

Conditional tags for loading logic

These tags let you control which templates or elements load based on the page type.

• is_front_page() checks if viewing the static front page
• is_home() checks if viewing the posts index page
• is_singular() checks if viewing a single post, page, or attachment
• is_post_type_archive() checks if viewing a custom post type archive
• is_tax() checks if viewing a custom taxonomy archive
• is_page_template() checks if a page uses a specific template file

Custom Post Types & Taxonomies

Custom Post Types and taxonomies let you model real-world content, like “Products,” “Events,” or “Resources”, instead of cramming everything into standard posts or pages.

Register CPTs with register_post_type() to set labels, visibility, archives, and permalinks. Register taxonomies with register_taxonomy() to group content, like product categories or event types. Just remember to flush permalinks with flush_rewrite_rules() only on theme activation to keep URLs working properly.

Custom Page Templates

Custom page templates let you create unique layouts for specific pages, like landing pages or campaign hubs, without affecting the rest of your site.

Add a file header like this:

<?php
/**
 * Template Name: Landing Page
 */

Then select it in the page editor to apply that layout.

Pairing Templates with ACF Field Groups

Advanced Custom Fields (ACF) lets you define custom field groups tied to each template, turning a static template into a flexible CMS tool. For example, you can create a Landing Page field group with fields for hero text, background images, CTAs, and testimonials, and set it to appear only when the Landing Page template is selected.

Inside your template file, output these fields:

<?php the_field('hero_heading'); ?>
<?php the_field('cta_button_link'); ?>

This pairing allows non-technical editors to manage content visually through the WordPress admin while preserving the template’s layout and style, enabling scalable, highly-customizable landing pages, microsites, and campaign hubs.

Working with ACF

Advanced Custom Fields lets you define fields for custom content entry, which keeps structure separate from presentation.

Create field groups scoped to specific post types, templates, or pages. Use Flexible Content for section-based layouts that work like HubSpot-style modules. Use Repeaters for lists or grids, and Relationship fields to connect related content.

Key functions you’ll use constantly: have_rows(), the_row(), get_row_layout(), get_sub_field().

Don’t forget to add Options pages for global settings like headers, footers, or site-wide alerts.

Auto-Versioned CSS & JS

Keep styles and scripts fresh without manual cache-busting by using each file’s last-modified time as its version. This ensures browsers only reload when a file actually changes.

Enqueue assets in functions.php:

add_action('wp_enqueue_scripts', function () {
  $css_rel   = '/assets/css/app.css';
  $js_rel    = '/assets/js/app.js';
  $css_path  = get_stylesheet_directory() . $css_rel;
  $js_path   = get_stylesheet_directory() . $js_rel;
  $css_url   = get_stylesheet_directory_uri() . $css_rel;
  $js_url    = get_stylesheet_directory_uri() . $js_rel;
  $css_ver   = file_exists($css_path) ? filemtime($css_path) : null;
  $js_ver    = file_exists($js_path)  ? filemtime($js_path)  : null;

  wp_enqueue_style('theme', $css_url, [], $css_ver, 'all');
  wp_enqueue_script('theme', $js_url, ['jquery'], $js_ver, true);
});

Notes on Auto-versioning

• Use filemtime() with the local filesystem path, not the URL.
• Pair it with the matching URL from get_stylesheet_directory_uri() or get_template_directory_uri().
• Wrap it in file_exists() to prevent warnings when files aren’t deployed yet.
• null or false as the version lets WordPress omit the query string when a file is missing.
• Works only for local files, not remote or CDN-hosted assets.
• Ensures browsers fetch a new file only when the file’s modified time changes.
• Use get_stylesheet_directory*() for child theme compatibility.
• Pass dependencies to wp_enqueue_script() and load scripts in the footer when possible.
• Use wp_localize_script() to pass PHP data to JavaScript safely.

This ensures browsers always pull the latest version when you update a file.

Use dependencies properly, load scripts in the footer when possible, and pass PHP data to JavaScript with wp_localize_script().

add_action('wp_enqueue_scripts', function () {
  wp_localize_script('theme', 'ThemeData', [
    'ajaxUrl' => admin_url('admin-ajax.php'),
    'nonce'   => wp_create_nonce('theme'),
  ]);
});

Template Tags & The Loop

The Loop is how WordPress cycles through posts. Template tags control what to display within each iteration.

Loop Basics

• have_posts(): Checks if there are posts to display in the current query.
• the_post(): Sets up post data for each iteration of the loop.
• the_title(): Outputs the current post’s title.
• the_content(): Displays the full content of the current post.
• the_excerpt(): Displays the post’s excerpt instead of full content.
• the_permalink(): Outputs the URL of the current post.

Pagination

• the_posts_pagination(): Displays default paginated links for multi-page loops.
• paginate_links(): Generates customizable pagination links.

Featured Images

• has_post_thumbnail(): Checks if a post has a featured image assigned.
• the_post_thumbnail(): Outputs the featured image for the current post.

Metadata

• get_the_date(): Returns the formatted publication date of the current post.
• the_author(): Outputs the display name of the post’s author.
• the_terms(): Displays linked taxonomy terms (like categories or tags) for the post.

Queries & Performance

When you need to display something other than the default post loop—like a featured article slider, a list of related posts, or custom archive layouts—you’ll reach for WP_Query. It’s the backbone of WordPress querying and gives you fine-grained control over which posts you fetch and how they’re displayed.

WP_Query is ideal for building custom loops, while get_posts() is a lighter alternative for simple, one-off lists. If you need to adjust the main archive or search results, use the pre_get_posts hook. This hook lets you modify the query before it runs, preserving pagination and performance. Avoid query_posts() entirely; it overwrites the main query, breaks pagination, and can lead to confusing bugs.

Working with Queries

When creating secondary loops—for example, to showcase featured posts—instantiate WP_Query directly. Always call wp_reset_postdata() after the custom loop to restore the global $post object. For archive modifications, rely on pre_get_posts to change parameters such as post types or categories without disrupting WordPress’s default logic.

Performance Considerations

Queries can be one of the biggest performance bottlenecks on busy sites. Cache expensive queries with transients (set_transient() / get_transient()) for short-term storage, or use persistent object caching solutions like Redis or Memcached to avoid hitting the database repeatedly. If you don’t need pagination, set no_found_rows => true to skip unnecessary counting queries. Narrow parameters as much as possible—restrict by post_type, avoid broad meta_query filters, and limit returned fields.

During development, enable SAVEQUERIES or use the Query Monitor plugin to inspect and benchmark your queries. Reducing query complexity and caching frequently used results can significantly improve page load times and overall scalability.

Key Functions & Hooks

• WP_Query: Build custom queries for posts, pages, or custom post types.
• get_posts(): Lightweight helper for quick lists of posts.
• pre_get_posts: Modify the main query before it executes.
• wp_reset_postdata(): Restore global state after a custom loop.

Menus, Images & Assets

Navigation and media aren’t just decoration—they shape how users experience your site. Clean, accessible menus guide visitors, and properly optimized images keep pages fast while looking sharp on every device.

Menus

A theme should define menu locations up front so site owners can manage them in the dashboard. Register them in functions.php:

add_action('after_setup_theme', function () {
  register_nav_menus([
  'primary' => 'Primary Navigation',
  'footer' => 'Footer Links',
  ]);
});

Render them where needed using wp_nav_menu():

<?php
wp_nav_menu([
  'theme_location' => 'primary',
  'container' => false,
  'menu_class' => 'nav-primary',
]);
?>

Keep menu labels short, use a flat hierarchy for mobile usability, and ensure the markup is wrapped in a <nav> element with proper ARIA attributes.

Images

Every image you output should be generated at the optimal size. Declare sizes with add_image_size() so WordPress can crop and serve the right dimensions:

add_action('after_setup_theme', function () {
  add_image_size('hero', 1600, 600, true);
  add_image_size('card', 400, 300, true);
});

Display them with responsive markup via wp_get_attachment_image() or the_post_thumbnail():

<?php echo wp_get_attachment_image($image_id, 'card'); ?>

This automatically includes srcset and sizes attributes for modern responsive loading. Compress and optimize all images—prefer WebP or AVIF if supported.

SVGs

SVG graphics scale crisply at any size but can contain malicious code if uploaded directly. Sanitize them before use with a plugin like Safe SVG or a custom filter that strips unsafe tags and attributes. Avoid trusting raw user-uploaded SVGs.

Favicons & App Manifests

Add favicons for multiple devices to maintain a professional appearance. For PWAs, include a site.webmanifest file that defines icons, theme colors, and splash screens for mobile devices. You can upload favicons via Appearance → Customize → Site Identity, or enqueue them manually in your for full control.

Best Practices

• Register menus for all navigation areas and keep their structure shallow for mobile-first usability.
• Use WordPress image functions to automatically generate responsive srcset markup.
• Only register image sizes you actually use to avoid cluttering storage.
• Sanitize all SVGs before rendering them inline.
• Add favicons and manifests to give the site a polished, app-like presence.
• Always optimize and compress media to reduce load times and improve Core Web Vitals.

Theme Support & Setup

A theme’s setup defines which WordPress features are enabled and how lean your front end runs. Turn on the essentials to keep things modern, and strip out defaults you don’t use to reduce requests, bytes, and complexity.

Enable the essentials

Use add_theme_support() inside after_setup_theme to enable core features your design actually needs.

add_action('after_setup_theme', function () {
    add_theme_support('title-tag');
    add_theme_support('post-thumbnails');
    add_theme_support('html5', [
        'search-form',
        'comment-form',
        'comment-list',
        'gallery',
        'caption',
        'script',
        'style'
    ]);
    add_theme_support('automatic-feed-links');
    add_theme_support('custom-logo');
    add_theme_support('align-wide');
    add_theme_support('editor-styles');
});

Disable defaults you don’t need

Remove built-in features that add noise or network requests you’re not using.

add_action('init', function () {
    remove_action('wp_head', 'print_emoji_detection_script', 7);
    remove_action('wp_print_styles', 'print_emoji_styles');
    remove_action('wp_head', 'wp_generator');
    remove_action('wp_head', 'rsd_link');
    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'wp_shortlink_wp_head');
    add_filter('xmlrpc_enabled', '__return_false');
});

Trim editor and block assets

If you’re not using core block styles or embeds globally, dequeue them late to avoid unnecessary CSS/JS.

add_action('wp_enqueue_scripts', function () {
    wp_dequeue_style('wp-block-library');
    wp_dequeue_style('wp-block-library-theme');
    wp_dequeue_style('classic-theme-styles');
    wp_dequeue_style('global-styles');
    wp_deregister_script('wp-embed');
}, 100);

Best practices

• Enable only the features your theme uses; revisit as WordPress evolves.
• Keep setup logic isolated in after_setup_theme for clarity and testability.
• Audit front-end assets in production; remove unused styles/scripts to improve Core Web Vitals.
• Prefer theme.json/editor settings over custom code when possible to reduce maintenance.

Forms & Search

Forms capture leads, drive conversions, and collect user input—security and reliability are critical. Search is often overlooked but directly impacts how quickly users find what they need.

Forms

For most sites, start with a battle-tested plugin like Gravity Forms. It offers advanced field types, conditional logic, spam protection, and secure storage of submissions. Pair it with server-side validation and enable nonces to prevent CSRF attacks. Keep the plugin up to date and review data retention policies to stay compliant with privacy regulations.

If you’re using a third-party CRM or marketing platform, such as HubSpot, integrate its embedded forms directly or through their WordPress plugin. This approach lets leads flow into your CRM automatically for nurturing and tracking. Always test these integrations end to end—look for field mapping issues and confirm that submissions are recorded in both WordPress and the CRM.

For custom projects that demand a fully branded experience, build your own lead-generation forms with a JavaScript framework like Vue. Handle front-end validation in Vue for a fast, seamless UX, then send submissions to a secure WordPress REST API endpoint protected by nonces and wp_verify_nonce(). Store the data in custom tables or forward it to your CRM of choice. This hybrid approach provides the most control over design and performance while keeping the data pipeline secure.

Search

The default WordPress search often falls short—it’s basic and ranks results by date, not relevance. Use a plugin like Relevanssi or an external service like Algolia to provide weighted indexes, fuzzy matching, and the ability to index PDFs and custom fields. Improving search makes content easier to find and improves engagement.

Best Practices

• Validate and sanitize all form input, regardless of the tool you use.
• Add reCAPTCHA or hCaptcha to protect public forms from spam.
• For CRM integrations, confirm field mapping and data compliance settings.
• Use REST endpoints with proper nonces when creating custom Vue-based forms.
• Replace default search with a relevance-based engine for better UX.

Security & Hardening

Security should be woven into every template, query, and interaction. A few small practices can prevent most common attacks.

Output Escaping

Escape all dynamic output to prevent XSS vulnerabilities:
– Use esc_html() for plain text.
– Use esc_attr() for attribute values inside tags.
– Use esc_url() for links.
– Use wp_kses() to allow only specific HTML tags in user-submitted content.

Never echo raw data without first escaping or sanitizing it.

Requests & Permissions

All forms and AJAX requests should be protected with nonces:

check_admin_referer('form_action');
wp_verify_nonce($_POST['nonce'], 'form_action');

For front-end submissions, pair nonces with capability checks like current_user_can() before processing any data. Always validate and sanitize $_POST and $_GET values server-side even if you do it client-side.

Reducing Attack Surface

Limit what’s exposed by default:

• Disable unused REST API endpoints or restrict them to authenticated users.
• Remove or disable XML-RPC if not needed.
• Restrict file editing via the dashboard with define('DISALLOW_FILE_EDIT', true);.
• Keep WordPress core, plugins, and themes updated.
• Use a WAF (Web Application Firewall) and enforce strong admin passwords and 2FA.

Admin Experience

A thoughtful admin experience saves time and prevents errors for editors and clients.

Custom Fields & Options

Use Advanced Custom Fields (ACF) Options Pages to centralize global settings like logos, contact details, or site-wide alerts:

if (function_exists('acf_add_options_page')) {
    acf_add_options_page([
        'page_title' => 'Site Settings',
        'menu_title' => 'Site Settings',
        'menu_slug'  => 'site-settings',
        'capability' => 'edit_posts',
        'redirect'   => false,
    ]);
}

Scope field groups by post type, page template, or user role so editors only see fields that apply to their work.

Streamlining the Editor

Remove unused metaboxes and clutter:

add_action('admin_menu', function () {
    remove_meta_box('trackbacksdiv', 'post', 'normal');
    remove_meta_box('slugdiv', 'page', 'normal');
});

You can also hide unnecessary dashboard widgets and disable comments on content types where they’re not needed.

Improving List Views

Add custom columns to list tables for key ACF data or post meta that helps editors see important info at a glance:

add_filter('manage_post_posts_columns', function ($columns) {
    $columns['featured'] = 'Featured';
    return $columns;
});

add_action('manage_post_posts_custom_column', function ($column, $post_id) {
    if ($column === 'featured') {
        echo get_field('featured', $post_id) ? 'Yes' : 'No';
    }
}, 10, 2);

Best Practices

• Keep admin screens focused on what editors actually need to see.
• Use roles and capabilities to limit access to sensitive settings.
• Audit plugin UI elements that clutter the editing experience.
• Prioritize security by default; escaping, nonces, and permission checks should be part of every new feature.

Conclusion

A custom theme built on these fundamentals using templates, custom post types, ACF, and WordPress’s template hierarchy properly is fast, stable, and maintainable.

I’ve been using these practices for over a decade because they work. They outlast design trends and plugin churn, giving you a rock-solid foundation that keeps content separate from design and your sites reliable for years to come.

References

WordPress Documentation

• Template Hierarchy – Official WordPress guide to template selection
• Theme Development – Complete WordPress theme development handbook
• Custom Post Types – Register and work with custom post types
• WP_Query Class Reference – Complete documentation for custom queries

Security & Performance

• Data Validation – WordPress security best practices
• Escaping Output – Proper output sanitization techniques
• WordPress Performance – Official performance optimization guide

Tools & Plugins

• Advanced Custom Fields – Complete ACF documentation and tutorials
• Relevanssi – WordPress search improvement plugin documentation
• WordPress Coding Standards – Official coding standards and best practices

Additional Resources

• WordPress Template Tags – Complete list of available template functions
• Conditional Tags – All WordPress conditional functions for theme logic
• Plugin API/Action Reference – WordPress hooks and actions for theme development