

Developer Workshop: What I Wish I'd Known When I Started

WordPress provides a lot of convenience functions, perhaps too many. All too often, new developers reinvent the wheel, as the cliché goes, when Core already has a function or utility to accomplish the same thing. Six years on and thinking back to when I started building WordPress plugins, I could’ve saved a lot of time and avoided a lot of anxiety if I’d known where to look.


Erick Hitter

July 09, 2016


Transcript

1. Developer Workshop: What I Wish I’d Known When I Started
   Erick Hitter @ethitter https://ethitter.com/

2. Why does this matter?
   • Helps future-proof your code
   • Makes your code easier to maintain
   • Easier for others to learn and maintain your code
   • Reduces duplication

3. So?
   • WordPress may protect you, and it may work earlier, but it can’t be relied on
   • Can’t load code at the plugins_loaded action based on the user
   • Theme setup can’t take user into account

4. Practical implications
   • Most conditionals aren’t available before wp
   • Can’t use query conditionals at init or in any earlier hooks
   • Can conditionally load code in the admin, or not, but that’s about it

5. Link Functions
   • home_url( '/' )
   Many more in wp-includes/link-template.php.

6. The importance of slashes
   • WP’s permalink structure controls if URLs should end in a slash or not.
   • WP redirects requests to the “incorrect” form of the permalink.
   • Therefore, use user_trailingslashit() to avoid unnecessary redirects.

7. Why?
   • Security!!! User input is untrustworthy.
   • WordPress makes this really easy
   • Escaping functions for handling output
   • Sanitization functions for cleaning data to save

8. An Exception
   • Normally, almost all output should be escaped
   • WordPress template tags are a rare exception
   • Otherwise, always assume nefarious intent, even by “trusted” users such as administrators

9. Remember how we don’t trust the user?
   • Intent is just as important as input sanitization
   • Should the user have been able to do that thing, in the way they did so?

10. Examples
   • Did the user really click the “delete” button?
   • Did this request originate from where we expected?

11. Caveats
   • User ID is part of their creation, so can’t be used for logged-out requests
   • Actually valid for a time period, not number of uses
   • Regardless, they play an important part in protecting against CSRF

12. Ajax
   • Hook your function to one of two variable actions
   • Use the same action name with the request to admin-ajax.php
   • check_ajax_referer() or use a nonce

13. Why?
   • Framework introduced in WordPress 4.4
   • Doesn’t run in admin context, unlike admin-ajax
   • Much simpler than creating custom REST endpoints
   • Obeys Core’s permalinks, making requests cacheable

14. Database Interactions
   • Use custom post types and custom taxonomies instead.
   • If you must, always $wpdb->prepare() your queries.

15. Database Interactions
   • $wpdb->get_var()
   • $wpdb->get_col()
   • $wpdb->get_row()
   • $wpdb->insert( $table, $data, $format )
   • $wpdb->update( $table, $data, $where, $format, $where_format )
   • $wpdb->query()

16. Roles
   • Don’t check a user’s role, rather check if that user has a specific capability
   • Roles can change at runtime
   • Native capabilities can be taken away from roles
   • Specific user’s capabilities can be filtered
   • Familiar with user levels? Ignore them too.

17. Capabilities
   • Add to specific user roles whose members need those abilities
   • Control access by checking a user’s capabilities
   • Can add same capability to multiple roles
   • Can also remove a capability from all roles, blocking all access

18. Capabilities
   • Don’t add custom capabilities unless they’re necessary
   • Often, a native capability that WordPress uses for related functionality can be leveraged instead
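An added example, not from Erick’s deck, that ties slides 7 through 18 together in a single admin-ajax handler: nonce check, sanitized input, a native capability instead of a role, $wpdb->prepare() for the one raw query, and escaped output. The action name, meta key and script handle are hypothetical; everything else is Core API.

```php
<?php
// Added example (not from the deck): an admin-ajax handler applying slides 7-12
// (sanitize, escape, nonce), 14-15 ($wpdb->prepare()) and 16-18 (capabilities).
// Hypothetical names: action "demo_note_save", meta key "_demo_note".
// Expose the nonce to the admin-side script via Core's wp_localize_script().
add_action( 'admin_enqueue_scripts', 'demo_note_enqueue' );
function demo_note_enqueue() {
	wp_enqueue_script( 'demo-note', plugins_url( 'demo-note.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'demo-note', 'demoNote', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'demo_note_save' ),
	) );
}

// Slide 12: hook only the logged-in variable action; wp_ajax_nopriv_* stays
// unhooked because saving a note must never be possible while logged out.
add_action( 'wp_ajax_demo_note_save', 'demo_note_save' );
function demo_note_save() {
	global $wpdb;
	// Slides 9-11: did this request originate from our own form? Dies on failure.
	check_ajax_referer( 'demo_note_save', 'nonce' );

	// Slide 7: sanitize input before anything else touches it.
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$note    = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
	if ( ! $post_id || '' === $note ) {
		wp_send_json_error( array( 'message' => 'Missing post ID or note.' ), 400 );
	}

	// Slides 16-18: check the native meta capability for this post, not a role.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot edit this post.' ), 403 );
	}

	// Slide 14: prefer the Core API over raw SQL for the write.
	update_post_meta( $post_id, '_demo_note', $note );

	// Slide 15: when raw SQL is unavoidable, bind every value with prepare().
	$total = (int) $wpdb->get_var( $wpdb->prepare(
		"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = %s",
		'_demo_note'
	) );

	// Slide 8: escape on output; the JS will insert this HTML into the page.
	wp_send_json_success( array(
		'html'  => '<p>' . esc_html( $note ) . '</p>',
		'total' => $total,
	) );
}
```

The client side posts `action=demo_note_save`, `post_id`, `note` and the `nonce` from `demoNote` to `demoNote.ajaxUrl`; a request without a valid nonce dies inside check_ajax_referer() before any of the later checks run.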
19. Rewrite Rules
   • aka “Pretty Permalinks”
   • They don’t use query strings, improving cacheability
   • Simplifies routing and parsing a user request
   • Provides access to request variables through WP_Query and other Core APIs