Developer Workshop:
What I Wish I’d Known
When I Started
Erick Hitter
@ethitter
https://ethitter.com/
Slide 2
Slide 2 text
PREAMBLE
Please, interrupt
and ask questions
Slide 3
Slide 3 text
INTRO
Why should
developers care?
Slide 4
Slide 4 text
Why does this matter?
• Helps future-proof your code
• Makes your code easier to maintain
• Easier for others to learn and maintain your
code
• Reduces duplication
Slide 5
Slide 5 text
Why does this matter?
• Security
• Performance
• Scalability
Slide 6
Slide 6 text
FIRST
Can’t check if the user’s
logged in until init
Slide 7
Slide 7 text
Why?
• WordPress checks the user login between the
after_setup_theme and init actions
Slide 8
Slide 8 text
So?
• WordPress may protect you, and it may work
earlier, but it can’t be relied on
• Can’t load code at the plugins_loaded action
based on the user
• Theme setup can’t take user into account
Slide 9
Slide 9 text
SECOND
Query results aren’t
available until wp
Slide 10
Slide 10 text
Practical implications
• Most conditionals aren’t available before wp
• Can’t use query conditionals at init or in any
earlier hooks
• Can conditionally load code in the admin, or
not, but that’s about it
Link Functions
•add_query_arg()
•remove_query_arg()
Slide 14
Slide 14 text
Link Functions
•set_url_scheme()
Force HTTP URLs to HTTPS, vice versa, and more
Slide 15
Slide 15 text
Link Functions
•home_url( '/' )
Many more in
wp-includes/link-template.php.
Slide 16
Slide 16 text
The importance of slashes
• WP’s permalink structure controls if URLs
should end in a slash or not.
• WP redirects requests to the “incorrect” form of
the permalink.
• Therefore, use user_trailingslashit() to
avoid unnecessary redirects.
Slide 17
Slide 17 text
FOURTH
Escaping and
Sanitization
Slide 18
Slide 18 text
Why?
• Security!!! User input is untrustworthy.
• WordPress makes this really easy
• Escaping functions for handling output
• Sanitization functions for cleaning data to
save
An Exception
• Normally, almost all output should be escaped
• WordPress template tags are a rare exception
• Otherwise, always assume nefarious intent,
even by “trusted” users such as administrators
Slide 22
Slide 22 text
An Exception
• There’s really no excuse for not sanitizing user
input
Slide 23
Slide 23 text
http://xkcd.com/327/
Slide 24
Slide 24 text
FIFTH
Nonces
Slide 25
Slide 25 text
Remember how we
don’t trust the user?
• Intent is just as important as input sanitization
• Should the user have been able to do that thing,
in the way they did so?
Slide 26
Slide 26 text
Examples
• Did the user really click the “delete” button?
• Did this request originate from where we
expected?
Caveats
• User ID is part of their creation, so can’t be used
for logged-out requests
• Actually valid for a time period, not number of
uses
• Regardless, they play an important part in
protecting against CSRF
Slide 29
Slide 29 text
SIXTH
Ajax is easy
with WordPress
Slide 30
Slide 30 text
Ajax
• Hook your function to one of two variable
actions
• Use the same action name with the request to
admin-ajax.php
•check_ajax_referer() or use a nonce
Slide 31
Slide 31 text
Ajax
•wp_ajax_{$your_action}
•wp_ajax_nopriv_{$your_action}
• Hook to both if logged-in state isn’t relevant.
Slide 32
Slide 32 text
SEVENTH
REST API
Framework
Slide 33
Slide 33 text
Why?
• Framework introduced in WordPress 4.4
• Doesn’t run in admin context, unlike admin-ajax
• Much simpler than creating custom REST
endpoints
• Obeys Core’s permalinks, making requests
cacheable
WP HTTP API
•wp_remote_get()
•wp_remote_post()
•wp_remote_head()
•wp_remote_request()
•wp_remote_retrieve_response_code()
Slide 46
Slide 46 text
TWELFTH
Roles & Capabilities
Slide 47
Slide 47 text
Roles
• Don’t check a user’s role, rather check if that
user has a specific capability
• Roles can change at runtime
• Native capabilities can be taken away from roles
• Specific user’s capabilities can be filtered
• Familiar with user levels? Ignore them too.
Slide 48
Slide 48 text
Capabilities
• Add to specific user roles whose members need
those abilities
• Control access by checking a user’s capabilities
• Can add same capability to multiple roles
• Can also remove a capability from all roles,
blocking all access
Slide 49
Slide 49 text
Capabilities
• Don’t add custom capabilities unless they’re
necessary
• Often, a native capability that WordPress uses
for related functionality can be leveraged
instead
Rewrite Rules
• aka “Pretty Permalinks”
• They don’t use query strings, improving
cacheability
• Simplifies routing and parsing a user request
• Provides access to request variables through
WP_Query and other Core APIs
Slide 53
Slide 53 text
Rewrite Rules
• Consider replacing custom rewrite rules with
REST API endpoints, when feasible