Developer Workshop: What I Wish I'd Known When I Started

by Erick Hitter

Slide 1

Slide 1 text

Developer Workshop:    What I Wish I’d Known When I Started Erick Hitter @ethitter https://ethitter.com/

Slide 2

Slide 2 text

PREAMBLE Please, interrupt  and ask questions

Slide 3

Slide 3 text

INTRO Why should  developers care?

Slide 4

Slide 4 text

Why does this matter? • Helps future-proof your code • Makes your code easier to maintain • Easier for others to learn and maintain your code • Reduces duplication

Slide 5

Slide 5 text

Why does this matter? • Security • Performance • Scalability

Slide 6

Slide 6 text

FIRST Can’t check if the user’s logged in until init

Slide 7

Slide 7 text

Why? • WordPress checks the user login between the after_setup_theme and init actions

Slide 8

Slide 8 text

So? • WordPress may protect you, and it may work earlier, but it can’t be relied on • Can’t load code at the plugins_loaded action based on the user • Theme setup can’t take user into account

Slide 9

Slide 9 text

SECOND Query results aren’t available until wp

Slide 10

Slide 10 text

Practical implications • Most conditionals aren’t available before wp • Can’t use query conditionals at init or in any earlier hooks • Can conditionally load code in the admin, or not, but that’s about it

Slide 11

Slide 11 text

THIRD Never build a manual link again

Slide 12

Slide 12 text

Link Functions •get_permalink() •get_page_by_path( 'about' ) •get_post_type_archive_link( 'waffles' ) •user_trailingslashit() •get_year_link() •get_adjacent_post()

Slide 13

Slide 13 text

Link Functions •add_query_arg() •remove_query_arg()

Slide 14

Slide 14 text

Link Functions •set_url_scheme()        Force HTTP URLs to HTTPS, vice versa, and more

Slide 15

Slide 15 text

Link Functions •home_url( '/' )        Many more in  wp-includes/link-template.php.

Slide 16

Slide 16 text

The importance of slashes • WP’s permalink structure controls if URLs should end in a slash or not. • WP redirects requests to the “incorrect” form of the permalink. • Therefore, use user_trailingslashit() to avoid unnecessary redirects.

Slide 17

Slide 17 text

FOURTH Escaping and Sanitization

Slide 18

Slide 18 text

Why? • Security!!! User input is untrustworthy. • WordPress makes this really easy • Escaping functions for handling output • Sanitization functions for cleaning data to save

Slide 19

Slide 19 text

Escaping Functions •esc_attr() •esc_html() •esc_url() •esc_textarea()

Slide 20

Slide 20 text

Sanitization Functions •sanitize_text_field() •sanitize_email() •sanitize_user()

Slide 21

Slide 21 text

An Exception • Normally, almost all output should be escaped • WordPress template tags are a rare exception • Otherwise, always assume nefarious intent, even by “trusted” users such as administrators

Slide 22

Slide 22 text

An Exception • There’s really no excuse for not sanitizing user input

Slide 23

Slide 23 text

http://xkcd.com/327/

Slide 24

Slide 24 text

FIFTH Nonces

Slide 25

Slide 25 text

Remember how we  don’t trust the user? • Intent is just as important as input sanitization • Should the user have been able to do that thing, in the way they did so?

Slide 26

Slide 26 text

Examples • Did the user really click the “delete” button? • Did this request originate from where we expected?

Slide 27

Slide 27 text

nonce Functions •wp_create_nonce() •wp_verify_nonce() •wp_nonce_field()

Slide 28

Slide 28 text

Caveats • User ID is part of their creation, so can’t be used for logged-out requests • Actually valid for a time period, not number of uses • Regardless, they play an important part in protecting against CSRF

Slide 29

Slide 29 text

SIXTH Ajax is easy with WordPress

Slide 30

Slide 30 text

Ajax • Hook your function to one of two variable actions • Use the same action name with the request to admin-ajax.php •check_ajax_referer() or use a nonce

Slide 31

Slide 31 text

Ajax •wp_ajax_{$your_action} •wp_ajax_nopriv_{$your_action} • Hook to both if logged-in state isn’t relevant.

Slide 32

Slide 32 text

SEVENTH REST API  Framework

Slide 33

Slide 33 text

Why? • Framework introduced in WordPress 4.4 • Doesn’t run in admin context, unlike admin-ajax • Much simpler than creating custom REST endpoints • Obeys Core’s permalinks, making requests cacheable

Slide 34

Slide 34 text

How? •register_rest_route( $namespace, $route, $args )

Slide 35

Slide 35 text

EIGHTH Database Interactions

Slide 36

Slide 36 text

Database Interactions • Use custom post types and custom taxonomies instead. • If you must, always $wpdb->prepare() your queries.

Slide 37

Slide 37 text

Database Interactions •$wpdb->get_var() •$wpdb->get_col() •$wpdb->get_row() •$wpdb->insert( $table, $data, $format ) •$wpdb->update( $table, $data, $where, $format, $where_format ) •$wpdb->query()

Slide 38

Slide 38 text

NINTH Enqueue All The Things

Slide 39

Slide 39 text

Slide 40

Slide 40 text

Enqueue! •wp_enqueue_style() •wp_enqueue_script()

Slide 41

Slide 41 text

But why? • Reusable • Dependencies • Versioning • Miniﬁcation • Concatenation • CDN

Slide 42

Slide 42 text

TENTH Cache All The Things

Slide 43

Slide 43 text

Caching • Transients • Object Cache

Slide 44

Slide 44 text

ELEVENTH Remote Requests

Slide 45

Slide 45 text

WP HTTP API •wp_remote_get() •wp_remote_post() •wp_remote_head() •wp_remote_request() •wp_remote_retrieve_response_code()

Slide 46

Slide 46 text

TWELFTH Roles & Capabilities

Slide 47

Slide 47 text

Roles • Don’t check a user’s role, rather check if that user has a specific capability • Roles can change at runtime • Native capabilities can be taken away from roles • Specific user’s capabilities can be filtered • Familiar with user levels? Ignore them too.

Slide 48

Slide 48 text

Capabilities • Add to speciﬁc user roles whose members need those abilities • Control access by checking a user’s capabilities • Can add same capability to multiple roles • Can also remove a capability from all roles, blocking all access

Slide 49

Slide 49 text

Capabilities • Don’t add custom capabilities unless they’re necessary • Often, a native capability that WordPress uses for related functionality can be leveraged instead

Slide 50

Slide 50 text

Functions • current_user_can() • user_can() • add_role() • WP_Role::add_cap()

Slide 51

Slide 51 text

THIRTEENTH Rewrites

Slide 52

Slide 52 text

Rewrite Rules • aka “Pretty Permalinks” • They don’t use query strings, improving cacheability • Simpliﬁes routing and parsing a user request • Provides access to request variables through WP_Query and other Core APIs

Slide 53

Slide 53 text

Rewrite Rules • Consider replacing custom rewrite rules with REST API endpoints, when feasible

Slide 54

Slide 54 text

FOURTEENTH Miscellany

Slide 55

Slide 55 text

Miscellany •get_queried_object() •get_queried_object_id() •validate_file()

Slide 56

Slide 56 text

Miscellany •wp_parse_args() •wp_list_pluck()

Slide 57

Slide 57 text

Thanks Erick Hitter @ethitter https://ethitter.com/ https://ethitter.com/p/9425/