book

Professional WordPress® Plugin Development

Name: Professional WordPress® Plugin Development
ISBN: 9780470916223

by Ozh Richard, Brad Williams, Justin Tadlock

March 2011

Intermediate to advanced

552 pages

11h 54m

English

Wrox

Read now

Unlock full access

Copyright
CREDITS
ABOUT THE AUTHORS
ACKNOWLEDGMENTS
FOREWORD
INTRODUCTION
WHO THIS BOOK IS FORWHAT YOU NEED TO USE THIS BOOKWHAT THIS BOOK COVERSHOW THIS BOOK IS STRUCTUREDCONVENTIONSSOURCE CODEERRATAP2P.WROX.COM
1. An Introduction to Plugins
1.1. WHAT IS A PLUGIN?1.1.1. How Plugins Interact with WordPress1.1.2. When Are Plugins Loaded?1.2. AVAILABLE PLUGINS1.2.1. Official Plugin Directory1.2.2. Popular Plugin Examples1.2.3. Popular Plugin Tags1.3. ADVANTAGES OF PLUGINS1.3.1. Not Modifying Core1.3.2. Why Reinvent the Wheel1.3.3. Separating Plugins and Themes1.3.4. Easy Updates1.3.5. Easier to Share and Reuse1.3.6. Plugin Sandbox1.3.7. Plugin Community1.4. INSTALLING AND MANAGING PLUGINS1.4.1. Installing a Plugin1.4.2. Managing Plugins1.4.3. Editing Plugins1.4.4. Plugin Directories1.4.5. Types of Plugins1.4.6. Testing Plugin Functionality1.5. SUMMARY
2. Plugin Foundation
2.1. CREATING A PLUGIN FILE2.1.1. Naming Your Plugin2.1.2. Using a Folder2.2. SANITY PRACTICES2.2.1. Prefix Everything2.2.2. File Organization2.2.3. Folder Structure2.3. HEADER REQUIREMENTS2.3.1. Creating the Header2.3.2. Plugin License2.4. DETERMINING PATHS2.4.1. Plugin Paths2.4.2. Local Paths2.4.3. URL Paths2.5. ACTIVATE/DEACTIVATE FUNCTIONS2.5.1. Plugin Activation Function2.5.2. Create Default Settings on Activate2.5.3. Plugin Deactivation Function2.5.4. Deactivate Is Not Uninstall2.6. UNINSTALL METHODS2.6.1. Why Uninstall Is Necessary2.6.2. Uninstall.php2.6.3. Uninstall Hook2.7. CODING STANDARDS2.7.1. Document Your Code2.7.2. Naming Variables, Functions, and Files2.7.3. Single and Double Quotes2.7.4. Indentation2.7.5. Brace Style2.7.6. Space Usage2.7.7. Shorthand PHP2.7.8. SQL Statements2.8. PLUGIN DEVELOPMENT CHECKLIST2.9. SUMMARY
3. Hooks
3.1. ACTIONS3.1.1. What Is an Action?3.1.2. Action Hook Functions3.1.2.1. do_action_ref_array3.1.2.2. remove_action3.1.2.3. remove_all_actions3.1.2.4. has_action3.1.2.5. did_action3.1.2.6. register_activation_hook and register_deactivation_hook3.1.3. Commonly Used Action Hooks3.1.3.1. plugins_loaded3.1.3.2. init3.1.3.3. admin_menu3.1.3.4. template_redirect3.1.3.5. wp_head3.2. FILTERS3.2.1. What Is a Filter?3.2.2. Filter Hook Functions3.2.2.1. apply_filters_ref_array3.2.2.2. remove_filter3.2.2.3. remove_all_filters3.2.2.4. has_filter3.2.2.5. current_filter3.2.3. Quick Return Functions3.2.4. Commonly Used Filter Hooks3.2.4.1. the_content3.2.4.2. the_title3.2.4.3. comment_text3.2.4.4. template_include3.3. USING HOOKS FROM WITHIN A CLASS3.4. CREATING CUSTOM HOOKS3.4.1. Benefits of Creating Custom Hooks3.4.2. Custom Action Hook Example3.4.3. Custom Filter Hook Example3.5. HOW TO FIND HOOKS3.5.1. Searching for Hooks in the Core Code3.5.2. Variable Hooks3.5.3. Hook Reference Lists3.6. SUMMARY
4. Integrating in WordPress
4.1. ADDING MENUS AND SUBMENUS4.1.1. Creating a Top-Level Menu4.1.2. Adding a Submenu4.1.3. Adding a Menu Item to an Existing Menu4.2. CREATING WIDGETS4.2.1. Creating a Widget4.2.2. Advanced Widget4.2.3. Creating Dashboard Widgets4.2.4. Creating a Dashboard Widget with Options4.3. META BOXES4.3.1. Adding a Custom Meta Box4.3.2. Saving Meta Box Data4.3.3. Advanced Meta Box4.4. KEEPING IT CONSISTENT4.4.1. Using the WordPress UI4.4.2. Headings4.4.3. Icons4.4.4. Messages4.4.5. Buttons4.4.6. Links4.4.7. Form Fields4.4.8. Tables4.4.9. Pagination4.5. SUMMARY

5. Internationalization
5.1. INTERNATIONALIZATION AND LOCALIZATION5.1.1. Why Internationalize?5.1.2. Understanding Internationalization in Professional Work5.1.3. Getting Your Plugin Ready for Translation5.1.4. Echoing and Returning Strings5.1.4.1. The __() Function5.1.4.2. The _e() Function5.1.4.3. The esc_attr__() Function5.1.4.4. The esc_attr_e() Function5.1.4.5. The esc_html__() Function5.1.4.6. The esc_html_e() Function5.1.4.7. The _x() Function5.1.4.8. The _ex() Function5.1.4.9. The esc_attr_x() Function5.1.4.10. The esc_html_x() Function5.1.4.11. The _n() Function5.1.4.12. The _nx() Function5.1.4.13. The _n_noop() Function5.1.4.14. The _nx_noop() Function5.1.5. Using Placeholders5.1.6. Internationalizing JavaScript5.2. CREATING TRANSLATION FILES5.2.1. The MO and PO Files5.2.2. Translation Tools5.2.3. How to Create a POT File5.2.4. Where to Store Translation Files5.3. SUMMARY
6. Plugin Security
6.1. SECURING YOUR PLUGIN6.1.1. What Securing Your Plugin Is6.1.2. What Securing Your Plugin Is Not6.2. USER PERMISSIONS6.2.1. How to Check current_user_can()6.2.2. Do Not Check Too Early6.3. NONCES6.3.1. Authority Versus Intention6.3.2. What Is a Nonce?6.3.3. How to Create and Verify Nonces6.3.3.1. Creating a URL Nonce6.3.3.2. Creating a Form Nonce6.3.3.3. Verifying a Nonce6.3.3.4. Wrapping It Up: The Entire "Unused Tags" Plugin6.3.4. Nonces in Ajax Scripts6.4. DATA VALIDATION AND SANITIZATION6.4.1. The Need for Data Validation and Sanitization6.4.2. Good Practice: Identifying Potentially Tainted Data6.4.3. Validating or Sanitizing Input?6.4.4. Validating and Sanitizing Cookbook6.4.4.1. Integers6.4.4.2. Arbitrary Pure Text Strings6.4.4.3. Arbitrary Mixed Text Strings6.4.4.4. Internal Identifier Strings6.4.4.5. String Patterns6.4.4.5.1. Example 1: Telephone Number6.4.4.5.2. Example 2: Product Serial Number6.4.4.5.3. Example 3: Dates6.4.4.6. Email Strings6.4.4.7. HTML (or XML)6.4.4.7.1. HTML Fragments6.4.4.7.2. HTML Nodes6.4.4.8. URLs6.4.4.8.1. URLs in a Database6.4.4.8.2. URLs in Redirects6.4.4.9. JavaScript6.4.4.10. Server or Environment Variables6.4.4.11. Cookies6.4.4.12. Arrays of Data6.4.4.13. Data from a Defined Set6.4.4.14. Database Queries6.5. FORMATTING SQL STATEMENTS6.5.1. The $wpdb Object6.5.2. Why wpdb Methods Are Superior6.5.3. All-in-One Methods6.5.3.1. $wpdb->update()6.5.3.2. $wpdb->insert()6.5.4. Common Methods6.5.4.1. SELECT a Variable6.5.4.2. SELECT a Row6.5.4.3. SELECT a Column6.5.4.4. SELECT Generic Results6.5.4.5. Generic Queries6.5.5. Protecting Queries Against SQL Injections6.5.6. Miscellaneous wpdb Methods and Properties6.5.6.1. Toggling Error Display6.5.6.2. Tracking the Number of Queries6.5.6.3. Other Class Variables6.6. SECURITY GOOD HABITS6.7. SUMMARY
7. Plugin Settings
7.1. THE OPTIONS API7.1.1. Saving Options7.1.2. Saving an Array of Options7.1.3. Retrieving Options7.1.4. Loading an Array of Options7.1.5. Deleting Options7.1.6. The Autoload Parameter7.1.6.1. Segregating Plugin Options7.1.6.2. Toggling the Autoload Parameter7.2. THE SETTINGS API7.2.1. Benefits of the Settings API7.2.2. Settings API Functions7.2.2.1. Creating the Plugin Administration Page7.2.2.2. Registering New Settings7.2.2.3. Defining Sections and Settings7.2.2.4. Validating User Input7.2.2.5. Rendering the Form7.2.2.6. All Done!7.2.3. Wrapping It Up: A Complete Plugin Management Page7.2.4. Improving Feedback on Validation Errors7.2.5. Adding Fields to an Existing Page7.2.5.1. How It Works7.2.5.2. Adding a Section to an Existing Page7.2.5.3. Adding Only Fields7.2.5.4. WordPress' Sections and Setting Fields7.2.5.5. User Interface Concerns7.3. THE TRANSIENTS API7.3.1. Saving an Expiring Option7.3.2. Retrieving an Expiring Option7.3.3. Deleting an Expiring Option7.3.4. A Practical Example Using Transients7.3.5. Technical Details7.3.6. Transient Ideas7.4. SAVING PER-USER SETTINGS7.4.1. Crafting a Plugin7.4.2. User Metadata7.4.3. Saving User Metadata7.4.4. Updating User Metadata7.4.5. Getting User Metadata7.4.6. Deleting User Metadata7.4.7. Getting a User's ID7.4.8. Adding Input Fields to a Profile Page7.4.9. BOJ's Admin Lang Plugin7.4.10. Per-User Settings: Best Practices7.5. STORING DATA IN CUSTOM TABLES7.5.1. Types of Data7.5.2. WordPress' Standard Tables7.5.3. Creating a Custom Table7.5.3.1. Checking if a Table Already Exists7.5.4. Updating the Structure of a Custom Table7.5.5. dbDelta() Tips for Success7.5.5.1. Watching Your SQL Syntax and Style7.5.5.2. Checking the Return Value in a Debug Sandbox7.5.5.3. Test Running Your SQL Statement7.5.6. Accessing Your Custom Table7.6. SUMMARY
8. Users
8.1. WORKING WITH USERS8.1.1. User Functions8.1.1.1. is_user_logged_in()8.1.1.2. get_users()8.1.1.3. get_users_of_blog()8.1.1.4. count_users8.1.2. Creating, Updating, and Deleting Users8.1.2.1. wp_insert_user8.1.2.2. wp_create_user8.1.2.3. wp_update_user8.1.2.4. wp_delete_user8.1.3. User Data8.1.3.1. get_userdata8.1.3.2. wp_get_current_user8.1.3.3. get_currentuserinfo8.1.3.4. count_user_posts8.1.3.5. count_many_users_posts8.1.4. User Metadata8.1.4.1. add_user_meta8.1.4.2. get_user_meta8.1.4.3. update_user_meta8.1.4.4. delete_user_meta8.1.4.5. user_contactmethods8.1.4.6. Creating a Plugin with User Metadata8.2. ROLES AND CAPABILITIES8.2.1. What Are Roles and Capabilities?8.2.2. Default Roles8.2.3. Custom Roles8.3. LIMITING ACCESS8.3.1. Checking User Permissions8.3.1.1. current_user_can8.3.1.2. current_user_can_for_blog8.3.1.3. author_can8.3.1.4. user_can8.3.1.5. map_meta_cap8.3.2. Is the User an Admin?8.3.2.1. is_super_admin8.3.3. Allowing Custom Permissions8.4. CUSTOMIZING ROLES8.4.1. Creating a Role8.4.1.1. add_role8.4.2. Deleting a Role8.4.2.1. remove_role8.4.3. Adding Capabilities to a Role8.4.3.1. get_role8.4.4. Removing Capabilities from a Role8.4.5. A Custom Role and Capability Plugin8.5. SUMMARY
9. HTTP API
9.1. HTTP REQUESTS CRASH COURSE9.1.1. What Is an HTTP Request?9.1.1.1. HTTP Request Concepts9.1.1.2. Dissecting an HTTP Transaction9.1.1.2.1. The Client Sends a Request9.1.1.2.2. The Server Sends a Response9.1.1.3. Possibilities for Crafting HTTP Requests9.1.2. How to Make HTTP Requests in PHP9.1.2.1. Using the HTTP Extension9.1.2.2. Using fopen() Streams9.1.2.3. Using a Standard fopen()9.1.2.4. Using fsockopen()9.1.2.5. Using the CURL Extension9.1.2.6. Too Many Ways?9.2. WORDPRESS' HTTP FUNCTIONS9.2.1. The wp_remote_ Functions9.2.1.1. wp_remote_* Input Parameters9.2.1.2. wp_remote_* Return Values9.2.1.2.1. Unsuccessful Requests9.2.1.2.2. Successful Requests9.2.1.3. wp_remote_ Companion Functions9.2.2. Advanced Configuration and Tips9.2.2.1. Proxy Support9.2.2.2. Filtering Requests and Responses9.2.2.2.1. Example: Modify a Default Parameter9.2.2.2.2. Example: Log HTTP Requests and Responses9.2.2.2.3. Example: Advanced Filtering9.2.2.3. Some Caveats on Checking HTTP Responses9.3. PRACTICE: READING JSON FROM A REMOTE API9.3.1. Getting and Reading JSON9.3.2. Your Functional Plugin9.4. PRACTICE: SENDING DATA TO A REMOTE API9.4.1. Formatting Parameters for POST Requests9.4.2. Your Functional Plugin9.5. PRACTICE: READING ARBITRARY CONTENT9.6. MAKE YOUR OWN PLUGIN REPOSITORY9.6.1. How Plugin Upgrades Work in WordPress9.6.2. Polling an Alternative API from a Plugin9.6.3. Building the Alternative API9.6.4. A Few Words of Caution About Self-Hosted API9.7. SPECIAL CASE: FETCHING REMOTE FEEDS9.8. SUMMARY
10. The Shortcode API
10.1. CREATING SHORTCODES10.1.1. What Shortcodes Are10.1.2. Register Custom Shortcodes10.1.2.1. [book]10.1.2.2. [books title="xkcd"]10.1.2.3. [amazon asin="12345" ]book title[/amazon]10.1.2.4. Wrap Up: add_shortcode() and the callback Function10.2. SHORTCODE TIPS10.2.1. Think Simplicity for the User10.2.2. Remember the Dynamicity10.2.3. Look Under the Hoods10.2.3.1. $shortcode_tags10.2.3.2. remove_shortcode()10.2.3.3. remove_all_shortcodes()10.2.3.4. strip_shortcodes()10.2.3.5. shortcode_atts()10.2.3.6. do_shortcode()10.2.3.7. Recursive Shortcodes10.2.4. A "bb code" for Comments Plugin10.2.5. Shortcode Nesting Limitations10.3. INTEGRATING GOOGLE MAPS10.3.1. Accessing the Google Geocoding API10.3.2. Storing API Results10.3.3. Accessing the Google Maps API10.3.3.1. API Concepts10.3.3.2. Plugin Implementation10.4. MORE SHORTCODE QUICK IDEAS10.4.1. Display Member-Only Content10.4.2. Display Time-Limited Content10.4.3. Obfuscate Email Addresses10.5. SUMMARY
11. Extending Posts: Metadata, Custom Post Types, and Taxonomies
11.1. CREATING CUSTOM POST TYPES11.1.1. Post Type Possibilities11.1.2. Registering a Post Type11.1.2.1. register_post_type11.1.2.1.1. public11.1.2.1.2. show_ui11.1.2.1.3. publicy_queryable11.1.2.1.4. exclude_from_search11.1.2.1.5. supports11.1.2.1.6. labels11.1.2.1.7. capability_type11.1.2.1.8. capabilities11.1.2.1.9. hierarchical11.1.2.1.10. has_archive11.1.2.1.11. query_var11.1.2.1.12. rewrite11.1.2.1.13. taxonomies11.1.2.1.14. menu_position11.1.2.1.15. menu_icon11.1.2.1.16. show_in_nav_menus11.1.2.1.17. can_export11.1.2.1.18. register_meta_box_cb11.1.2.1.19. permalink_epmask11.1.2.2. Registering the Music Album Post Type11.1.3. Setting Post Type Labels11.1.4. Using Custom Capabilities11.1.5. Attaching Existing Taxonomies11.2. USING CUSTOM POST TYPES11.2.1. Creating a Custom Post Type Loop11.2.2. Retrieving Custom Post Type Content11.2.2.1. the_title11.2.2.2. the_content11.2.2.2.1. the_excerpt11.2.2.2.2. the_permalink11.2.3. Checking if a Post Type Exists11.2.3.1. post_type_exists11.3. POST METADATA11.3.1. Adding Post Metadata11.3.1.1. add_post_meta11.3.2. Retrieving Post Metadata11.3.2.1. get_post_meta11.3.3. Updating Post Metadata11.3.3.1. update_post_meta11.3.4. Deleting Post Metadata11.3.4.1. delete_post_meta11.4. CREATING CUSTOM TAXONOMIES11.4.1. Understanding Taxonomies11.4.2. Registering a Custom Taxonomy11.4.2.1. register_taxonomy11.4.2.1.1. public11.4.2.1.2. show_ui11.4.2.1.3. hierarchical11.4.2.1.4. query_var11.4.2.1.5. rewrite11.4.2.1.6. update_count_callback11.4.2.1.7. show_tagcloud11.4.2.1.8. show_in_nav_menus11.4.2.1.9. labels11.4.2.1.10. capabilities11.4.2.2. Registering the Genre and Artist Taxonomies11.4.3. Assigning a Taxonomy to a Post Type11.4.3.1. register_taxonomy_for_object_type11.5. USING CUSTOM TAXONOMIES11.5.1. Retrieving a Taxonomy11.5.1.1. get_taxonomy11.5.2. Using a Taxonomy with Posts11.5.2.1. the_terms11.5.3. Taxonomy Conditional Tags11.5.3.1. taxonomy_exists11.5.3.2. is_taxonomy_hierarchical11.5.3.3. is_tax11.6. A POST TYPE AND TAXONOMY PLUGIN11.7. SUMMARY
12. JavaScript and Ajax in WordPress
12.1. JQUERY–A BRIEF INTRODUCTION12.1.1. Benefits of Using jQuery12.1.2. jQuery Crash Course12.1.2.1. The jQuery Object12.1.2.2. Syntax and Chaining12.1.2.3. No-Conflict Mode in WordPress12.1.2.4. Launching Code on Document Ready12.2. AJAX12.2.1. What Is Ajax?12.2.2. Ajax Best Practices12.3. ADDING JAVASCRIPT IN WORDPRESS12.3.1. A Proper Way to Include Scripts12.3.1.1. Introducing wp_enqueue_script()12.3.1.1.1. Adding a Core Script12.3.1.1.2. Adding a Custom Script12.3.1.1.3. Adding a Custom Script with Dependencies12.3.1.1.4. Adding a Custom Script with a Version Number12.3.1.1.5. Adding Scripts in the Footer12.3.1.1.6. All Parameters at Once12.3.1.2. Default Core Scripts12.3.1.3. Removing a Queued Script12.3.1.4. Replacing a Core Script with Your Own12.3.1.5. Registering and Enqueuing Scripts12.3.1.6. Managing Styles in WordPress12.3.2. Where to Include Scripts12.3.2.1. Head? Footer? Inline?12.3.2.1.1. In the Head12.3.2.1.2. Near the Footer12.3.2.1.3. In the Page Content12.3.2.1.4. Inline12.3.2.2. Valid Xhtml Syntax12.3.2.3. Valid Html 5 Syntax12.3.2.4. Pondering the Best Option12.3.3. Adding Scripts Only When Needed12.3.3.1. Getting the Location of Your Plugin's Scripts12.3.3.2. Adding in Admin Pages12.3.3.3. Adding in Public Pages12.3.4. Dynamic Scripts in WordPress12.3.4.1. How Not to Do It and Why12.3.4.2. A Better Solution12.3.4.3. An Ideal Solution12.4. AJAX IN WORDPRESS12.4.1. Ajax in WordPress: Principles12.4.1.1. Client Side: Send Ajax Request, Receive Response12.4.1.2. Server-Side: Receive Ajax Request; Send Response12.4.2. A Complete Example: Instant "Read More" Links12.4.2.1. Inserting the JavaScript with a Twist12.4.2.2. Client-Side JavaScript12.4.2.3. Server-Side Ajax Processing12.4.3. Another Example: Frontend Comment Deletion12.4.3.1. Plugin Basis12.4.3.2. Server-Side Ajax Handler: Security Checks and XML Response Parsing12.4.3.2.1. Ajax Security: Nonces and Permissions12.4.3.2.2. The WP_Ajax_Response Class12.4.3.3. Client-Side XML Response Parsing12.4.4. Debugging Ajax12.5. SUMMARY
13. Cron
13.1. WHAT IS CRON?13.1.1. How Is Cron Executed?13.2. SCHEDULING CRON EVENTS13.2.1. Scheduling a Recurring Event13.2.2. Scheduling a Single Event13.2.3. Unscheduling an Event13.2.4. Specifying Your Own Cron Intervals13.2.5. Viewing Cron Events Scheduled13.3. TRUE CRON13.4. PRACTICAL USE13.4.1. Deleting Post Revisions Weekly13.4.2. The Blog Pester Plugin13.4.3. The Delete Comments Plugin13.5. SUMMARY
14. The Rewrite API
14.1. WHY REWRITE URLS14.1.1. Permalink Principles14.1.1.1. Search Engine Friendly14.1.1.2. User Friendly14.1.2. Apache's mod_rewrite14.1.3. URL Rewriting in WordPress14.2. HOW WORDPRESS HANDLES QUERIES14.2.1. Overview of the Query Process14.2.2. The rewrite Object14.2.3. The query Object14.2.4. What Plugins Can Do14.3. PRACTICAL USES14.3.1. Rewriting a URL to Create a List of Shops14.3.1.1. Creating the rewrite Rule14.3.1.2. Registering the query Variable14.3.1.3. Flushing the Rewrite Rules14.3.1.4. The Functional Plugin14.3.1.5. Creating the Shops Page that Can Generate Its Children14.3.2. Creating a New Permalink Structure and Integrating Non-WordPress Pages14.3.2.1. Creating a rewrite Tag14.3.2.2. Displaying the Shop Products14.3.2.3. The Functional Plugin14.3.3. Adding an Endpoint and Altering Output Format14.3.3.1. Defining the Endpoint14.3.3.2. The Functional Plugin14.3.4. Adding a Custom Feed for the Latest Uploaded Images14.3.4.1. Registering the New Feed14.3.4.2. The Functional Plugin14.4. SUMMARY
15. Multisite
15.1. DIFFERENCES15.1.1. WordPress Versus Multisite Network15.1.2. Understanding Multisite Terminology15.1.3. Advantages of Multisite15.2. ENABLING MULTISITE IN WORDPRESS15.3. MULTISITE FUNCTIONS15.3.1. The Power of Blog ID15.3.2. Common Functions15.3.3. Switching and Restoring Sites15.3.4. Network Content Shortcode Examples15.3.5. A Network Content Widget Example15.3.6. Creating a New Site15.3.7. Multisite Site Options15.3.8. Users in a Network15.3.9. Multisite Super Admin15.3.10. Checking the Site Owner15.3.11. Network Stats15.4. MULTISITE DATABASE SCHEMA15.4.1. Multisite-Specific Tables15.4.2. Site-Specific Tables15.5. SUMMARY
16. Debugging and Optimizing
16.1. SUPPORTING OLD VERSIONS (NOT)16.1.1. Keeping Current with WordPress Development16.1.2. Deprecated Functions16.1.3. Dealing with Obsolete Client Installs16.2. DEBUGGING16.2.1. Enabling Debugging16.2.2. Displaying Debug Messages16.2.3. Correcting Debug Messages16.3. ERROR LOGGING16.3.1. Enabling Logging16.3.2. Setting Log File Location16.3.3. Understanding the Log File16.4. CACHING16.4.1. Saving, Loading, and Deleting Cached Data16.4.1.1. wp_cache_add()16.4.1.2. wp_cache_replace()16.4.1.3. wp_cache_set()16.4.1.4. wp_cache_get()16.4.1.5. wp_cache_delete()16.4.2. Caching Data Within a Plugin16.5. SUMMARY
17. Marketing Your Plugin
17.1. CHOOSING A LICENSE FOR YOUR PLUGIN17.1.1. Different Options17.1.2. Why It Matters17.1.3. Making Money While Using the GPL17.2. SUBMITTING TO WORDPRESS.ORG17.2.1. Creating an Account17.2.2. Submitting a Plugin17.2.3. Setting Up SVN17.2.4. Creating a readme.txt File17.3. GETTING YOUR PLUGIN RENOWNED17.3.1. Naming Your Plugin17.3.1.1. Tips on Creating a Plugin Name17.3.1.2. How to Not Name Your Plugin17.3.1.3. Branding Your Plugin17.3.2. Building a Web Site17.3.2.1. Creating a Page or Site for All Your Plugins17.3.2.2. Having a Great Design17.3.2.3. Blogging About WordPress17.3.3. Creating a Page for Your Plugin17.3.4. Announcing Your Plugin17.3.5. Supporting Your Plugins17.3.6. Getting Feedback17.3.7. Getting Out of the Basement17.3.8. Other Promotion Methods17.4. SUMMARY
18. The Developer Toolbox
18.1. CORE AS REFERENCE18.1.1. Inline Documentation18.1.2. Finding Functions18.1.3. Common Core Files18.1.3.1. Formatting.php18.1.3.2. Functions.php18.1.3.3. Pluggable.php18.1.4. Plugin.php18.1.4.1. Post.php18.2. CODEX18.2.1. Searching the Codex18.2.2. Function Reference18.3. TOOL WEB SITES18.3.1. PHPXref18.3.2. Hooks Database18.4. COMMUNITY RESOURCES18.4.1. Support Forums18.4.2. Mailing Lists18.4.3. WordPress Chat18.4.4. WordPress Development Updates18.4.5. WordPress Ideas18.4.6. Community News Sites18.4.6.1. WordPress Planet18.4.6.2. Planet WordPress18.4.6.3. WPEngineer.com18.4.6.4. WeblogToolsCollection.com18.4.6.5. Twitter18.4.7. Local Events18.5. TOOLS18.5.1. Browser18.5.2. Editor18.5.2.1. NetBeans IDE18.5.2.2. Notepad++18.5.2.3. TextMate18.5.2.4. Coda18.5.3. Deploying Files with FTP, SFTP, and SSH18.5.4. phpMyAdmin18.6. SUMMARY

Content preview from Professional WordPress® Plugin Development

Chapter 6. Plugin Security

WHAT'S IN THIS CHAPTER?

Understanding what security is
Learning to identify weak spots in code
Preventing malicious attacks such as XSS or CSRF
Checking user permissions
Validating and sanitizing data
Formatting robust and secure SQL queries
Keeping good practices in mind

In computer language, "security" often refers to scary buzzwords such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), SQL Injection, Privilege Escalation, Vulnerabilities, and Holes.

Are you frightened yet?

You should be scared because these are real threats and, as you will read, trivial to execute against shabby code. But then, you should not be scared because, fortunately, WordPress comes with all the tools you need to make your code safe and secure.

SECURING YOUR PLUGIN

Weak code may be subject to abuse and eventually compromise your server security, or retrieve otherwise hidden data about you or your users. This is the worst-case scenario.

But before letting Internet pirates wander in your files and directories, feeble code will simply fail at making sure that data entered by an honest user is valid and sanitary. As you can see in this chapter, a poorly coded form can, for instance, truncate user input and as a result process partial content.

What Securing Your Plugin Is

Making your plugin secure is dealing with vulnerabilities and data integrity and reliability. It's both preventing malicious attacks and making sure legitimate use cannot produce unexpected behavior.

What Securing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Smashing WordPress: Beyond the Blog, 4th Edition

Publisher Resources

ISBN: 9780470916223Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business