WordPress Plugins:ur doin it wrong

Will Norris <http://willnorris.com/>

Effect of Plugins

•Upgradability

•Performance

•Security

•Extensibility

Unique Function Names

Function Name Prefix

wcsea_activate()

wcsea_deactivate()

wcsea_uninstall()

Class

class WordCampSEA {

function activate()

function deactivate()

function uninstall()

}

Escape Values

What do these have in common?

XSS

CSRF

SQL-injection

Escape Values1. Standard prefix

2. Context (attr, html, js, sql, url, url_raw)

3. Optional translation suffix

http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/

Never Assume File Location

Traditional Directory Layout

example.com/

wordpress/

wp-config.php

wp-content/

plugins/

themes/

Non-Traditional Layout (since WP

2.6)example.com/

wordpress/

wp-config.php

wordpress-content/

plugins/

themes/

Plugin URL

ur doin it wrong:<img src=”<?php bloginfo(‘wpurl’) ?>/wp-content/plugins/wcsea/logo.png” ?>

dats bedder:<img src=”<?php echo WP_PLUGIN_URL ?>/wcsea/logo.png ?>”/>

you haz it:<img src=”<?php echo plugins_url(‘logo.png’, __FILE__) ?>” />

Plugin URL

plugins_url()

• supports WPMU plugin directory

• auto detects SSL

• supports renamed plugin directory

• calls ‘plugins_url’ filter

Friends of plugins_url()

site_url()

admin_url()

includes_url()

content_url()

no home_url() (why not?)

Including Files

ur doin it wrong:include ‘../../wp-content/...’

dats bedder:include ABSPATH . ‘wp-content/...’

you haz it:include WP_CONTENT_DIR . ‘/...’

Find the Right Hook

Load as late as possible, but no later

Admin Hooks

ur doin it wrong:add_action(‘admin_init’, ‘wcsea_admin_init’)

add_action(‘admin_head’, ‘wcsea_admin_head’)

you haz it:$hookname = add_options_page( ... )

add_action(“admin_load-$hookname”, ‘wcsea_admin_init’)

add_action(“admin_head-$hookname”, ‘wcsea_admin_head’)

Styles and Scripts

ur doin it wrong:<script rel=”<?php echo plugins_url(‘wcsea.js’, __FILE__) ?>”></script>

you haz it:wp_enqueue_script(‘wcsea’, plugins_url(‘wcsea.js’, __FILE__))

wp_enqueue_style(‘wcsea’, plugins_url(‘wcsea.css’, __FILE__))

Styles and Scriptswp_register_* and wp_enqueue_*

• support dependencies

• push scripts to footer

• caching support based on version

• (one day) server side concatenation

Add your own hooks

A strategically placed hook covers a multitude of sins.

Custom Hooks

Can do everything core WP hooks do:

• event notification (actions)

• massage data (the_content)

• replace values (stylesheet)

• extend functionality (http_api_curl)

• replace functionality

Custom Hooks

do_action(‘my-action’)

do_action(‘my-action’, $a, $b)

do_action_ref_array(‘my-action’, array($wcsea))

apply_filters(‘my-filter’, $wcsea)

apply_filters(‘my-filter’, $wcsea, $a, $b)

Custom Tables

Designed for Flexibility

WordPress database supports

• custom options

• arbitrary metadata for posts, users, and comments (2.9)

• custom taxonomies

• custom post types

Custom Post Types

Used by WordPress core for

• posts

• pages

• revisions

• attachments

If it walks like a duck...

• author

• date and time

• title

• content

• comments

• categories and tags

• permalink

• order

• hierarchy

• (additional arbitrary metadata)

Admin Settings Pages

Admin Settings Pages

Don’t waste time processing manuallyregister_setting( ‘wcsea’, ‘my-option’ )

http://codex.wordpress.org/Settings_API

http://codex.wordpress.org/Creating_Options_Pages#Register_Settings

Admin Settings Pages

Do you really need a dedicated page?

Add options to any built-in settings pageadd_settings_field( ... )

Direct Plugin Files

Direct Plugin File Calls

Direct HTTP request to plugin file ajax.php:

echo ‘<script type=”text/javascript”>

jQuery.get(“‘ . plugins_url(‘ajax.php’, __FILE__) . ‘”);

// do something with AJAX data

</script>’;

Direct Plugin File Calls

If ajax.php includes anything similar to:require_once(‘../../../wp-load.php’);

ur doin it wrong

WordPress Requests

Permalink URL:http://example.com/2009/01/hello-world

becomes:http://example.com/index.php?

year=2009&

monthnum=01&

name=hello-world

Custom WP Request

Instead of making an AJAX call to:http://example.com/wp-content/plugins/wcsea/ajax.php

we want a URL like:http://example.com/index.php?wcsea=ajax-handler

Custom WP Requests

function wcsea_parse_request($wp) {

// only process requests with "wcsea=ajax-handler"

if (array_key_exists('wcsea', $wp->query_vars)

&& $wp->query_vars['wcsea'] == 'ajax-handler') {

// process the request.

}

}

add_action('parse_request', 'wcsea_parse_request');

function wcsea_query_vars($vars) {

$vars[] = 'wcsea';

return $vars;

}

add_filter('query_vars', 'wcsea_query_vars');