WordPress Plugins: ur doin it wrong

WordPress Plugins: ur doin it wrong ur doin it wrong Will Norris < http://willnorris.com />

Effect of Plugins Upgradability Performance Security Extensibility

Function Name Prefix wcsea_activate() wcsea_deactivate() wcsea_uninstall()

Class class WordCampSEA { function activate() function deactivate() function uninstall() }

What do these have in common? XSS CSRF SQL-injection

Escape Values 1. Standard prefix 2. Context (attr, html, js, sql, url, url_raw) 3. Optional translation suffix http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/

Traditional Directory Layout example.com/ wordpress/ wp-config.php wp-content/ plugins/ themes/

Non-Traditional Layout (since WP 2.6) example.com/ wordpress/ wp-config.php wordpress-content/ plugins/ themes/

Plugin URL ur doin it wrong: <img src=”<?php bloginfo(‘wpurl’) ?>/wp-content/plugins/wcsea/logo.png” ?> dats bedder: <img src=”<?php echo WP_PLUGIN_URL ?>/wcsea/logo.png ?>”/> you haz it: <img src=”<?php echo plugins_url(‘logo.png’, __FILE__) ?>” />

Plugin URL plugins_url() supports WPMU plugin directory auto detects SSL supports renamed plugin directory calls ‘plugins_url’ filter

Friends of plugins_url() site_url() admin_url() includes_url() content_url() no home_url() (why not?)

Including Files ur doin it wrong: include ‘../../wp-content/...’ dats bedder: include ABSPATH . ‘wp-content/...’ you haz it: include WP_CONTENT_DIR . ‘/...’

Find the Right Hook Load as late as possible, but no later

Admin Hooks ur doin it wrong: add_action(‘admin_init’, ‘wcsea_admin_init’) add_action(‘admin_head’, ‘wcsea_admin_head’) you haz it: $hookname = add_options_page( ... ) add_action(“admin_load-$hookname”, ‘wcsea_admin_init’) add_action(“admin_head-$hookname”, ‘wcsea_admin_head’)

Styles and Scripts ur doin it wrong: <script rel=”<?php echo plugins_url(‘wcsea.js’, __FILE__) ?>”></script> you haz it: wp_enqueue_script(‘wcsea’, plugins_url(‘wcsea.js’, __FILE__)) wp_enqueue_style(‘wcsea’, plugins_url(‘wcsea.css’, __FILE__))

Styles and Scripts wp_register_* and wp_enqueue_* support dependencies push scripts to footer caching support based on version (one day) server side concatenation

Add your own hooks A strategically placed hook covers a multitude of sins.

Custom Hooks Can do everything core WP hooks do: event notification (actions) massage data (the_content) replace values (stylesheet) extend functionality (http_api_curl) replace functionality

Custom Hooks do_action(‘my-action’) do_action(‘my-action’, $a, $b) do_action_ref_array(‘my-action’, array($wcsea)) apply_filters(‘my-filter’, $wcsea) apply_filters(‘my-filter’, $wcsea, $a, $b)

Designed for Flexibility WordPress database supports custom options arbitrary metadata for posts, users, and comments (2.9) custom taxonomies custom post types

Custom Post Types Used by WordPress core for posts pages revisions attachments

If it walks like a duck... author date and time title content comments categories and tags permalink order hierarchy (additional arbitrary metadata)

Admin Settings Pages Don’t waste time processing manually register_setting( ‘wcsea’, ‘my-option’ ) http://codex.wordpress.org/Settings_API http://codex.wordpress.org/Creating_Options_Pages# Register_Settings

Admin Settings Pages Do you really need a dedicated page? Add options to any built-in settings page add_settings_field( ... )

Direct Plugin File Calls Direct HTTP request to plugin file ajax.php: echo ‘<script type=”text/javascript”> jQuery.get(“‘ . plugins_url(‘ajax.php’, __FILE__) . ‘”); // do something with AJAX data </script>’;

Direct Plugin File Calls If ajax.php includes anything similar to: require_once(‘../../../wp-load.php’); ur doin it wrong

WordPress Requests Permalink URL: http://example.com/2009/01/hello-world becomes: http://example.com/index.php? year=2009& monthnum=01& name=hello-world

Custom WP Request Instead of making an AJAX call to: http://example.com/wp-content/plugins/wcsea/ajax.php we want a URL like: http://example.com/index.php?wcsea=ajax-handler

Custom WP Requests function wcsea_parse_request($wp) { // only process requests with "wcsea=ajax-handler" if (array_key_exists('wcsea', $wp->query_vars) && $wp->query_vars['wcsea'] == 'ajax-handler') { // process the request. } } add_action('parse_request', 'wcsea_parse_request'); function wcsea_query_vars($vars) { $vars[] = 'wcsea'; return $vars; } add_filter('query_vars', 'wcsea_query_vars');

WordPress Plugins: ur doin it wrong

More Related Content

What's hot

Viewers also liked

Similar to WordPress Plugins: ur doin it wrong

Recently uploaded

WordPress Plugins: ur doin it wrong

Editor's Notes