corenominal

Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Tagged: plugin development

How To Prevent Direct Access To Your Plugin

As developers, one of the most important things we can do is prevent direct access to our plugins. By this, I mean that if someone gets clever and tries to request one of the files located in a plugin’s directory directly, they should not be able to execute any of the code in that script.

Some sensible security advice for WordPress plugin developers.
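As an added illustration (not the author’s plugin code), this is the guard the post is talking about: every PHP file under wp-content/plugins/ is reachable by URL, so each one checks for the ABSPATH constant that WordPress defines before loading plugins and bails out if it is missing. The plugin name and function names are made up for the example.

```php
<?php
/**
 * Plugin Name: Direct Access Guard (example)
 * Description: Shows the ABSPATH guard that stops a plugin file from running
 *              when it is requested directly rather than loaded by WordPress.
 */

// WordPress defines ABSPATH in wp-load.php before any plugin file is included.
// A direct HTTP request to this file bypasses wp-load.php, so ABSPATH is not
// defined and we stop before any plugin code can run.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Everything below only executes when WordPress itself loaded this file.
add_action( 'init', 'corenominal_guard_example_init' );

function corenominal_guard_example_init() {
    // Normal plugin bootstrap goes here (hooks, shortcodes, REST routes, ...).
}

// The same four-line guard belongs at the top of every other PHP file the
// plugin ships, because includes are just as reachable by URL as this file:
require_once plugin_dir_path( __FILE__ ) . 'includes/helpers.php'; // hypothetical include
```

The guard only helps if it sits in every file, not just the main one; a file that only declares functions is harmless on its own, but the habit keeps the next file that does real work from being reachable directly.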

Abusing the WordPress REST API

Earlier, I was playing around with the WordPress REST API and I was struggling to figure out why the WordPress function is_user_logged_in() was not working with my custom endpoint. The function returns false regardless of whether the user is logged in or not. Turns out, this is by design and I needed to send a nonce within my endpoint request. Doh.

Anyhow, before I figured this out (RTFM, Philip), I came up with a rather fugly workaround. The hack was to add an action to the rest_api_init hook, call the is_user_logged_in() function and set a global variable, which could then be accessed from within the endpoint. Now, I’m not sure I would recommend using this hack, but it did occur to me that there could be a scenario where it’s not possible to send a nonce with the request, in which case the only way to test if the user is logged in would be within the endpoint’s code.

How bad am I?
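To show the documented approach the post refers to, here is an added example (not the author’s code) of a custom endpoint that relies on the cookie-plus-nonce authentication of the REST API: the route’s permission_callback uses is_user_logged_in(), and the front end receives a wp_rest nonce and sends it in the X-WP-Nonce header. Without that header WordPress treats the request as anonymous, which is exactly why is_user_logged_in() returned false in the post. The route namespace, script handle and function names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Logged-In Check Endpoint (example)
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Register GET /wp-json/corenominal-example/v1/me (namespace is made up).
add_action( 'rest_api_init', function () {
    register_rest_route( 'corenominal-example/v1', '/me', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'corenominal_example_me',
        // Cookie authentication is only applied to requests carrying a valid
        // 'wp_rest' nonce; otherwise the request is anonymous and this returns
        // false, so the callback below never runs for a logged-out visitor.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

function corenominal_example_me( WP_REST_Request $request ) {
    $user = wp_get_current_user();
    return rest_ensure_response( array(
        'logged_in' => true,
        'user_id'   => $user->ID,
        'login'     => $user->user_login,
    ) );
}

// Front end: hand the browser the endpoint URL and a fresh nonce, then call
// the endpoint with the nonce in X-WP-Nonce so the login cookie is honoured.
add_action( 'wp_enqueue_scripts', function () {
    // A script handle with no file, used only as a carrier for inline JS.
    wp_register_script( 'corenominal-example', false, array(), null, true );
    wp_enqueue_script( 'corenominal-example' );

    wp_add_inline_script( 'corenominal-example', sprintf(
        'window.corenominalExample = %s;',
        wp_json_encode( array(
            'url'   => esc_url_raw( rest_url( 'corenominal-example/v1/me' ) ),
            'nonce' => wp_create_nonce( 'wp_rest' ),
        ) )
    ) );

    // The browser side of the exchange: same-origin cookies plus the nonce.
    wp_add_inline_script( 'corenominal-example', <<<'JS'
fetch( window.corenominalExample.url, {
    credentials: 'same-origin',
    headers: { 'X-WP-Nonce': window.corenominalExample.nonce }
} )
    .then( function ( response ) { return response.json(); } )
    .then( function ( data ) { console.log( data ); } );
JS
    );
} );
```

Drop the X-WP-Nonce header from the fetch() call and the same logged-in browser gets a rest_forbidden error instead of the user data, which is the behaviour the post ran into. Doing the check in permission_callback rather than inside the callback also means the response is rejected before any endpoint code runs.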

WordPress Options API

Tonight, I have mostly been playing with the WordPress Options API to create some admin pages for my theme. I was pleasantly surprised by how easy it was to create the admin pages and associated custom options. I think I’m going to be able to have a lot of fun with these.

Screenshot of admin page showing custom theme options.

My only concerns with using these custom options are:

  1. How do they impact on performance?
  2. When should I use them in a theme, as opposed to a plugin?

I guess I can test the performance impact, but I’m thinking that caching will negate any concerns I might have. With regards to my second concern, I’m thinking I’m probably the only person to decide this and it’ll depend on how self-contained I’d like my theme to be.
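As an added example (not the author’s theme code), this is a small theme options page built on the Options API, with the pieces a practitioner would want around the convenience the post praises: a sanitize_callback on register_setting so saved values are cleaned, a capability check on the page, and escaped output. All options are stored in one array under a single option name; that row is autoloaded with the rest of the options in one query and cached for the request, which is why the performance worry in the post is usually small. The option name, settings group and function names are assumptions.

```php
<?php
// Theme options page built on the Options API (added example).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const CORENOMINAL_OPTION = 'corenominal_theme_options'; // assumed option name

// Defaults used until the option has been saved once.
function corenominal_theme_defaults() {
    return array(
        'footer_text' => '',
        'show_credit' => 1,
    );
}

// Read one option value with its default; get_option() hits the cache after
// the first call in a request, so templates can call this freely.
function corenominal_theme_option( $key ) {
    $options = wp_parse_args( get_option( CORENOMINAL_OPTION, array() ), corenominal_theme_defaults() );
    return isset( $options[ $key ] ) ? $options[ $key ] : null;
}

// Runs on every save: admin input is still untrusted input.
function corenominal_theme_sanitize( $input ) {
    $clean                = corenominal_theme_defaults();
    $clean['footer_text'] = isset( $input['footer_text'] ) ? sanitize_text_field( $input['footer_text'] ) : '';
    $clean['show_credit'] = empty( $input['show_credit'] ) ? 0 : 1;
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'corenominal_theme', CORENOMINAL_OPTION, array(
        'type'              => 'array',
        'sanitize_callback' => 'corenominal_theme_sanitize',
        'default'           => corenominal_theme_defaults(),
    ) );

    add_settings_section( 'corenominal_main', __( 'General', 'corenominal' ), '__return_false', 'corenominal_theme' );

    add_settings_field( 'footer_text', __( 'Footer text', 'corenominal' ), function () {
        printf(
            '<input type="text" name="%s[footer_text]" value="%s" class="regular-text">',
            esc_attr( CORENOMINAL_OPTION ),
            esc_attr( corenominal_theme_option( 'footer_text' ) )
        );
    }, 'corenominal_theme', 'corenominal_main' );

    add_settings_field( 'show_credit', __( 'Show theme credit', 'corenominal' ), function () {
        printf(
            '<label><input type="checkbox" name="%s[show_credit]" value="1" %s> %s</label>',
            esc_attr( CORENOMINAL_OPTION ),
            checked( 1, corenominal_theme_option( 'show_credit' ), false ),
            esc_html__( 'Yes', 'corenominal' )
        );
    }, 'corenominal_theme', 'corenominal_main' );
} );

// Appearance > Theme Options, visible only to users who may edit theme options.
add_action( 'admin_menu', function () {
    add_theme_page(
        __( 'Theme Options', 'corenominal' ),
        __( 'Theme Options', 'corenominal' ),
        'edit_theme_options',
        'corenominal_theme',
        function () {
            if ( ! current_user_can( 'edit_theme_options' ) ) {
                return;
            }
            echo '<div class="wrap"><h1>' . esc_html__( 'Theme Options', 'corenominal' ) . '</h1>';
            echo '<form action="options.php" method="post">';
            settings_fields( 'corenominal_theme' );   // nonce, action and option_page fields
            do_settings_sections( 'corenominal_theme' );
            submit_button();
            echo '</form></div>';
        }
    );
} );

// In a template: echo esc_html( corenominal_theme_option( 'footer_text' ) );
```

Because the whole form posts to options.php, WordPress verifies the nonce emitted by settings_fields() and checks that the option was registered before it calls the sanitize callback, so the theme never handles the raw POST itself.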

Hello Host WordPress Plugin

I’ve created a hack of Matt Mullenweg’s famous Hello Dolly plugin. Instead of a lyric from Louis Armstrong’s “Hello, Dolly”, when activated the plugin displays the server’s hostname in the upper right of the admin screen on every page. It is intended to be a handy plugin for developers who work with ‘development’ and ‘production’ servers.

Screenshot of WordPress Hello Host Plugin

I haven’t checked whether any similar plugins already exist (I’m sure they probably do), but again, it was good practice to create it. If you are interested, the plugin can be found on GitHub.

A simple Google Analytics WordPress plugin

I’ve created a simple WordPress plugin. It’s called Simple Google Analytics. Can you guess what it does?

Yup, you guessed it, it allows WordPress site owners to quickly install their Google Analytics tracking code.

Screenshot of Simple Google Analytics plugin admin page.

Apart from that, the only other feature is hidden — the plugin only outputs the tracking code if the user is not logged in.

I’ve installed the plugin on this site, but I’m not sure anyone else will find it useful as there are a lot of Google Analytics plugins already available for WordPress, obviously. Reinventing the wheel is stupid, but I enjoyed writing it, and besides, it was good practice.

If you fancy taking a look at the code, you can find it on GitHub.