Developers Review







Theme or Plugin???


Does that custom code go in a theme or a plugin?

  1. In your functions.php
  2. A fully custom plugin

If you want the functionality to live past this current theme
then it goes in a plugin

If it's specific to this site design, it goes in the theme

WordPress Actions 


Actions indicate that something happened

Like the 'pre_get_posts' action that runs before WordPress gets posts

You can add_action to catch 'pre_get_posts' and change the posts WordPress is getting



Action example


Lets get published and scheduled posts


Wordpress Filters


Filters allow you to change things as they run

Like 'wp_mail_from' which allows you to change who the WordPress stock emails come from

So you add_filter with 'wp_mail_from' and change the email

Filter example


Lets make WordPress use my email as the send from email





Site Security Rules


1. Never trust the User












photo credit: lydia_shiningbrightly cc

2. Never Trust the User!












photo credit: levork cc

3. Escape as Late as Possible



4. Use Nonces


Number Used Once

Tie them to a $post_id

We'll cover nonces more later

5. Never Trust the User












photo credit: Dunechaser cc

6. Whitelist





But blacklisting??
  • infinite amounts of options you don't want
  • have to maintain that infinite list

7. Check Formats




8. Sanitize on Input Validate on output


When we output use the esc_* functions

When we are doing input (saving) we sanitize
  • check to make sure we have the expected data

9. Never Trust the User












photo credit: HelloImNik cc

Now Lets Try It



Answers



Roles and Caps


Roles are things like:
Administrator, Author, Subscriber


Caps are things that the roles can do like:
activate_plugins, read, save_post

Check for Caps not Roles





Add Caps when you Add functionality




Development Review

By curtismchale

Development Review

Quick review of actions and filters then we talk about sanitization and validation.

  • 1,814