WordPress 3 Plugin Development Essentials

By Brian Bondari , Everett Griffiths
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Free Chapter
    Preparing for WordPress Development
About this book

WordPress is one of the most popular platforms for building blogs and general websites. By learning how to develop and integrate your own plugins, you can add functionality and extend WordPress in any way imaginable. By tapping into the additional power and functionality that plugins provide, you can make your site easier to administer, add new features, or even alter the very nature of how WordPress works. Covering WordPress version 3, this book makes it super easy for you to build a variety of plugins.

WordPress 3 Plugin Development Essentials is a practical hands-on tutorial for learning how to create your own plugins for WordPress. Using best coding practices, this book will walk you through the design and creation of a variety of original plugins.

WordPress 3 Plugin Development Essentials focuses on teaching you all aspects of modern WordPress development. The book uses real and published WordPress plugins and follows their creation from the idea to the finishing touches in a series of easy-to-follow and informative steps. You will discover how to deconstruct an existing plugin, use the WordPress API in typical scenarios, hook into the database, version your code with SVN, and deploy your new plugin to the world.

Each new chapter introduces different features of WordPress and how to put them to good use, allowing you to gradually advance your knowledge. WordPress 3 Plugin Development Essentials is packed with information, tips, and examples that will help you gain comfort and confidence in your ability to harness and extend the power of WordPress via plugins.

Publication date:
March 2011


Chapter 1. Preparing for WordPress Development

Since you have picked up this book, you are likely to fall into one of two overall categories: developers who are new to WordPress, or WordPress users keen to start or improve their WordPress development skills. No matter which camp you lie in, this book will help you down that path. This book will show you how to customize WordPress using plugins by providing well-structured code and by explaining how the code interacts with the WordPress application. It introduces a variety of development techniques drawn from a range of real-world scenarios that will give you, the reader, a practical understanding of how to write, debug, and deploy WordPress plugins.

Together we will delve through a series of increasingly challenging topics covering a range of scenarios that a developer is likely to encounter when developing and maintaining a WordPress 3 site. While you may read the book from start to finish, each chapter strives to be a self-contained topic for easier reference.

It is expected that the readers of this book have some knowledge of programming concepts and a working understanding of web applications, including HTML and basic CSS. Familiarity with WordPress is also recommended.


WordPress background

WordPress is a popular content management system (CMS), most renowned for its use as a blogging / publishing application. According to usage statistics tracker, BuiltWith (http://builtWith.com), WordPress is considered to be the most popular blogging software on the planet—not bad for something that has only been around officially since 2003. It has always sought to allow its users to publish information easily, and although it can be used successfully for sites that are not blog-centric, running a blog has been a guiding star in WordPress' design since its inception.


Extending WordPress

Like many systems, WordPress may not do everything you want right out of the box. Instead, it focuses on a set of core features and allows for customizations in the form of plugins, so if the built-in functionality doesn't meet your needs, your options are to:

  • Find an existing third-party plugin

  • Write your own plugin

  • Look for another CMS entirely

It is well worth your time to search for an existing solution if WordPress doesn't already have the functionality that you require—chances are high that someone out there has already done what you are trying to do. It may not be as much fun or as glamorous as developing your own shiny new code, but it is usually easier and faster to cash in on the work others have done, just be aware that a lot of code in the WordPress repository is written by amateurs and it may contain bugs.

If you do end up extending WordPress with your own plugin, and we hope you do since you are reading this book, make sure that you are doing one of two things: either you are solving a problem that nobody has solved before, or you are coming up with a better mousetrap and re-solving a problem in a new and valuable way.


Understanding WordPress architecture

Spend a few minutes kicking the tires and you will become familiar with WordPress' features:

  • Clean blog management

  • Flexible permalink structure

  • Easy search engine optimization (SEO)

  • A simple package management tool

  • The ability to update WordPress itself directly from the manager

  • Versioning of drafts (so you don't lose data)

  • A mature Ajax interface (lets you easily drag-and-drop widgets to customize your experience in the manager)

This is a fine system, but it is a bit like listening to a car salesman—if you really want to see how it performs, you should get your hands greasy and see what's under the hood. For developers, the real aspects of WordPress' customization and extensibility lie in Templating and Plugins.


WordPress offers a templating system for implementing custom HTML and CSS, but it is not a templating system in the same sense as Smarty (http://www.smarty.net) or Perl's Template Toolkit. Instead, like many PHP CMSs (most notably Drupal and Joomla!), WordPress templates are simply PHP files that typically contain a mix of application logic and presentation code, for example, <div id="footer"><?php wp_footer(); ?></div>.

Compare that with a Drupal template excerpt: <div id="footer"><?php print render($page['footer']); ?></div> or with a MODx excerpt using Smarty placeholders: <div id="footer">[[*footer]]</div> and you can get some idea of the spectrum. Typically, the templates used in WordPress do not adhere to the Model-View-Controller (MVC) pattern, so they cause some developers to raise a critical eyebrow.

Be aware that your WordPress templates contain PHP code and that they do execute, so it is naturally possible to "crash" your templates, or to have complex loops and logical statements in them. As a developer, try your absolute best to separate logic from presentation and keep your templates as clean as possible. There are plenty of WordPress theme files out there that contain a dizzying mess of PHP and HTML, which result in an unmaintainable no man's land. Designers won't touch them because they can't decipher the myriad if-statements and sloppy concatenations, and developers won't touch them for the same reason, or perhaps because they contain HTML and CSS that developers don't want to worry about. In the end, just try to avoid the numerous pitfalls that exist in this type of templating system.

Introducing plugins

Like any good CMS, WordPress offers an application programming interface (API) for developers to perform common tasks in their plugins. Unlike many CMSs, however, the WordPress API is largely procedural: it exists mostly as a series of globally scoped functions and variables in the main namespace, so you have to be extra careful when naming your functions to avoid naming collisions. There are certain tasks that are object oriented (OO), but there is a decent chance that you could look through a dozen WordPress plugins before encountering a class or an object. In certain programming languages, such an arrangement is unusual if not impossible, but the PHP community in particular often offers procedural equivalents of object-oriented code.

Opening up an existing WordPress plugin is a bit like going into a public restroom: it may be perfectly clean and hygienic, or it may be a rank and apoplectic mess of functions, logic, and HTML. Just be prepared.


What is a plugin?

The term "Plugin" is a bit ambiguous and WordPress' definition differs from other content management systems. In general, a WordPress plugin is any bit of code that extends the core functionality of WordPress. Unlike Expression Engine, Drupal, or MODx, WordPress does not use different terms such as "module", "snippet", or "add-on" to distinguish where or how this extension occurs. In WordPress, they are all considered plugins.

WordPress plugins use an event-driven architecture—anyone who has seen a JavaScript function triggered via an HTML "onClick" is familiar with this approach, but in WordPress, the events are typically referred to as hooks. A hook is an event—it is a place where you can attach (or "hook") code. While examining existing plugins, keep an eye out for the add_action() and add_filter() functions that tie a hook to a function inside the plugin. Depending on the author, add_action() and add_filter() instances may be scattered throughout the code or consolidated into one place.

The number of hooks available in WordPress has been steadily increasing and with version 3, there are well over 1,000. Unfortunately, they are not well documented. This daunting number represents an unwieldy weak point in the WordPress architecture. How can the developer find the one or two he needs? We have included a list of some of the most common hooks in an appendix at the end of this book.

Many plugins contain convoluted mixtures of logic and HTML within a single function. This scenario is unfortunately common in many PHP CMSs, and it can make it exceedingly difficult to find and fix formatting errors. You may be fighting an uphill battle, but we strongly recommend separating your plugin logic from any formatting code. It will make your plugins easier to maintain and skin.

Another thing to remember when writing plugins is that WordPress 3.1 is the last version of WordPress that is compatible with a dwindling number of PHP 4 users. Be sure your plugin tests the PHP version in use, especially if you use the more advanced language constructs available in PHP 5.


Summarizing architecture

WordPress has put together a solution that works well. This solution is not necessarily better or worse than other platforms, it just has different advantages and disadvantages. When in Rome, it is not necessarily best to do as the Romans do (Rome did fall, after all), but you had better be aware of their modus operandi.

In general, WordPress offers a clean and efficient way to get many sites off the ground. However, its flexibility has allowed some less-experienced developers to create unenviable code patterns that are difficult to maintain and debug, and this is what we are striving to avoid. Above all, we encourage you to strive for clean and concise code while working within this, or any, system.


Tools for web development

The tools you need to develop plugins for WordPress are essentially the same tools you need for developing almost any web application, specifically:

  • WordPress

  • Text editor

  • FTP client

  • MySQL client (optional)


If you are going to develop plugins for WordPress, you need WordPress itself and an environment that can run it. Download the latest version of WordPress from http://wordpress.org/download. It is then just a matter of finding a suitable place to install it.

WordPress 3 runs on a web server (most commonly Apache) that can run at least PHP 4.3 and MySQL 4.1.2—WordPress 3.2 requires PHP 5.2 and MySQL 5.0.15. Since both PHP and MySQL are widespread web technologies and WordPress is such a popular blogging tool, most hosting providers can support running WordPress on their servers. If in doubt, consult your web host's FAQ.

Another option is to run WordPress in a "sandbox" environment on your own computer. This can be more involved since you have to set up your computer as a web server and configure several other inter-related technologies, but thankfully there are bundled packages available that do much of the difficult work for you—we have listed a few options for these types of packages below.

A third option is to run a virtual machine on your local computer using emulation software like Parallels (http://www.parallels.com), VMware (http://www.vmware.com) or VirtualBox (http://www.virtualbox.org). This can be a great way to mimic your intended production environment precisely and still get all the benefits of hosting your site locally, but it does require some solid system administration skills, so this option is mainly recommended for seasoned developers.

If you plan to run a "sandbox" testing ground on your own computer, you have a few options depending on the platform.


Since Mac OS X ships with Apache and PHP—and MySQL can be compiled to run natively—you can run WordPress directly on your Macintosh. However, this requires a fair amount of non-trivial sysadmin skills, so we strongly recommend that you download an all-in-one pre-configured PHP-MySQL package.

Two solid options are:

Both are free packages that include all you need to get your Mac ready for WordPress.


On Microsoft Windows, there are several options. You can try:

All of the above options are free and will get the job done. For reference, the Microsoft Web Platform uses IIS as the web server instead of Apache. Refer to the relevant website for instructions on how to install and set up any of this software.

Text editor

You don't need anything special when it comes to a text editor, just something that can write plain, unformatted text files. Don't try using a word processor such as Microsoft Word because it will add all kinds of formatting. We strongly recommend, however, that you go a little bit beyond the basic requirement of authoring text files and find an editor that offers the following features:

  • Syntax highlighting: This could save you hours of frustration by helping you spot variables, missing quotes, or other errata.

  • Locate matching parentheses, brackets, or braces: Many times syntax errors are caused when you inadvertently omit a curly brace or a parenthesis. Being able to locate the matching unit of these paired symbols will help you track down these types of errors more quickly.

  • Find and replace across multiple files: A massively timesaving operation.

  • Displays line numbers: PHP will reference line numbers when it encounters errors.

On a Mac, TextWrangler (http://www.barebones.com/products/textwrangler) is a free application that lets you work on multiple files simultaneously, made by the same folks who make the venerable BBEdit (which is a viable option if you need more features and are willing to spend a bit of money). TextMate (http://macromates.com) is on par with BBEdit and is a direct competitor. A tremendous editor for Mac OS X is Coda (http://www.panic.com/coda). It really is the Swiss Army Knife of web development applications. Coda keeps your files organized, lets you preview HTML and CSS, does syntax highlighting on all kinds of files, offers auto complete on function calls, acts as an FTP, SSH, and a lightweight SVN client, and even has plugins that will help you check your code for errors. If you have a budget for your projects, Coda is a time-saving application.

On Windows, there are several free text editors worth examining, including NotePad++ (http://notepad-plus-plus.org), PSPad (http://www.pspad.com), and NotePad2 (http://www.flos-freeware.ch/notepad2.html). One excellent commercial offering is UltraEdit (http://www.ultraedit.com).

Using an IDE

You may consider using a full blown Integrated Development Environment (IDE) such as Eclipse (http://www.eclipse.org), Sun's NetBeans (http://netbeans.org), Jet Brain's PhpStorm (http://www.jetbrains.com/phpstorm/), or the Zend Studio IDE (http://www.zend.com/products/studio), all of which run on Mac, Windows, or Linux.

These are powerful programs, but they aren't easy to use so their complexity may be off-putting. Compare a 16 MB footprint for a standalone text editor such as TextEdit to the behemoth 470 MB of the Zend Studio IDE and you get some idea of the resources required to run each program. The more development you do, the more you will gravitate toward IDE applications because they offer unmatched features, but they're not generally recommend for first time developers. NetBeans is free and relatively resource friendly, so it is a good option if you are looking to explore the world of IDEs.

On the lightweight end of the spectrum, you can use one of the feature rich and battle-tested command line editors: vi or eMacs. They offer enormous flexibility and features directly from any *nix command line. Although it is extremely useful for a developer to be capable of editing files from a command line, the keyboard-only interface and steep learning curve of these editors precludes them from mainstream use, so we don't recommend you use them as your primary editing application.


No matter which editor you choose, make sure it helps you get your work done instead of becoming a chore unto itself. Refer to each vendor's site for instructions on how to install and configure them.

FTP client

In order to transfer files from your local computer to your destination web server and back again, you need an FTP client (or an SSH client) to facilitate the copying. The application need not be fancy, but it should be easy to use because chances are good that you will be using it a lot.

On Mac OS X, the aforementioned text editor Coda includes FTP functionality; CyberDuck (http://cyberduck.ch) offers a fine standalone client with the ability to bookmark sites and access Amazon S3 folders. Though not free, Transmit (http://www.panic.com/transmit) has a slick interface and it stands out as one of the only FTP clients that offers the OS X "column view" of files and folders.

On Windows, FileZilla (http://filezilla-project.org) is a solid offering. There's also the venerable WinSCP (http://winscp.net), as well as Core FTP LE (http://www.coreftp.com). All three of these programs are free.

MySQL client

Depending on the level of developing that you do with WordPress, you may not need a MySQL client, but it is extremely handy to have one available, and it can be good to have this window into your database. After all, the database has much of your content and settings, so eventually you will want to see what's going on in there.

On a Mac, if you installed the MAMP package, it comes with phpMyAdmin. This works in a pinch, albeit clumsily because it is a web application. Sequel Pro (http://www.sequelpro.com) is one of only a handful of options for desktop SQL clients on Mac OS X.

SQLyog (http://www.webyog.com) is the Windows-only benchmark—it's a powerful desktop client with an intuitive interface and sensible shortcuts.

phpMyAdmin is also available for many Windows installations, including XAMPP and EasyPHP, so don't feel obligated to purchase software if it's not in your budget.


Coding best practices

Contrary to the old adage, practice does not always make perfect. Instead, practice makes habit. The more time you spend developing, the more knowledgeable you become, but the benefits or disadvantages of certain development practices may not be obvious to the hobbyist. The wisdom of experienced developers is invaluable as you learn, so here are some general guidelines that should help you make your code easier to design, test, and maintain. You can read through WordPress' coding guidelines (http://codex.wordpress.org/Writing_a_Plugin), but this chapter provides more detailed information—we will be putting these into practice over the following chapters.


Basic organization

The simple recommendation here is to keep your code consistently organized. If someone is looking through your code months from now, will he be able to follow the method to your madness? If you are consistent, people will be able to follow your logic more easily, even if they don't agree with it. Consistency should prevail throughout your variable names, function names, documentation, file names, and folder structure: keep it sensible and clean.

One other tip that we have learned through many hours of frustration seems profoundly simple: a "unit" of code should fit on one screen without scrolling. In general, if you can't see it, you can't get it uploaded into your brain for full comprehension. What is a "unit"? Usually it is a function, but sometimes it can be a logical block or a group of related tasks. Functions are easier to test, so they make for better units. The bottom line is to take small bites and if your "units" fit snugly on the screen instead of scrolling across several pages, then your code will be much easier to understand and debug.

Here are the main points to consider when organizing your code:

  • Isolate tasks into functions

  • Use classes

  • Use descriptive variable names

  • Use descriptive function names

  • Separate logic and display layers

  • Go modular, to a point

  • Avoid short tags

Isolate tasks into functions

A function, as its name suggests, performs a certain task, but structuring them can be a bit of an art. Any time you find yourself copying and pasting identical code (or even similar code), that should be a glaring red flag that it's time to consolidate it into one place by putting it into a function. Just like having a single stylesheet for your website gives the designer a single place to make global changes, a function should give the developer one place to alter a particular behavior.

A good rule of thumb when writing functions is that they should not accept more than three inputs. Otherwise, they become difficult to use. You can package multiple inputs into a single associative array (a.k.a. a "hash"), or you could restructure your code into multiple functions. Again, find a clean solution.

Use classes

For new developers, the whole notion of objects and classes may seem something of a black art. It may feel needlessly complex, and to be fair, in some scenarios it is. However, the more you develop, the more you will gravitate toward object-oriented code because it allows for better organization, maintainability, and classes are much easier to extend.

Anyone familiar with CSS can appreciate the beauty of overriding a behavior. In the same way that you can override a style declaration from a *.css file with a local declaration, you can override a PHP class function by extending the class and redefining the function. We will see some examples of this later in this book.

Use descriptive variable names

PHP does not impose many restrictions on variable names, and there are differing naming strategies that you may employ. Compare this to Java, where using the incorrect case or underscores in your variable names is tantamount to heresy. Common naming strategies include $lower_case_with_underlines and $camelCase, and since PHP does not use distinct glyphs to distinguish arrays from scalar variables (like Perl, which distinguishes a $scalar from a @array), it can be useful to include the data type in the variable name, for example, $records_array.

Whichever method you use, make sure that the names adequately describe the contents of the variable in the context in which they appear. Avoid single letters and avoid long-winded, overly complicated names. In general, find the shortest name that accurately represents the variable's purpose. It may seem esoteric, but in order to understand your code, it must enter your brain through the construct of the English language (or in whatever language you tend to think). If your variable names are unclear, your brain will have to work harder to understand what your code is doing, so take the time to be descriptive and clear.

Use descriptive function names

As with your variable names, your function names should accurately describe what the functions do. It is common in most languages to have functions that get or set attributes, such as getHeader() or setPageWidth().

There are a few caveats to mention with PHP function names: first of all they are not case sensitive. For example, add_action(), aDD_aCtIoN(), or ADD_ACTION() are all interpreted identically. For the sake of clarity and ease of searching, always call your functions using the same case as their definitions.

Function names starting with a single underscore (for example, _my_private_function()) have historically been used to denote private functions—that is functions intended for use by other functions and not for direct use by the "outside world". With PHP 5, you can control the access to a class's functions as public, private, or protected, but the underscore is still often used as a helpful reminder.

"Magical" functions in PHP use names starting with two underscores (for example, __construct()). They are used to perform special tasks inside of a PHP class. Although you can name your functions in this way provided there are no name collisions, it is not recommended because they may be mistaken for magic PHP functions. For example, WordPress uses the __() function for localization, but we do not recommend using function names that begin with two underscores or whose names are very non-descriptive.

Lastly, your code will be much easier to navigate if you alphabetize your functions by name. Some text editors, particularly IDEs, will provide a menu to jump to each function. Alphabetizing works especially well if you put the magic functions (with two leading underscores) before the private functions (with a single leading underscore) before the public functions (with no leading underscores). The quicker you can navigate your code, the quicker you will be able to debug and change it.

Separate logic and display layers

It doesn't matter whether you are using procedural or object-oriented code, you should still separate your logic from your presentation. In laymen's terms, that means that you should keep if-statements, loops, or any other logical flows out of your HTML as much as possible.

Endlessly concatenating bits of HTML with variables and having to debug your display layers is a huge waste of time that is accepted as common practice by a staggering number of developers. You will be way ahead of the curve if you keep your HTML display logic as simple and static as possible, and keep your complicated calculations in separate functions and files. We will show you several examples of how to avoid messy concatenations using PHP functions like sprintf() as well as a few of our own parsing functions.

Go modular, to a point

Normally, there are strong admonitions to reuse your code whenever possible, but it is necessary to mention the caveats required for making your code portable and modular. When it comes to plugin development, sometimes you can get into trouble if your code pokes its head too far out of its own folder and starts referencing JavaScript libraries, CSS files, or even scripts that it assumes will be present in any WordPress install.

The only tie to the parent application should be through the API. It may go against your instincts to copy a second version of an image or a JavaScript library into your plugin's directory, but it will ensure that your plugin is self-sustaining and not susceptible to changes outside of its own folder.

Avoid short tags

Simply because you can configure PHP to use "<?" and "?>" (a.k.a. "short tags") to demarcate PHP code, that doesn't mean you should. Short tags are fool's gold! Even if your web server supports them, don't expect everyone in the neighborhood to join your club. Apart from making distribution of your plugin risky, short tags can cause XML files to get interpreted as PHP because they too begin with "<?".

We have personally discovered many plugins in the WordPress repository that made the sophomoric mistake of using short tags, forcing us to have to debug them immediately after installing them. It sounds harsh, but using short tags is a sure-fire way to doom your plugin to the rubbish pile.


Planning ahead / starting development

If you have ever worked in a professional development shop, you are probably familiar with the careful preparations, discussions, wireframes, and mock-ups that are made before any code is written. Projects born of haphazard random hacking are always harder to upgrade and maintain, so it is worth your time to plan your actions before writing a single line of code.

The following are a few important aspects to have in mind when starting development of your plugin:

  • Interfaces

  • Localization

  • Documentation for the developer

  • Version control

  • Environment

  • Tests

  • Security


As you write code, you should constantly ask yourself, "How should this component be used?" If you are coding a particular function, you should choose what the input and output should be to make it as easy to use as possible. If you are planning a particular plugin, close your eyes and try to imagine every detail of how it should look once it is finished. What configuration options does it need? How many buttons? What will each button do? Choosing how a user will interact with your code can be broadly described as "defining the interface", and it is one of the most important aspects in planning your project because you should strive to "code to the interface". The concept is subtle, but the point is that if you have designed an interface that is easy to use, your plugin will be easy to use, and its code will be easier to maintain.

When you think about interfaces, think about the WordPress API—it is a series of functions that define how you interact with the WordPress application. While the code within each function may change between versions, so as long as the inputs and outputs (that is "the interface") remain the same, all the code using those functions will continue to work.


Even if you never intend to release your code publicly, it can be helpful to isolate any text that is used for messaging and might at some point be translated. If you are curious, you can skip ahead to the chapter on internationalization.

Documentation for the developer

As you write your plugin, be vigilant about documentation. Most developers do not include enough comments, and some include too many. At a minimum, you should include a synopsis of the plugin itself and list the expected inputs and outputs of each function so that it is clear to anyone looking at the comments what the function does and what data types it requires. If you've followed the advice presented here so far, your code will be broken down into bite-sized "units" that are easier to debug and easier to document. If you find that you are documenting a function that does more than one task, chances are good that you did not break down the functionality into a small enough unit. We have included a section on how to write effective documentation in a later chapter.

Version control

On any software project, it is useful to store versions of your files using one of the common version control applications such as Subversion (SVN), GIT, or Mercurial. The WordPress plugin repositories use SVN, and it is one of the most popular tools, so if you know you will be publishing your plugin, it may save you some time to use SVN right off the bat.

No matter how you do it, make sure that you are storing all revisions of your work so that you can easily roll back. Indeed, in professional projects, one of the first things that gets set up for collaborators is the version-controlled code repository. If you know you are going down this route or if you just want to brush up your chops, you may want to spend around $50 and get a good client for your system. Mac OS X ships with SVN on the command-line (and the Coda editor includes a basic SVN client), but you can also download Versions (http://www.versionsapp.com). Windows has the well-liked TortoiseSVN (http://www.tortoisesvn.net), while SyncroSVN is available on all platforms (http://www.syncrosvnclient.com). GIT also has client software available on all platforms.

We have included a chapter on SVN later in this book, so feel free to refer to it if you need to get your code versioned.


Just as you should consider the interfaces and possible translations of your code before getting too deep into it, you should also consider the environment on which it will be deployed. Does your code need to work on a specific version of PHP? Does it need to work across a series of load-balanced servers where the default PHP session management won't work? Does the destination environment have all the PHP modules that you have on your development machine?

It is common practice in software development to set up a development server that mimics the production server exactly. Unless you do additional tests, the only environment on which your plugin is guaranteed to work is the one you used while writing it. If you ever write plugins for paying customers, be sure to allow time to test your code in the environment(s) where it will be used.


Whether informal or not, tests are an integral part of any application. If you have structured your code well, it will be easier to test. Later on, we will talk about writing tests to ensure that your plugin functions properly, but it is also very worthwhile to construct informal proof-of-concept tests as you develop.

Just as an artist will draw a few studies before he paints his masterpiece, it is useful for the developer to isolate tricky bits of code into a separate test or proof. We recommend saving these little proofs in a separate directory and keeping them along with your other project code. They can become valuable notes for you as you progress in your education of PHP development.


Web application security is a massive topic that goes far beyond the scope of this book. Experience is the best teacher, and we encourage you to educate yourself as much as possible when it comes to understanding vulnerabilities. We are devoting only a small amount of time to cover some of the most common exploits. You don't have much control over the underlying technologies that your plugin runs on (that is PHP, MySQL, or WordPress itself), so you should focus your attention on writing your code securely. The following scenarios represent the most commonly exploited areas in a typical web application, but remember: security is a journey, not a destination. No technology or code can ever be guaranteed to be 100% secure, but there are steps you can take to avoid the most common pitfalls.

Printing user-supplied data to a page

This most often comes up when repopulating forms after failed validation and it is often the key ingredient in a cross-site-scripting (XSS) attack. Be extremely careful any time your code handles data supplied by the user. This can be data from the $_POST, $_GET, $_REQUEST, $_COOKIE, or even from the $_SESSION arrays. If you print any of this data to the page, you must make sure that you have filtered out any malicious content.

Consider this little bit of code:

<?php print $_GET ['x']; ?>

That bit of code is deadly. Printing raw request variables is all it takes to convert your site into a distributor of scum and villainy, infect computers with viruses, and get your site blocked by Google.

A better example shows how to force the value of a variable to an integer using type-casting, rendering harmless any hacking attempt:

<?php print (int) $_GET['x']; ?>

When handling user-supplied data, you will certainly become intimately familiar with regular expressions and the preg_match() and preg_replace() functions. Regular expressions represent another topic that is beyond the scope of this book, but keep an eye on our plugins for examples on how they might be used.

Using user-supplied data to construct database queries

This can crop up in search forms, profile pages, surveys, or any other form that interacts with the database. Consider this query:

$query = "SELECT * FROM wp_some_table WHERE username='" . $username . "'";

If you did nothing to filter the value of $username, then it is entirely possible that the variable could contain multiple queries instead of just the single username you expected. This could lead to your database being inadvertently read, deleted, or altered. Sending unfiltered user input directly to the database is the prime ingredient in a SQL-injection attack.

The risk can be virtually eliminated if your code uses "prepared statements". Instead of sending arbitrary strings to the database for execution, prepared statements first prepare the basic query and then accept only variables that complete it. Prepared statements are only possible if your web server has a more mature PHP-MySQL driver installed, such as mysqli, and your code is written explicitly to use them; WordPress does not, so be very careful if you ever start constructing your own query strings to send to the database. It is highly recommended that you use WordPress' built-in database accessor functions whenever possible. We have some examples of these in our plugins.



If you code, you will need to learn how to debug. PHP can be more difficult to debug than some languages because it lacks a built-in debugger, so you can't step through the code line by line and set break points. PHP also does not require that you declare your variables. The first time it comes across a variable, the variable is automatically typed and scoped. This behavior is both a blessing and a curse; it is guaranteed that you will have times when you will debug a script for hours, only to discover that the root cause was a misspelled variable name.

The following is a list of recommendations for more efficient PHP debugging:

  • Clear your browser cache

  • Update your php.ini file

  • Check your syntax

  • Configure your wp-config.php file

  • Check values: print_r() and vardump()

Clearing your browser cache

This should be old news for anyone who has done web development of any kind, but you must ensure that you are getting the freshest copy each time you view a page. The one caveat here is with Firefox and its "Work Offline" setting. If you are developing locally on your own computer (for example, using MAMP) and you have disconnected from the Internet, Firefox tends to go into "Work Offline" mode, which means that it will not reload any pages. Make sure Firefox never enters the "Work Offline" mode.

Updating your php.ini file

Use the following settings in your php.ini file:

error_reporting  =  E_ALL
display_errors = On

And optionally, use these settings to log errors to a log file:

log_errors = On
error_log = "/path/to/php_error.log"

For security, make sure the following value is set:

register_globals = Off

This will make PHP print errors to the screen (and optionally to the logs), including line numbers. Without this type of verbose output, it is virtually impossible to tell if your scripts are having problems, let alone diagnose them. On a shared hosting environment, you may not have much control over the contents of the php.ini file, but you can include a line in your scripts to change the error reporting level:


Some hosting setups allow you to use your own local php.ini file to override system settings found in the main php.ini file. Check with your web host for details.

Configuring your wp-config.php file

WordPress has some debugging options of its own. If you are developing on a shared server where you cannot modify the php.ini file, it can be just as effective to modify the contents of your wp-config.php file so that the WP_DEBUG value is set to true:

define('WP_DEBUG', true);

Checking your syntax

From a *nix command line (Linux or Mac OS X), you can easily check whether or not a script has parse errors by using the syntax-check flag:

php -l myscript.php

If you are using Coda on Mac OS X, you can install the PHP Toolkit (http://www.chipwreck.de) and check for syntax errors directly from Coda. No matter what, check your syntax frequently! Sometimes forgetting a semicolon or a bracket can trigger an error that is nowhere near the actual problem. So, it is best to work on one area of code at a time and check syntax frequently so you will know where to look for the problem.

Checking values

Since PHP does not have a built-in debugger, it is common for developers to temporarily sprinkle their code with print and exit statements to check variable contents at runtime. You should become intimately familiar with the following two functions: print_r and var_dump. The get_defined_vars() function is also useful to help check for misspellings and variables that may be persisting beyond the scope you expected.

It is common to exit your script after performing one of these debugging maneuvers, then comment out the statement once you've verified the values. It can be really easy to forget that you added an exit statement somewhere in your script, so be vigilant when you perform this type of debugging. Don't forget to comment it out when finished.

For example, the following script:

$arr = array('man','bear','pig');

prints this result, clearly identifying the contents of the array:

    [0] => man
    [1] => bear
    [2] => pig


If you are doing any sort of frontend development that involves CSS or JavaScript, then the Firefox Firebug add-on is invaluable (http://getfirebug.com).


If you're not already a Firebug user, here's a little exercise that you can try in order to get a glimpse of the value that Firebug can do to aid in debugging. First, upload the following HTML file to the root of your site then visit it using Firefox (for example, http://yoursite.com/firebug.html):

	<title>Testing FireBug</title>
	<script type="text/javascript">
		function myFunction(inputValue)
			console.log('Current value is' + inputValue);
	<a href="#" onclick="myFunction('man')">Man</a><br/>
	<a href="#" onclick="myFunction('bear')">Bear</a><br/>
	<a href="#" onclick="myFunction('pig')">Pig</a><br/>

Within FireFox, click on the Firebug icon at the bottom-right corner of your browser to activate it, then enable the console. Do you see how you can track JavaScript variable values in the console?


Note that the console.log() function has variants: console.info(), console.warn(), and console.error(). They all accept input in the same format at PHP's printf() function, and they will all help you test your JavaScript. The big thing to remember when using the Firebug console methods is that they are only available when Firebug is active. As soon as you close Firebug, those commands will fail and cause JavaScript processing to stop. The simple workaround is to remove the debugging statements when you are finished debugging, or shepherd them into areas where they can fail safely.

We will show some examples of how to use Firebug and JavaScript in your plugins in some of the later chapters.



There is a lot to learn about the numerous technologies that work together to allow you to write a plugin. If it did not all sink in, that's okay, because we will be repeatedly exposing you to the ideas and techniques discussed in this chapter as we work through the following chapters. We have included an appendix at the end of the book that lists resources where you can get information about WordPress functions and plugins.

Hopefully, we have painted a decent picture of the landscape of WordPress plugins and their parent technologies. In the next chapter, we will dissect a typical plugin to find out what makes it tick.

About the Authors
  • Brian Bondari

    Brian Bondari is a musician, composer, and teacher with equal loves for both music and technology. His hobbies include reading, hiking, composing music, and playing with his pet rabbit. He also spends an exorbitant amount of time lying on the floor grading papers.

    Brian earned his doctorate from the University of Kansas in 2009 and is currently an Assistant Professor of Music Theory and Composition at the University of Texas at Tyler. When he is not writing music or grading papers, he serves as Senior Editor for the multi-author technology blog, http://www.TipsFor.us.

    You can also visit him at http://www.bondari.com.

    Browse publications by this author
  • Everett Griffiths

    Everett Griffiths is a freelance PHP/Perl developer and database architect specializing in Content Management Systems and plugin development. His hobbies include playing guitar and running. He currently resides in Los Angeles with frequent trips abroad.

    Browse publications by this author
WordPress 3 Plugin Development Essentials
Unlock this book and the full library FREE for 7 days
Start now