WordPress – walk-through – Part 2

Prefix Everything
All files, variables, and functions should be prefixed with a unique identifier.

The root level of your plugin directory should contain your plugin-name.php and, optionally, your uninstall file. All other files should be organized into folders whenever possible.

Here’s a sample folder structure for reference:

Every time a post title, post meta value, or some other data from the database is rendered to the user, we need to make sure it’s properly escaped. This helps prevent issues like Cross-site scripting (XSS).

Mark Jaquith: Theme & Plugin Security

As you build a plugin, make sure to pay careful attention to which roles should be permitted to perform a specific action.

The example below shows a helpful function which gives editors a link to trash posts from the front end of their site:

Data validation should be performed as early as possible. In the case of processing a form, that means validating the data before doing anything else with it. Form validation can be performed with JavaScript before a form is ever submitted, and then with PHP after the form has been submitted.
Data coming from other sources will almost always be validated with PHP.

Validation Sample:

Validation is confirming that the data is what you expect it to be. Sanitization is a more liberal approach to cleaning your data.
Escaping means stripping out unwanted data, like malformed HTML or script tags (thereby preventing the dreaded cross-site scripting attack).

Most WordPress functions properly prepare data for output, so you don’t need to escape the data again. For example, you can safely call the_title() without escaping.

Escaping helps prevent issues such as cross-site scripting.
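As an added example (my code, not the post's), here is how the three steps fit together for a hypothetical contact-form handler: input is sanitized and validated the moment the request arrives, and escaped only when rendered. The dwt_ prefix, field names and option name are assumptions.

```php
<?php
// Added example (not from the original post). Hypothetical "dwt_" prefix and form field names.

// Validate and sanitize as early as possible: in the handler that first sees the submission.
function dwt_handle_contact_form() {
    if ( ! isset( $_POST['dwt_contact_submit'] ) ) {
        return; // not our form
    }
    // Origin/intent check first (see the nonce section), then clean the raw input.
    check_admin_referer( 'dwt_contact', 'dwt_nonce' );
    $name  = sanitize_text_field( wp_unslash( $_POST['dwt_name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['dwt_email'] ?? '' ) );
    $msg   = sanitize_textarea_field( wp_unslash( $_POST['dwt_message'] ?? '' ) );

    // Validation: confirm the data is what we expect; reject rather than repair on failure.
    $errors = array();
    if ( '' === $name || strlen( $name ) > 100 ) {
        $errors[] = 'Name must be 1-100 characters.';
    }
    if ( ! is_email( $email ) ) {
        $errors[] = 'Please supply a valid e-mail address.';
    }
    if ( '' === $msg ) {
        $errors[] = 'Message cannot be empty.';
    }
    if ( $errors ) {
        // Strings written by us, but still escaped when shown rather than trusted blindly.
        wp_die( esc_html( implode( ' ', $errors ) ), '', array( 'response' => 400 ) );
    }
    // Only validated, sanitized data reaches the database.
    update_option( 'dwt_last_contact', array( 'name' => $name, 'email' => $email, 'msg' => $msg ) );
}
add_action( 'init', 'dwt_handle_contact_form' );

// Escape at output time, picking the escaper that matches the context the value lands in.
function dwt_render_last_contact() {
    $last = get_option( 'dwt_last_contact', array() );
    if ( empty( $last ) ) {
        return '';
    }
    return sprintf(
        '<p class="dwt-contact">Last message from <strong>%s</strong> (<a href="mailto:%s">%s</a>): %s</p>',
        esc_html( $last['name'] ),        // HTML body text
        esc_attr( $last['email'] ),       // inside an attribute value
        esc_html( $last['email'] ),
        nl2br( esc_html( $last['msg'] ) ) // escape first, then add the safe <br> tags
    );
}
add_shortcode( 'dwt_last_contact', 'dwt_render_last_contact' );
```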

Nonces are generated numbers used to verify origin and intent of requests for security purposes. Each nonce can only be used once and includes a capability check to confirm the sender.

When you generate the action link, you’ll want to use wp_create_nonce() to add a nonce to the link:

When you’re processing a request to delete a link, you can check that the nonce is what you expect it to be:
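The front-end trash link for editors and its nonce-checked handler, as one added example (my code, not the post's): the link is generated only for users who hold the capability, and the handler verifies both the nonce and the capability before acting. The dwt_ prefix, query keys and nonce action name are assumptions.

```php
<?php
// Added example (not from the original post): a front-end "Trash" link that is shown only to
// users allowed to delete the post, and a handler that re-checks both nonce and capability.
// The "dwt_" prefix, query keys and nonce action are hypothetical names.

function dwt_front_end_trash_link( $post_id ) {
    // Check the capability, not the role: an Editor may delete any post, an Author only their own.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return '';
    }
    $url = add_query_arg(
        array( 'action' => 'dwt_trash', 'post_id' => absint( $post_id ) ),
        home_url( '/' )
    );
    // Tie the nonce to the action AND the post id so it cannot be reused on another post.
    $url = add_query_arg( 'dwt_nonce', wp_create_nonce( 'dwt_trash_' . $post_id ), $url );
    return '<a href="' . esc_url( $url ) . '">Trash this post</a>';
}

function dwt_handle_trash_request() {
    if ( ! isset( $_GET['action'] ) || 'dwt_trash' !== $_GET['action'] ) {
        return;
    }
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $nonce   = isset( $_GET['dwt_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['dwt_nonce'] ) ) : '';

    // The nonce confirms origin and intent of the request for this user and this post.
    if ( ! $post_id || ! wp_verify_nonce( $nonce, 'dwt_trash_' . $post_id ) ) {
        wp_die( 'Invalid or expired request.', '', array( 'response' => 403 ) );
    }
    // Authorization is checked again here: a link can be copied, or kept after roles change.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to trash this post.', '', array( 'response' => 403 ) );
    }
    wp_trash_post( $post_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'template_redirect', 'dwt_handle_trash_request' );
```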


Hooks are a way for one piece of code to interact with and modify another piece of code.

There are two types of hooks: Actions and Filters. To use either, you need to write a custom function known as a callback, and then register it with WordPress for a specific action or filter.

Filters give you the ability to change the value of a piece of data during the execution of WordPress. Callback functions for filters will be passed through a variable, modified, and then returned. They are meant to work in an isolated manner, and should never affect global variables or anything else outside of the function.

Actions, in contrast, allow you to add to or change how WordPress operates. Your callback function will run at a specific point in the execution of WordPress, and can perform some kind of task, like echoing output to the user or inserting something into the database.

Actions work by calling the add_action() function and passing two parameters: the name of the action you want to hook into, and the name of your callback function that will be executed when the action runs.

Number of Arguments

In the following example, the filter named the_title runs a custom function named modify_the_title.
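An added example (my code, not the post's) of a filter callback on the_title and an action callback on save_post, each registered with an explicit priority and accepted-argument count. The dwt_ prefix and meta key are assumptions.

```php
<?php
// Added example (not from the original post): one filter and one action, registered with an
// explicit priority and number of accepted arguments. The "dwt_" prefix is hypothetical.

// Filter: receives the title, returns a modified copy, and touches nothing outside itself.
// The the_title filter passes two values (title, post ID); asking for accepted_args = 2
// makes WordPress hand over both, whereas the default of 1 would deliver only $title.
function modify_the_title( $title, $post_id = 0 ) {
    if ( is_admin() || ! $post_id ) {
        return $title; // leave admin screens and unknown posts alone
    }
    if ( 'draft' === get_post_status( $post_id ) ) {
        return '[Draft] ' . $title;
    }
    return $title;
}
add_filter( 'the_title', 'modify_the_title', 10, 2 );

// Action: runs at a point in execution and performs a task; its return value is ignored.
// save_post passes three arguments (post ID, post object, whether this is an update).
function dwt_log_post_save( $post_id, $post, $update ) {
    if ( wp_is_post_revision( $post_id ) || wp_is_post_autosave( $post_id ) ) {
        return; // skip the extra save_post runs WordPress makes for revisions and autosaves
    }
    // Stored as-is; the value is escaped at output time, not here.
    update_post_meta( $post_id, '_dwt_last_saved_by', get_current_user_id() );
}
add_action( 'save_post', 'dwt_log_post_save', 10, 3 );
```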


WordPress – walk-through – Part 1

In this series I will try to demonstrate the best parts of WordPress from a developer's point of view.

Please visit https://developer.wordpress.org for full reference.

Got a bunch of users? Not a problem. WordPress lets you define different roles for different users – just like in real life – and lets you assign privileges accordingly. Users can register themselves (if you want), and can submit content for your review.

WordPress is designed to be installed on your own web server, in the cloud, or in a shared hosting account.

You have complete control.

Unlike commercial software or third-party hosted services, you can be sure of being able to access and modify everything related to your site.

You can even install WordPress on your personal computer, or on a corporate intranet.

Want to connect WordPress to another system? WordPress uses XML-RPC, an open XML standard that allows different systems in different environments to talk to one another. XML-RPC is designed to be as simple as possible, while at the same time allowing for complex tasks to be performed. WordPress also supports an extended version of the Blogger API, the MetaWeblog API, and finally the MovableType API.

WordPress can be extended with the Multisite feature on demand: you can develop and maintain multiple sites from a single WordPress installation. Multisite is a feature of WordPress 3.0 and later versions that allows multiple virtual sites to share a single WordPress installation. When the multisite feature is activated, the original WordPress site can be converted to support a network of sites.

Spam protection

Out of the box WordPress comes with very robust tools such as an integrated blacklist and open proxy checker to manage and eliminate comment spam on your blog, and there is also a rich array of plugins that can take this functionality a step further.

Though typically in the software world a “major” version means you can break backwards compatibility, WordPress strives to never break backwards compatibility. Backwards compatibility is one of the project’s most important philosophies, with the aim of making updates much easier on users and developers alike.

Automatic Background Updates for Security Releases

The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end; the security update will install automatically.

If there’s one cardinal rule in WordPress development, it’s this: Don’t touch WordPress core. This means that you don’t edit core WordPress files to add functionality to your site. This is because, when WordPress updates to a new version, it overwrites the local files. Any functionality you want to add should be added through plugins using approved WordPress APIs.

There are two types of hooks within WordPress: actions and filters.

Actions allow you to add or change WordPress functionality.
Filters allow you to filter, or change, content as it is loaded.

Did you know that WordPress provides a number of Application Programming Interfaces (APIs)? These APIs can greatly simplify the code you need to write in your plugins. You don’t want to reinvent the wheel—especially when so many people have done a lot of the work and testing for you. The most common one is the Options API, which makes it easy to store data in the database for your plugin. If you’re thinking of using cURL in your plugin, the HTTP API might be of interest to you. Since we’re talking about plugins, you’ll want to study the Plugin API. It has a variety of functions that will assist you in developing plugins.


Let’s talk a little bit about plugin development. I think this is one of the most important core features of WordPress.

This is how you define a plugin header:

Activation and deactivation hooks provide ways to perform actions when plugins are activated or deactivated.
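A main plugin file as an added example (my code, not the post's dubebe-rss-importer): the plugin header, a direct-access guard, prefixed names, and activation and deactivation hooks that set up and tear down only what is temporary. Plugin name, dwt_ prefix, option names and the rewrite endpoint are assumptions.

```php
<?php
/**
 * Plugin Name: DWT Walk-through Sample
 * Description: Added example of a main plugin file (not the post's dubebe-rss-importer).
 * Version:     1.0.0
 * Author:      Example Author (placeholder)
 * License:     GPL-2.0-or-later
 * Text Domain: dwt-sample
 */

// Refuse to run when the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Everything is prefixed with dwt_ / DWT_ so it cannot collide with other plugins or core.
define( 'DWT_VERSION', '1.0.0' );

function dwt_register_rewrite() {
    // A custom front-end endpoint that only exists because of this plugin.
    add_rewrite_rule( '^dwt-feed/?$', 'index.php?dwt_feed=1', 'top' );
}
add_action( 'init', 'dwt_register_rewrite' );

function dwt_query_vars( $vars ) {
    $vars[] = 'dwt_feed'; // let WordPress accept the query variable the rule produces
    return $vars;
}
add_filter( 'query_vars', 'dwt_query_vars' );

function dwt_activate() {
    // Seed defaults only if absent, so a later re-activation keeps the user's settings.
    add_option( 'dwt_settings', array( 'items' => 10 ) );
    add_option( 'dwt_version', DWT_VERSION );
    // The plugin was not loaded when init fired for this request, so add the rule by hand.
    dwt_register_rewrite();
    flush_rewrite_rules();
}
register_activation_hook( __FILE__, 'dwt_activate' );

function dwt_deactivate() {
    // Deactivation is temporary: drop the rewrite rules and caches, keep options and data.
    flush_rewrite_rules();
    delete_transient( 'dwt_feed_cache' );
}
register_deactivation_hook( __FILE__, 'dwt_deactivate' );
```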

Your plugin may need to do some clean-up when it is uninstalled from a site. A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link.

When your plugin is uninstalled, you’ll want to clear out any rewrite rules added by the plugin, options and/or settings specific to the plugin, or other database values that need to be removed. Less experienced developers sometimes make the mistake of using the deactivation hook for this purpose.

Differences between deactivation and uninstall

When using uninstall.php, the plugin should always check for the WP_UNINSTALL_PLUGIN constant before executing.
The WP_UNINSTALL_PLUGIN constant is defined by WordPress at runtime during a plugin uninstall; it will not be present if uninstall.php is requested directly. It will also not be present when using the uninstall hook technique.
WP_UNINSTALL_PLUGIN is only defined when an uninstall.php file is found in the plugin folder.

This is how it looks when you upload your plugin to your WordPress website. In this case, dubebe-rss-importer is the plugin I defined.

Here is an example removing database entries.
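An added uninstall.php (my code, not the post's dubebe-rss-importer) that checks the constant first and then removes the options, transients, post meta and rewrite rules the plugin created, on every site of a network when Multisite is active. The dwt_ prefix, option names, meta key and post type are assumptions.

```php
<?php
// uninstall.php, an added example (not the post's dubebe-rss-importer code).
// WordPress defines WP_UNINSTALL_PLUGIN only while deleting a plugin that ships this file;
// bail out if it is missing (direct request, or someone included the file by hand).
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

// Hypothetical "dwt_" prefix; these are the values the plugin itself created.
$dwt_options = array( 'dwt_settings', 'dwt_version' );

function dwt_uninstall_site( array $options ) {
    foreach ( $options as $name ) {
        delete_option( $name );
    }
    delete_transient( 'dwt_feed_cache' );
    // Remove post meta the plugin wrote, across all posts, in one call.
    delete_post_meta_by_key( '_dwt_last_saved_by' );
    // Content of the plugin's own post type is deleted for good (force_delete = true).
    $ids = get_posts( array(
        'post_type'   => 'dwt_item',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $ids as $post_id ) {
        wp_delete_post( $post_id, true );
    }
    // Rewrite rules added by the plugin disappear once the rule set is regenerated.
    flush_rewrite_rules();
}

if ( is_multisite() ) {
    // On a network, clean every site's tables, not just the site running the uninstall.
    foreach ( get_sites( array( 'fields' => 'ids' ) ) as $site_id ) {
        switch_to_blog( $site_id );
        dwt_uninstall_site( $dwt_options );
        restore_current_blog();
    }
    delete_site_option( 'dwt_network_settings' );
} else {
    dwt_uninstall_site( $dwt_options );
}
```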