All files, variables, and functions should be prefixed with a unique identifier.
The root level of your plugin directory should contain your plugin-name.php and, optionally, your uninstall file. All other files should be organized into folders whenever possible.
Here’s a sample folder structure for reference:
Every time a post title, post meta value, or some other data from the database is rendered to the user, we need to make sure it’s properly escaped. This helps prevent issues like Cross-site scripting (XSS).
Mark Jaquith: Theme&Plugin Security
As you build a plugin, make sure to pay careful attention to which roles should be permitted to perform a specific action.
The example below shows a helpful function which gives editors a link to trash posts from the front end of their site:
Data coming from other sources will almost always be validated with PHP.
Validation is confirming that the data is what you expect it to be. Sanitization is a more liberal approach to cleaning your data.
Escaping means stripping out unwanted data, like malformed HTML or script tags (thereby preventing the dreaded cross-site scripting attack).
Most WordPress functions properly prepare data for output, so you don’t need to escape the data again. For example, you can safely call the_title() without escaping.
Escaping helps prevent issues such as cross-site scripting.
Nonces are generated numbers used to verify origin and intent of requests for security purposes. Each nonce can only be used once and includes a capability check to confirm the sender.
When you generate the action link, you’ll want to use wp_create_nonce() to add a nonce to the link:
when you’re processing a request to delete a link, you can check that the nonce is what you expect it to be:
Hooks are a way for one piece of code to interact with and modify another piece of code.
There are two types of hooks: Actions and Filters. To use either, you need to write a custom function known as a callback, and then register it with WordPress for a specific action or filter.
Filters give you the ability to change the value of a piece of data during the execution of WordPress. Callback functions for filters will be passed through a variable, modified, and then returned. They are meant to work in an isolated manner, and should never affect global variables or anything else outside of the function.
Actions, in contrast, allow you to add to or change how WordPress operates. Your callback function will run at a specific point in in the execution of WordPress, and can perform some kind of task, like echoing output to the user or inserting something into the database.
Actions work by calling the add_action() function and passing two parameters: the name of the action you want to hook into, and the name of your callback function that will be executed when the action runs.
Number of Arguments
In the following example, the_title() filter runs a custom function named modify_the_title