I’ll be giving a presentation at the Seattle WordPress Developers Meetup tomorrow about how to write WordPress plugins that are both object-oriented, and implement the Model-View-Controller pattern. If you plan on attending, you can follow along with the slides and download the lab files .
All posts in WordPress
It’s not possible to create grandchild themes in the same way that you create child themes, but you can use a plugin to dequeue/enqueue stylesheets and scripts, and also override the locations of the main query templates. It’s obviously not the ideal solution, but there are cases where it may be the least-bad one.
In an ideal world you’d never have to fork a plugin, because developers would always make their plugins extensible with hooks , just like WordPress itself does. But unfortunately that’s not usually the case, and it’s sometimes necessary to directly modify a plugin to make it do what you need. In those cases, you want to make sure that the plugin… [more]
I recently spent some time reviewing the WordPress security plugin landscape, since there’ve been some big changes in the past year, and I’ve decided to update some of my standard choices. No single plugin covers all the different requirements, so it’s necessary to use a combination. That can be a problem, though, because the feature-sets… [more]
XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket .. Luckily, it’s easy to disable it. Just add this to a plugin: I’ve added that to my security checklist for new installations, and updated my installation skeleton to include… [more]
Note: This was originally a post to the Seattle PHP Meetup mailing list, but I’m reproducing it here to generate a discussion about the topic with people outside the meetup. * * * * I write a lot plugins for WordPress, and I like to make them object-oriented, even though WordPress itself is mostly procedural. I think it… [more]
Most WordPress security guides recommend moving wp-config.php outside of the Apache document root in order to prevent the database password being exposed if the PHP engine fails to parse the file, or from being readable to infected scripts running in the domain. Despite the conventional wisdom, though, this technique doesn’t solve those problems , and can actually create new problems if… [more]
I’ve been having a hard time figuring out an error that a client’s been getting in the Android and iOS apps for WordPress, but finally found the reason. The problem was that, when adding new posts with images, the post would be saved and the image would be uploaded and attached to the post, but… [more]
News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it . Update: It also sounds like an official WordPress mailing list for plugin security notifications is in the works.
I just threw a couple small PHP classes up on GitHub that I use in almost every WordPress plugin I write. The first is IDAdminNotices , which is a clean and easy way for plugins and themes to send messages/errors to the user within the Administration Panels. The second is IDDescribeVar , which will outputs the type, length and contents… [more]
Many actions in WordPress will fire multiple times, which can lead to performance drags and undesired/intuitiveness results. Pippin Williamson points out that you can check how many times an action has already run , and modify your code to respond accordingly.
In the past I’ve used Login Lockdown and Login Lock to block brute force attempts against WordPress installations, but Login Lockdown isn’t actively maintained and Login Lock has some serious bugs/security vulnerabilities. Recently Daniel Convissor released a new plugin called Login Security Solution that has the same basic features of Login Lockdown and Login Lock, but without the problems they have. He’s also added several more… [more]
Normally any kind of global values that don’t change within a program’s execution should be defined as constants, but text domains within internationalized WordPress plugins are an exception to that rule. Mark Jaquith explains why it’s important to use a string instead .
BackPress is a useful project that packages the re-usable code from WordPress into an independent library you can use in non-WordPress projects.
I ran into a problem today while cleaning up and modifying some widgets. I moved all of the markup inside widget() to an external view file, and then included it via require_once(), which worked fine. I then tried to do the same thing inside form(), but didn’t get any output. It turns out that you can’t use include_once() or require_once() inside form() ,… [more]
Ok, so it’s already 2012, but I just came across an article comparing the three from last year and it was a good read. Like a lot of articles, though, the real value is in the comments more than the article itself. Going into it I had the impression that Joomla was a stagnant mess, but it sounds… [more]