I ran into an undocumented and unexpected problem when registering custom post type meta fields for the REST API.
register_meta() exposes meta fields in all REST API endpoints, which can lead to privacy leaks. To avoid that, it can be called conditionally.
Unfortunately, the WordPress.org plugin repository doesn’t provide a way to maintain your plugin with Git. In the past, I’ve either just used Subversion, or hosted an extra copy on GitHub, and set up Git and SVN side-by-side in the same directory. A while ago, I briefly considered using git-svn, because it would allow me to avoid using Subversion entirely, […]
I wanted to update the database prefix on this site, but most of the tutorials out there have you do it manually. There are some plugins available, but I didn’t trust most of them, and the ones that I did were kind of bloated with other features, and I didn’t want to mess with the […]
We’ve opened the call for speakers for this year’s WordCamp Seattle. Give it a shot if you have any ideas, best practices, use cases, or stories you want to share with the community. I think people are often hesitant to put themselves out there, and that’s definitely understandable, but the WordPress community is really welcoming, and I think […]
I just finished the first version of a new WordPress installation template called Regolith. I’ve been using my personalized fork of Mark Jaquith’s WordPress Skeleton for the past several years, but recently came across Bedrock and really liked it. I started playing around with it, but quickly discovered that the tools and practices it embraced were a bit overkill for […]
$wpdb->prepare() is often called with each un-sanitized value explicitly passed as an individual argument; for example: $wpdb->prepare( "SELECT id FROM wp_posts WHERE id > %d AND `post_status` = %s", $min_id, $status ) The function will also accept an array of un-sanitized values, though, like this: $wpdb->prepare( "SELECT id FROM wp_posts WHERE id > %d AND […]
TL;DR: View the code on Meta Trac. Every once in a while I’ll run into a situation where something will break permalinks on all the sites in a WordPress Multisite network, like a plugin network-activation gone wrong. On a single site, it’s easy enough to fix by manually visiting Settings > Permalinks, which will flush and rebuild the rewrite […]
Why Websites get Hacked is a good high-level article to send to clients or friends who don’t understand why someone would want to attack their site — and therefore don’t see the need to protect it — or are curious about how it happens.
I’m working on a plugin that implements a custom post type, and it doesn’t need the editor, but I do want to upload files. I set up everything like you normally would, but I noticed that the files weren’t being attached to the post when they were uploaded. I couldn’t find anything online, so I dug through […]
WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site. That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton […]
I’m one of the mentors for WordPress’ SupportPress project in this year’s Google Summer of Code, and I wanted to put together a list of WordPress.tv videos to help introduce Varun to the WordPress community and some development best practices. I figured it’d be good to save it for future reference, so I’m also posting […]
Mike Jordan’s post on the WordPress community has some great insight and challenging thoughts. The truth is, however, that our community does not have these rare traits simply because its members are just that awesome. The primary reason that our community is so approachable, is that for the first several years of its life we had to […]