WordPress Plugin And Theme Orientation
WordPress applications commonly extend behaviour through plugins and presentation through themes. Safe work respects hooks, capability checks, nonce verification, escaping, sanitisation, and the platform update path.
Extend Supported Boundaries
Use plugins for behaviour and themes for presentation rather than editing WordPress core. Actions run code at named points in the lifecycle. Filters receive a value, allow code to change it, and return the updated value.
<?php
declare(strict_types=1);

// A filter receives the current value, may change it, and must return it.
// 'the_title' passes the post title (and the post ID, which we ignore here).
add_filter('the_title', static function (string $title): string {
    return trim($title);
});
Protect Admin Actions
For a state-changing admin action, verify both intent and permission. A nonce helps protect against CSRF; it does not replace authorization.
<?php
declare(strict_types=1);

// Authorization first: does this user hold the capability for the action?
if (! current_user_can('manage_options')) {
    wp_die('You are not allowed to perform this action.');
}

// Intent next: the nonce shows the request came from our own admin form (CSRF check).
check_admin_referer('rebuild_product_index');

// Validation: accept only an integer product ID; filter_input returns
// false on a malformed value and null when the field is absent.
$productId = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
if ($productId === false || $productId === null) {
    wp_die('Invalid product ID.');
}
Escape output for its context when rendering, such as with esc_html() for ordinary text and esc_url() for URLs. Keep WordPress core, plugins, themes, and the PHP runtime current, and test updates against the application's custom code.
Practice
Practice: Review A WordPress Admin Action
Review a WordPress administrator action for supported hooks, authorization, CSRF protection, validation, and output escaping.
Requirements
- Use a supported hook.
- Check capability and nonce.
- Validate input and escape output.
- Avoid core edits.
Solution
Register the behaviour through a supported plugin hook rather than changing WordPress core. For the state-changing request, check the user's capability and verify a nonce.
Validate submitted values before using them and escape rendered output for its context. Test the action against the supported WordPress and PHP versions.
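A complete version of the admin action described under "Protect Admin Actions" and reviewed in this practice, added here as an example (not code from the original page): it registers a Tools screen through the admin_menu hook, renders a form that carries a nonce, and handles the submission on the admin_post_rebuild_product_index hook with the capability check, nonce check, validation and escaping in one place. The page slug, the pi_ function prefix and the 'product' post type are assumptions.

```php
<?php
declare(strict_types=1);

// Register the screen under Tools; WordPress only shows it to users with manage_options.
add_action('admin_menu', static function (): void {
    add_management_page('Product Index', 'Product Index', 'manage_options',
        'product-index', 'pi_render_page');   // slug and callback name are assumed
});

// Render the form. wp_nonce_field() adds the hidden nonce tied to this action name.
function pi_render_page(): void {
    $done = filter_input(INPUT_GET, 'rebuilt', FILTER_VALIDATE_INT);
    echo '<div class="wrap"><h1>Product Index</h1>';
    if ($done !== null && $done !== false) {
        // Escape for the HTML text context even though we set this parameter ourselves.
        echo '<p>' . esc_html(sprintf('Rebuilt index for product %d.', $done)) . '</p>';
    }
    // URL context: esc_url() for the form action.
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="rebuild_product_index">';
    wp_nonce_field('rebuild_product_index');
    echo '<input type="number" name="product_id" min="1" required> ';
    submit_button('Rebuild');
    echo '</form></div>';
}

// Handle the POST sent to admin-post.php: permission, then intent, then validation.
add_action('admin_post_rebuild_product_index', static function (): void {
    if (! current_user_can('manage_options')) {
        wp_die('You are not allowed to perform this action.', '', ['response' => 403]);
    }
    check_admin_referer('rebuild_product_index');   // dies on a missing or stale nonce

    $productId = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
    if ($productId === false || $productId === null || $productId < 1) {
        wp_die('Invalid product ID.', '', ['response' => 400]);
    }
    // Confirm the ID refers to a product before acting on it ('product' post type is assumed).
    $post = get_post($productId);
    if (! $post instanceof WP_Post || $post->post_type !== 'product') {
        wp_die('Unknown product.', '', ['response' => 404]);
    }
    // Hypothetical: the plugin's own index rebuild for $productId would run here.

    // Redirect back to the screen (never render output from the POST handler itself).
    wp_safe_redirect(add_query_arg('rebuilt', $productId, admin_url('tools.php?page=product-index')));
    exit;
});
```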