Week 8 Post – Report 8

Reading Professional WordPress Chapter 7 Plugin Development

This chapter gives a very detailed walkthrough of the plugin development process, from settings pages, integration into WordPress and plugin security to uninstall routines and publication. However, I don’t want to cover the whole process in this report; instead, I will extract and elaborate on some concepts I am interested in which play important roles in plugin development.



Most plugins achieve their functions by connecting to WordPress hooks, both action and filter hooks. While WordPress runs, at the particular points that correspond to different hooks, it checks whether any function has been registered for that hook. If there is one, the function is run.

Below are some action hooks that are used in this chapter:

  • admin_init, can be used to initialize the plugin or to register option settings. It is triggered before any other hook when a user accesses the admin area.
  • admin_menu, used to add a menu item or sub-menu item for a settings page. It runs after the basic admin panel menu structure is in place.
  • save_post, can be used to save meta box data when the post is saved. It is triggered whenever a post or page is created or updated.
  • widgets_init, used to create a plugin widget. It fires after all default WordPress widgets have been registered.

The Plugin API/Action Reference page on Codex has a full list of action hooks for plugin development.
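As an added example (not from the book), this hypothetical plugin attaches callbacks to two action hooks: add_meta_boxes (a real WordPress hook that is not in the chapter's list; it fires when the post editor builds its meta boxes) and save_post from the list above. All names prefixed r8_ are assumptions made for this example. The save_post callback shows the checks a handler needs before it touches the database, because save_post fires for autosaves and revisions too, and nothing about the hook itself proves where the request came from.

```php
<?php
/*
Plugin Name: Report 8 Hook Demo (constructed example, not the book's code)
*/

// Register the meta box when the editor builds its boxes.
add_action( 'add_meta_boxes', 'r8_add_subtitle_box' );
function r8_add_subtitle_box() {
    add_meta_box( 'r8_subtitle', 'Subtitle', 'r8_render_subtitle_box', 'post', 'side' );
}

function r8_render_subtitle_box( $post ) {
    // The nonce field ties this form to the action name "r8_save_subtitle".
    wp_nonce_field( 'r8_save_subtitle', 'r8_subtitle_nonce' );
    $value = get_post_meta( $post->ID, '_r8_subtitle', true );
    echo '<input type="text" name="r8_subtitle" value="' . esc_attr( $value ) . '" class="widefat" />';
}

// save_post fires whenever a post is created or updated. Priority 10, 2 accepted
// arguments ($post_id and the WP_Post object).
add_action( 'save_post', 'r8_save_subtitle', 10, 2 );
function r8_save_subtitle( $post_id, $post ) {
    // 1. Autosaves and revisions do not carry our form data: do nothing.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // 2. The nonce proves the request came from our meta box form (CSRF check).
    if ( ! isset( $_POST['r8_subtitle_nonce'] )
        || ! wp_verify_nonce( $_POST['r8_subtitle_nonce'], 'r8_save_subtitle' ) ) {
        return;
    }
    // 3. A valid nonce is not a permission check: the user must be able to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 4. Sanitize before storing. wp_unslash() removes the slashes WordPress adds to $_POST.
    $subtitle = isset( $_POST['r8_subtitle'] )
        ? sanitize_text_field( wp_unslash( $_POST['r8_subtitle'] ) )
        : '';
    update_post_meta( $post_id, '_r8_subtitle', $subtitle );
}
```

The order of the checks matters little for correctness, but each one guards a different failure: the autosave check avoids wiping the value with an empty form, the nonce check rejects forged requests, and the capability check stops a logged-in user with a valid nonce from editing a post they do not own.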


WordPress API

WordPress APIs simplify the plugin development by providing various well-defined functions in different aspects. According to WordPress Codex,

The WordPress API stands for the WordPress Application Programming Interface. It can be separated into multiple API sections / topics. Each covers the functions involved in and use of a given set of functionality. Together they form what might be called the WordPress API, which is the plugin/theme/add-on interface created by the entire WordPress project.

In the example of this chapter, the following APIs are used for plugin development:

  • Settings API

The Settings API allows developers to define settings pages in the Dashboard, sections within settings pages and fields within sections. It handles the security checks, so saving options is both easy and secure.
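The following is an added example of a settings page built with the Settings API; it is not code from the book, and every r8_ name is an assumption. It uses the admin_menu and admin_init hooks from the earlier list. The point worth seeing is that the form posts to options.php, so WordPress itself performs the nonce and capability checks, and that register_setting() attaches a sanitize callback that runs on every save, so the stored value is always in a known shape. The array form of register_setting() with a 'default' key assumes WordPress 4.7 or later, and the ?? operator assumes PHP 7.

```php
<?php
// Constructed example: hypothetical "Report 8" settings page.

add_action( 'admin_menu', 'r8_add_settings_page' );
function r8_add_settings_page() {
    // Under Settings; only users with manage_options see and can open it.
    add_options_page( 'Report 8 Settings', 'Report 8', 'manage_options',
        'r8-settings', 'r8_render_settings_page' );
}

add_action( 'admin_init', 'r8_register_settings' );
function r8_register_settings() {
    register_setting( 'r8_settings_group', 'r8_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'r8_sanitize_options',
        'default'           => array( 'items_per_page' => 10, 'feed_url' => '' ),
    ) );
    add_settings_section( 'r8_main', 'Main Settings', '__return_false', 'r8-settings' );
    add_settings_field( 'items_per_page', 'Items per page', 'r8_field_items', 'r8-settings', 'r8_main' );
    add_settings_field( 'feed_url', 'Feed URL', 'r8_field_feed', 'r8-settings', 'r8_main' );
}

// Runs on every save, before the value reaches wp_options.
function r8_sanitize_options( $input ) {
    $clean = array();
    // absint() turns anything non-numeric or negative into 0; then clamp to 1..100.
    $clean['items_per_page'] = min( 100, max( 1, absint( $input['items_per_page'] ?? 10 ) ) );
    // esc_url_raw() is the storage-side URL sanitizer (esc_url() is for output).
    $clean['feed_url'] = esc_url_raw( $input['feed_url'] ?? '' );
    return $clean;
}

function r8_field_items() {
    $o = get_option( 'r8_options' );
    echo '<input type="number" name="r8_options[items_per_page]" value="'
        . esc_attr( $o['items_per_page'] ) . '" min="1" max="100" />';
}

function r8_field_feed() {
    $o = get_option( 'r8_options' );
    echo '<input type="url" name="r8_options[feed_url]" value="'
        . esc_attr( $o['feed_url'] ) . '" class="regular-text" />';
}

function r8_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="wrap"><h1>Report 8 Settings</h1>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'r8_settings_group' );   // emits the nonce, option_page and referer fields
    do_settings_sections( 'r8-settings' );
    submit_button();
    echo '</form></div>';
}
```

Because the whole option is one array with a single sanitize callback, a malformed or extra key submitted with the form never reaches the database: the callback rebuilds the array from scratch and only copies the keys it knows.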

  • Shortcode API

Shortcodes are text macros that can be inserted into a post’s content. When the post is displayed, each shortcode is replaced by the output of its shortcode handler function.

The Shortcode API includes functions for creating shortcodes and handling their attributes, such as

function add_shortcode( $tag, $callback );
function shortcode_atts( $pairs, $atts, $shortcode = '' );

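An added example of a complete shortcode handler using both functions (not from the book; the [r8_button] tag and r8_ names are assumptions). shortcode_atts() does two jobs: it fills in defaults for attributes the author left out, and it drops any attribute that is not in the defaults array, so an unexpected attribute can never be interpolated into the HTML. The third argument lets other code adjust the defaults through the shortcode_atts_r8_button filter.

```php
<?php
// Constructed example: [r8_button url="https://example.com" style="secondary"]Go[/r8_button]

add_shortcode( 'r8_button', 'r8_button_shortcode' );

// $atts: attributes the author typed; $content: text between the opening and closing tag.
function r8_button_shortcode( $atts, $content = null, $tag = '' ) {
    $a = shortcode_atts( array(
        'url'   => '#',
        'style' => 'primary',
    ), $atts, $tag );

    // Restrict free-text attributes to a known set wherever possible.
    $style = in_array( $a['style'], array( 'primary', 'secondary' ), true ) ? $a['style'] : 'primary';

    // A shortcode handler must return its output, never echo it, or it appears
    // at the top of the post instead of in place of the tag.
    return sprintf(
        '<a class="r8-btn r8-btn-%s" href="%s">%s</a>',
        esc_attr( $style ),
        esc_url( $a['url'] ),                 // returns '' for javascript: and other disallowed schemes
        esc_html( $content ?: 'Read more' )   // use do_shortcode( $content ) instead only if nesting is wanted
    );
}
```

Shortcode attributes are written by whoever can edit the post, which on a multi-author site is not necessarily a trusted user, so the handler treats them exactly like form input: whitelist the choice, escape the URL, escape the text.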
  • Widget API

When developing widgets (this chapter covers widgets included in plugins), developers register the widget with the Widget API function register_widget() and create a new widget class that extends the WP_Widget class.
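An added example of the widget pattern described above (not the book's code; the R8_Recent_Posts_Widget class and its settings are assumptions). A WP_Widget subclass implements three methods: widget() for the front-end output, form() for the admin form, and update() for sanitizing the submitted settings before WordPress stores them. The class is registered on widgets_init, after the default widgets exist.

```php
<?php
// Constructed example: a widget listing the newest published posts.

class R8_Recent_Posts_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'r8_recent_posts', 'Report 8 Recent Posts',
            array( 'description' => 'Lists the newest posts.' ) );
    }

    // Front-end output. $args carries the theme's before/after wrappers.
    public function widget( $args, $instance ) {
        $title = apply_filters( 'widget_title', $instance['title'] ?? '' );
        $count = absint( $instance['count'] ?? 5 );

        echo $args['before_widget'];
        if ( $title ) {
            echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
        }
        $posts = get_posts( array( 'numberposts' => $count, 'post_status' => 'publish' ) );
        echo '<ul>';
        foreach ( $posts as $p ) {
            echo '<li><a href="' . esc_url( get_permalink( $p ) ) . '">'
                . esc_html( get_the_title( $p ) ) . '</a></li>';
        }
        echo '</ul>';
        echo $args['after_widget'];
    }

    // Admin form. get_field_id()/get_field_name() keep multiple instances apart.
    public function form( $instance ) {
        $title = $instance['title'] ?? '';
        $count = absint( $instance['count'] ?? 5 );
        printf(
            '<p><label for="%1$s">Title:</label> <input class="widefat" id="%1$s" name="%2$s" type="text" value="%3$s" /></p>',
            esc_attr( $this->get_field_id( 'title' ) ),
            esc_attr( $this->get_field_name( 'title' ) ),
            esc_attr( $title )
        );
        printf(
            '<p><label for="%1$s">Posts to show:</label> <input id="%1$s" name="%2$s" type="number" min="1" max="20" value="%3$d" /></p>',
            esc_attr( $this->get_field_id( 'count' ) ),
            esc_attr( $this->get_field_name( 'count' ) ),
            $count
        );
    }

    // Called on save; whatever is returned here is what gets stored.
    public function update( $new_instance, $old_instance ) {
        return array(
            'title' => sanitize_text_field( $new_instance['title'] ?? '' ),
            'count' => min( 20, max( 1, absint( $new_instance['count'] ?? 5 ) ) ),
        );
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'R8_Recent_Posts_Widget' );
} );
```

update() is the only place the widget's settings are sanitized, so it rebuilds the array rather than merging $new_instance in, and widget() still escapes everything on output because the stored title may have been written by an older version of the plugin or edited directly in the database.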

  • Options API

The Options API provides an easy and standardized way to manage plugin-related options: creating, deleting, updating and getting them. All the data is stored in the database table wp_options.
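An added example covering the four operations named above (not the book's code; the r8_ names, option name and defaults are assumptions). It keeps all of the plugin's settings in one serialized array, merges stored values with defaults on every read so a key added in a later version never produces an undefined-index notice, creates the row on activation with autoload off, and deletes it on uninstall so the plugin leaves nothing behind in wp_options.

```php
<?php
// Constructed example: option lifecycle for a hypothetical plugin.

define( 'R8_OPTION', 'r8_plugin_options' );

function r8_default_options() {
    return array( 'enabled' => true, 'cache_ttl' => 300, 'api_key' => '' );
}

// GET: wp_parse_args() fills missing keys from the defaults.
function r8_get_options() {
    $stored = get_option( R8_OPTION, array() );
    return wp_parse_args( is_array( $stored ) ? $stored : array(), r8_default_options() );
}

// CREATE: add_option() is a no-op if the row already exists, so reactivation
// never resets user settings. autoload 'no' keeps it out of every page load.
register_activation_hook( __FILE__, 'r8_activate' );
function r8_activate() {
    add_option( R8_OPTION, r8_default_options(), '', 'no' );
}

// UPDATE: change one key; unknown keys are refused so the array keeps its shape.
function r8_set_option( $key, $value ) {
    $options = r8_get_options();
    if ( ! array_key_exists( $key, $options ) ) {
        return false;
    }
    $options[ $key ] = $value;
    // update_option() serializes the array and returns false when nothing changed.
    return update_option( R8_OPTION, $options );
}

// DELETE: runs when the plugin is removed through the admin, not on deactivation.
register_uninstall_hook( __FILE__, 'r8_uninstall' );
function r8_uninstall() {
    delete_option( R8_OPTION );
}
```

register_uninstall_hook() must be called from the plugin's main file with a plain function (or static method) name, because WordPress runs the uninstall callback without loading the plugin; an uninstall.php file in the plugin directory is the alternative the chapter also mentions.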

Plugin Security

Security is of the utmost importance for plugins. WordPress features some built-in security tools to help developers handle security issues.

A nonce in WordPress stands for “number used once”; it is a hash consisting of numbers and letters. It is used to protect forms and URLs from malicious requests, especially Cross-Site Request Forgery (CSRF). The nonce acts like a secret key that is only valid for a particular user and a particular action.

Nonce generation and checking largely happens automatically behind the scenes, for example when the WordPress APIs are used to save options. Where plugin developers handle forms or URLs themselves, nonces should be generated and verified using WordPress functions such as wp_nonce_url() and check_admin_referer().
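An added example of the two functions named above protecting an admin action link (not from the book; the "clear cache" action, the r8_ names and the transient are assumptions). wp_nonce_url() appends a _wpnonce argument bound to the action name and the current user; check_admin_referer() verifies it on the receiving side and stops the request with an "expired link" page if it is missing or wrong. The handler also checks a capability, because a nonce only proves that the user intended this action, not that they are allowed to perform it.

```php
<?php
// Constructed example: a nonce-protected "Clear cache" link and its handler.

// Rendered somewhere on the plugin's admin page.
function r8_clear_cache_link() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=r8_clear_cache' ),
        'r8_clear_cache'   // action name: the nonce is valid only for this action and this user
    );
    return '<a href="' . esc_url( $url ) . '" class="button">Clear cache</a>';
}

// admin-post.php dispatches to admin_post_{action} for logged-in users.
add_action( 'admin_post_r8_clear_cache', 'r8_handle_clear_cache' );
function r8_handle_clear_cache() {
    // Verifies the _wpnonce query argument against the same action name
    // (and the referer); calls wp_die() on failure, so nothing below runs.
    check_admin_referer( 'r8_clear_cache' );

    // Intent is proven; now check permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }

    delete_transient( 'r8_cache' );

    // Go back to the page the link was on, never to an arbitrary URL.
    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'r8_cleared', '1', $back ) );
    exit;
}
```

The failure mode this guards against is a link on another site (or in a comment) that points at admin-post.php?action=r8_clear_cache: without the nonce, an administrator who is logged in and clicks it would perform the action; with it, check_admin_referer() rejects the request because the attacker cannot know a nonce minted for that user.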

Any data that comes from somewhere other than the code itself is suspicious until it has been checked. Handling it can be divided into two parts: checking user input and securing output.

  1. Checking User Input

Validating user input means checking that the input has the correct data type, length or whatever format the user should follow. We can also use the sanitize_*() class of helper functions to sanitize user input. For example, the sanitize_text_field() function sanitizes text input.

  2. Securing Output

For output, we have escape functions to scrub the data before it is displayed or inserted into the database. The commonly used ones are

  • esc_html(), to escape output data that is enclosed in HTML tags.
  • esc_url(), to escape all URLs, including those in the ‘src’ and ‘href’ attributes of an HTML element.
  • esc_attr(), to escape data that is printed into an HTML element’s attribute.
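As an added example tying the two parts together (not from the book; the profile form, its fields and the r8_ names are assumptions), the first function sanitizes and validates submitted data on the way in, and the second escapes each value for the exact HTML context it lands in on the way out. The two steps are not interchangeable: sanitizing at input keeps the stored data clean, but the output still gets escaped, because a value that is safe as text is not automatically safe inside an attribute or a URL.

```php
<?php
// Constructed example: a "profile link" form.

// INPUT: run on the submitted form data. Returns a clean array or a WP_Error.
function r8_sanitize_profile( array $raw ) {
    $clean = array();

    // Text: strip tags, control characters and surrounding whitespace.
    $clean['name'] = sanitize_text_field( wp_unslash( $raw['name'] ?? '' ) );
    // Validation on top of sanitization: the format the user must follow.
    if ( $clean['name'] === '' || mb_strlen( $clean['name'] ) > 60 ) {
        return new WP_Error( 'bad_name', 'Name must be 1 to 60 characters.' );
    }

    // URL for storage: esc_url_raw() keeps it unencoded but drops disallowed schemes.
    $clean['site'] = esc_url_raw( wp_unslash( $raw['site'] ?? '' ), array( 'http', 'https' ) );

    // A fixed choice: compare against a whitelist instead of trusting the value.
    $clean['theme'] = in_array( $raw['theme'] ?? '', array( 'light', 'dark' ), true )
        ? $raw['theme'] : 'light';

    return $clean;
}

// OUTPUT: one escape function per context.
function r8_render_profile( array $p ) {
    // Unsafe version, for contrast (never do this):
    //   '<a href="' . $p['site'] . '">' . $p['name'] . '</a>'
    // A stored name containing a <script> tag, or a site of "javascript:...",
    // would be written into the page exactly as stored.
    return sprintf(
        '<div class="profile %s" data-name="%s"><a href="%s">%s</a></div>',
        esc_attr( $p['theme'] ),   // class attribute
        esc_attr( $p['name'] ),    // data-* attribute: quotes become &quot;
        esc_url( $p['site'] ),     // href: returns '' for a disallowed scheme
        esc_html( $p['name'] )     // text between tags: < becomes &lt;
    );
}
```

Keeping the whitelist check in the sanitizer and the escaping in the renderer means each function can be reviewed on its own: the first never emits HTML, and the second never trusts its input.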


Next Week Plan

As planned in the schedule, I will finish the book Professional WordPress next week and start reading the book WordPress Theme Design, which will help me more in terms of theme development.

I will learn more about infinite scroll on WordPress next week, probably using JavaScript to implement instead of Jetpack.

To further develop the collaborative project, I will add a tag cloud to the sidebar in the header section of the custom template page.
