WordPress VIP Similarities

By: Ryan Kienstra on: January 4, 2015  in: Security, WordPress VIP

Some of the coding standards for the WordPress VIP platform are similar to the normal WP standards.

Developers with plugins and themes on wordpress.org will know them.

But these become more important in the high-volume VIP multi-sites.

These practices can improve security and performance of any WordPress site.


Remote Requests

  • Use the WordPress APIs for outgoing requests: the HTTP API (wp_remote_get() / WP_Http), wp_oembed_get(), and the admin-ajax API, rather than curl or file_get_contents().
  • Cache the results (for example with the Transients API), so a slow or unreachable remote host does not block every page load.
$raw_code = wp_oembed_get( esc_url( $url ) );

(From my Adapter Responsive Video plugin)
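Here is an added example (not code from the original post or the Adapter plugin) of the two bullets together: a remote JSON fetch that goes through the WordPress HTTP API and stores the decoded result in a transient. The function name, the 'rk_remote_' cache prefix, the 3-second timeout and the one-hour TTL are assumptions.

```php
<?php
/**
 * Added example, not from the original post: a cached remote request.
 * The function name, transient prefix and TTL are assumptions.
 *
 * @param string $url Remote endpoint expected to return JSON.
 * @return array|WP_Error Decoded JSON on success, WP_Error otherwise.
 */
function rk_get_remote_json( $url ) {
	$url = esc_url_raw( $url );
	if ( '' === $url ) {
		return new WP_Error( 'rk_bad_url', 'Refusing to request an invalid URL.' );
	}

	// Key the cache on the URL so each endpoint is cached separately.
	$cache_key = 'rk_remote_' . md5( $url );
	$cached    = get_transient( $cache_key );
	if ( false !== $cached ) {
		return $cached;
	}

	// wp_remote_get() goes through WP_Http, so proxies, the http_request_args
	// filter and certificate verification all apply. Keep the timeout short:
	// on a high-traffic site a hung request ties up a PHP worker.
	$response = wp_remote_get( $url, array(
		'timeout'   => 3,
		'sslverify' => true,
	) );
	if ( is_wp_error( $response ) ) {
		return $response;
	}
	if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'rk_bad_status', 'Unexpected HTTP status from remote host.' );
	}

	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( null === $data ) {
		return new WP_Error( 'rk_bad_json', 'Response body was not valid JSON.' );
	}

	// Only successful, well-formed responses are cached; errors fall through
	// so the next request retries instead of serving a cached failure.
	set_transient( $cache_key, $data, HOUR_IN_SECONDS );
	return $data;
}
```

Callers should check is_wp_error() on the return value and render a fallback rather than a fatal error when the remote host is down.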


Custom Roles

Use the WP role and capability functions (get_role(), add_role(), WP_Role::add_cap() / remove_cap()) rather than editing the user_roles option directly.

add_action( 'init', 'ac_editor_capability' );
function ac_editor_capability() {
	$editor = get_role( 'editor' );
	// get_role() returns null when the role does not exist; guard before using it.
	if ( null === $editor ) {
		return;
	}
	// Stops editors from saving raw <script> and similar markup. The change is
	// written to the database, so it only needs to run once (for example on
	// theme activation); hooking init repeats it on every request.
	$editor->remove_cap( 'unfiltered_html' );
}

(From my “Adapter” child theme)
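As an added example (not code from the Adapter theme), the same approach applied to creating a role: a least-privilege reviewer role registered once on theme activation, removed on deactivation, with the privileged action guarded by capability rather than role name. The role slug 'ac_reviewer', its capability set and the hook choices are assumptions.

```php
<?php
/**
 * Added example, not from the original post. The role slug, its
 * capabilities and the activation hooks are assumptions.
 */
function ac_register_reviewer_role() {
	// add_role() writes to the user_roles option, so register on activation,
	// not on init. Skip if it already exists.
	if ( null !== get_role( 'ac_reviewer' ) ) {
		return;
	}
	add_role( 'ac_reviewer', 'Reviewer', array(
		'read'              => true,
		'edit_posts'        => true,
		'edit_others_posts' => true,
		// Deliberately absent: publish_posts, upload_files, unfiltered_html,
		// manage_options. A reviewer can edit drafts but not publish them.
	) );
}
add_action( 'after_switch_theme', 'ac_register_reviewer_role' );

function ac_remove_reviewer_role() {
	// Clean up so the role does not linger after the theme is switched away.
	remove_role( 'ac_reviewer' );
}
add_action( 'switch_theme', 'ac_remove_reviewer_role' );

/**
 * Gate a privileged action on the capability, not on the role name, so the
 * check keeps working if an admin later reassigns capabilities.
 */
function ac_mark_reviewed( $post_id ) {
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( esc_html__( 'You are not allowed to review this post.', 'ac' ) );
	}
	update_post_meta( $post_id, '_ac_reviewed', 1 );
}
```

Checking current_user_can( 'edit_post', $post_id ) rather than comparing role slugs also covers administrators and editors without listing them.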


No Direct Database Queries

  • Use WordPress abstractions like WP_Query instead of $wpdb queries assembled from strings.
  • VIP agency 10up recommends WP_Query over get_posts(), which sets suppress_filters to true by default and so bypasses plugin filters on the query.
$page_uri_query = new WP_Query( array(
	'post_type'      => 'page',
	'posts_per_page' => 100,
) );

(From my Widget Live Editor plugin)
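To show why the abstraction matters, here is an added example (not code from the Widget Live Editor plugin) of one lookup written three ways: the string-built query to avoid, the WP_Query form VIP prefers, and $wpdb->prepare() for the rare case where raw SQL is unavoidable. The meta key '_awp_featured' and the function names are assumptions.

```php
<?php
/**
 * Added example, not from the original post. The meta key and function
 * names are assumptions.
 */

// 1. Avoid: $title is interpolated into SQL unescaped, so a title containing a
//    quote breaks the query, and attacker-controlled input would be injected.
function awp_pages_by_title_unsafe( $title ) {
	global $wpdb;
	return $wpdb->get_col(
		"SELECT ID FROM {$wpdb->posts} WHERE post_type = 'page' AND post_title = '$title'"
	);
}

// 2. Preferred: WP_Query builds the SQL with escaping, goes through the object
//    cache, and fires the pre_get_posts / posts_* filters other plugins rely on.
//    no_found_rows skips the extra COUNT query when pagination is not needed.
function awp_featured_page_ids() {
	$query = new WP_Query( array(
		'post_type'      => 'page',
		'post_status'    => 'publish',
		'meta_key'       => '_awp_featured',
		'meta_value'     => '1',
		'posts_per_page' => 100,
		'no_found_rows'  => true,
		'fields'         => 'ids',
	) );
	return $query->posts; // Array of post IDs; nothing to reset with fields => ids.
}

// 3. If raw SQL is truly unavoidable, bind every value with $wpdb->prepare().
function awp_pages_by_title( $title ) {
	global $wpdb;
	return $wpdb->get_col( $wpdb->prepare(
		"SELECT ID FROM {$wpdb->posts} WHERE post_type = 'page' AND post_title = %s",
		$title
	) );
}
```

Variant 3 still loses caching and filters, which is why VIP treats it as the last resort rather than an equivalent alternative.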


Securing Input and Output

  • All input (request parameters, shortcode attributes, option values, post meta) should be validated or sanitized before it is used.
  • Prefer validation, that is checking against a whitelist of allowed values, to sanitization, which only removes what is already known to be bad.
  • Every PHP value should be escaped for its context (esc_html(), esc_attr(), esc_url(), esc_js()) at the point where it is echoed, not earlier.
  • VIP engineer Nick Daugherty recommends escaping even the output of WordPress functions like get_bloginfo( 'name' ), since the site name is itself stored user input.
  • See my guides to securing WordPress input and escaping WordPress output.
echo '<div class="row awr-row" id="' . esc_attr( $sidebar ) . '">';

(From my Adapter Widget Rows plugin)
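The bullets above in one piece of working code, as an added example rather than code from the Adapter Widget Rows plugin: a shortcode whose attributes are validated on the way in (whitelist for the enum, bounds for the integer, protocol check for the URL) and escaped per context on the way out, including the get_bloginfo() call. The shortcode name 'awr_box' and its attributes are assumptions.

```php
<?php
/**
 * Added example, not from the original post. The shortcode name and its
 * attributes are assumptions.
 */
function awr_box_shortcode( $atts, $content = '' ) {
	$atts = shortcode_atts( array(
		'align' => 'left',
		'width' => 300,
		'link'  => '',
	), $atts, 'awr_box' );

	// Validate rather than sanitize: only the listed values are accepted.
	$allowed_align = array( 'left', 'right', 'center' );
	$align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

	// Coerce to an integer, then clamp to a sane range.
	$width = min( 1000, max( 50, absint( $atts['width'] ) ) );

	// esc_url_raw() returns '' for disallowed protocols such as javascript:.
	$link = esc_url_raw( $atts['link'] );

	// Escape late, and per context: attribute, URL, text node.
	$html = '<div class="awr-box awr-' . esc_attr( $align ) . '" style="width:' . (int) $width . 'px">';
	$html .= '<span class="awr-site">' . esc_html( get_bloginfo( 'name' ) ) . '</span>';
	if ( '' !== $link ) {
		$html .= ' <a href="' . esc_url( $link ) . '">' . esc_html( $link ) . '</a>';
	}
	// Enclosed content may legitimately contain markup; allow only the tags
	// permitted in post content rather than echoing it raw.
	$html .= wp_kses_post( do_shortcode( $content ) );
	$html .= '</div>';

	return $html;
}
add_shortcode( 'awr_box', 'awr_box_shortcode' );
```

Note the split between esc_url_raw() (for a value being stored or compared) and esc_url() (for a value being echoed into HTML); using the display version in both places is a common mistake.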


Settings and Options APIs

  • Use the Settings API (register_setting()) or the Options API (get_option() / update_option()) instead of writing straight to the database.
  • Register a sanitization callback so every value is checked before it is stored.
function awp_sanitize_customizer_value( $input ) {
	if ( current_user_can( 'edit_theme_options' ) ) {
		// Sanitize on the way in; escape (esc_attr/esc_html) when the value is
		// output, otherwise stored values end up double-encoded.
		return sanitize_text_field( $input );
	}
	// Return an explicit empty value rather than falling through and returning null.
	return '';
}

(From my “Adapter” theme)
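As an added example (not the Adapter theme's own code), here is a setting registered through both the Settings API and the Customizer with one shared sanitization callback that accepts only whitelisted values and keeps the stored value when the input is bad. The option name 'awp_layout', its choices and the settings group are assumptions.

```php
<?php
/**
 * Added example, not from the original post. The option name, choices and
 * settings group are assumptions.
 */
function awp_layout_choices() {
	return array( 'one-column', 'two-column', 'sidebar-left' );
}

function awp_sanitize_layout( $input ) {
	$input = sanitize_key( $input );
	if ( in_array( $input, awp_layout_choices(), true ) ) {
		return $input;
	}
	// Reject unknown values: report the problem and keep what is already stored
	// instead of persisting bad input.
	add_settings_error( 'awp_layout', 'awp_invalid_layout', 'Unknown layout; value not saved.' );
	return get_option( 'awp_layout', 'one-column' );
}

// Settings API: the callback runs on every update_option() through the form.
function awp_register_settings() {
	register_setting( 'awp_options', 'awp_layout', 'awp_sanitize_layout' );
}
add_action( 'admin_init', 'awp_register_settings' );

// Customizer: same callback, same whitelist, so both entry points agree.
function awp_customize_register( $wp_customize ) {
	$wp_customize->add_setting( 'awp_layout', array(
		'type'              => 'option',
		'default'           => 'one-column',
		'sanitize_callback' => 'awp_sanitize_layout',
	) );
	$wp_customize->add_control( 'awp_layout', array(
		'label'   => 'Layout',
		'section' => 'title_tagline',
		'type'    => 'select',
		'choices' => array_combine( awp_layout_choices(), awp_layout_choices() ),
	) );
}
add_action( 'customize_register', 'awp_customize_register' );

// Reading it back: the stored value is still escaped where it is echoed.
function awp_layout_body_class( $classes ) {
	$classes[] = 'layout-' . esc_attr( get_option( 'awp_layout', 'one-column' ) );
	return $classes;
}
add_filter( 'body_class', 'awp_layout_body_class' );
```

Because both the options page and the Customizer route through awp_sanitize_layout(), there is a single place to audit when the list of allowed layouts changes.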


Prefixing

  • Not only to avoid name collisions with functions in other plugins and themes.
  • It also clarifies where a function came from (which plugin or theme).
function awp_should_page_have_top_and_bottom_navs()

(From my “Adapter” theme)

When I submitted this theme to wordpress.org, I forgot to prefix this function: should_page_have_top_and_bottom_navs().

It was flagged in the theme review, and I prefixed it with awp_.

There was never a namespace issue because the function is so long.

But it clarifies where the function came from.


Licenses


Debugging

  • Make sure WP_DEBUG is defined only in wp-config.php, never in theme or plugin code.
  • It's fine if only your local wp-config.php has define( 'WP_DEBUG', true ); production should leave it false, since displayed notices reveal file paths and query details to visitors.
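The relevant wp-config.php lines for the two environments, as an added configuration example (not from the original post). These are two separate files; the constants are real WordPress settings, and the choice to log in production is an assumption.

```php
<?php
// Added example, not from the original post: two separate wp-config.php files.

// --- Local wp-config.php: surface every notice, and keep a log as well. ---
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'WP_DEBUG_LOG', true ); // writes wp-content/debug.log

// --- Production wp-config.php: never render notices into pages they leak
// file paths and query details. Logging server-side is optional. ---
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );
@ini_set( 'display_errors', 0 );
```

Check the live site by requesting a page with a deliberate notice in a staging theme: if anything appears in the HTML, WP_DEBUG_DISPLAY or display_errors is still on.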

Rationale

These VIP standards are also WP best practices, for good reasons.

They promote two goals of the VIP platform, and any site.

  • Security
  • Performance

What’s your approach to this?

Do you think general WP sites can have more leeway with these standards?
