New WordPress Plugin: Suspend Transients

Recently while working on a project in WordPress, I found myself adding and removing code to bypass cached transients. Needless to say, this was not a great solution. It caused needless code churn and sometimes it MAY have gotten committed to master.

As a result, I wrote a new WordPress plugin that will allow me to bypass transients on any given page.

I give you Suspend Transients!

It’s available on GitHub and pull requests are welcome!

Should we trust WordPress Core translations?

A while ago I was working on a patch to refresh the code for the default widgets that are included with WordPress Core. One of the changes made was to replace the i18n methods currently in place with their counterparts that escape and translate the output. This is a pretty common practice as translation files can be a potential attack vector for hackers. VIP will usually request that this is added to any strings being translated and it is part of the 10up best practices.

One of the comments made was that Core trusts its translation files. For the sake of moving the ticket forward, I reverted those additions, but it does lead me to a larger discussion of why we are trusting translation files. Another conversation referenced (#30724) pretty clearly states the reasons that core strings are not escaped, but I think we should re-examine that policy.

The argument that we should trust them because they can be vetted by the team is somewhat valid in my opinion; however, what if a malicious script is used to change the location of the file that is loaded? At that point, it doesn’t matter how well-vetted the original file is, it’s been replaced. If the escaping methods were being used, then the worst that could happen is that the strings look strange – which is a lot better than malicious script tags being rendered all over the page.

Adding these functions into Core doesn’t hurt anything. It just makes Core a bit more secure. We are already escaping data being rendered in attributes and form fields, so why not translated strings as well?
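To make the difference concrete, here is an added example (not code from WordPress Core or from the patch discussed above): a small test plugin that uses the `gettext` filter to stand in for a replaced translation file and renders the same string through `__()`, `esc_html__()` and `esc_attr__()`. The text domain `demo-domain`, the shortcode name `translation_escape_demo` and the sample strings are assumptions made up for the illustration.

```php
<?php
/**
 * Plugin Name: Translation Escape Demo (added example, hypothetical)
 *
 * Simulates a tampered translation and shows how the same string renders
 * through __() versus esc_html__(). Intended for a local test site.
 */

// Constructed sample: what a replaced translation file might hand back.
const TED_TAMPERED = 'Recent Posts<script>console.log("tampered")</script>';

/**
 * Stand-in for a replaced .mo file: override one string in one text domain.
 * 'demo-domain' is an assumed text domain used only by this example.
 */
add_filter( 'gettext', function ( $translation, $text, $domain ) {
	if ( 'demo-domain' === $domain && 'Recent Posts' === $text ) {
		return TED_TAMPERED;
	}
	return $translation;
}, 10, 3 );

/**
 * [translation_escape_demo] shortcode (assumed name) that prints the
 * same translated string three ways.
 */
add_shortcode( 'translation_escape_demo', function () {
	// Unescaped: whatever the translation contains reaches the page as markup.
	$raw = __( 'Recent Posts', 'demo-domain' );

	// Escaped for HTML body context: markup becomes entities, shown as text.
	$safe = esc_html__( 'Recent Posts', 'demo-domain' );

	// Escaped for attribute context: the value cannot break out of the quotes.
	$attr = esc_attr__( 'Recent Posts', 'demo-domain' );

	return '<h3>' . $raw . '</h3>'   // The script element is live here.
		. '<h3>' . $safe . '</h3>'   // The tag is visible as literal text.
		. '<input type="text" value="' . $attr . '" />';
} );
```

With the shortcode placed on a page, the first heading emits the script element as markup, while the second shows the tag as plain text, which is the "strings look strange" outcome described above.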

Another benefit to using these functions in Core is the education factor. Many developers (myself included) learn the “WordPress way” of doing things by looking at Core source code. Developers may have no idea that their translation files are a potential entry point for hackers, and so by having the code they are learning from set the example, they (hopefully) will follow suit.

I’d love to hear your thoughts in the comments below.

Setting up Unit Testing for WordPress Core

Recently I was running into issues with VVV running some unit tests for AJAX. I was not able to remedy the issue so I decided to create a testing environment from the SVN repo directly.

I went to the page on the codex and, while the information there was great, part of the instructions is to set up a different database for your tests, but not how to get mysql set up and ready for anything to connect to it.

After a bit of digging around I found a simple approach for setting up a test suite for WordPress core unit tests. This setup does not account for viewing WordPress in a browser; it was really only meant for unit testing, but you could easily set that up as well if required.

Using homebrew, install mysql

Once installed, start the server

Once the server has started you can login using the default user (root) and password (blank)

You may be prompted for a password; if so, just hit enter.

Now you can create the tables as needed. There are two commands here because we need a database for WordPress regular use and one for unit testing because the test suite will drop all of the tables in the database each time it’s run.

That’s it! Now your databases are all set up to use.

Next, check out the WordPress repo into your user folder and change to that directory

Now edit the wp-config.php and wp-test-config.php adding in the appropriate database connection info for each.

I found that I needed to set the DB_HOST constant to instead of localhost to have the connection work.

If everything is set up correctly, you can run the unit test suite from inside the root of the core repo.

Once you’re done with your testing, stop the mysql server, as it can cause conflicts with other tools that use their own mysql installations.

That’s it! Happy unit testing!


Resetting $post in WordPress admin

I have run into a bug a few times in the past little while that had me stumped. When creating meta boxes on the admin side of WordPress that contained custom loops, I couldn’t reset $post using wp_reset_postdata() – it just didn’t work.

Originally, I thought maybe I was doing it wrong because I was using get_posts, so I tried WP_Query with the same results. So, thinking I had a legitimate bug, I went to report it and found that there was already a ticket and a patch for it ( gotta love the WordPress community ). The patch is a nice, elegant fix that worked well when I tested it – but until it’s accepted into core it’s not really an option to use because hacking core is bad. So I rolled my own in the meantime.

WordPress Plugins and debug mode

Sometimes when we’re developing a plug-in, it’s easy to forget that we’re not building something that is meant to be standalone. What we’re building is going to exist as part of the WordPress ecosystem and as such it should respect its configuration. Simply put, if WordPress is in debug mode, then your plugin should be too.

Change the WordPress post updated messages

Sometimes it is necessary to modify or remove the default WordPress post updated messages that are displayed when making changes to a Post in WordPress. One example is when you are creating a custom post type that does not have a permalink. When you save a draft, publish or update a published post, you are presented with messaging that includes a link to the post – which in that case will take the user to a 404 page.

Custom post types with no permalinks

When I was at WordCamp Ottawa this year, I was asked a question about how to create custom post types without generating permalinks. This is actually something I do a lot of as I am creating internal content types that are not meant to be viewed individually at their own url.

The snippet below will register the post type and you’ll notice that there is no Permalink line below the title.

Debug Bar Tracer Plugin

I have just released a new plugin called Debug Bar Tracer. It is meant to work with the Debug Bar plugin that should be a staple of any WordPress developer’s toolkit. The idea behind it is quite simple – I am always printing data out to the browser when developing and it always breaks the page and looks horrible. This plugin just adds a new panel that will show you the location of the call ( complete with file name and line number ) as well as the data you are sending out.

Please take a look and let me know what you think!


Creating a skinnable WordPress widget

Building custom widgets is fun; rebuilding them because we need to change the way they look is not. With that in mind, let’s build a skinnable WordPress widget that separates how it looks from what it does. For the purposes of this tutorial, I am assuming that you are comfortable creating a Widget and working with the API. Please refer to the Widget API as needed.