Prevent direct access to Plugin file

Recently, I wrote my first plugin, called First Comment Redirect. Before that I did quite a lot of research on how to write a secure plugin, and there was one code snippet that I found in most plugins. The code was this:

if ( ! defined( 'ABSPATH' ) ) exit;

So basically what it does is add an extra layer of security by preventing any direct access to your plugin file. ABSPATH is a PHP constant defined by WordPress in its core. If you dig into the core you will see the code below:

define( 'ABSPATH', dirname(dirname(__FILE__)) . '/' );

So if your plugin file is accessed from outside of WordPress, the constant ABSPATH will not be defined, so the script exits before any of the plugin code runs, preventing unauthorized direct access to your code.

You can also see this code in some plugins:

if ( ! defined( 'WPINC' ) ) die;

Both snippets serve the same purpose.

Hope you will implement this simple code in your plugin as well.
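As an added example (not code from the post or from the First Comment Redirect plugin), here is a minimal, hypothetical plugin file showing where the guard sits and what it prevents: without it, a direct request to the file reaches the first WordPress function call with nothing loaded, and PHP's fatal error message reveals the file's absolute path on servers that display errors. The plugin name, prefix and filter callback are all assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Direct Access Guard Example
 * Description: Hypothetical plugin skeleton showing where the ABSPATH guard sits.
 */

// Stop here when this file is requested directly (e.g. by its URL under
// wp-content/plugins/) instead of being included by WordPress: ABSPATH is
// only defined once WordPress has bootstrapped, so nothing below runs.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Without the guard, a direct request would reach this line with no WordPress
// functions loaded. PHP would then abort with
// "Fatal error: Uncaught Error: Call to undefined function add_filter()",
// and on a server that displays errors the message includes the absolute
// path of this file, leaking the server's directory layout.
add_filter( 'the_content', 'dag_example_append_notice' );

/**
 * Append a short notice below the content of single posts.
 *
 * @param string $content The post content.
 * @return string
 */
function dag_example_append_notice( $content ) {
    // Only touch the main post content on single post views, not excerpts,
    // widgets or secondary queries that also run through 'the_content'.
    if ( is_singular( 'post' ) && in_the_loop() && is_main_query() ) {
        $content .= '<p class="dag-notice">' . esc_html__( 'Thanks for reading.', 'dag-example' ) . '</p>';
    }
    return $content;
}
```

The guard goes after the plugin header comment (the header is only a comment, so WordPress still reads it) and before any statement that calls a WordPress function.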

First Comment Redirect

First Comment Redirect is a simple plugin that lets you redirect commenters who have just made their very first comment on your site to any page or custom link you prefer. So what's the point of redirecting a commenter to another page or link? Well, you can redirect them to a simple Thank You page, thanking them for visiting your site and for their comments. You can also ask them to subscribe to your blog, like you on Facebook or follow your blog/site on Twitter. These are just simple examples of how you can use this plugin; it all depends on how creatively you use it.

The plugin has a simple settings page that you can use to set up the redirect page or link. You can also choose whether to redirect only first-time commenters on your site or all commenters.

First Comment Redirect Settings Page

Redirect Commenter to any page within your site?

  • Create a page called Thankyou, write whatever thank-you message you wish and save the page.
  • Go to your Dashboard and look for the First Comment Redirect admin menu.
  • Click on the menu and you will see the settings page as shown in the picture above.
  • Now click on the Redirect to dropdown and select Page.
  • Now from the Page dropdown select the Thankyou page.
  • If you want to redirect only the very first commenter on your site, uncheck the Redirect All Comment box; if you want to redirect all commenters on your site, check Redirect All Comment.
  • Click Save Changes.

Redirect the commenter to any custom URL

  • Go to your Dashboard and look for the First Comment Redirect admin menu.
  • Click on the menu and you will see the settings page as shown in the picture above.
  • Now click on the Redirect to dropdown and select Custom Link.
  • Now in the Custom Link box put the URL you would like the user to be redirected to.
  • If you want to redirect only the very first commenter on your site, uncheck the Redirect All Comment box; if you want to redirect all commenters on your site, check Redirect All Comment.
  • Click Save Changes.

You can download the plugin here: First Comment Redirect

If you have any questions regarding this plugin, feel free to comment below.

When to use pre_get_posts in WordPress

Many of us are unaware of the pre_get_posts hook, which is very handy when it comes to altering the main loop. I got to know about this handy hook a while ago from the WordPress theme review team while submitting a theme to WordPress.org. So I will try to explain as simply as I can its uses, its benefits and when to use it.
The pre_get_posts hook is executed after the query variable object is created but before the main query runs. When using the pre_get_posts hook, the $query object is passed by reference, which means any changes we make to the object inside our function are made directly to the original object. Continue reading
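As an added example (not code from the post), here is a pre_get_posts callback that changes only the main front-end query. The checks on is_admin() and $query->is_main_query() are the part practitioners most often miss: the hook also fires for admin list screens and for every secondary WP_Query, so without them the change leaks into places it was never meant for. The function prefix and the category ID are assumptions made for the example.

```php
<?php
// Added example, not from the original post: adjust the main front-end query
// from pre_get_posts without touching admin screens or secondary queries.

/**
 * Show 5 posts per page on the home page and leave out one category.
 *
 * @param WP_Query $query The query object, passed by reference by WordPress.
 */
function myprefix_tune_home_query( $query ) {
    // pre_get_posts also fires for admin list screens and for every secondary
    // WP_Query (widgets, related-post boxes, ...). Bail out for those.
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }

    if ( $query->is_home() ) {
        // Because $query is the real object, set() edits the query WordPress
        // is about to run; nothing needs to be returned.
        $query->set( 'posts_per_page', 5 );
        $query->set( 'category__not_in', array( 7 ) ); // 7: placeholder category ID
    }
}
add_action( 'pre_get_posts', 'myprefix_tune_home_query' );
```

Note that the conditional tags are called on $query ($query->is_home()), not as the global is_home(): the global versions read $wp_query, which at this point may not yet describe the query being built.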

WordPress Custom Loop Pagination

Using the normal WordPress loop to achieve something completely different is often not possible, so two options come first: query_posts or WP_Query. It is always better to use WP_Query; there is almost nothing you cannot achieve with it. But whenever pagination comes into a WP_Query, it all gets messed up, and even the WordPress Codex does not provide sufficient documentation. Recently I faced this problem while trying to show pagination in a custom loop. After some hard time I came up with a solution that I would like to share here.

WordPress Pagination with custom loop

The reason why pagination works correctly in the normal loop but not in a custom loop is that WordPress pagination works only with the $wp_query global variable, and that is what the normal loop accesses. In the normal loop, have_posts() calls $wp_query->have_posts() and the_post() calls $wp_query->the_post(). Continue reading
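As an added example (not the post's own code), here is a custom WP_Query loop whose pagination works, showing the two things the excerpt's explanation implies: the current page number has to be passed into the custom query as 'paged', and paginate_links() has to be told the custom query's max_num_pages because it otherwise reads the global $wp_query. The function name and the per-page count are assumptions made for the example.

```php
<?php
// Added example, not the original post's code: a custom WP_Query loop whose
// pagination is driven by the custom query's own page count instead of the
// global $wp_query that paginate_links() falls back to.

/**
 * Render a paginated list of posts from a secondary query.
 *
 * @param int $per_page Posts per page (assumed value for this example).
 */
function myprefix_paginated_custom_loop( $per_page = 5 ) {
    // The current page number comes from /page/2/ or ?paged=2.
    $paged = max( 1, (int) get_query_var( 'paged' ) );

    $custom_query = new WP_Query( array(
        'post_type'      => 'post',
        'posts_per_page' => $per_page,
        'paged'          => $paged, // without this, every page repeats page 1
    ) );

    if ( ! $custom_query->have_posts() ) {
        echo '<p>' . esc_html__( 'No posts found.', 'myprefix' ) . '</p>';
        return;
    }

    echo '<ul>';
    while ( $custom_query->have_posts() ) {
        $custom_query->the_post(); // sets up the global $post for template tags
        echo '<li><a href="' . esc_url( get_permalink() ) . '">'
            . esc_html( get_the_title() ) . '</a></li>';
    }
    echo '</ul>';

    // paginate_links() defaults 'total' to $wp_query->max_num_pages, which
    // knows nothing about $custom_query; pass the custom query's total.
    echo paginate_links( array(
        'total'   => $custom_query->max_num_pages,
        'current' => $paged,
    ) );

    // Restore the global $post so later template tags refer to the main query.
    wp_reset_postdata();
}
```

One caveat: on a static front page WordPress stores the page number in the 'page' query var rather than 'paged', so a loop placed in a front-page template should read get_query_var( 'page' ) instead.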

Part II: Data Validation and Sanitization in WordPress

In the first part of this article, I explained data validation and sanitization, their importance and some key differences between them. In this part I shall be covering some of the important functions in WordPress that can be used to validate and sanitize data. First, let's have a brief explanation of HTML elements and nodes, so that the escaping functions make more sense and are easier to use.

Here is an HTML snippet that can be broadly divided into 3 parts:

  1. Element node: any element in the document, like <h1>, <a> or <span>.
  2. Attribute node: an attribute provides additional information about an element and comes in name/value pairs like name="value". In the above example, class="some_class" and title="some_title" are attribute nodes.
  3. Text node: any text found outside of element and attribute nodes. In the above example, some_text is a text node.

So the key thing to remember here is that we should always sanitize attribute and text nodes. Continue reading

Part I: Data Validation and Sanitization in WordPress

Data validation and sanitization come into play whenever users are allowed to enter data, whether via forms in a custom meta box, theme options or any other way. Although our code may seem to work fine without data validation and sanitization, it is important to validate input if you want your data to be secure. Data without validation is vulnerable to attackers, who can exploit it in different ways.

Why data validation and sanitization?

  • Attackers can inject various scripts, including XSS (Cross-Site Scripting) payloads, if input is not properly validated
  • Unvalidated input can break the form at output
  • It can be used to spread malware

Here is an example that shows how a simple input field can be a potential threat:

<?php
// Retrieving the value from the $_POST superglobal with no validation, sanitization or escaping
$username = $_POST['username'];
?>
<label> Name </label>
<input type="text" name="username" value="<?php echo $username; ?>" />

Continue reading
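As an added example (not the article's own code), here is the unescaped field from the excerpt above beside a hardened version, which also illustrates the node types from Part II: the value is sanitized when it is read and then escaped for the exact place it is written into, esc_html() for a text node, esc_attr() for an attribute node and esc_url() for an href. The function names, the sample input and the simplified stand-in definitions of the WordPress escaping functions (present only so the file also runs with plain php outside WordPress) are assumptions made for the example.

```php
<?php
// Added example, not the article's own code: the unescaped field from the
// excerpt beside a hardened version, with sanitization when the value is read
// and context-specific escaping when it is written into a text node, an
// attribute node and an href.

// Simplified stand-ins so this file also runs with plain `php` outside
// WordPress. Inside WordPress the real functions already exist and these
// definitions are skipped; the real ones are stricter than these shims.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        $scheme = parse_url( (string) $url, PHP_URL_SCHEME );
        // Refuse anything that is not http/https (for example javascript: URLs).
        return in_array( $scheme, array( 'http', 'https' ), true )
            ? htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8' ) : '';
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { return trim( strip_tags( (string) $text ) ); }
}

// VULNERABLE (as in the excerpt): the raw request value is written straight
// into an attribute, so a quote in the input ends the attribute and whatever
// follows becomes markup.
function render_name_field_unsafe( $username ) {
    return '<label> Name </label>' . "\n"
        . '<input type="text" name="username" value="' . $username . '" />';
}

// Read the field the WordPress way: check that it exists, strip the slashes
// WordPress adds to superglobals (wp_unslash), then sanitize.
function read_posted_username( array $post ) {
    $raw = isset( $post['username'] ) ? $post['username'] : '';
    if ( function_exists( 'wp_unslash' ) ) {
        $raw = wp_unslash( $raw );
    }
    return sanitize_text_field( $raw );
}

// HARDENED: escape each output location for its own node type. The text node
// gets esc_html(), the value attribute gets esc_attr(), the href gets esc_url().
function render_name_field_safe( $username, $profile_url ) {
    return '<label>' . esc_html( 'Name' ) . '</label>' . "\n"
        . '<input type="text" name="username" value="' . esc_attr( $username ) . '" />' . "\n"
        . '<a href="' . esc_url( $profile_url ) . '">' . esc_html( $username ) . '</a>';
}

// Constructed sample input: a value that closes the attribute and injects a
// script tag, plus a javascript: URL for the link.
$constructed_post = array( 'username' => '"><script>alert(1)</script>' );
$constructed_url  = 'javascript:alert(1)';

echo render_name_field_unsafe( $constructed_post['username'] ), "\n\n";
echo render_name_field_safe( read_posted_username( $constructed_post ), $constructed_url ), "\n";
```

Run with php on the command line, the first call prints a broken <input> tag followed by a live <script> element, while the second keeps the whole value inside value="..." with the quote and angle brackets encoded, and emits an empty href because the javascript: scheme is rejected. Sanitizing on input and escaping on output are separate steps for a reason: sanitization decides what data is acceptable to store, and escaping makes whatever is stored safe for one specific output context.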