1: Overuse of the options table:
get_option() and set_option() are wonderfully useful features, if used in moderation. If not used in moderation, they result in a hellish jumble of entries in the wp-options table. Instead of using many discreet entries, an “options” object or array should be serialized into a set_option() call. While this may be overkill for a very simple plugin, once you get to any number of options it is a necessity.

2: No NONCEs
This is such an offensive mistake it makes me cry a little. As I(and Mark Jaquith and Vladimir Prelovac and many others) have written, using nonces is a must for any plugin which takes options from a user. Strangely enough, the nonce field is included, but then never checked (WTF?). Without the use of nonces, a nefarious user can arbitrarily change your plugin settings, and possibly even take over your database. Particularly if there are

3: No SQL Injection Security
Not having nonces is one thing. It’s bad, but I’ve forgotten from time to time myself. But not even escaping input before putting it in the database is, to quote “Yahtzee”, pants on head retarded!. Escaping user input is probably the single simplest and most basic security. It’s the last line of defense against people replacing your header image with horrific porn. Don’t write code without it.

4: Unnecessary use of global variables
This exists on two levels:
A) In purpose.php, both $wp_query and $post are called into the function via global. While this probably won’t do any harm, globally including everything everywhere is what made earlier version of php such a nightmare and it looks messy. If you don’t need a variable, don’t include it.
B) $var1-$var4 are declared to static values at the top of the file where they will clutter up the global namespace. They are never accessed from their global context, they are always get_option()ed. In fact, the only reason they are declared here is so that they can be add_optioned into options. EVERY TIME THE CODE RUNS. That’s four superfluous function calls every single time the file loads. This should be done once, on plugin install. Not every single time WordPress loads a page.

5: Include vs. Require
I realize that this is pretty nit-picky, but, when including files that are required for the program to function, the appropriate function is require() (or better yet, require_once(). If the file is missing, the code to break while trying to include the file, instead of mysteriously throwing messages about redeclaration of functions.

In conclusion, while the concept of a plugin framework is laudable, Fire Studio’s implementation falls far short of any reasonable mark of best practices, and only serves to encourage worst practices.

As always, head over the the µAudio page at WordPress.org or grab a copy from my µAudio page.

Head over the the µAudio page at WordPress.org or grab a copy from my µAudio page.

Those of you waiting for the 0.7 release with the new sidebar widget shouldn’t have too much longer to wait. It’s coming with some major changes to how µAudio handles javascript. There will probably be a 0.6.2 release in the next week or so to fix any lingering bugs with the current implementation, and then 0.7 will have the new code.

Head on over to WordPress.org or grab a copy from my µAudio Page.

• New Dashboard Widget
• Better number formatting
• 2.7 Compatible

Mosey over to the µMint page at wordpress.org or grab a copy from my µMint page.

I am happy to announce the release of a new plugin today: µMint. Like my other µ plugins, it’s a small, lightweight plugin to (hopefully) do something useful. In this case, µMint allows you to painlessly integrate Shaun Inman’s Mint into WordPress. Unlike the currently existent solution, µMint does not make use of iframes. Instead, µMint is designed to work with both the Exposé API, by Adam Livesley as well as the included API, µAPI for Mint. Furthermore, there is a development version of a connector whcih allows WordPress to directly query Mint, when the two share a database.

µAPI does more than just get your stats, it displays them for you. You can have your choice of a sidebar widget, a dashboard widget, or both. And, in the µ plugin philosophy, stats are cached periodically to reduce the number of API calls required.

I think that µAPI neatly bridges the gap between Mint and WordPress, and I hope you’ll give it a try.

µMint for WordPress Dashboard

You can get a version from my µMint Page.

Installation Instructions.

And yes, screenshot 5 is real, the minimal installation is just 495 Bytes!

Thanks for all you patience.

To get started with WordPress nonces, we need a plugin administration page. To make life easier for the budding developer, I’ve created a basic plugin called “WP Nonce Playground.” ('WP Nonce Playground: Part 1'). Upload and activate the plugin. Under “Settings” you will have a new tab: “WP Nonce”. On this screen you can set a check box and some text.

Unfortunately, this is not really secure, because it doesn’t check any credentials. Lets add some. To create a nonce, we’ll be using the wp_create_nonce($action) function. The $action parameter is optional, but without it the system is not nearly as secure. $action is a string, and you should create a unique $action for each different action which you will create

Open up wpn.admin.php. On line 61, add:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_setting'); ?>" />

This creates a hidden form field with the name wpn-update_settings and places a custom nonce in the value field. If you save the page, refresh, and examine the source, you’ll see the nonce in a hidden form field down at the bottom. Of course, we’re not actually checking it right now, so it’s not much use at the moment.

It’s easy enough to start checking the nonce, however. We use the companion to the wp_create_nonce($action) function, wp_verify_nonce($nonce, $action). Like wp_create_nonce, wp_verify_nonce does not explicitly require the $action parameter, however, whatever $action parameter was used to create the nonce must also be used for successful verification.

Back to wpn.admin.php. Replace lines 13 and 14 with:

if (!isset($_POST['wpn-update_settings'])) die("Hmm ..., looks like you didn't send any credentials");
if (!wp_verify_nonce($_POST['wpn-update_settings'],'wpn-update_settings')) die("Hmm ..., looks like you didn't send the right credentials");

Go ahead and save the page. Visit it and update the options.

Well, that didn’t work! If you copied and pasted exactly what I wrote above, you get the error:

Hmm …, looks like you didn’t send the right credentials

The eagle eyed among you will notice that on line 61, we created a nonce with the $action of ‘wp-update-setting’, but everywhere else, including in wp_verify_nonce, we used ‘wp-update-settings‘.

Update wpn.admin.php, line 61 to:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_settings'); ?>" />

Lo and behold, it works!

If your wpn.admin.php isn’t working, a working version with all the changes made in the part is also in the plugin folder at wpn.admin.final.php. You can rename this to wpn.admin.php to make the plugin work.

More:

• Part 0 — Background
• Part 1 — Basic Nonce Usage

WordPress Nonce Tutorial Home

Fortunately, WordPress supports Numbers used ONCE (nonce) as a way of keeping nonces (pedophiles, hackers, and people who talk at the theater) out. Follow along as I show you how to keep your plugin from being the door to hackers.

Since early in the version 2 branch wordpress has supported nonces, unfortunately, the resources on using them effectively are all too scarce. In actuality, they are quite easy and simple to use.

According to Wikipedia, a Crytographic nonce:

[Is] a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. … To ensure that a nonce is used only once, it should be time-variant (including a suitably granular timestamp in its value), or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value.

In WordPress terms, a nonce is either an md5 HMAC or a plain md5 hash. In general a WP nonce is valid for twelve hours but expires after 24 hours. Thus the current or previous nonce may both be used. While the wp_generate_nonce($action) function includes several internal components to make the nonce more secure, it also allows the developer to specify an action for the nonce. An action is simply a string which is included in the hash calculation. By creating a separate action for each edit page, etc., a hacker needs to intercept the nonce specific to the action they wish to perform. Thus, even if they intercept a nonce, there is only one (or a very limited number) of nefarious actions which they can perform.

More:

• Part 0 — Background
• Part 1 — Basic Nonce Usage

WordPress Nonce Tutorial Home