As a new WordPress plugin developer I’m learning things about WordPress that I never knew existed and raising my PHP coding skills to new levels. There are three main points that stand out after submitting 3 plugins to the official repository.
There is no such thing as sanitizing too much.
If you are getting input from users (admin or front-end) or getting data from the database, filter and/or sanitize that data before you do anything with it! This is the biggest reason for getting your plugin kicked back by the official WordPress plugin repository – believe me, I know. The WordPress Codex suggests:
I tend to disagree and validate as soon as the data enters my code. The key is to be consistent so that you know all data is safe and expected.
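As an added illustration of that point (example code written for this post's topic, not code from the author's plugins or from WordPress itself): sanitize request data the moment it enters the code, escape everything again on output, and let `$wpdb->prepare()` quote values in SQL. The `myplugin_` function names, option name, nonce action and custom table are hypothetical; the snippet assumes WordPress is loaded, since every function it calls is a core WordPress or `$wpdb` API.

```php
<?php
/*
 * Added example, not from the original post or any real plugin. The
 * myplugin_ names, the option key, the nonce action and the custom table
 * are hypothetical; all functions called are WordPress core / $wpdb APIs
 * and need WordPress to be loaded.
 */

// Admin side: save a settings form. Validate and sanitize as soon as the
// data enters the code, then store only the cleaned values.
function myplugin_save_settings() {
    // Authorization and CSRF checks come before any input is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $raw = isset( $_POST['myplugin'] ) ? (array) $_POST['myplugin'] : array();

    // Plain text: wp_unslash() first (PHP/WP add slashes), then strip tags
    // and stray control characters.
    $title = sanitize_text_field( isset( $raw['title'] ) ? wp_unslash( $raw['title'] ) : '' );

    // Integers: absint() forces a non-negative int; clamp to an allowed range.
    $per_page = min( 100, max( 1, absint( isset( $raw['per_page'] ) ? $raw['per_page'] : 10 ) ) );

    // URLs: esc_url_raw() is the storage form (esc_url() is for output).
    $map_url = esc_url_raw( isset( $raw['map_url'] ) ? wp_unslash( $raw['map_url'] ) : '' );

    // Enumerations: whitelist, never trust the submitted value as-is.
    $mode = isset( $raw['mode'] ) ? (string) $raw['mode'] : '';
    if ( ! in_array( $mode, array( 'list', 'map' ), true ) ) {
        $mode = 'list';
    }

    update_option( 'myplugin_settings', array(
        'title'    => $title,
        'per_page' => $per_page,
        'map_url'  => $map_url,
        'mode'     => $mode,
    ) );
}

// Front end: data read back from the database is escaped on output even
// though it was sanitized on the way in; the stored value may have been
// written by an import, another plugin, or an older version of this one.
function myplugin_render_shortcode( $atts ) {
    $settings = get_option( 'myplugin_settings', array() );
    $atts     = shortcode_atts( array( 'post' => 0 ), $atts, 'myplugin' );

    $post_id = absint( $atts['post'] );
    $title   = isset( $settings['title'] ) ? $settings['title'] : '';
    $map_url = isset( $settings['map_url'] ) ? $settings['map_url'] : '';

    return sprintf(
        '<div class="myplugin" data-post="%d"><h3>%s</h3><a href="%s">%s</a></div>',
        $post_id,
        esc_html( $title ),
        esc_url( $map_url ),
        esc_html__( 'Open map', 'myplugin' )
    );
}

// Database: never interpolate request values into SQL; $wpdb->prepare()
// quotes them. The table is a hypothetical custom table under $wpdb->prefix.
function myplugin_get_locations_for_post( $post_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_locations';
    $sql   = $wpdb->prepare(
        "SELECT id, lat, lng, label FROM {$table} WHERE post_id = %d ORDER BY id ASC LIMIT %d",
        absint( $post_id ),
        50
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
add_shortcode( 'myplugin', 'myplugin_render_shortcode' );
```

The split between `esc_url_raw()` on the way in and `esc_url()` / `esc_html()` on the way out is deliberate: sanitizing at the boundary keeps garbage out of the database, but escaping at output is what actually prevents markup from being interpreted in the page, and a reviewer will look for both.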
Be prepared to have people point out bugs and errors.
Embarrassing? Yes. But work through the embarrassment and acknowledge that you are being given a chance to make your code better. Better yet, be profusely grateful to users who find enough value in your plugin to take the time to let you know it isn’t working right. I had three people test my plugin BP Post to Google Map and several bugs still were found once it was in the repository. I’ve offered the premium version of the plugin free to one person in particular who has been key in pointing out errors.
WordPress’ version of Markdown is a pain.
WordPress uses a version of Markdown for the readme.txt files which then become the tabbed information about your plugin in the WordPress Repository. It is persnickety and a pain to use. There is a validator where you paste in your readme.txt and you can see what the result will look like, but the result from the validator and the result in the Repository are always different for me. My advice? Run it through the validator and then add it to the Repo, but expect to still have to make changes to it.
What “secrets” have you discovered from being a WordPress plugin developer?