How to add a custom field to WooCommerce checkout page

How to modify the WooCommerce API orders response?

How to modify the WordPress REST API posts response

The WordPress REST API is a great thing, but in most cases you need to extend it. For example, if you use Advanced Custom Fields and you need to get them via the API, then you need to modify the response. Here’s a quick example:

How to create a callback URL in WooCommerce

I was working on a payment gateway for WooCommerce and had to create a special URL that then loads the specified class method. Sometimes the information does not reach all parties, e.g. if you close the browser, and the status of the payment between the payment provider's and the merchant's server remains unclear. The WooCommerce API allows you to create a callback URL for this.

Creating a callback URL

Calling a callback URL

Before WooCommerce 2.0, you could use:
http://yoursite.com/?wc-api=wc_gateway_my_gateway

In WooCommerce 2.0+:
http://yoursite.com/wc-api/wc_gateway_my_gateway/

DevSlider – A simple responsive slider built for Developers

There were many times when a client asked me to customize the current slider template and add new settings to the slider. There are many great sliders in the WordPress plugins repository, but they are not extendable – you can't add new settings to the slider and change the template, or it's very hard. This time I decided to spend a bit more time and create my own slider which you can extend easily.

It uses the bxSlider jQuery library and a Custom Post Type for slides. bxSlider has many options and examples. You can change the bxSlider options by hooking the devslider_slider_js filter.

How to add slider to your page?

Use the [DevSlider] shortcode. Available options are: slidewidth (default: 0), minslides (default: 1), maxslides (default: 1), category (default: all; otherwise a category slug).

How to change the slider template?

The template file of DevSlider contains the markup and template structure for the front-end. This template file can be found within the /devslider/inc/ directory.

You can edit this template in an upgrade safe way through overrides. Simply copy devslider-template.php to your theme folder.

How to add new settings?

There are two ways. You can use Advanced Custom Fields plugin or WordPress meta boxes.

If you are going to use ACF, then you need to tell DevSlider by using the devslider_use_wp_meta_boxes filter.

If you are going to use WordPress meta boxes, then you need to add a new meta box by using the devslider_slider_settings_metabox action hook. For example, I'll add a new input field for slide text.

We also need to hook into devslider_save_slide action hook to save it.

Now in wp-content/themes/yourtheme/devslider-template.php you can use the slide text. (If you don't see this file in your theme, then you can copy it from the plugin's inc folder.)

You are welcome to contribute to this slider on GitHub.

Available action hooks

  • devslider_loaded
  • before_devslider_init
  • after_devslider_init
  • devslider_enqueue_scripts
  • devslider_add_meta_boxes
  • devslider_slider_settings_metabox – available argument $post
  • devslider_save_slide – available argument $post_id

Available filters

  • devslider_slider_js – bxSlider JavaScript code
  • devslider_use_wp_meta_boxes – available argument bool – true or false

WooCommerce REST API – Import products from JSON

I had a task to create a PHP script to import simple and variable products from a JSON file using the WooCommerce REST API. Thought it might be worth sharing with others because I couldn't find much information about product import from JSON using the API.

To make it easier to understand, I created a simple JSON file with one simple product and one variable product that has two product variations. You can get all files from the GitHub repository.

products.json

Getting started

What you need to do is download a PHP wrapper for the WooCommerce REST API. You can install it using Composer from https://packagist.org/packages/automattic/woocommerce. If you don't have Composer yet, then you can download it from https://getcomposer.org

Setup

Setup for the new WP REST API integration (WooCommerce 2.6 or later):

1. Parse JSON

Convert the JSON string to a PHP array.

2. Get all product attributes from JSON

We need to get all product attribute names and values from the JSON file.

3. Get products and variations from JSON for importing

4. Merge products and product variations

Used to loop through products, then loop through product variations.

5. A simple function to print status message

Import products to WooCommerce using the API

You can find the script in the GitHub repository.

My first package for Laravel – Google Safe Browsing Lookup (v4)

I've been working on an exciting project, and one of the first tasks was to integrate Google Safe Browsing into the project. The Safe Browsing APIs (v4) let you check URLs against Google's constantly updated lists of unsafe web resources. However, I couldn't find a working package for Laravel 5.4, so I decided to create my own and share it on GitHub and Packagist.

Installation

Run the following from the Terminal:

Next, add your new provider to the providers array of config/app.php:

Finally, add aliases to the aliases array of config/app.php:

Preparation

You need to get an API key for the Google Safe Browsing API.

Publish the config file.

Set your API key in YOUR-APP/config/google_safe_browsing.php

Usage

More examples

License

The package is licensed under the GPL v3 License.

Writing secure code in WordPress and preventing the most common security vulnerabilities

The number of vulnerabilities discovered in WordPress plugins and themes is quite impressive. If you take a look at public exploits databases, you’ll see new vulnerabilities discovered every week.

According to the most recent data (source: ThreatPress WordPress plugins and themes vulnerabilities database), the most common vulnerabilities in WordPress plugins and themes are XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery). Less common types of vulnerabilities are SQL Injection, RFI (Remote File Inclusion), LFI (Local File Inclusion), Arbitrary File Upload and Directory Traversal.

Security is one of the most important things to keep in mind. If you develop WordPress plugins and themes, then you should follow the best security practices (see WordPress Codex: Validating, Sanitizing and Escaping User Data). There are plenty of examples of how each of these vulnerabilities is exploited. If you are not familiar with such types of attacks, then I'd recommend watching step-by-step guides on YouTube.

How to prevent attacks and secure your code in WordPress?

Validate data. Use the right helper functions to sanitize and escape data.

Validation – Verification that something is correct or conforms to a certain standard (such as a string that contains numbers and letters).
Sanitization – A technique for modifying the input to ensure that it is valid (such as doubling single quotes).
Escaping – Converting special HTML characters to HTML entities, so that characters like ', " and > don't break anything, which also prevents XSS.

The difference between sanitizing and escaping is one of timing: you sanitize all data collected from $_POST, $_GET and $_REQUEST before saving it to the database, and you escape data from the database or from user input when you output it.

What is XSS (Cross-site Scripting) and how to prevent it?

An XSS vulnerability enables attackers to inject client-side scripts into web pages viewed by users. The first thing you need to do is to sanitize user input. In many cases you can use the sanitize_text_field( $string ) function. This function will convert HTML characters to entities, strip all tags and remove extra whitespace. If you need to sanitize an email address, then you should use sanitize_email( $email ). For the full list of functions, go to WordPress Codex > Data Validation. When you need to output your data, escape it; this too prevents XSS vulnerabilities. WordPress has a few helper functions such as esc_attr(), esc_html(), esc_url() and more (see the Codex).

What is CSRF (Cross-Site Request Forgery) and how to prevent it?

Cross-site request forgery (CSRF) is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. To prevent CSRF, you need to use nonces. A nonce is a “number used once” to help protect URLs and forms from particular types of misuse.

How to prevent SQL injection?

Use only the safe $wpdb API methods to insert into, update and delete from the database. All data in SQL queries must be SQL-escaped before the SQL query is executed. A good function for that is esc_sql().

Safe methods are:

  • $wpdb->insert()
  • $wpdb->update()
  • $wpdb->delete()

Use other methods only with $wpdb->prepare(). This helps prevent SQL injections.
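The three rules above (nonce for CSRF, sanitize on input, escape on output, prepared or parameterised $wpdb calls for SQL) in one added example; this is not code from the original post, and the table {$wpdb->prefix}doc_notes and the wpsec_ function names are hypothetical.

```php
<?php
// Added example, not code from the original post. Saves a free-text note for a
// post through admin-post.php and applies the rules above in order: verify the
// nonce (CSRF), check the capability, sanitize before storing, let $wpdb build or
// prepare the SQL, escape on output. Table {$wpdb->prefix}doc_notes is hypothetical.

function wpsec_render_note_form( int $post_id ): void {
    global $wpdb;
    // Read with a prepared statement; %d types the placeholder as an integer.
    $stored = (string) $wpdb->get_var( $wpdb->prepare(
        "SELECT note FROM {$wpdb->prefix}doc_notes WHERE post_id = %d", $post_id
    ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpsec_save_note">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( (string) $post_id ) . '">';
    wp_nonce_field( 'wpsec_save_note_' . $post_id, 'wpsec_nonce' ); // hidden nonce + referer
    // Escape on output: esc_attr() inside an attribute, esc_html() in element text.
    echo '<input type="text" name="note" value="' . esc_attr( $stored ) . '">';
    echo '<p>Current note: ' . esc_html( $stored ) . '</p>';
    echo '<button type="submit">Save</button></form>';
}

function wpsec_handle_note_submit(): void {
    if ( ! isset( $_POST['wpsec_nonce'], $_POST['post_id'], $_POST['note'] ) ) {
        wp_die( 'Missing fields.' );
    }
    $post_id = absint( $_POST['post_id'] );
    // CSRF: the nonce is bound to the action name and this post id, so a token issued for one post does not validate for another.
    $nonce = sanitize_text_field( wp_unslash( $_POST['wpsec_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'wpsec_save_note_' . $post_id ) ) {
        wp_die( 'Invalid or expired request.' );
    }
    // A valid nonce only proves intent; authorization is a separate check.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Sanitize before storing: strips tags, encodes stray HTML characters, trims whitespace.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ) );
    global $wpdb;
    // replace() is in the same family as insert()/update()/delete(): $wpdb escapes each value per its format specifier.
    $wpdb->replace(
        $wpdb->prefix . 'doc_notes',
        array( 'post_id' => $post_id, 'note' => $note ),
        array( '%d', '%s' )
    );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_wpsec_save_note', 'wpsec_handle_note_submit' );
```

The handler runs for logged-in users because of the admin_post_ prefix; the capability check is still needed, since a nonce only shows the request came from the form, not that the user may edit that post.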

What I learned from doing customer support for WordPress products and why it’s great

I’m always involved in customer support. I’m providing support for my own plugins and helping others in forums. When I was working for other companies, we had a practice where every week a team member jumps into the support queue and answers some complex tickets. First of all, customer support is rewarding. I’ll tell you why.

Happy customers = more sales

A long-term happy customer will mean that all that hard work you did to resolve the issues will turn into profits and loyalty. “On average, loyal customers are worth up to 10 times as much as their first purchase.” (Source: White House Office of Consumer Affairs)

You can understand your customers

By providing support you can identify areas where your customers are struggling. You can improve the documentation. You can gain new customers through positive recommendations and improve the product.

You can get testimonials

Testimonials are important to business success. If you provide excellent customer support, then you can get great testimonials. When your potential customers visit your website for the first time, they will look for testimonials.

You can improve your debugging skills

It’s a great way to improve your ability to debug existing code. Answering complex tickets requires time and a lot of debug work.

Make new friends

Doing things that make people feel good and appreciated turns into friendly relationships. They'll want to keep in touch with you.

How to extend search for custom post types in WordPress admin

I recently had to extend the search to include custom fields in WordPress admin. I created a custom post type called “document” and a few custom fields such as “_file_name” and “_url”. Unfortunately, it’s not possible to search by custom field value in WordPress admin, so I had to hook into the native WordPress search and tweak it.

WordPress admin search

In order to change the search query, you need to hook into the pre_get_posts action. The pre_get_posts action gives developers access to the $query object by reference (read more at the WordPress Codex).

Here's the code. You can change $post_type and $custom_fields according to your needs.
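An added example of the approach described above, not the post's own code: it hooks pre_get_posts for the "document" post type and the _file_name and _url fields named in the post, and extends the search clause with a prepared, LIKE-escaped subquery rather than string concatenation. The docsearch_ function names are hypothetical.

```php
<?php
// Added example, not the post's own code. It widens the admin list-table search
// for the "document" post type so the term also matches the values of the custom
// fields _file_name and _url (the post type and meta keys named in the post above).

function docsearch_extend_admin_search( WP_Query $query ): void {
    // Act only on the main query of the admin edit screen while a search is running.
    if ( ! is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }
    if ( 'document' !== $query->get( 'post_type' ) ) {
        return;
    }
    // posts_search receives only the search part of the WHERE clause, so we can
    // extend it without touching the post_type/post_status conditions core adds.
    add_filter( 'posts_search', 'docsearch_add_meta_clause', 10, 2 );
}
add_action( 'pre_get_posts', 'docsearch_extend_admin_search' );

function docsearch_add_meta_clause( string $search, WP_Query $query ): string {
    global $wpdb;
    // Scope the filter to this single query, then restore the default behaviour.
    remove_filter( 'posts_search', 'docsearch_add_meta_clause', 10 );
    if ( '' === $search ) {
        return $search;
    }
    $custom_fields = array( '_file_name', '_url' );
    // esc_like() neutralises % and _ in the user's term so it cannot become a
    // wildcard; prepare() quotes and escapes every value, including the keys.
    $like         = '%' . $wpdb->esc_like( $query->get( 's' ) ) . '%';
    $placeholders = implode( ', ', array_fill( 0, count( $custom_fields ), '%s' ) );
    $meta_clause  = $wpdb->prepare(
        "EXISTS (SELECT 1 FROM {$wpdb->postmeta} pm WHERE pm.post_id = {$wpdb->posts}.ID"
        . " AND pm.meta_key IN ({$placeholders}) AND pm.meta_value LIKE %s)",
        array_merge( $custom_fields, array( $like ) )
    );
    // Core hands us " AND ( ...title/content LIKE... ) "; OR our clause into that group.
    $core_clause = preg_replace( '/^\s*AND\s*/i', '', $search );
    return " AND ( ({$core_clause}) OR {$meta_clause} ) ";
}
```

Core splits a multi-word search into per-word LIKE terms; this clause matches the whole phrase against the meta values, which is usually what you want for a file name or URL.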