Nonces: The Other Problem With WordPress Caching

Cloudy mountain top

Nonces are one of those things that, hopefully, all WordPress developers know they need, but there is still a lot of confusion about. Maybe it’s beacuse “nonce” means a number used once and a WordPress nonce is not a number and it can be used. So it’s closer to a nonce than a nonce word, but it can be used multiple times, but I digress.

The point here isn’t semantics, it’s to discuss some problems nonces present. I run into problems with Caldera Forms + caching plugins that are set with infinite cache lengths as this causes our nonce validation to fail.

This article isn’t about setting up caching plugins or services or which one is best. It’s about understanding one of the gotachas with many caching plugins: caching nonces.

Nonce Problems

I want to talk a bit about what nonces are, why we use them and what can go wrong. I’ll keep it brief, as I’ve written a more detailed article on nonces for Torque already.

What Is  A Nonce?

As I said earlier, “nonce” means “a number used once.” For example, most payment processors, like Stripe issue a one time use token, which is a mix of numbers and letters, for creating a payment. They call it a token, but same concept, technically a nonce word. You request the token with a public API key and then complete the payment with the token and the secret API key.

Nonces are not a security feature by themselves since they become public once printed to the page. Also, in WordPress, nonces can be used more than once.

Nonces help prevent cross-site request forgery, beacuse they can be used to prevent requests from external sources form mimicking intended HTTP request. Also, nonces make up part of your strategy to prevent XSS attacks since they help verify that the request is coming from the intended user.

Nonce Expiration

Snowy mountainAs I said in the last section, nonces can be used more than once. They remain valid for a set period of time. By default this is 12 hours, but can be changed with the nonce_life filter. This design decision means that WordPress doesn’t have to keep a record of nonces created and if they have been used. That probably would have required a new database table.

This is important to keep in mind. As are the other ingredients of a nonce. For example, one of the components that goes into a nonce is user ID, or 0 if the user is not logged in. This prevents nonces from non-logged in users from validating when a user is logged in. This by the way is why you should always send the REST API nonce on every request. If you don’t other nonces might not validate properly.

Forms, Caching And Nonces

Every form in WordPress should use a nonce to prevent cross-site forgery requests. All forms provided by WordPress core do. This includes comment forms. Also, your contact form should. We use a nonce in Caldera Forms.

In the last section I mentioned that nonces can be reused for a period of time, normally up to twelve hours. This is good beacuse it means that you can cache the content of a page with a from and the form will still work, for up to twelve hours.

The “up to twelve hours” part is the rub.

The idea behind a static HTML cache is that you only generate the page output once, and serve the same thing, which should be identical to all other visitors. This makes sense as it prevents running the same database queries and running the same PHP scripts to do the same thing over and over again.

Great, but if you have a nonce in your content, it could get expire and prevent your forms from working. Obviously this is a problem we face with Caldera Forms, when it is used with caching plugins or proxies like CloudFlare. This is also one of the reasons people have moved away from native commenting in WordPress.

What To Do?

One thing not to do is to re-generate nonces from other plugins, before they can be validated. This bypasses the problem, but defeats the purpose of the nonce. I’ve seen plugins do it though 🙁

It’s common practice to bypass the cache for logged in users. One reason is that the content may be unique to the user. The other is that nonces are unique to the user and can’t be shared.

The other thing you really should do is keep your cache times short. Definitely less than 12 hours, but probably even shorter. Also, relying on a non-PHP solution like Varnish or nGinx as a reverse proxy is preferable, but you still need to make sure your cache time is short enough.

By the way, if you’re wondering which caching plugin I recommend, I don’t use one. None of my sites receive thousands of concurrent views. The Caldera Forms site is I’m dealing with few thousand page views a day, not a time and we have it on a small AWS VPS that can handle that easily, especially with all of the assets coming from a CDN.

If they did, I would probably use Varnish and/or nGinx as a reverse-proxy over a plugin. I do use Redis as a persistent object cache whenever possible. A good WordPress host should provide a static HTML cache, powered by a server appliance, with a short cache length.

Nonces Are Important, But Don’t Get Cute

Mountain valleyNonces are important, if you do WordPress development, make sure you read the WordPress developer handbook section on nonces. If you have questions, ask in the comments. Also, be careful not to get cute with nonces, and always use wp_verify_nonce() to verify nonces to avoid issues like I discussed in this post.

 

 

Some Quick Thoughts On LoopConf

I was super lucky to be able to attend LoopConf last week. Ryan Sullivan and his team put on an amazing conference. I’ve never been to a fancy developer conference before, and I had a blast. Thanks Ryan for having me! I just wanted to share a few observations about what made LoopConf special and share my recommended videos playlist.

Before I go on, I should point out that while I don’t usually stay in hotels when I travel — I prefer AirBnB –Me and Roy Sivan being super classy by hotel fireplace– the Little America hotel in Salt Lake City where they put us up was classy AF. I didn’t know what to do with myself in such a big fancy room, but I super enjoyed sitting by the fire in the lobby and being classy.

One side of the fireplace had statues of dogs. The other side had a painting of wolves howling in the snow. Apex Classy.

Our REST API Workshop And Something New

Caldera Learn BannerRoy Sivan and I gave a 6 hour workshop on using AngularJS and the WordPress REST API. Honestly, we were worried we couldn’t fill 6 hours, but we actually ran out of time at the end. We had almost 40 attendees and people seemed to get a lot out of it.

I have embedded our slides below, and we also put all of the example code to Github. There is a ton of practical examples in there, some not finished to provide a start point for your own work. Some examples are running live on CalderaForms.com right now.

If you’re wishing you could attend an in depth workshop about the REST API from Roy and I too, don’t worry. We recently announced Caldera Learn. This new site will offer live webinars, recorded courses and code communities for anyone looking to level up their WordPress development skillset. It’s going to be awesome.

The Main Event

Photo by:  Anna Anikina

Our workshop was the day before the main event. LoopConf was a single track conference with excellent talks. They also did a great job of accommodating the hallway track. The room that meals were served in was open all day with the live stream playing. This was a great way to network and watch the talks. I wish WordCamps would do this.

The talks were a lot more focused on philosophy of code, then code. Not that there were not code examples. I really liked this trend for non-workshops.

For example, KAdam White talked about why the WordPress REST API was important for JavaScript developers and why he built his node.js client for the REST API, before showing code for a React app using both tools. Similarly, Natalie MacLees and Nathan Tyler shared their experiences learning React. They provided tons of React and general JavaScript resources in context of using the WordPress REST API.

John Jacoby Jones (JJJ) didn’t really show any code at all. Instead, he talked about lessons from Unix Philosophy that could be applied to WordPress. Andrew Norcross talked about improving our community by acknowledging and dealing with unacceptable conduct that happens in our community.

All the nerdy talks on how to code something or why to code something a certain way were book-ended by business-focused keynotes. Josh Koening of Pantheon talked about how the web has trended away from open source recently as companies have packaged what we created for the open web  in better experiences. He made an excellent point that most people can’t afford what free software costs — time and education.

Jason Cohen of WPEngine spoke about building a bootstrapped business. While he talked about pricing and product design, the best part of his talk was about managing yourself. This especially rang true for me when he talked about focusing on 2xing revenue over shiny features.

I’ve been working on both, and beating myself up over not delivering all the shiny new features I want for Caldera Forms. Those would be done if I wasn’t also working on a new tool that we’re testing right now. Then again, February is looking like a 1.5-2x growth for us versus January, so yah.

I really appreciated both of their talks and spending time talking with both Jason and Josh during the event. I was imagining LoopConf would be all out nerdy-codefest with out a ton of networking. But I got both.

Next Generation WordPress

Photo by: Alexey TopolyanskiyIn 2014 I went to WordCamp Milwaukee and saw two talks on the future of WordPress. Ryan McCue and Rachel Backer presented the beta of the WordPress REST API and Andrew Nacin talked about the WordPress REST API and the WordPress fields API being the basis for a modernized WordPress.

I was super-excited for the vision they shared, and got on the REST API bandwagon pretty hard. Of course, things turned out a bit differently then we expected then. At LoopConf Ryan gave a talk called “Next Generation WordPress”.

He talked about going from the blog era of WordPress, to the CMS era of WordPress and now the platform era of WordPress. Echoing what Matt Mullenweg said in the State of the Word about what got us here is not going to get us where we are going, Ryan suggested a new direction.

While State of The Word was all about user experience, Ryan talked about developer experience. I loved this obviously, as there is a reason I prefer to develop most things in Laravel than in WordPress these days — the developer experience — there has to be a balance here.

WordPress is a user-centered platform and that should never change. But, for users to get an improved experience, both from core as well as plugins and bespoke sites, we need to make it easier for developers to fit those needs. Ryan is, per usual a man with a plan. Definitely watch his talk, do what you can to contribute and let’s hope he gets a reasonable fraction of what he’s asking for there.

Vegan Food, Also Videos

I didn’t expect their to be such excellent vegan food in Salt Lake City, but I was impressed. If you’re ever in Salt Lake City, which I recommend strongly, check out The Vertical Dinner.

I’m still working my way through videos of talks I missed, but I created a highlights playlist from both LoopConfs for you. Check it out:

 

2016 FTW

 

At last year’s WordCamp Miami, I split an Airbnb with Vova from Freemius. We took an Uber to the speaker sponsor party together and one of the things we discussed on that ride was Caldera’s revenue from plugin sales. I was worried it wasn’t very good. But, I told him it was 3 or 4 times what it was last time I was at WordCamp Miami, so I felt good about it.

I know the time difference between WordCamp Miami 2016 and Miami 2017 or 2015 and 2014 isn’t exactly one year, but time isn’t linear. Nor is progress.

When I go to a WordCamp, I tend to think about where my career and my company where last time I was at that WordCamp. Since I often lack the ability to evaluate things relative to the proper time frame, this can be really helpful for me to see my growth.

By WordCamp Miami 2017  we should be at 4x the revenue from plugin sales as we were at last time I was in town for that event. We’ve also more than quadrupled the active installs for Caldera Forms. Because a new year is a great opportunity to talk about growth and goals, I want to share some of mine for 2016 and 2017.

But before I move on from Miami, I should mention I was also in Miami twice last year because my wife Alicia was performing at Miami Opera Festival last summer. I’m very happy and very proud that her career is also going well, and she will be an apprentice at Des Moines Opera this summer. What I do is hard, but nowhere near as challenging as what she does. I am so lucky to have her as an inspiration. Also, lucky to have her in general.

TL;DR (And This Is A Long One)

Here is this article in short bullet points for those of you who don’t have time to read the whole thing, and it’s real long:

  • Caldera Forms is growing – 4x user growth in 2016 and a lot of love.
  • Caldera matured a ton as a company. Asking Christie Chirinos to run the company was clearly the right decision.
  • I feel a lot better. Stress is way down, hopefulness is up.
  • A lot of fun stuff coming in 2017 from Caldera.
  • I wish I had written more, taught more and contributed to WordPress core more in 2016.
  • Team Caldera is growing. Maybe including you?

I can’t overstate how much happier I was by the end of the year then I was in the early parts of it. I spent a lot of time in early 2016 looking at job postings, considering taking my marketable skills to work for someone else. But, now I feel like powering through has gotten me what I wanted from doing my own thing — constant challenges, lots of fun and less stress. I’m honestly super happy with where I am now.

The Tasty Recurring Revenue

Photo by: Saul CuellarI’m the kind of person who quits a video game because I know I can win and moves on with life. Or I start over on a higher difficulty setting. I like playing, not winning.

The combined Josh + Caldera revenue is in the same order of magnitude for 2015 and 2016, but it has grown by decent amount. What’s more important is that the percentage of the revenue that has come from one off jobs has fallen significantly.

Numbers-minded people like recurring revenue beacuse it is an easier way to project revenue and therefore budget. Also, it tends to be more profitable.

But, I don’t do budgets — we’ll get to that shortly. What I don’t like about one-off jobs is the lack of personal investment. I don’t care for games with final boss battles.

What’s fun about software is it never ends, what’s fun for me, about working on projects I love or with clients I enjoy working with is that it never ends.

When we complete a Caldera Forms release, I don’t get a ton of joy out of that milestone. But my favorite part about the release process is the last step — I fork the master branch into the develop branch and set the version number ahead.

In addition to increased plugin revenue, we also added recurring revenue from maintenance agreements.  The normal play with that type of business is to sell a bunch of low priced maintenance plans that come with scalable and predictable work.

We did the opposite. High price, lots of work. It’s fun and I’m learning a lot form it. It’s not something we advertise, because we don’t have the resources to scale this part of the business, but we’d consider adding another if the client had interesting enough problems — preferably needing help with improving eCommerce performance and  conversions.

Changing The Team: Part 1 🙁

I didn’t create Caldera Forms, I started out as a user.

I originally tried out Caldera Forms, because I was impressed with work David Cramer, who was the original developer of Caldera Forms had done on Pods. I was immediately impressed and wanted my plugins to have that kind of user interface. This was before WordPress people got all excited about JavaScript driven-interfaces and David had basically built his own reactive JavaScript framework on top of jQuery before reactive frameworks were really a thing.

When I said I wanted to start my own WordPress plugin company and started recruiting those I knew, I was super excited David was on board.

The last time I wrote about the progress in our business, was in June. That article was canablized from a 2015 year in review article I never finished. I didn’t finish it in January of 2016, as I was really unsure at the time where we were going and if the company was going to survive as a team, which at the time was me and David.

In that article I wrote about struggles I had been having with David Cramer, who was the original developer of Caldera Forms, but how I felt we had patched those up and things were going better.

Unfortunately, that didn’t last. David is super-talented and he’s working on some really exciting new stuff right now, but he’s no longer working with us. In the end, we had a different vision for how to develop and manage Caldera Forms. David wanted to build new things, and so did I, but Caldera Forms has taken of to the point that it has to be priority number one.

I look forward to helping promote his new business when it launches. Please check out his new plugin DB Post Types. It’s a tool for organizing WordPress data into useful, and editable reports. A super useful tool that I’ve been excited to try out since I saw the first prototype for it.

When CalderaWP started, I had David keep control of the CalderaForms.com domain name and the WordPress.org repository so he had leverage over me, since I owned the company. When he left, we bought those assets from him. Seriously, I wish him the best and with that it hadn’t ended this way, but it was the right call.

Changing The Team Part 2 🙂

Photo by: Marcin CzerwinskiAt a dinner after WordCamp Pittsburgh I asked Devin Walker, lead developer for WordImpress of Give fame, if he could imagine doing his job as lead developer and doing the math on their budget and physically making sure the bills were paid. He laughed politely at me when I told him that’s what I was doing until recently.

It’s well known that I do too much and I enjoy working on a lot of things. But I also know that too many decisions in a day is mentally fatiguing and it is essential to stick to what you’re good at and find someone who can handle what you’re not good at.

In that post, I also announced that we had merged all of our operations under one umbrella, called Caldera Labs, and that it would be managed by Christie Chirinos. This has gone incredibly well.

Until May of this year, I never received a regular paycheck. Previously, I was living month to month and so was the business. Neither had a reasonable idea of what next month had. This had a pretty strong affect on my stress level.

Now I get a paycheck, the business’ books are in order and we have a budget. These things lead to not just less stress, but the ability to effectively manage the ups and downs in month to month revenue.

At WordCamp US when Christie and I sat down to discuss goals for early 2016, she made me start with not just what I wanted to do, but why I couldn’t do it. She’s been working since on removing the barriers that are surmountable and reminding me to be patient with what can’t be changed yet.

At that point I began to suspect that Christie is doing, on a higher level, is going through the business and identifying inefficiencies and systemic problems and addressing them when solutions are possible.

That goes hand in hand with being strategic about what we do and what we plan to do next. My biggest goal for this year was to stop running a business based on putting out fires and building shit just beacuse it would be fun.

Look, I think that being crazy is in my job description. “Let’s build a WordPress form builder, there are tons of well-loved competitors that are established and years ahead of us” is a crazy pitch for a business. What we’re doing is hard AF, but that’s what makes it fun for me. Also, it’s what sets us up for where we are going.

My strength is seeing how to put things together and what’s wrong with how systems are assembled. It’s a great skill set for a programmer and a product designer. Not a great skill set for running a business.

This part of me is why I’m good at what I do, but it can create bad feedback loops if I’m not patient. My personal growth this year, has been about getting better at focusing on changing the things I can change, accept the things I can not, and find the wisdom to know the difference between the two.

Becoming more strategic and intentional about the business has taught me, as a developer about dealing with technical debt. You don’t just start with the problems that are easiest to fix or those that have the biggest ROI in terms of getting them fixed. You have to evaluate what systems that are badly in debt touch which systems and what their technical debt it. That’s where you start. I learned this from watching Christie add prioritization and structure to our business, which in of itself was independently useful.

I know have a strategic partner who believes in this plan, and sees many ways to get to some version of the goal. That’s super important. I’m lucky to have so many people to call on for help, and to talk things through with, but having someone focused on co-developing that strategy and executing it is huge for me.

When I read Pippin’s year in reviews and he talks about how much better AffilateWP is doing, in less time, than anything else he did, I’m not just happy for Pippin and looking to see what lessons he learned can apply to us. I’m also reminding myself that he couldn’t have had that success without years of developing his team and his process.

So I’m learning to be patient, but I also have a ton more time to work on things. It’s seriously amazing to me that contracts can get negotiated, signed and invoices sent with little involvement from me.

These changes have taken longer than I wanted, and took a lot more work then I can imagine.  But, the percentage of time I spend doing what I want to do (and having that align with the company’s goals) vs doing what I don’t want to do, but have to do, because it’s necessary for the company has also improved dramatically.

Growing The Team In 2017 Part 3: Maybe You

When Christie started, Jason from Postmatic told me to be patient. He reminded me that I was better at running our business than her, by virtue of experience. But, my belief was that by nature of her skills, she could get better at it then me if I was patient and supportive.

Jason was right, and it was an important reminder, because patience isn’t one of my virtues. I’m trying to keep this in mind, as a major goal for 2017 is to grow the team even more. Right now that doesn’t mean partner-level or even leadership-type positions, though we will probably be looking for a lead UI developer and a marketing director later on in the year.

Bringing Christie on was like getting a new developer as it greatly increased the amount of time I could spend writing code. We got through last year with me handling almost all support and development and contracting out development work.

We specifically contracted out development work that required skills I don’t have. This was great as it reduced my stress-level and increased the quality of the work.

But, we’ve been relying on short-term agreements per project from friends who are talented, but busy. We’re currently working through the interview, trial and hire process for a few jobs. It’s not an easy process.

Training and evaluating new people is way harder then just doing their jobs myself. But that’s a long term investment, as I can’t keep doing everything and the more other people handle support and bug fixes, the more I can work on Caldera Forms and the larger Caldera/ Ingot road-map (spoiler alert, its the same roadmap.)

If you’re interested in working with us, we’re going to be very interested in talking with people who are interested in starting with us as a junior developer and support person. That’s where I started at Pods, and it was the most amazing learning experience. And I literally wouldn’t be here today with out that.

If helping our users out, while improving our product and learning from me sounds fun — get in touch.

Growing Beyond My Brain

Photo by: petradrAt WordCamp US we had a running joke about being a “grown up company.” The fact of the matter is this year we really did grow up. Even if part of that was acting sillier than we ever did.

On one hand we know have our books in order, a formal budget as well as an accountant and lawyer. On the other hand, DMing my friend Michal and asking him to put our logo on a taco was a real business man thing I did this year.

After WCUS Taco Club and the WordCamp US, I was waiting for an Uber to take me and my friend Steve to the airport, Christie and I talked about car accidents we’d been in. On the plane ride home I started thinking about what happens to my grown up company if I get hit by a truck again. Because, that’s a thing that happened to me at time, I couldn’t use a computer for 2 months while my shattered collarbone healed.

The point here isn’t that you need emergency plans for your business. But that is a thing we have now. The point is that by necessity our business started out as being mainly run by me, and me alone. As a result so much of the knowledge necessary to work for Caldera is in my head.

For 2017, we’re growing the team and the product and that’s going to require getting more of that knowledge into documentation and other people’s minds. That’s hard AF. This is an incredible challenge that I only recently realized the scope of.

Whenever someone asks us a question, it’s faster for me to answer it then train someone to answer those kinds of questions. It’s faster for me to keep using some hack to fix a problem then to fix it for real in away anyone can use.

I see Marc Benzakein from ServerPress a few times a year at WordCamps and we talk a lot about growing my business. One thing that always comes up is getting more people to associate Josh with Caldera. This goal goes hand in had with getting people to see Caldera as more than just Josh. While that second part is true, to make it efficient, we need to work on documenting our processes better, and better team member onboarding.

In July I presented at WPCampus, the same weekend that Christie presented at WordCamp NYC. Caldera had never been in two places at the same time like that and it was something I was intensely excited about and proud of. Also a little jealous beacuse she got to speak at the UN…

No one should be as obsessed with this business as I am. It’s an intense level of obsession, and I hope that passion shows in everything we do. Not to say Christie isn’t obsessed with this too, but she didn’t build it and people we hire to help out with development and support sure didn’t.

Our next challenge is making sure that the passion for the product shows in every other team member and is backed by knowledge of the product.

Branding

CalderaWP WapuuWhen Caldera started, I didn’t think of Caldera Forms as a big part of our plans. I felt like it was a part of what we would create. For example, one of our launch products Easy Pods, uses Caldera Forms to create search forms for Pods content.

We’ve made a lot of different things, but nothing has taken off like Caldera Forms. We started the year at 10,000+ active installs of Caldera Forms and ended it  at 40,000+.

Passing 40,000 installs in late November was huge milestone and it happened right before we pulled the trigger on a site relaunch. The old site was at CalderaWP dot com and tried to present multiple product lines equally. That site was built for a different company than we ended up having. The more I hacked on it to make Caldera Forms more prevelant the weirder it got.

So, last fall I through it out and started over from scratch. In December, we relaunched the site as Caldera Forms dot com. It’s now way more focused. We also added a new build your own bundle feature at the end of the year to respond to concerns from users that they wanted to choose which add-ons went into our lowest priced bundle, instead of the 5 we chose form them.

Building the new site was super time consuming, and we saw a short term drop in sales as we ironed out bugs, and dealt with some problems in search results. But it seems to have picked back up and complaints about the usability of the site or problems finding add-ons or documentation have dropped significantly.

Adding that bundle builder, is the first step of moving towards a Caldera Forms driven eCommerce interface on the site. The content management for products and software licensing will still be managed by Easy Digital Downloads, but the interface will more and more be Caldera Forms.

In addition, we will be making use new tools built on top of Caldera Forms, Ingot and Easy Digital Downloads that I are being developed first for site and then will be externalized as products. I’m really excited about what we’re budiling to improve selling digital products and look forward to showing them off soon.

This kind of dog fooding has been great. I’m trying to take an Amazon-like approach to building everything as a service that can be turned into a product as needed. It’s a bit of a tough balancing act as when I build stuff for our site, I don’t need a UI, and I don’t have a ton of time.

But this forces me to build software with proper architecture from the start. If I can write code that can take its configuration as a dependency, it doesn’t matter if that configuration starts hard-coded. If and when the internal tools I’m building now become products, I can easily add Caldera Forms processors, REST API endpoints, and/ or a CLI for end-users to configure them.

Missed Goal: Teach More

I love to teach. Caldera has from day one, had a goal of providing WordPress plugins and WordPress. One of my huge goals for 2016 was to write more, teach more and contribute to WordPress core more. I wanted to release several new courses.

I released a REST API course in January and thought it would be the first of many I’d do in the year. We held some workshops in September, which were recorded. I loved teaching those and want to do more. BTW fun fact — for a reasonable fee I will come to your city and teach WordPress development workshops to your company or meetup group. For an extra fee, I’ll bring Carl.

The workshop video is edited and I’m going to do some re-recording this month to fill some gaps. I’m really excited to get this course out there and to really make Caldera Learn a great resource for those looking to level up their WordPress development and satisfy my need to teach others. Also, it should be another good revenue source, that will help us grow our team further.

I want to say a special thanks to Ryan Sullivan. He made the workshops possible by sponsoring them in the name of his company WPSiteCare and the conference he organizes LoopConf. We needed sponsorship money and Ryan is super generous and I’m sure he sees a good ROI in having me say nice things about WPSiteCare, which I don’t mind doing as they have an awesome product, that we recommend all the time.

I was a contributor to all three major releases of WordPress in 2016, which felt good. I didn’t do a ton of work on core. I wish I had done more. A patch or two per release is not particularly time consuming. I hope to do more in 2017, and I think that as we work to create more margin in the business that will be great.

Caldera Forms

Caldera Forms Globe LogoThe website project I discussed earlier was long-overdue, our old site was terrible. I was OK with that for awhile, as I was actually trying to slow down our growth in early 2016. In later 2015 people started to really use Caldera Forms. In 2016 we had 180,000 downloads. We have slightly over 230,000 downloads total as of now. That gives you an idea of how big 2016 was for us.

That’s awesome, but going from 1,000 to 10,000 active installs exposed a lot of problems with Caldera Forms. We spent a ton of time in late 2015 and early 2016 fixing the kind of problems you don’t find until you get a real user base. We stopped adding new features and just focused on making what we had be more reliable.

Getting through that wasn’t easy, but I grew a ton as a developer, and the product was well postioned for the rest of 2016 as we went from 10,000 to 40,000 installs while decreasing the number of support tickets and solved most email related issues.

Serious pro tip: setup DKIM and SPF records for your domain and use a transactional email service. If your contact form submissions are going to spam, your DNS is probably not setup right. You can fix it in 10 minutes.

I got into WordPress while I was in grad school at Goddard College, a small hippie college in Plainfield, Vermont. Plainfield, Vermont also happens to be — until recently — the home of Jason from Postmatic. This is purely coincidental, Chris Lema introduced us.

In May of this year, I spent part of a week working out of Jason’s offices in Plainfield, which was a great time. We talked a lot about Caldera Forms.  At the time I was really excited that we had a solid plugin that worked. But Jason opened up a WordPress site and showed me what my next “what’s wrong” was: new user experience.

We call Caldera Forms “A Different Kind Of WordPress Form Builder.” Many of our users are new to WordPress, but others are trying us out after using other form builders. Last time I checked the stats, Contact Form 7 was the 3th most common plugin to be installed on a site using Caldera Forms — that’s behind Aksimet and Yoast SEO. Getting people passed their existing expectations of what a form builder can do is not easy.

Caldera Forms 1.4 started with that talk with Jason and running his feedback by other developers and users. In that release, we emphasized form templates over creating forms from scratch, changed a lot of our verbiage, and added a lot of context clues to the form layout builder.

Getting users to start from a template helped the form builder teach itself to users. No amount of documentation, which we also improved, including a new getting started guide, can beat that. Still some, users will start with a blan

In his Caldera Forms webinar for iThemes Training, Benjamin Bradley said he appreciated that the Add Field button was blinking when the form had no fields. This was pretty great vindication for me, as making that button “pulsate in order to draw the user in” was one of my wackier ideas I had, but like Taco Club, it worked out pretty well I think.

It was very liberating to refine things that worked, but could be better instead of just putting out fires.

While Caldera Forms 1.4 was our only major release in 2016, we did add a lot of new incremental improvements to Caldera Forms, and some new features. These include magic sync for fields, SendGrid integration, improvements to conditional logic as well as hidden fields, better file upload fields, field duplication, and a ton of new features as well as better infrastructure for add-ons.

Most exciting new features came in add-ons. We released recurring payments via BrainTree and Authorize.net. We added ConvertKit and Aweber add-ons for email marketing. We also added a form translations add-on and several other cool new add-ons.

Our Form to PDF service is our first SaaS product, and my first time launching a customer-facing app in Laravel, which I’m loving working with. In 2016 look for Caldera Space — we’re too cool for the cloud, we went to space — to grow even more cool new features to make Caldera Forms better.

After 1.4 came out, we split our Git development between a 1.4.x branch and 1.5.x branch. The idea was new features went in the 1.5.x branch and bug fixes went into 1.4.x. On one hand this has been great as we put out a minor update for Caldera Forms roughly once a month with small bug fixes and occasional small new features.

On the other hand, version 1.5 is full of big, exciting new features. Some of them are interdependent on others and it makes sense to work on them in isolation without worrying about breaking the branch we count on for bug fixes.

But, there are some really cool new features that were relatively simple, that could have already been in user’s hands like conditional recipients and scroll to top after submit. I think I’ll revamp this approach once 1.5 is done, and it is almost done. I like having a safe space to break stuff and rebuild it while developing internal APIs for multiple features, but I also with I had finished 1.5 already.

More importantly Caldera Forms 1.5 is going to be hella awesome. It’s got a 9 new field types, a new front-end entry viewer powered by the WordPress REST API, new default processors and more. I also removed all the inline JavaScript rendered in post content. This will reduce bugs with themes that do strange things to post content, and also allowed me to improve the efficiency of our front-end JavaScript a bit. We’re also loading less front-end JavaScript and CSS, so performance will be better.

Last time I searched the source  for “@since 1.5.0” I got over 220 results. For everyone of these new features I approached the work with a “no new technical debt perspective.” This meant new internal APIs and formalizing conventions into programmatic rules. As result the time spent developing new features was also time spent improving the quality of the code and therefore stability of the system.

Pricing Changes

strawberriesAt WordCamp San Diego I sat down with Pippin to talk about our growth and what we could do to improve it. He asked me what our average cost per sale was. I didn’t know, but he told me it was a safe guess that it wasn’t great.

I wrote a quick plugin to do the math and he was totally right. Increasing our average cost per sale has been a huge focus. BTW I later found Scott Bollinger’s EDD Metrics plugin which is great for tracking these types of numbers.

Soon after we launched bundles, which has gone well, but we’re still seeing too many single add-on purchases. When we launched bundles, the single add-on pages on our old site were made to highlight single site licenses or bundles.

That didn’t go well as it hid multi-site licenses making our add-ons seem way more expensive. For example, it wasn’t obvious that you could get a $89 five site licnese for our MailChimp license, it seemed like you would need $250 worth of single site licenses, which if true wouldn’t be fair.

In December we launched our 3 add-ons for $79, 5 add-ons for $139 bundle builder. This required building a cool new Caldera Forms integration for Easy Digital Downloads. I also modified the site to make the options more clear. It’s too early to say if this is working, but early numbers for January look good.

Taco Club

WordCamp US Taco Club Caldera Forms LogoOK, this is getting really long, but I have to mention WordCamp US Taco Club, beacuse that’s a very real thing that happened this year the night before WordCamp US. We had more than 30 people over to our AirBnB for a taco party.

This event was great, we got to meet Caldera Forms users, make new friends, see old friends and enjoy a taco bar together. It was great fun, and on a suggestion from our friend Kyle, we made an epic WordCamp Mannequin Challenge.

I look forward to having more fun, and non-exclusive events around WordCamps this year. They might not all be Taco-flavored, but I hope their corresponding limited edition stickers are as cool.

Personal Life

One thing I strived for this year was to get out of bed earlier and limit my work hours a bit. Working 100 hour weeks definitely took a bit of a toll on my health and ability to relate to other human beings.

That said, I’ve also come to peace with the fact that my work is my life, beacuse I love what I do. I know I’m supposed to strive for better work/ life balance. I definitely spent more time reading and otherwise indulging in my passion for science-fiction. But, I’m OK with the long hours and I’ve never found anything more fulfilling than what I’m doing now.

In sadder news, my cat Shy died in 2016. She had been with my wife and I since we moved in together in 2001. When we moved to Florida she claimed my office in our new office as her own. I spent most of those long work hours with her sleeping on my lap, on my desk or on the futon behind me.

It was definitely her time, but I miss her.

On a happier note, our other cat Gus has really thrived as an only cat. He’s closer with us and he’s actually made friends with our dog Josie. They cuddle together sometimes, which is super cute.

Josie is doing great and was even selected as our vet’s pet of the month for December. I’ve never been prouder of her. She’s a great doggo.

As I said earlier, this was the first year that I got a regular paycheck for an extended period of time. I also turned 34 this year, so it shouldn’t come as shock that my personal finances are not great. Nothing too terrible, but my wife and I spent a lot of money this year on paying down debts, which is annoying, but important.

At the end of last year my wife bought me a Chemex for Christmas. Coffee optimization has become a big passion of mine. Thanks to having a great way to brew coffee — you’re not still using a machine are you? — and the fine work that the people of Lucky Goat Coffee do, I’m drinking better coffee and coffee has become a shared experience — this thing takes awhile, but it’s worth it — we do most days together.

2017 Goals

Photo by: Ales KrivecOK, so now I need to stop before this turns into a book, though I do wish I could tell some more stories. I have so many great stories, like the time Rich Robinkoff talked me into going to WordCamp NEO to talk about the importance of stories.

I haven’t talked about everything. I’ve barely touched the 10 or so WordCamps (I’m counting WPCampus) that I attended. Nor have I talked about some of the cool projects I’ve been a part of — for example I got to work on Cookbook a very cool new recipe plugin from WPSiteCare. I’ve glossed over Ingot, beacuse I’m annoyed I didn’t get to work on the core plugin this year, but I’m excited for the evolution of that product line, which is underway.

But it’s time to go, so here’s what I want to do in 2017:

  • Triple user base and revenue from Caldera Forms
  • Convert all checkout and license management forms on our wsbsite to Caldera Forms and externalize that as products.
  • Improve the analytics and marketing automation tools we use for Caldera Forms and externalize those as products. I gave a preview of some of that at WordCamp US and am pretty excited about what come next.
  • Release the course we’re working on now, create shorter content to use for lead generation to help sell the course and test new tools discussed above.
  • Grow the team.

wordpress-logo-simplified-rgbOk, that was a lot, but it was a huge year. If you’re reading to the end — or just skipped here — the shortest version is I’m a lot happier with my professional life now then this time last year. That’s awesome. A ton of people have had a lot to do with that and I hope that everyone of them and everyone in the WordPress community knows how much I appreciate them for being so awesome.

Fun Challenges With Recent Caldera Forms Updates

cropped-CalderaWP_Icon_512x5121.pngLast week, we release a new version of Caldera Forms and a new form translations add-on for Caldera Forms. These were both fun projects to work on and I wanted to share a more technical overview of some of what I did on those projects than I gave in the official release post.

I hope this post is interesting and useful to all WordPress developers, whether you are a Caldera Forms user or not. But if you’re not, maybe it’s time to try it 🙂

https://calderawp.com/2016/11/caldera-forms-translations-and-more/

 

Caldera Forms Translations

Photo by: Ben MoorePreviously, When using Caldera Forms or most other form builders on a multi-lingual site, you had to have to create multiple forms, one per language. That is a pain to manage. Making one change meant editing multiple forms.

Caldera Forms Translations is our new translations add-on. One forms, many languages. I originally was planning this as a feature of the core plugin since we didn’t want to make it a paid add-on. That said, figuring out if a form has translations, then if each field has a translation, and then if that translation is in the right language introduces a bit of overhead to form rendering.

It’s not that much, and its worth the trade-off in exchange for the functionality. But this is one of those features that is great for certain users and not worth it for many, so an add-on makes perfect sense.

The interface for this plugin was a lot of fun to build. It’s actually the first time that we’re using the new Caldera Forms REST API. I will be blogging more about the challenges of implementing the WordPress REST API in a legacy project soon.

I actually did the first pass at this plugin using admin-ajax. I thought it was just going to be one ajax action I need for the admin UI. Turned out I needed three.

You can see the commit where I deleted those callbacks here. But I can best summarize how messy things become validating and authenticating these type of HTTP requests get with this:

if( cf_translate_can_translate() ){
        if( ! empty( $_POST[ 'language' ] ) &&  ! empty( $_POST[ 'form_id' ] ) && ! empty( $_POST[ 'fields' ] ) && is_array(  $_POST[ 'fields' ] ) && ! empty( $_POST[ CF_Translate_AdminForm::nonce_field_name() ] ) ){
            if( CF_Translate_AdminForm::verify_nonce( $_POST[ CF_Translate_AdminForm::nonce_field_name() ] ) ){

That’s terrible and doesn’t even get into sanitization. I think it was the third time I had to refactor that when I decided to add the Caldera Forms REST API infrastructure to Caldera Forms 1.4.4. Previously I had infrastructure and some implementation on the 1.5.0 milestone.
The REST API routes for this plugin has three endpoints. One is for saving settings. The other two are for adding and saving languages.

This add-on supports more than a hundred languages. I don’t want each field to by default to support all of those languages. So, in the UI, there is a selector for languages and an add button. This makes an API call to get the field data, and insert it into the local variable that tracks the languages of the form.

The JavaScript for this interface is a bit experimental and doesn’t use our normal UI framework. I’m playing with new ways to build UI. This add-on was an experiment in using a more structured system. I ended up with a pretty modular system that separates each part of the UI into its own closure. That’s good, because I will probably replace each part one at a time as I continue to use this add-on for experimenting with UI systems and figure out which JavaScript framework we will use in the future.

I will admit that some of this modularity was a bit of overkill and I definitely broke some of my self-imposed rules in order to finish it. Still, I think it would take minimal refactoring to pull one part of the system out if I wanted to replace it with something else, or reuse it elsewhere. Also, it works, which is the point.

One thing I am very happy with is how the class that handles translating fields during rendering works. You can read the source here. This class is a good example of using dependency injection — it takes the form configuration through its parent’s constructor — and using inheritance to create a reusable system. Its parent class is a system for conditionally adding a filter. I might add a similar system to Caldera Forms itself, I’m not sure yet.

Caldera Forms 1.4.4

Photo by: petradr

The new version of Caldera Forms is mainly a bug fix release, with a few enhancements. Most of the bug fixes were to resolve accessibility issues, as we continue to work towards our goal of being the most accessible WordPress form builder. Mainly the new improvements are infrastructure for add-ons and custom development. The REST API infrastructure will get its own post soon.

The biggest improvement in this new version is how file and advanced file fields handle uploads. One of the trickiest thing about building a form builder is dealing with the fact that most form submissions use more than one HTTP request. A validation error means another request may be made. Also, our advanced file field uploads multiple files via multiple AJAX requests and then the main submission happens.

As a result, when the main submission is being processed for a form with an advanced file field the $_FILES super global is empty. These fields allow for saving files to the media library and/ or attaching the files to an email.

If both options are selected, that’s easy. We upload the file to the uploads directory, add it to the media library and then attach that file to the email. When the file needs to be attached to the email, but not saved to the media library, that’s where it gets tricky. The file needs to be saved to the server so it can presit between sessions, but users are right to expect the files to not stay there forever. That creates a privacy issue and disk space usage issue.

My solution for this scenario, which is based on a conversation I had with Micah Wood when we had dinner last time I was in Atlanta, was mainly written in my my car as my wife and I drove back from Atlanta. I introduced a new class to Caldera Forms for handling file saving and implemented it in the existing callback for file fields.

This new class manages files on the server and introduces a concept of a private file. Private files are stored in an almost randomly named sub directory of the uploads directory and deleted later. That dub-directory names is named using a hash that can be created predictably, but only by the server, not an outside observer. As a result I can find the directory later and delete it.

Choosing when to delete that file is also a challenge. It should be deleted after form submission, but it needs to be available when the email is sent, though that email may be disabled. In addition, I had to account for files uploaded to form submissions that failed validation, and were never completed.

So, I wrote two ways to delete it. The first was to set a single CRON to delete the file(s). If form submission is successful, the files will be deleted by the time it runs, but its a good fallback. The other method hooks in at the last action that would be run if no email is set. It checks if the email should be sent. If not, it deletes the files. If an email should be sent, it adds a hook to run after the email is sent, to run basically the same callback.

Read The Source Luke

I hope you found this article useful and that you dig into the source code I’ve shown. Reading the source is the best way to learn.

Writing articles like this is something I’d like to do more of because most of my articles on development are a bit divorced from the real world. That’s fine, I’m teaching a principle most of the time and contrived examples are needed.

The real world is a lot messier than a tutorial. Improving a large code base and fixing bugs without breaking more than 30,000 websites running that code is a challenge. It’s a lot of fun, and its a great way to learn.

 

WordPress Authentication (over) Concerns: A Quick Case Study

A big push back against the WordPress REST API has been a feeling that a lack of authentication system makes these endpoints not useful. This is strange to me, since the content endpoints use the exact same permissions system as the rest of WordPress.

I think a lot of this confusion comes from the excitement about building cool apps that connect from outside of WordPress via the REST API. In those cases, WordPress’ cookie-based authentication does not work. Therefore a different solution is needed. oAuth1, oAuth2, JWT, a custom system, etc.

I like JWT a lot by the way in those scenarios. This plugin makes it very easy.

But what about when we are using the REST API to improve WordPress from inside of a WordPress theme or plugin? Or what if — presuming the content endpoints make it into WordPress 4.7?

In those cases, cookie-based authentication, which is super easy to use, is all we need. This is especially exciting for core. I’d love to see the REST API used for content editing in the front-end and/ or the customizer. Also, what about new ways we could work with terms or custom fields in the post editor, or combine editors for multiple content types, or build dynamic list tables?

Today I made up a quick prototype of a front-end revisions browser for posts. It took me about an hour, and most of that time was spent figuring out how revision endpoints worked — I had never used them before — and working through a bug in the REST API that was quickly resolved.

I’d like to briefly show you how it works, and discuss using cookie authentication, as well as why that was the best choice.

If you want, you can check out the code here. Also, if you want to learn more about authentication using the REST API, I have a section of my REST API course that covers this topic.

Photo by: Philipp Reiner

Why Use Cookie Authentication?

The first question is why use cookie-based authentication for this type of problem. The short answer is “why not?” I mean, why does having a REST API in WordPress mean that we have to suddenly start using a second authentication system? We don’t do that with admin-ajax?

The REST API does force us to use a nonce, in a way that admin-ajax does not, which complicates this by 2-5 lines of code. If only admin-ajax had been designed the same way, we probably could have skipped a few thousand XSS and CSFR vulnerabilities in plugins and themes.

How Does Cookie Authentication Work?

Cookie authentication works exactly the same way as it does in any other WordPress request, which is to say pretty much automatically, if we send the right nonce. That nonce, which must be created using the wp_rest action, can be sent as a header or as part of the query in a GET request or the body of a post request.

In the plugin I built as a proof of concept for the revision browser, I localized the URL for the current post’s revisions endpoint, and included the _wpnonce query argument, like this:

	$api = add_query_arg( array(
		'_wpnonce' => wp_create_nonce( 'wp_rest' ),
		'context' => 'view'
	), rest_url( sprintf( 'wp/v2/posts/%d/revisions', $post->ID ) )  );
	wp_localize_script( 'revision-browser', 'REVBROWSER', [
		'api' => esc_url( $api ),
		'nonce' => wp_create_nonce( 'wp_rest' ),
		'content' => $selectors[ 'content' ],
		'title' => $selectors[ 'title' ],
		'links' => $links
	]);

That’s pretty simple. Another approach would have been to put nonce as a key in the REVBROWSER object I was localizing. Then I would have had to add a header to my request. To make that work I would change my AJAX request from this:

$.get( REVBROWSER.api ).success( function( r ){ ...

To something like this:

$.ajax( {
   url: REVBROWSER.api,
   method: 'GET',
   beforeSend: function ( xhr ) {
      xhr.setRequestHeader( 'X-WP-Nonce', REVBROWSER.nonce );
   },

} ).success( function( r ){ ...

Either way pretty simple and works perfectly with WordPress as-is. No one who isn’t authorized to view revisions can see these revisions.

What About admin-ajax?

I could do that with admin-ajax (image meme)This is the point where someone mentions that I could have used admin-ajax. That’s totally correct, but let’s talk about what I didn’t do when I built this, but would have had to with admin-ajax.

I didn’t write any new code to collect revisions and convert them to JSON. The content REST API does that for me. This kind of efficiency is why we use open source software.

I also didn’t worry about authentication, authorization or cross-site forgery. That’s handled by the core API for me. I could do all of that myself, and hopefully not mess it up. But I didn’t have to. The next person who does this might be not as picky about security issues as I am. When we off-load those concerns to core, we get help from all of the other people working on the project. This is why we use open source software.

And it’s important to say again that not everyone exposing private content or allowing updating of content via admin-ajax has added the right permissions and nonce checks. Our ecosystem has been harmed by the fallout of those mistakes. The WordPress REST API will not make developer-errors that cause security vulnerabilities go away, but it will help.

By the way I did this once before for Lasso using the custom API I built for that plugin. It took Nick and I a long time. What I built today, needs some UI work, but could, if there is a content API in WordPress core, be polished patch for WordPress core without much more work. I’d love to do that if possible.

Being Loved Isn’t Enough

My dog Josie begging in my kitchen.
This is my dog Josie.

One argument for the REST API’s inclusion in core is that so many people are excited about it. I think that is a decent argument. We need people to be excited and passionate about building cool stuff with WordPress.

But that’s not enough. Having a standard way of working with WordPress content via a REST API is about creating new tools for end-users while following a standard and working together on improving the tool we all love. That’s why we use open-source.

The Core Team Wants To Know What You Think

Earlier today, Helen Hou-Sandi, a lead developer of WordPress and the release lead for 4.7 asked a question on Twitter that led to a bit of a discussion and then this proof of concept.  There has been several posts on the WordPress core development blog asking for comments on the REST API merge proposal and invitations to discuss further in Slack.

That’s awesome. This is a big decisive for a big project and I love that those making the decisions are so open to a public discussion.

Get involved y’all.

 

Getting Started With Modern WordPress Development: What You Need

I’m teaching a few workshops this month aimed at those looking to level up their WordPress development chops. It’s got me thinking a lot about what you need to do quality WordPress development.

It’s a very subjective question, what software to use, what principles to value, what resources to learn from… So I wanted to share my thoughts on what is necessary for getting started. The list is less about software, and more about concepts because in the end, it’s about the wizard, not the wand.

Tools

You can write code in notepad and FTP it up to a shared host and hope for the best, but to do it right you need some basics tools. Here is my opinionated list. I’ve broken it down into “basics” and “important”. The first category is things you should have right away. The second list is important, but can probably wait.

Basics

Code Editor and IDE

A code editor is a specialized text editor designed for writing code. I like Atom as my simple code editor. It’s the application I use when I just need to open up a file, read it and maybe make a few changes.

An Integrated Development Environment (IDE) is more than a code editor. A good IDE provides everything you need to develop in a language. I do most of my work in phpStorm. I use it as a code editor, web server, terminal, sFTP client, Git client, and more. I probably don’t use half of its features.

Git and A Git GUI

Github Social CodingYou must use version control. It’s just not optional if you need to do anything large in terms of development or work with others. It will also be a part of your deployment strategy.

I wrote more about why you should use Git on the CalderaWP blog. WP Pusher, which is an excellent tool for deploying Git repos as plugins and themes, offers a Git course on their site that is worth checking out.

While I use the command line and phpStorm for Git most of the time, I am still a big fan of SourceTree and it’s one of a few reasons I miss using a Mac for my primary development machine.

Local Development Environment

Installing A Site With DesktopServerThe reasons to use a local environment are numerous. The short answer is — it’s faster, more secure, and no one can see your fails.

There are a lot of ways to set up a local environment on your computer.  Here are the ways I recommend, in order of ease of use:

  • DesktopServer – A simple application that gives you an interface for creating local WordPress sites. Start here if you are new to local development. It’s easy and might be all you need.
  • Valet – Made by the Laravel project, but works with WordPress. I use this on my Mac (never figured out how to get it to work in Ubuntu.) Requires Composer, homebrew and a bit of setup.
  • Vagrant – Vagrant creates a virtual machine on your computer that you can use for development. I use the popular VVV project for setting up a WordPress development environment on my main computer.

Important

Dependency Management Tools

Mandelbrot FractalI’m going to go less in depth here, as I’ve covered Composer quite a bit here and on Torque. Seriously use Composer, it makes PHP development better and easier.

Other tools I use for dependency management and task running:

  • Composer
  • NPM
  • Grunt
  • Bower

xDebug

When doing JavaScript development, you can use the browser’s developer tools to debug your code. You set a break point to stop execution and see what the variables equal at that point.

xDebug gives you that for PHP. It’s an amazing tool that takes the guess work, and the vard_dump()/die(); out of development. xDebug comes pre-installed in VVV and works great with phpStorm.

Concepts

Basics

Photo by: veeterzyIf you’re brand new to development, you need to get PHP and JavaScript fundamentals down first.

I’ve written a ton on PHP over on Torque. I recommend starting with my PHP fundamentals article and then looking at my article on using WP_Query to learn object-oriented PHP.

For JavaScript, I like CodeAcademy’s JavaScript course. The book “JavaScript The Good Parts” is also worth reading. Like most WordPress developers, I started with JavaScript by using jQuery and starting in jQuery being a smart start is the consensus we came to when we discussed this on an episode of The WPCrowd, which I followed up with an article on the same topic on Torque.

The WordPress Way

It’s hard to define the WordPress Way, without jumping into WordPress code, which you totally should do. The best way to learn after all is to read the source.

In addition, you really should read the WordPress handbooks:

If you take one lesson from the handbooks, it should be that there is a standard for documenting code and that you should follow it. Inline documentation makes it easier to work with your code, it makes it easier to read your code and it’s super useful to developers who are not familiar with your code.

Principles

I am very much a believer that pragmatic adherence to certain principles will make you a better developer. At a minumum, I think you should familiarize yourself with the single responsibility principle and the do not repeat yourself (DRY) principle.

Class Autoloaders

I’m a huge beliver in using a class autoloader. It’s becoming more common in WordPress, but is still behind. I covered using a PSR-4 autoloader and Composer’s autoloader in an article for Torque.

An autoloader is simple to setup and it forces a logical directory structure and class naming system on to your plugin or theme.

The WordPress REST API

As you probably know, I’m a huge advocate of the WordPress REST API. I think it’s super important for advancing the quality of code and end-user experience we can deliver.

I’ve written a ton on the REST API to help you get started. But, in my mind, it’s not just about learning the REST API. It’s about learning how to write plugins, themes and site-specific code that can be used with theme templates, shortcodes and the REST API.

TL;DR

Photo by: Paula BorowskaPaula BorowskaOk, that was a little long, but here is my summary:

Use local development (start with Desktop Server) and Git (Github and SourceTree FTW.) Composer and autoloaders are awesome. Read Carl and Tom and document your code.

I’ve linked to a ton of free content, mainly by me, to help you learn. I have two WordPress development courses. One on the WordPress REST API and one on modern WordPress development. You should check those out if you want to learn more and say thanks for all the articles and WordCamp talks that I’ve done to help educate the community.

Using Easy Digital Downloads To Serve Downloads From WordPress.org

On CalderaWP.com we use Easy Digital Downloads to sell plugins. We also have a few free plugins listed as free products. We do this because, even though you can just install them through WordPress.org, we’d prefer that you create an account on our site and sign up for mailing list.

What I didn’t want to have to do was manually update these files every time I made an update. It seemed better to pull form WordPress.org.

I had originally set the EDD file link to use a link like https://downloads.wordpress.org/plugin/caldera-forms.zip. But for some reason, that I couldn’t figure out, this was giving a year old version of Caldera Forms.

When I opened a issue about adding a filter in EDD so I could work around this, it was pointed out that I should be using https://downloads.wordpress.org/plugin/caldera-forms.latest-stable.zip instead. This seems to have resolved the issue for me.

Anyway, small tip and I told Otto I’d document a way around it after he took some time to help me understand how those files work and told me their was no CDN in use that could have explained it. I will update if I find out more about this mystery.

Proper settings to make a file downloadable in Easy Digital Downloads from WordPress.org

 

Deploying WordPress Plugins and Sites Built Using Composer

I’m a big fan of Composer, which I believe will give you super powers. I am happy that it is gaining in popularity in the WordPress world. I often hear from developers who love it, but are not sure what to do about the vendor directory in their plugins or themes or sites.

I spoke about the advantages of challenges of using Composer in a recent episode of The Plugin Architect podcast. I use Composer in most of my plugins. Most of Ingot’s code is in Composer packages, which helps us share code between different versions and add-ons. I also helped refactor the plugins Maps Builder and Maps Builder Pro by WordImpress to make sharing code between the pro and free versions easier.

Often times people are not sure what to commit or gitignore and the best way to deploy their code to keep their package size small. I’d like to answer a few questions to help you make the best of Composer for WordPress development.

Should You Ignore The Vendor Directory In Your Git Repo?

TL;DR yes.

A lot of people are hesitant to gitignore the vendor directory and other dependencies in their GIT repos. Most of the managed hosts encourage you to use GIT to manage your dependencies when using GIT as a deploy tool. This is not good practice for  a few reasons.

First, it is messy and redundant. Why should I use a GIT to manage changes in code that is managed by a different VCS system? It doesn’t make sense. A change to a dependency should require a commit in the configuration file for Composer, Bower, NPM, etc, but not commits of actual code.

Also, keep in mind that by default, Composer checks out all packages as GIT repos. That’s great in development, but not something you want included in your final product. Composer is built with this in mind. But you should not ship your plugins with Composer packages as GIT repos or push GIT repos of dependencies to your site.

Down with redundancy and bloat, folks.

Solutions

TL;DR –prefer-dist

Let’s talk about two scenarios, site deployment and shipping plugins. The solutions are pretty similar.

Site Deployment

The first situation is where you are deploying a site using GIT and Composer. If your live server has Composer installed — a rarity for some bizarre  reason in the WordPress managed hosting space — then this is easy. Use Composer to manage dependencies and gitignore the vendor directory and when you deploy use the –prefer-dist argument to tell composer to not checkout the whole GIT repo.

Laravel Forge, which is a server provisioning and deployment system of industry, has this line in its default deploy script:

composer install --no-interaction --no-dev --prefer-dist

This tells Composer to install with none of the packages that are required for development only, like your unit test framework, and to get the packaged distribution of the dependency, not the whole GIT repo. I have no idea what --no-interaction does, but let’s assume its good.

You probably want to add –optimize-autoloader to that if you’re not using Laravel, which runs that in one of its post install scripts.

Plugins

CalderaWP WapuuI make more plugins than I make sites. Most Caldera Forms add-ons use Composer to manage at least two dependencies. I’ve written a Grunt script that helps automate this process. It checks out all of the dependencies using composer update --prefer-dist and then copies everything to a sub directory, which it then zips and deletes.

This means that my plugin repos, have a directory, usually called releases, with a ZIP file I can upload to our site. I used to add an automated SVN deploy when I was working on plugins that need to go to WordPress.org. Now I just open that ZIP file and drag it into a new tag inside the SVN repo, opened with phpStorm and commit that.

What Else?

TL;DR Alot
Photo by: Jasper van der MeijThere are a few other challenges when using Composer. But I really do think they are outweighed  by the benefits. Composer is an essential part of the workflow for modern WordPress development.

Nor are these issues unique to Composer. I should probably write a follow up on using Bower Installer to solve a similar problem with Bower and NPM.

Composer is a great tool, and I hope you will try it, and when you do, this will have helped you learn how to make it work properly with GIT.

 

Learn Modern WordPress Development With Me

Cherry Tree

Photo by: Maja PetricSomewhere, in a parallel universe, I’m teaching high school science in an under-served New York City public school. At the beginning of the journey that led me to becoming a WordPress developer, I turned down an opportunity to join the New York City Teaching Fellows.

This was 2010 and New York City was balancing its budget by slashing education funding. It was the wrong time to go into teaching, but I do sometimes regret not becoming a teacher.

But one of the things that the WordPress community has given me is the opportunity to teach. It’s something I love to do — writing about WordPress development, speaking at WordCamps and creating my REST API course — it’s all something I just can’t get enough of. I’m always looking for ways to teach more.

Plugin Development For Everyone

Photo by: veeterzyToday, I’m super excited to announce a new course “WordPress Plugin Development With The WordPress REST API.” This course is what you need to get started with modern WordPress development. It’s not just about the WordPress REST API, but obviously that’s a huge part of what I will teach.

This course is not just for people who want to develop plugins for release, but also, for those who want do site development. You will learn how to create quality, reusable code you can implement on one or more client sites.

strawberriesWe will be offering this course as a one day workshop and as an online video course. The first workshop will be held in Pittsburgh on September 16th, the day before WordCamp Pittsburgh. The second workshop will be held in Tallahassee in October, date to be announced soon.

The workshops will offer both lecture-style instruction and hands-on work time to apply what you have learned. The video course, which will be available later this year will include all of the example code from the course, so you can practice what you have learned or use that code as a jumping off point for something of your own.

What You Will Learn

This is me, at WordCamp San Diego using the force to summon an object to me in the middle of my talk. Photo by Joe McDonald.
Photo by Joe McDonald.

I’m going to teach how to use WordPress hooks — the WordPress plugins API — using real object-oriented PHP. That way you can develop plugins that can work in traditional WordPress themes, via the REST API or both. Then I will show how to build a custom REST API, using object-oriented PHP.

Then we will finish with what you need to know about JavaScript to build a great user-interface that interacts with the WordPress REST API.

I hope you see the progression here. Solid foundation for a REST API and other APIs to a REST API to an interface that uses the REST API. That is what I think is necessary for modern WordPress plugin development.

A Big Thank You

LoopConf Logo

This course’s super-awesome level sponsors are WPSiteCare and LoopConf. It would not be happening with out that support. I’d like to say a big thanks to Ryan Sullivan, the founder of WPSiteCare and LoopConf for believing in the value of this course and backing us.

This is an introductory course that’s designed to get you leveled up fast and ready to start tackling serious WordPress development projects. If you purchase a ticket for the workshop, or pre-order the videos before September 1st, you will receive a $100 discount for LoopConf — the premiere conference for WordPress developers.

Those who sign up for the course will also receive 15% off the WPSiteCare Annual Protect Plan, which offers encrypted backups, 24/7 malware scanning, fully managed plugin, theme, core WordPress updates and more.

I hope to see you at LoopConf this year, giving an advanced Workshop on WordPress development with the REST API and AngularJS. That workshop will be a great follow up to the one I’m announcing today.

Stronger Communities

Downtown PittsburghFor me, WordPress is about community. I just wandered into this, but as soon as I went to my first WordCamp and got involved with Pods, I knew this community was special.

I learned early the mantra of “Add Value” and I’ve done my best to live that mantra. I know I’ve benefited from it and that others have benefited from my contributions in education, code and more.

Unless you know where I grew up — Pittsburgh, PA — and where I live — Tallahassee, FL — the choice of Pittsburgh and Tallahassee for our in-person workshops may sound strange. But community begins at home.

When I made the goal to teach more this year, I wanted to make sure I was contributing to growing Tallahassee’s technology industry. It’s my hope to provide young people in Tallahassee the training needed to make a career in WordPress and help meet the demand in the WordPress community for developers that know “The WordPress Way.”

Tallahassee SkylineAnd yes, I’d like to do more of these workshops in other cities, contact me if you want to make that happen in your community. But, I’m starting at home.

These workshop is a step towards that, while creating new video content that anyone can purchase, no matter where in our global community they live.

So, to my friends in the WordPress community, I’m asking you to support this new course. Help me grow these communities. Your purchase of this course is an investment in your own future, because you or whoever you buy it for can learn from it, but also, so we can keep this awesome community vibrant and growing for years to come.

The WordPress REST API As Connector

Earlier this year I gave a talk on what having the WordPress REST API means. I actually gave the talk twice, once I. Jacksonville and once in San Diego and both times I started by asking why we needed a REST API.

Both times I asked, someone in the audience said that the WordPress REST API would help us display content from multiple sites in one location. I agreed.

Both times I asked, someone in the audience said that the WordPress REST API would help us decouple content management form the front-end. I agreed.

Tomorrow, I will be at WPCampus, a conference for WordPress in higher-ed and this is what I am talking about. I’m talking about using the WordPress REST API to show content from multiple sites is one central location.

I hope this will help solve problems for educational institutions with many sites, managed by different departments, that want to share that content throughout their online presence. But, these strategies will also help organizations of any type solve scaling issues.

In addition, companies with multiple brands can use these strategies to share content between different sites and different brands. In fact, half of this talk is based on code I wrote to solve that problem for my own company, Caldera Labs.

Each of our brands has its own WordPress site. Our central site is a static HTML site, hosted on Github for free. It loads in about half a second, and has no database. Instead, we pull content via the WordPress REST API, using jQuery AJAX from multiple sites.

Photo by: Jakub SejkoraThe WordPress REST API is changing ways we use WordPress and ways we consume WordPress data. I look forward to learning more about how others use this new technology and continuing to teach about how to use it as well as using it.

As I prepare for my 6th WordPress conference so far this year, I’m reminded that WordPress is a connector. Yes, the REST API provides a way to connect WordPress sites together and WordPress to other technologies. But, more importantly, WordPress can help us reach our goals when we have the right tools, and helps connect us to awesome people in the community 🙂

Slides

 

Links