Author Avatars Plugin – fifteen years on

It hardly seems possible that I uploaded my first co-authored plugin, Author Avatars, to wordpress.org over 15 years ago!

That initial foray into the world of plugins was the first step that led to the creation of my premium plugin business, Matador Jobs.

It is rewarding to feel that, with 7,000+ active installations, people are still finding Author Avatars useful. Since I took over full ownership in 2011, I have continued to maintain it regularly. This includes adding Gutenberg support even before Gutenberg was included in WordPress Core.

Author Avatars makes it easy to display lists of user avatars, grouped by user roles, on your (multiuser) site. It also allows you to insert single avatars for blog users or any email address into a post or page – great for displaying an image of someone you’re talking about.

It makes use of built-in WordPress (core) functions to retrieve user information and get avatars.

Avatar lists can be inserted into your sidebar by adding a widget or into posts/pages by using a shortcode. The plugin comes with a TinyMCE editor plugin which makes inserting shortcodes very easy.

How to List All Authors From Your Blog in WordPress (image from WPBeginner tutorial on Author Avatars)

It is particularly gratifying to find Author Avatars featured in a WPBeginner tutorial dated March 8, 2024. Thanks guys for providing an excellent ‘How to’ guide!

Why contribute to WordPress Core?

So why would anyone want to volunteer their time or sponsor staff to contribute to WordPress core?

WordPress, which fuels over 40% of the web, is an open source project. This means that the core code on which it runs has been created and is constantly evolving through the efforts of its users, a diverse community of people from around the world.

Developers/Coders

For developers, in the crudest form, core contribution allows them to demonstrate their expertise by saying to clients ‘you can find my name on the WordPress About page’. This is very helpful when a client asks, ‘how do I know that you know what you are talking about?’

Working on core also provides coders with an opportunity to improve their skills due to the enforced use of coding standards and constant code review. You can keep up to date about new developments. As a bonus, you also get to know the inner workings of WordPress in weird and wonderful ways.

Contributors have the opportunity to work and learn alongside passionate innovators who are more than happy to share their skills. 

Contribute as an Individual | Five for the Future | WordPress.org

Agencies and other organizations

For agencies, being associated with core development positions you in the top tier worldwide. It creates regular marketing opportunities. Both clients and experts perceive it as validation of an organization’s credibility.

Contributions that improve the WordPress platform help to secure a positive future all round.

Supporting staff to contribute to WordPress core can also be a cost-effective way to offer them opportunities to learn and grow.

For any agency specializing in WordPress development, their ongoing success rests on the ability of WordPress to thrive and prosper. Therefore, it is in their best interests to support its growth.

By becoming involved in core contributions, an organization ‘enters the conversation’. It has at least some possibility of influencing future directions in WordPress. They can also represent the needs of their particular client group.

Participating organizations are able to integrate more deeply into the WordPress ecosystem, while gaining a voice in the ongoing development of the platform.

Contribute as an Organization | Five for the Future | WordPress.org

Core contribution may also provide early insight into what’s coming. This enables organizations to introduce the ‘latest and greatest’ to their clients or users. It may also help to pre-empt potential problems.

For businesses, developing a clear, strategic core contribution sponsorship program benefits both the organization and the individual. It also allows them to respond to the challenge of Five for the Future*.

In any such program, there need to be clear expectations, associated budgets and time allocation. These need to recognize that core contribution can be as much a marketing and training function as falling under the development budget. You can find a short white paper that explores the setting up of this kind of program further on WordPress.org.

Paul’s story

From my first discovery of WordPress in 2006, its community, flexibility and momentum has made it the platform of choice for my work.

Over the years I have been deeply involved with the WordPress community. I have made core commits to every version of WordPress since 3.9. I continue to support the wider WordPress community by speaking and volunteering at WordCamps, most recently at WordCamp EU 2022. I also co-founded a local WordPress Meetup, and regularly mentor others within the community.

XWP sponsorship

In 2021/22, most of my freelance work has been for XWP as part of their WordPress core contributor team. By their own admission in their LinkedIn post, XWP got carried away by the momentum of core contribution. As a result, they found themselves overcommitted. So, sadly, their sponsorship of my time has come to an end. I am so grateful to them for providing me with an amazing opportunity to follow my own passion to contribute to WordPress core in the company of truly skilled and passionate colleagues.

What this has meant for me has been the ability to contribute to much more substantial improvements to WordPress rather than having to focus my efforts into things that I could do in just a few hours. Working as part of a team is both stimulating and stretching. I believe it added value to what I was able to contribute and improved both my visioning and my skills.

Paul speaking at WCEU 2022

XWP also sponsored me to speak at WordCamp EU 2022 and support the Google Performance Lab stand there. This is another aspect that organizations may wish to consider in developing a sponsorship program. It offers an additional means of increasing their visibility, creating marketing opportunities and attracting talent.

A continuing conversation

It goes without saying that I will continue to contribute to WordPress core as time and resources allow.

I am also keen to play a part in the conversation around developing sustainable models for core contributor sponsorship. Based on my experience with XWP, I believe that the benefits to the whole WordPress ecosystem of focused and consistently funded contributor programs are immense.

* Launched in 2014, Five for the Future encourages organizations to contribute five percent of their resources to WordPress development.

WCEU 2022 – WordCamp Europe, Porto

“I’m done with this; I don’t want to do this again. I’d rather just be a recluse!”

The Super Bock Arena, venue for WCEU 2022

It’s probably not too surprising that these were the first thoughts I had when initially I arrived at WCEU 2022 and wandered around Porto’s Super Bock Arena.

Since March 13, 2020, when we made it home from a vacation in Antigua just as Canada battened down the hatches, we have welcomed only three guests inside our home. Living on a lake in rural Ontario, Covid seclusion has been remarkably easy and comfortable. Our social life has mostly consisted of chatting to neighbours from across the road or the end of the dock. To go straight from this to an event attended by over two and a half thousand participants was bound to be a shock to the system and more than a little scary.

I find it very liberating to give myself permission to have no real agenda; not to tour the stands and chat and pick up swag; only to attend talks that really interest me; not to talk to anyone if I don’t feel like it!

‘. . . the community is where the heart is’

It is also unsurprising that what gently reeled me back in was what I have always valued and admired about WordPress: its strong sense of community, of connection and affirmation. Milan Ivanovic summed it up perfectly in his opening WCEU 2022 Track 1 presentation, Why we community?

“The code is poetry, but, the community is where the heart is.”

I found particularly moving and powerful his reflection on the way in which the WordPress commitment to inclusivity and diversity broke down the barriers he personally had put up against ‘otherness’ growing up in a small Serbian village.

A WordPress user and blogger, I have some technical knowledge. But who I am is rooted in facilitating change, connecting people – to each other and to information – and the creation of community. WordPress has not been my career focus. But I have volunteered at and attended WordCamps in the past. I also co-founded a local WordPress Meetup.

I don’t know what it is about ‘community’ people. There seems to be an extraordinary, instinctive, gravitational pull that draws us together. There was a heartwarming hug from Josepha, a longstanding community team friend; a lively dialogue with Community Engagement Specialist, Cate, at the WordPress Community Booth; and, out of the blue, a lunchtime conversation with Julia, a Community Steward, that ran so deep it could have gone on all day. I found re-connection, new heart-kin, and so many kindred spirits of all kinds throughout the passing exchanges of the two days. This was a timely reminder of the riches such interactions can bring.

The other sessions I attended, on partnerships and acquisitions, also reinforced the values I associate with the building of strong communities; resilience, curiosity, openness, mutuality, providing a positive and consistent client experience; and appreciation of employee and volunteer effort.

Support, affirmation, inclusivity, and connection

Some of the XWP Team

My husband and business partner, Paul Bearne, spends about half his time working for distributed agency XWP. They currently sponsor him to work on WordPress Core. I found it heartwarming that the sense of support, affirmation, inclusivity, and connection seemed so much greater with the XWP team (for both of us) than almost any work environment I can remember. Paul suggests this is because people need to have a special kind of energy to be self-motivated enough to work in a distributed setting. They may also have to make a much more conscious effort to build connection. And, of course, this is backed up by the WP ethos of community. Whatever the reason, it made for a positive and life-affirming re-emergence into the post-Covid world.

‘Finding your WordPress lifestyle – insider insights from a veteran coder’

Honestly, the prospect of attending Paul’s talk was much too nerve-wracking for me! I sweated with him over creating the slides and we will review the video recording together on WordPressTV if he is planning to deliver it again.

For someone who is much more accustomed to giving tech talks, this kind of ‘lifestyle’ topic was quite a challenge. Paul’s XWP colleagues were most generous in contributing their time to helping shape and refine his content and delivery. I’m glad to say there was a lot of positive feedback – people seem to have found it genuinely useful and interesting. As well as recording a podcast interview for WP Tavern, he was interviewed by HubSpot. His insights are now featured on their Blog, which reaches over 1.3 million readers a month. A good day’s work.

Everybody needs a Gina! (slide)

The talk brought me some degree of personal notoriety. Standing in line to pick up a coffee when I arrived that day, the person to whom I was chatting glanced at my badge and said, ‘oh, you’re Gina!’ A gracious acknowledgement of my back-up role, the slide ‘Everybody needs a Gina!’ emphasized the importance to remote workers and freelancers of effective support.

From recluse to WCEU 2022 party animal

Part of the appeal of WordCamps is the opportunity to interact in person with colleagues from all around the world. In many cases, these are people you may have known for years yet never met. It was a delight to see Paul recognized by so many, often greeted with a hug (a bit scary as an emergent recluse) and with obvious affection.

Paul embraced the party spirit to the full. For him there was an XWP Team Day with a scavenger hunt around Porto and Douro boat trip, a Codeable dinner at the Baroque Palacio di Freixo on the banks of the Douro, the WCEU 2022 Speakers’ Dinner at the cruise ship terminal, as well as the traditional WordCamp After Party held at the Super Bock Arena. I attended about half of these. This suited me fine as I still found that many unmasked people (for eating and drinking) in indoor spaces a little daunting.

Yes, remaining a recluse certainly has its attractions. But WCEU 2022 was a welcome reminder of the joy and energy that can be generated when like-minded individuals are able to spend time together. Perhaps Covid may have given us an opportunity to understand that, in the best of times, both have value. It doesn’t have to be either/or.

If the WordPress culture of community has caught your attention, you may be interested in this 2019 blog post, The WordPress Community – Passion and Participation

Words have power – removing exclusionary language from code

Originally posted on the Matador Jobs blog, August 18, 2020

Words Have Power

Thanks to the incredible conversations the United States and World are having right now about race and inclusion, it has come to our attention, as software developers, that some of the phrases we use are based on historically racist or classist terms and that our continued use of these terms is insensitive, unwelcoming, and exclusionary.

While insignificant in the giant list of things that need to be changed to bring about true equality and inclusiveness, we at Matador Jobs nevertheless feel we can begin to impact change by stopping our perpetuation of these negative language constructs in our software.

Our changes to exclusionary terms

Based on useful and interesting discussions with other developers around exclusionary language, we found that the items below are the biggest targets for adjustment. In many cases, the replacement terms are actually more descriptive! Here are the key adjustments we are making in our upcoming releases:

  • Changing whitelist/blacklist to “allow list”/“deny list” to explain lists of explicitly allowed or disallowed items
  • Replacing master and master/slave with main and primary/secondary to explain relationships where one is an authority or primary source to a backup or secondary source.
  • Removing the use of “grandfather”/“grandfathered” to describe backwards compatibility or rights or access given automatically to a legacy user of a feature.
  • Instead of “whitespace” use “empty space”, “blank space”, or a more descriptive term to describe areas that are purposely empty, blank, or clear for readability or design, i.e. a “line break” could describe space purposely used to improve readability of code or text.

In the case of removing “whitelist,” we needed to engage our partners at Bullhorn, as one of our uses of the term is derived directly from their official API implementation documentation. After very positive discussions with Bullhorn Support, they are prepared to initially fully support our removal of the term from our documentation and code and are exploring how they too can strike it from their own documentation and code.

Most of these changes will be behind-the-scenes and specific to advanced integration a developer may do with Matador. But, since “whitelist” was a key part of the Bullhorn Connection Assistant, the following change will affect all users. The changes are:

  • “Whitelist” or “Whitelisted” (used as a verb) will become “Register” or “Registered”
  • “[API Redirect] Whitelist” (used as a noun) will become “Allowed API Redirect List”

Our next hotfix release, 3.6.2, of Matador Jobs, will include these changes, with further changes behind-the-scenes in following releases.

Resources

Resources we found helpful in considering these issues include:

https://thenewstack.io/words-matter-finally-tech-looks-at-removing-exclusionary-language/

https://www.duncannisbet.co.uk/removing-harmful-language-from-my-lexicon

Using a Child Theme

(and other things you need to know to start editing your theme)

A child theme allows you to change small aspects of your site’s appearance yet still preserve your theme’s look and functionality.

WordPress Theme Handbook

Child themes

  • allow you to modify a theme without blocking the ability to apply theme updates
  • give you a starting point to make development much faster rather than coding everything from scratch

Slide Presentation on Child Themes from Ottawa WordCamp 2019

WordCamp Ottawa 2019

I recently led a session on Child Themes for Ottawa WordCamp 2019 entitled Child Themes and what else you need to know to start editing your theme. Hopefully this may be helpful, even without the commentary!

Resources

Here are some additional resources that you may find useful:

The WordPress Community – Passion and Participation

Wapuu - Community; Bring People Together

A major part of using WordPress involves relying on and interacting with the WordPress community at large, which has the reputation of being genuinely friendly and helpful. After all, as an open source platform it has been built and maintained by that community!

Although the members of our local WordPress Meetup are by definition a part of that community, few were aware of the range of opportunities available within it.

So, for our last session before the summer break, we chose this as our topic. I put together a slide presentation covering the kind of resources and experiences the WordPress Community can offer you and the ways in which you can contribute to WordPress.

  • Meetups
  • WordCamps
  • Community Forums
  • The Community Deputy Program
  • Contrib to Core
  • Component Maintainers
  • Contributing/ reviewing plugins and themes
  • Freelance/ remote working opportunities
Overview slide from presentation on the WordPress Community

For quick reference, I also put together the following useful resource links:

WordPress Statistics

Most Marvelous 100+ WordPress Stats & Facts (2019)

WordPress Stats: Your Ultimate List of WordPress Statistics (Data, Studies, Facts – Even the Little-Known)

Meetups

Meetup Program Basics

Kingston WordPress Group Code of Conduct

Kingston WordPress Group Good Faith Rules

WordPress 2018 Meetup Survey Results

WordCamps

WordCamp Central

You may also want to read my account of attending WCUS 2016, WCUS – passion, democratization, accessibility, community

Contributor Days – an example (US WordCamp 2018)

WordCamp Schedule

Don’t forget to keep an eye on your WordPress Dashboard for news about local events!

WordPress Resource Sites

WPBeginner – mostly how-to guides for simple tasks

Torque – more editorial content, from development to light pop culture

WPTavern – editorial content, mostly about the project and open sources

WPMU DEV Blog – some free content, some by subscription

WPShout – mostly developer-focused content, with in-depth tutorials

Online WordPress Forums


27 WordPress Support Forums That Have All The Answers – useful article, including a comprehensive list of WordPress Facebook Groups

WordPress Support Forums

WordPress Slack

WordPress Codex

WordPress Stack Exchange – you may also want to see the Stack Exchange Tour for step by step instructions.

Contributing to WordPress

The Community Deputy Program

Make WordPress – If you want to get involved in WordPress, this is the place to be, with blogs for each contributor group, general news, and upcoming events.

Contrib to Core – see also this helpful Developers Guide to Contributing to WordPress Core from Delicious Brains

WordPress Core Components

Submitting Themes

Theme Review

Plugins

Leaving a WordPress Plugin review

Freelance and Remote Working Opportunities

Useful articles from codeinwp:

20+ Sites to Find Remote WordPress Jobs + 5 Great Companies Hiring Right Now

Remote Work for WordPress Professionals: How to Work From Home (And Stay Sane)

Virtual Agencies

Outsourcing Marketplace

Job Boards

Reflecting on the first year of Matador Jobs

Originally posted on the Matador Jobs blog

As Bullhorn’s Engage 2019 kicks off in Boston this week, it seems like a good time to reflect on our exciting first year for Matador Jobs, especially how it has grown and the improvements we have made.

Last year’s Bullhorn Engage conference was a huge milestone; it marked our official public launch after a year of development and close work with a group of early adopters. It was a fantastic opportunity to interact directly with some of the Bullhorn team, as well as Bullhorn clients. Best of all, even though we had spent many months hammering out the code together, it was the first time that my partner Jeremy and I met in person!

Paul and Jeremy of Matador Jobs at Engage Boston, 2018

A year on, we are proud to be listed on the Bullhorn Marketplace as the only Marketplace Partner offering a WordPress/Bullhorn solution.

Matador Jobs have been the best Marketplace Partner I have dealt with and I am blown away by how responsive they are.  They not only email me back but are willing to give guidance and really care about how my jobs and the rest of my site functions within Bullhorn.

Sean De Vore
President
De Vore Recruiting
devorerecruiting.com

During this time, we have released three major updates (with another due any day!), as well as several minor updates and hotfixes. We’ve also extended Matador with an additional four add-ons, available at no extra cost to all our All Access clients.

Feature Highlights

  • Full support for the Google Indexing API, providing a big search traffic boost as a result of almost instant Google job indexing (included in Matador All Access and Pro)
  • Improvements to templates, with greater ease and more extensibility of customization
  • The addition of an optional meta block to the job listing details to get you going without the need for coding
  • Contextual navigation buttons for all job listings
  • Deep links into Bullhorn so that one-click from WordPress takes you to the same data in Bullhorn
  • Lots of ‘under the hood’ improvements to provide increased stability and customization opportunities
  • The brand-new Advanced Applications add-on (All Access only) which allows you to add any Bullhorn candidate field as a question in your application form with just a couple of clicks

 Our jobs are ranking more strongly with less work because of the Matador Pro plugin.

Beth Varela
Marketing & Operations
SkyWater Search Partners
Skywatersearch.com

Maintenance and Documentation

We’ve also worked continuously throughout the year on maintenance and bug fixes – please keep on telling us when you run into a problem; your feedback helps us to make Matador even better!

Likewise, slowly but surely, our documentation is becoming more comprehensive as we respond to help requests – we are continuing to work on this.

Paul and Jeremy have both been incredibly helpful, responsive, quick and have implemented new features based on our needs as a client.

If you are looking for a way to utilize your instance of Bullhorn with WordPress, Matador is incredible value with individualized support and ongoing updates.

Matthew Leavitt
Marketing & IT Manager
MOUNTAIN LTD
www.MOUNTAINLTD.com

Google Indexing API for WP Job Manager Plugin

Sometimes one thing leads to another. As a footnote to our work on the Google Indexing API for Matador, it wasn’t much of a leap to realize that this functionality could be useful for other job-boards. We already have a Matador add-on to provide WP Job Manager integration so we decided to wrap the relevant fragment of the code we developed for Matador into an additional dedicated plugin for users of WP Job Manager.

Matador Jobs clients

As word gets out, our client base has been growing steadily – we are so encouraged by and grateful for the positive feedback we have received from our clients.

Thank you for your support!

Exactly what I needed to make our site how I wanted it . . . and all in-house! If you are working in WordPress, this is a no-brainer.

Scott R 
The Ian Martin Group
https://ianmartin.com

For more detailed information on Matador updates, please read the release notes on the Matador Jobs Blog.

Google Indexing API for WP Job Manager Plugin

When one thing leads to another . . .

As a developer it’s not unusual that, as you work on a major project, you stumble over a smaller but really useful product. This has been the story of our new Google Indexing API for WP Job Manager Plugin.

After many hours of head-scratching, debugging and deciphering of Google’s documentation, I finally got the Google Indexing API working for Matador Jobs (the WordPress Job Board Plugin for Bullhorn ATS) early this year. It was a key feature in our biggest Matador update to date (Matador Jobs Major release 3.4.0).

This apparently relatively small feature addition has proved extremely useful in improving our clients’ page ranking and in getting their jobs listed in near real-time on Google Jobs Search.

It wasn’t much of a leap to realize that this functionality could be useful for other job-boards. As we already have a Matador add-on to provide WP Job Manager integration, we decided to wrap the relevant fragment of the code we developed for Matador into a dedicated Plugin for users of WP Job Manager. Launched at the beginning of April 2019, the Google Indexing API for WP Job Manager Plugin is my second Premium Plugin.

How the Google Indexing API for WP Job Manager Plugin works

Google created its Indexing API so that Google Jobs can be informed immediately when a job is posted or removed from a job board.

The API allows you to PUSH notifications that you have published a new job or deleted a filled job so that Google adds/removes your jobs straight away.

By making use of this, when you post a job it is included in the Google Job Search results almost instantly, giving you an important advantage.

Similarly, filled jobs are removed promptly and are no longer indexed in Google. So job-seekers should never end up on a 404 page.

When you implement the Google Indexing API for WP Job Manager Plugin, you don’t have to wait for Google to get around to crawling your site and add your jobs to their job search index. It happens automatically then and there.

Google for Jobs overview on Bullhorn’s Customer Blog

Have you heard about Google for Jobs? Bullhorn have just published an article by my fellow Matador developer Jeremy Scott on how Google for Jobs optimization can increase search traffic to your jobs website. Based on the experience of building Google for Jobs optimization into the Matador software, the article explains what Google for Jobs is, how it works and offers a high-level overview of how to optimize your company’s website.

Screenshot - article on Bullhorn Customer Blog

Read the full article on Bullhorn’s Customer Blog

We’ve put a lot of time into ensuring that Matador Jobs integrates really effectively with Google for Jobs search and we know it can make a huge difference. We have one customer who reported a 75% increase in organic search traffic to her site in one month. Please reach out to us for more information on how Matador Jobs can help you leverage the Bullhorn REST API and Google for Jobs on your site.

(Cross-posted from our Matador Jobs website)

How can I know I am writing secure WordPress code?

Security

Even as an experienced coder, it can be daunting to try to write secure WordPress code.

There is one golden rule: trust no-one!

But if you habitually make use of a few good tools, you should be able significantly to reduce potential vulnerabilities. As a bonus, secure code tends to be both performant and readable.

Where to begin – good tools

Use the tools that exist – don’t just write your code in a basic text editor!

I would recommend as a starting point using an IDE – Visual Studio Code, PhpStorm (IntelliJ), or, if you want a more editor-based option, Sublime Text. Amongst other features, all of these offer code completion and syntax highlighting. This easily eliminates some of the ‘basics’, allowing you to focus on the actual code.

Next, you need a static code analysis tool. For WordPress coders this means installing PHP_CodeSniffer (https://github.com/squizlabs/PHP_CodeSniffer). If you integrate this with your IDE, you will get real-time feedback as to whether you are meeting the coding standards that you have selected. For example, CodeSniffer will complain if you do not sanitize the input, escape the output or use a nonce when receiving data.

Note: A team of volunteers has created a set of WordPress Coding Standards rules (sniffs) to enforce WordPress coding conventions. You can download these, together with integration instructions, from GitHub (https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards).

Applying the golden rule

What does it mean to ‘trust no-one’?

Your code needs to check that any input passed to it from a user, another coder or a function is what you expect. And any time it returns content, it needs to confirm that it is the right type of content.

Example of checking input data

In the code fragment below, I first check that a form submitted was created by the website by using a nonce and then use absint() to make sure the form value is a number, followed by using the sanitize_text_field() to clean the name value input.

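// Check we have a form field called wp_nonce
// Check the value of wp_nonce is what WP created
if ( isset( $_POST['wp_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['wp_nonce'] ) ), 'save_form' ) ) {

    // Make sure that the ID is an int (0 if the field is missing)
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    // wp_unslash() removes the slashes WordPress adds to request data.
    // sanitize_text_field() then:
    // - Checks for invalid UTF-8
    // - Converts single `<` characters to entities
    // - Strips all tags
    // - Removes line breaks, tabs, and extra whitespace
    // - Strips octets
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

    // Save form
}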

Examples of escaping output data

It is important to escape any translated content as you don’t know what is in the translation. In the following code fragment, I pass the translated string through esc_html() before it is placed in the html and echoed, so that any markup it contains is output as text rather than rendered. Note that esc_html() wraps only the translated string: wrapped around the whole sprintf() it would also encode the <p> tags.

echo sprintf( '<p>%s</p>', esc_html( __( 'Some content to be translated', 'text_domain' ) ) );

You should never trust the output of a function, even if you wrote it, as someone else might change it later. In this example, I use esc_url() and esc_attr() to clean the returned output of the functions.

echo sprintf( '<a href="%s" title="%s">click here</a>', esc_url( get_a_url_from_somewhere() ), esc_attr( get_a_title_from_somewhere() ) );
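
Putting the input and output checks together: the following small plugin is an added example, not code from the original post. The dnf_ function names, the dnf_form shortcode, the dnf_save action and the dnf_name meta key are all hypothetical; the 'save_form' nonce action and wp_nonce field name follow the fragment above. It also adds a current_user_can() check, because a valid nonce shows the request came from a form your site generated, not that the user is allowed to make the change.

```php
<?php
/**
 * Plugin Name: Display Name Form (added example; all dnf_ names are hypothetical)
 */

// Output side: every dynamic value is escaped for the context it lands in.
function dnf_render_form( $atts ) {
	$atts    = shortcode_atts( array( 'id' => 0 ), $atts );
	$post_id = absint( $atts['id'] );
	if ( ! $post_id ) {
		return '';
	}
	$name = get_post_meta( $post_id, 'dnf_name', true );

	ob_start();
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="dnf_save">
		<input type="hidden" name="id" value="<?php echo esc_attr( (string) $post_id ); ?>">
		<?php wp_nonce_field( 'save_form', 'wp_nonce' ); // nonce + referer fields ?>
		<label>
			<?php esc_html_e( 'Name', 'text_domain' ); ?>
			<input type="text" name="name" value="<?php echo esc_attr( $name ); ?>">
		</label>
		<button type="submit"><?php esc_html_e( 'Save', 'text_domain' ); ?></button>
	</form>
	<?php
	return ob_get_clean();
}
add_shortcode( 'dnf_form', 'dnf_render_form' );

// Input side: verify, validate, authorize, and only then save.
function dnf_handle_save() {
	// 1. Was this form generated by this site for this user and action?
	$nonce = isset( $_POST['wp_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['wp_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'save_form' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'text_domain' ), '', array( 'response' => 403 ) );
	}

	// 2. Force each value into the type we expect.
	$post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$name    = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

	// 3. A nonce is not a permission check: confirm the user may edit this post.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'text_domain' ), '', array( 'response' => 403 ) );
	}

	// update_post_meta() unslashes its input, so re-slash the cleaned value.
	update_post_meta( $post_id, 'dnf_name', wp_slash( $name ) );

	// Redirect only to a local URL; fall back to the home page.
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : home_url( '/' ) );
	exit;
}
// admin_post_{action} fires for logged-in users only; no nopriv handler is registered.
add_action( 'admin_post_dnf_save', 'dnf_handle_save' );
```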

Writing secure WordPress code – the last word

Security is always going to be a challenge – change is a constant and vulnerabilities exist everywhere. But it is our responsibility as coders to do the best we can. At the very least, consistently using the tools available, applying coding standards and following basic good practice guidelines, is just good sense. It should eliminate a significant proportion of risks and leave you some headspace to tackle the edge-case scenarios.