AppThemes Docs

Creating a WordPress Listener

Are you a plugin or theme developer? Have you ever wanted to integrate WordPress with automated services? Like, posting a new blog entry for every commit on Github? With a WordPress Listener, you can have any service talk to your WordPress blog whenever you want!

A WordPress Listener works by having WordPress listen for third-party services to hit a specifically formed link, and when it hits that link, executes specific code that interacts with the third-party service.

Creating a listener in WordPress is a pretty straightforward process. You first need to pick and early hook, like wp_loaded and hook into it with a set of code that looks at the incoming request before anyone else checks it, and decides if that request is meant for you.

Usually you’ll check if a method is meant for you by a custom query variable that is not easily mistaken for something else.

function app_listener(){
 
    if( !isset( $_GET['listener'] ) || $_GET['listener'] == 1 ){
        return;
    }
 
}

Now, if you access your site at say, http://example.com/?listener=1, the code below it will be ran.

If you get to this step and the request is not meant for you, you should return out of it as quickly as possible. Any code you run before this test will be ran on every page load in WordPress, so it better be quick and efficient.

After ensuring that the request was in fact made for you, you can do pretty much whatever you want. Your code afterwards will only run on a page load with those specific parameters. However, the code we have right now is pretty open. Anyone who knows that you are expecting a listener can pretend to be that listener to maybe do some malicious things. You might want to check a few other things as well.

List of things to check

Was the request made by an authorized party?
Sometimes when sitting around listening for stuff, you might get some noise. For instance, a hacker who is poking around looking to trigger secret things. If you code does anything sensitive, you’ll want to make sure that whoever is trying to activate the listener is the right person. For this, we can use a random value.

The idea behind using a random value passphrase is to ensure that only an authorized party can activate the listener. A random value passphrase is just a series of numbers and letters that are hard to guess. It is very similar to a password. By creating a password that only you and the third-party knows, you can be much more certain that the person activating the listener is actually the person you’re expecting.

For our random passphrase, we are going to take the MD5 hash of the site’s URL, and the time.

$passphrase = md5( get_bloginfo( 'wpurl' ) . time() );
echo $passphrase;

If you look at the output of this, you’ll see that it is a fairly random combination of letters and numbers. Now, we can use that series of random letters and numbers to make our listener stronger. Instead of just checking for the listener query variable, we will also check that the query variable is set to our passphrase.

function app_listener(){
 
    if( !isset( $_GET['listener'] ) ){
        return;
    }
 
    if( $_GET['listener'] != md5( get_bloginfo( 'wpurl' ) . time() ) ){
        return;
    }
 
    echo 'Listener is now activated';
 
}

As you can see, the listener will only respond now if the listener query variable is set to the correct value. You’ll noticed I separated out the two if statements. If I kept them as a single statement, like in the first example, it would cause a new hash to be generated on every page load. This is a drain on our page load that we simply don’t need. With the statements separated, the hash is only generated and checked if the listener variable is set.

But there is still a problem. Right now, the passphrase changes every single second. This is because we generate a new passphrase on every page load using the time as part of the passphrase. For all practical purposes, unless we can guess the time that PHP will think it is, and send the request at that exact time, we will never get the past the second check.

The easiest way to get by this is to store the first passphrase ever generated, and then simply use that passphrase. In WordPress, we can store the option for later use.

function app_listener(){
 
    if( !isset( $_GET['listener'] ) ){
        return;
    }
 
    $passphrase = get_option( 'listener_passphrase', true );
    if( ! $passphrase ){
        $passphrase = md5( get_bloginfo( 'wpurl' ) . time() );
        set_option( 'listener_passphrase', $passphrase );
    }
 
    if( $_GET['listener'] != $passphrase ){
        return;
    }
 
    echo 'Listener is now activated';
 
}

As you can see, we now check if a passphrase has been created. If so, we use it to check the listener variable. If not, we create a new one and then store it to use later.

There you have it. Any code after this series of checks will only occur when your authorized third-party accesses a specific page on your site. You’ll probably want to do some additional checks to make sure its really them, that they are giving you data that is correct, etc.

You’ll probably also want to make the value of ‘listener_passphrase’ available somewhere in the WordPress Admin Panel. Otherwise, you’ll never know the passphrase to give to the third-party.

Like this tutorial? Subscribe and get the latest tutorials delivered straight to your inbox or feed reader.

Your rating: none
Rating: 5 - 4 votes