This project is a WordPress plugin, which provides a way to distribute custom plugins via a GitHub repository (even a private one). This plugin provides a new custom post type registered in the plugins menu of the Admin Dashboard which you can use to store information about the GitHub repositories. It utilizes the GitHub API to check for tagged versions and provides that information to outside plugins checking for updates. Each hosted plugin can have banners/icons and send custom header and plugins_api information.
As this project is a WordPress plugin, you simply need a plugin ZIP file to upload in your Admin Dashboard. Because GitHub appends "-master" (for the branch) to the folder name, uploading the ZIP file to your WordPress install directly from GitHub will install the plugin with the incorrect folder name, which will interfere with the plugin server's own updating process. To remedy this, you will need to:
- Download the latest release ZIP file from GitHub
- Install the plugin through the WordPress "Add Plugin" page.
Once you have the plugin installed, it is very simple to use. Log into your WordPress Admin dashboard and navigate to "Plugin > Hosted Plugins". All you have to do is provide a GitHub user and repo, and then a separate field for a "plugin slug". The plugin slug is based on the underlying operating principle of the release system: the plugin ID will always have the form "plugin-slug/plugin-slug.php". If you are unfamiliar with how WordPress identifies plugins, this pretty much means that the folder name of the plugin (in "/wp-content/plugins") should be the same as the name of the primary PHP file inside of it. This was decided early on in the project development to maintain uniformity. For all intents and purposes, the GitHub repository name should ideally be the same as the slug. Read the WPPF Update Helper page for more info on the slug. Any new hosted plugin will display "Disconnected" until the correct GitHub information is provided and the post is saved, after which the page will say "Connected" and display information about the plugin repository.
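The folder-name problem and the "plugin-slug/plugin-slug.php" convention described above can be checked on a ZIP file before it is uploaded. The following is an added example, not part of this project's code: it also rejects archive paths that would extract outside the plugin folder, and the function names and the slug "my-plugin" are hypothetical, with the sample archives constructed in memory.

```python
import io
import zipfile


def check_plugin_zip(zip_bytes: bytes, slug: str) -> list:
    """Return a list of problems; an empty list means the layout matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if n and not n.startswith("__MACOSX/")]
    # Reject entries that could escape the plugins directory on extraction.
    for n in names:
        if n.startswith("/") or ".." in n.split("/"):
            problems.append(f"unsafe path in archive: {n}")
    # The archive must contain exactly one top-level folder.
    top_levels = {n.split("/", 1)[0] for n in names}
    if len(top_levels) != 1:
        problems.append(f"expected one top-level folder, found {sorted(top_levels)}")
        return problems
    folder = top_levels.pop()
    if folder != slug:
        hint = ""
        if folder.startswith(slug + "-"):
            # e.g. "my-plugin-master" from a GitHub branch download
            hint = " (looks like a GitHub branch archive)"
        problems.append(f"folder is '{folder}', expected '{slug}'{hint}")
    # The primary PHP file must carry the same name as the slug.
    if f"{folder}/{slug}.php" not in names:
        problems.append(f"main file '{slug}.php' not found in '{folder}/'")
    return problems


def build_zip(folder: str, main_file: str) -> bytes:
    """Build a small constructed archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/{main_file}", "<?php /* Plugin Name: Demo */")
        zf.writestr(f"{folder}/readme.txt", "demo")
    return buf.getvalue()


if __name__ == "__main__":
    slug = "my-plugin"  # hypothetical slug
    print(check_plugin_zip(build_zip("my-plugin", "my-plugin.php"), slug))
    print(check_plugin_zip(build_zip("my-plugin-master", "my-plugin.php"), slug))
```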
I understand that security is a large concern in today's digital world. If you provide the update server a GitHub API token to see a private repository, it is in your best interest to keep that token as secure as possible. The update server is built with the WPPF Update Helper, which registers an SSL encryption key field under "Settings > WPPF Settings". Your private token is always encrypted before being sent, so make sure to provide a strong SSL key. However, this does not exhaust the list of possible issues. Your WordPress installation is likely made up of some 3rd-party plugins that facilitate the things that you need to do with your website. Your SSL key is stored in the wp_options table, as it is a setting, and malicious code could very easily gain access to it. Keeping your plugins updated and using trusted plugins are some of the best ways to keep other parties from accessing your data. Thirdly, all data being sent from your website should be viewed as publicly visible. Even if you do have an SSL key and everything updated, mandate an HTTPS connection to and from your site. This should be the first thing you do for any site that you need to log into. To reiterate:
- Use a strong SSL key in the WPPF Settings.
- Use only trusted plugins and keep them updated.
- For the programming gods' sakes, use SSL (HTTPS) for your site!
This project is part of the WPPF ecosystem:
- WordPress Plugin Framework (WPPF) – Core plugin architecture framework.
- WPPF Test Plugin – Example project demonstrating an implementation of a plugin using WPPF.
- WP Plugin Update Server – Self-hosted WordPress plugin update infrastructure with GUI management.
- WPPF Update Helper – Simple integration layer for the WP Plugin Update Server.