WordPress and YAML

Kev Quirk recently asked if he couldn’t just use YAML files in WordPress, and then used a simple blogroll as an example.

So, two things:

  1. In WordPress, don’t use YAML for blogroll data. WordPress has a built-in albeit well-hidden link manager that does exactly this sort of thing.
  2. WordPress developers tend to look at custom post types and theme templates (which, for CPTs, can be created rather easily from the new Site Editor) for things like these—working with custom data, I mean.

That said, I … had a quick look at Statamic, which uses YAML to store its config(s), and noticed it relies on the symfony/yaml Composer package, and built a very simple plugin around that package.

The plugin registers a single shortcode that takes two arguments: a YAML file, and a template file. I provide a single example—the actual example from Kev’s original post.

I’m using pure PHP, which anyway started life as a templating language, for the templates.

YAML and template files should be stored in a yaml subfolder inside WordPress’s uploads folder, which, unlike plugin folders, never really changes—plugin files famously get overwritten with each update.

It wouldn’t be too hard to create an upload form somewhere within WordPress’s admin interface, or allow themes to register a new location for these files, but … let’s leave that as an “exercise for the reader.”

Is this secure? Well, you could set up your web server to deny direct access to the YAML files. And do the same for the PHP files, or disable PHP inside the uploads folder (which you should probably do anyhow).

Also, I sanitize file paths to prevent directory traversal. (In a first draft, logged-in users with, e.g., the author role, would be able to specify, and thus run, just about any PHP file on the server.) If I still missed something, please let me know!
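One way to do that kind of path check, as an added example rather than the plugin's actual code: resolve the shortcode argument with `realpath()` and accept it only if the result still sits inside the `yaml` folder and has an expected extension. The function name `resolve_contained_path()` and the temporary demo directory are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example): map a shortcode-supplied name to a file inside $baseDir, or null.
// In WordPress, $baseDir would be wp_upload_dir()['basedir'] . '/yaml'.
function resolve_contained_path(string $baseDir, string $userPath, array $allowedExt): ?string
{
    // Reject empty input, NUL bytes and stream wrappers (php://, phar://, ...) outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || strpos($userPath, '://') !== false) {
        return null;
    }
    // Allowlist the extension, so the data slot only takes YAML and the template slot only PHP.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false for missing files.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userPath);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling like "yaml-old" cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo: a temporary directory stands in for wp-content/uploads.
$root = sys_get_temp_dir() . '/yaml-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/yaml', 0700, true);
file_put_contents($root . '/yaml/blogroll.yaml', "- name: Example\n");
file_put_contents($root . '/yaml/blogroll.php', "<?php // template\n");
file_put_contents($root . '/outside.php', "<?php // must never be included\n");

$cases = [
    ['blogroll.yaml',  ['yaml', 'yml']], // data file inside the folder
    ['blogroll.php',   ['php']],         // template inside the folder
    ['../outside.php', ['php']],         // traversal out of the folder
    ['/etc/passwd',    ['yaml', 'yml']], // absolute path, wrong extension
    ['blogroll.php',   ['yaml', 'yml']], // PHP file passed as the YAML argument
];
foreach ($cases as [$name, $exts]) {
    $resolved = resolve_contained_path($root . '/yaml', $name, $exts);
    printf("%-16s => %s\n", $name, $resolved === null ? 'rejected' : 'allowed');
}
```

Only the value returned by the check, never the raw shortcode attribute, should reach the YAML parser or `include`.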

Is this necessarily the best way to approach this kind of problem? Us WordPress folk tend to favor the database to, you know, store data. But, who knows? Simple text files may be easier to keep up to date programmatically, and you don’t need an advanced GUI or anything to manually edit them, so, why not?