Use a PHP file as action for a form in a WordPress plugin, what’s the correct way?

To be honest, you should never use a PHP file as action attribute for a form in WordPress. WordPress already has API for this and you should use this instead. Why? Because it’s always better if your app/site has only one entry point (or as few as possible).

And it’s always a bad idea to direct any PHP requests directly to wp-content directory – such requests are very often blocked for security reasons.

So how to do this properly?

Use admin-post instead.

So in your form change this:

<form action="<SOME FILE>" ...

to this:

<form action="<?php echo esc_attr( admin_url( 'admin-post.php' ) ); ?>" ...
    <input type="hidden" name="action" value="myform" />

And later in your plugin, you have to register your actions callbacks:

add_action( 'admin_post_myform', 'prefix_admin_myform_callback' );
add_action( 'admin_post_nopriv_myform', 'prefix_admin_myform_callback' );


function prefix_admin_myform_callback() {
    status_header(200);
    die("Server received '{$_REQUEST['data']}' from your browser.");
    //request handlers should die() when they complete their task
}

Related Posts:

  1. Plugin Form Submission Best Practice
  2. $_POST form request with admin-post
  3. Handling results from data hooked into admin_post
  4. What is the real intention for admin-post.php?
  5. What is the recommended way to create plugin administration forms?
  6. Using AJAX in a plugin to submit form – REALLY confused
  7. Post from front-end with post types, categories and taxonomies
  8. Front-End Form Submission in Shortcode
  9. Check spam in custom form – akismet
  10. Front-End Interfaces Without Shortcodes
  11. Best Practices for Creating and Handling Forms with Plugins?
  12. Plugin options page – form with two different submit buttons
  13. How to sanitize user input?
  14. WooCommerce registration password field not displaying
  15. wordpress plugin php file processing form
  16. How to add custom fields to the all users page
  17. Error on inserting a form value to database
  18. Multiple options pages validation for a plugin
  19. Form doesnt save to database
  20. Create custom HTML/JS app inside page
  21. Plugin Development for registered users
  22. Is there documentation reference for forms in menu and setting pages?
  23. Input in plugin widget does not allow spaces
  24. Avoid updating post when sending POST or GET request to post.php
  25. admin_post equivalent for guest user?
  26. How can I add a simple custom field to my plugin?
  27. Run JavaScript validation script on form submit in plugin
  28. I am unable to save my data from a form
  29. The Correct Way to Use Nonce Field without Settings API
  30. How to add search form in main page body?
  31. How to make and save custom form in custom plugin page?
  32. Catching Form Submission in WordPress Admin Panel
  33. Form using admin-post.php gives 404 after submission
  34. Submit form to a different PHP file in the same plugin folder
  35. A function that will remove HTML and tags from a string?
  36. Plugin Form Submitting to admin-ajax.php instead of admin-post.php
  37. Form submission to another page returning 404 error [duplicate]
  38. Lead form that submits to 2 external APIs
  39. WordPress: redirecting to the form page after form submission to admin-post.php
  40. How to create a custom post-new.php page for plugin , no wp menu
  41. Information and Page from WordPress Plugin
  42. Why is that only the first row getting inserted into Mysql table when i import csv file on backend custom plugin?
  43. Using AJAX to submit and return data inside the WordPress Plugin Boiler Plate framework
  44. Use admin-post to submit form data to external database
  45. How to Maintain url on form submit
  46. How to retrieve custom profile fields associated with different users
  47. form does not generate $_POST request
  48. Acessing WP functions in form submission handler
  49. Form and database, plugin development
  50. Can I use a hook other than ‘init’ to handle form submissions?
  51. wp_mail links are dead
  52. Best way to handle a form post in plugin
  53. Tracing dashboard publish settings from input form in WordPress
  54. Post data in wp-admin to external database
  55. Multi-part form and wp_redirect()
  56. Page reload occurs before request finishes
  57. Submitting a plugin form to database in admin page
  58. Hook a search form anywhere on the site, using a custom plugin
  59. Plugin forms overwrite each other’s options
  60. Objective Best Practices for Plugin Development? [closed]
  61. wp_mail is undefined
  62. How to save block attributes when the output doesn’t change
  63. How to: Rest endpoint returning empty object
  64. Ensuring a plugin is loaded/run last?
  65. Plugin options table,is the data serialized
  66. Creating option to allow user to select the page my plugin content will display on
  67. What is the difference between these two methods of writing $ instead of jQuery in WordPress [closed]
  68. Can’t get JS code to work with shortcode
  69. Show Parent category and Subcategory
  70. Gutenberg Block showing invalid content on edit
  71. Register a sidebar in a WordPress plugin
  72. Check for template part, else filter content
  73. How to stop your plugin from executing on certain pages?
  74. Search the product by tag or category not working
  75. Is it possible to make sure that only my plugins output is shown to the enduser?
  76. WordPress function get_the_terms() returns ‘Invalid taxonomy’ error
  77. Trying to Implement .pdf File Upload in Admin for plugin
  78. Codex Version Focus on Production or Nightly?
  79. Fatal error: Uncaught Error: Call to undefined function convert_to_screen()
  80. Multiple array for post_content on plugin activation
  81. Using AND and bracket grouping in SQL not working
  82. Taxonomy archive page listing terms instead of posts
  83. Check if the current user is author of first comment
  84. How do I force a download in the admin area?
  85. add_action wp_ajax_ not loading in plugin file WP Network
  86. Configuring Xdebug with docker compose
  87. Get the current post/page URL with plain permalinks
  88. Using the same class across multiple functions
  89. ajax multiple Values
  90. Change Label of custom post type
  91. admin-ajax.php returns “No Script Kiddies!” sometimes
  92. Widget won’t be activated
  93. Plugin outputs content of posts unbidden!
  94. Client Profiles
  95. Update custom settings field in plugin
  96. URL rewrite parameter lost (add_rewrite_rule)
  97. PHPUnit Ajax Serialization of ‘Closure’ is not allowed
  98. Fetch Custom Woocomerce filed data and check the data avialble in Wp-user table as nicname or username using function.php
  99. How to get locale within WP REST Request?
  100. How to add extra EXIF data when images are uploaded?

Leave a Comment