Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial


Alain Dwight
.a{fill-rule:evenodd;}techdegree seal-36
Alain Dwight
Front End Web Development Techdegree Graduate 21,669 Points

PHP/Wordpress: How can a URL delete a post?

I'm trying to wrap my head around how simply loading a URL can delete or modify comments or posts, which I presume are stored in the database. I've seen this ability referred to in several places:


class-wp-comments-list-table.php: $trash_url = esc_url( $url . "&action=trashcomment&$del_nonce" );

The Wordpress codex page on Nonces states: "For an example of how an nonce is used, an admin screen might generate a URL like this that trashes post number 123. You can see that the URL contains a nonce at the end: "

If anyone has a quick answer and can spare me waiting for my own conclusion, I'd appreciate it.

1 Answer

Hi, Alain Kassabian:

In layman terms, HTTP (HyperText Transfer Protocol) has various verbs defined browsers send & servers are supposed accommodate in a expected way to generally a variety of tasks.

Usually this is directly on a resource. By convention, server-side code is to leverage these predefined verbs—like GET, POST, DELETE, & PUT—for clients to interact with the resources. This style has been known to be writing servers-die code that supports Representational State Transfers (REST).

In everyday work, developers are encouraged to continually write their back-end code in a "RESTFUL" way". By following these conventions, people can more quickly be able to consume the resource (articles, comments, and so on).

Generally, an everyday user does nothing other than GET with an empty response body with such a request, while things like forms and so on explicitly change requests to use one of the other verbs and additional information in the response body to fulfill the request.

An example of the latter would be a form that requests to change a single account a (PUT to http://example.com/accounts/kevinl) with a new password of 123 ({password: 123} ). Server-side code, if written in a RESTFUL way will update the password to 123 based on this information after validating the user as appropriate authentication & validation to make such a change<sup>1</sup>

The code snippets below this sentence demonstrates:

Nonetheless, there's nothing stopping a developer or a group of developers to perform something such an DELETE action from a GET request as a result of how they've written their code.

This is often at the expensive of creating a less positive developer experience for developers/users of such a web application because it leads to unexpected behavior and research needed to get the results they were expecting.

This is the case here as server-side code—in this case written w/ PHP to be integrated with the Wordpress framework—was written in a way to read the query values appended to the URL (action & del_once) to do a particular thing.

Either way, a URL can delete a post—whether that follows conventions that HTTP deliberately created for particular things to happen for the response explicitly through HTTP verbs, or through a custom way of doing so a user has to learn through the documentation they (hopefully) provided is up to the server-side code corresponding to the URL of the request.

Does this thoroughly answers your question?

<sup>1</sup>:<small> (usually done through a cookie, an additional hash/dictionary of values to use HTTP's built-in way of handling authentication server-side can use, or JSON Web Tokens). </small>

Alain Dwight
.a{fill-rule:evenodd;}techdegree seal-36
Alain Dwight
Front End Web Development Techdegree Graduate 21,669 Points


I took a while to reply because I was digesting the information. You did answer the question very thoroughly and I'm glad you brought that course you linked to my attention, thanks. I still have some other questions about how the Wordpress action links for comments (ie. spam, approve, trash, etc.) function but they appear to be triggering some php script via AJAX... I am currently working through the Javascript and AJAX courses here until I solve my own problem or at least pose a coherent enough question for myself or someone else to come up with an explanation.