Modify user metadata in WordPress upon link click

Other Questions Wordpress
1

I’m trying to create a feature for my website where clicking a link triggers a PHP file. The URL contains a request like this:

<a href="'. plugins_url() .'/gps_konkurranse/gps_konkurranse.php?found=true&user_ID='. $user_ID .'" target="_blank">

In the PHP file, I want to run a function that fetches the current user meta, increases it by one, and updates the same user meta. This is my current code:

<?php
if($_GET['found'] == 'true'){
    $value = get_user_meta($_GET['user_ID'], 'gps_value', true);
    $value++;
    update_user_meta($_GET['user_ID'], 'gps_value', $value);
}
?>

This code is placed in a standalone PHP file, but I need help to ensure that I’m doing this correctly.

2

The problem is you’re running WordPress functions outside WordPress itself. That standalone PHP file in your plugin directory can’t access WordPress core functions unless you explicitly load them first. Plus, this approach completely skips WordPress’s security protections. Instead of a standalone file, use wp_ajax hooks in your main plugin file or create a custom REST API endpoint. Both give you proper WordPress function access while keeping security intact. And don’t forget to validate and sanitize that user_ID parameter before hitting the database.

3

Your approach has a major problem - that standalone PHP file can’t access WordPress functions like get_user_meta() and update_user_meta(). You’d need to add require_once('../../../wp-config.php'); at the top, but the path depends on your plugin structure. Honestly though, I’d go with a completely different approach. Skip the standalone file and create an AJAX handler inside your plugin using wp_ajax_ hooks instead. It’s way more secure and follows WordPress standards. You should also validate that user ID parameter and add nonce verification - right now anyone who knows your URL structure can mess with user data.

4

that won’t wrk - u need to bootstrp wordpress first. plus it’s a massive security hole since anyone can hit that url n mess with user data. use wp_ajax actions or a shortcode handler instead. and always sanitize $_GET data, never trust what users send u.