wordpress customization and security

Post on 08-May-2015


TRANSCRIPT

Joe Casabona

• Web Developer. Writer. Nerd*. – *Computer, Device, Star Wars

• Yankee Fan

• Responsive Design with WordPress – Out Dec 2013 – www.rwdwp.com – Discount Code for 35% off: RWDWP

site: Casabona.org | twitter: @jcasabona | email: joe@casabona.org | slides/resources: casabona.org/blogcon-13

Phil Erb – http://philerb.com – Twitter: @philerb

Systems Admin & Programmer, University of Scranton

Co-Founder & Director of Technology, Solve the Net

Lover of WordPress

WordPress Theme Customization

Themes: A Primer

• A WordPress Theme: Provides control over the look and presentation of the material on your website.

• The Codex! Your best friend during development – codex.wordpress.org

Important Files

Tip: Don’t Modify the Core!

style.css

• Includes the Theme Definition in its header comment:

    /*
    Theme Name: Millennium Flights
    Theme URI: http://www.milenniumflights.com
    Description: A custom theme for Millennium Flights, Inc.
    Version: 1.0
    Author: Joe Casabona
    Author URI: http://www.casabona.org
    Tags: blue, white, two-column, flexible-width
    */

• Keep common classes in mind (rwdwp.com/12)

• RWD Tip: Put all CSS in one file

functions.php

• Place misc. PHP functions, code, and variables here

• Considered a “plugin” file for your theme

• Remember “Separation of Concerns” – Themes should only affect display, not content or functionality

• Uses: Actions, Filters, site-wide functions

• RWD Tip: Use this file for server-side detection

index.php

• The backbone of WordPress themes

• Everything that doesn’t have its own template file will use index.php

• Used to display a list of posts or content.

• DO NOT remove The Loop from this page

header.php and footer.php

• Template Files to use throughout the theme

• get_header() and get_footer()

• wp_head() and wp_footer()

The WordPress Hierarchy

wphierarchy.com

Template Files

• Sophisticated display controls

• Only required files: style.css and index.php

• Custom templates down to the single post level

• Example: Custom Post Type named “classes” – WordPress looks for each file in turn:

    single-classes.php → single.php → index.php

Page Templates

• Naming convention: page-no-sidebar.php

• The file is registered as a page template by its header comment:

    <?php
    /*
    Template Name: No Sidebar
    */
    ?>

The Loop

Defined

• The Loop is used by WordPress to display each of your posts. Using the Loop, WordPress processes each of the posts to be displayed on the current page and formats them according to how they match specified criteria within the Loop tags. Any HTML or PHP code placed in the Loop will be repeated on each post

Essentially…

• The Loop has functions to:
  – Make sure that you have posts to display
  – Display those posts.

    <?php if ( have_posts() ) : ?>
        <?php while ( have_posts() ) : the_post(); ?>
            <?php // print post information using template tags ?>
        <?php endwhile; ?>
    <?php else : ?>
        <?php print "No posts found."; ?>
    <?php endif; ?>

Template Tags

• Functions in WordPress designed to print information about the Current Post

• Some tags include: the_title(), the_time(), the_content(), the_excerpt(), the_category(), the_tags(), the_permalink()
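The hierarchy example, the Loop and the template tags come together in a single template. The following single-classes.php is an added example written for this summary, not a file from the talk; it builds its own markup from the get_*() variants of the tags so every value is escaped, and the “instructor” custom field is an assumption.

```php
<?php
/*
 * Added example: single-classes.php, the template the hierarchy picks for one
 * "classes" custom post type entry before falling back to single.php and
 * then index.php. Values are fetched with get_*() tags and escaped on output.
 */
get_header(); ?>

<main id="content">
<?php if ( have_posts() ) : ?>
    <?php while ( have_posts() ) : the_post(); ?>
        <article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
            <h1><a href="<?php echo esc_url( get_permalink() ); ?>">
                <?php echo esc_html( get_the_title() ); ?>
            </a></h1>
            <p class="meta">
                Posted <?php echo esc_html( get_the_date() ); ?>
                in <?php the_category( ', ' ); ?>
            </p>
            <?php the_content(); // applies the_content filters (shortcodes, wpautop) ?>
            <?php
            // "instructor" is an assumed custom field on this post type.
            $instructor = get_post_meta( get_the_ID(), 'instructor', true );
            if ( $instructor ) {
                echo '<p class="instructor">Instructor: ' . esc_html( $instructor ) . '</p>';
            }
            ?>
        </article>
    <?php endwhile; ?>
<?php else : ?>
    <p>No classes found.</p>
<?php endif; ?>
</main>

<?php get_footer(); ?>
```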

If time permits…

Let’s Look at a Live Theme!

Securing Your WordPress Site

Source: Torque.io - WordPress Core is Secure – Stop Telling People Otherwise

Yes … but …

The code may be secure, but there are always things to improve

Backup ALL the Things

My hosting provider does that, why should I?

How do I backup WordPress?

Services: VaultPress

Plugins: BackupBuddy, BackWPup

The good old fashioned way (the -p flag prompts for the database password):

    mysqldump -u dbuser -p mydb > db.sql
    zip -r backup.zip /webfolder/ db.sql

Backup Best Practices

Create a backup schedule that makes sense for your site.

Get an off-site copy

Test your backups

Secure the Server

To the extent that you can

Use strong passwords

Weak FTP, SSH, and control panel credentials give attackers access to your sites

Use SFTP instead of FTP, if possible

Understand file permissions

“777” makes everything work …for other people too.

Install an SSL certificate

Securing Core

Secure the login process

Wait, my password is sent over the Internet in plain text???

Don’t use “admin”

Stronger Authentication

Use strong passwords – Force Strong Passwords

Limit the number of bad logins – Login Lockdown

Use multi-factor authentication – Google Authenticator, Duo Two-Factor Authentication

Always use SSL encryption for login forms and personal info

No SSL? Passwords are Plain Text!

Only give users the access they need

This includes YOU

Don’t always run as admin

Don’t let your database be predictable

Change the database table prefix
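The “limit the number of bad logins” advice above is what Login Lockdown automates; it also illustrates the actions and filters that belong in functions.php. This is an added example written for this summary, not the plugin’s code or code from the talk; the attempt limit, the lock window and the BLOGCON_ prefix are assumptions.

```php
<?php
/*
 * Added example: a minimal login-attempt limiter for functions.php.
 * Counts failed logins per client address in a transient and rejects
 * further attempts once the limit is hit. Limit and window are assumptions.
 */
define( 'BLOGCON_MAX_ATTEMPTS', 5 );
define( 'BLOGCON_LOCK_SECONDS', 15 * MINUTE_IN_SECONDS );

function blogcon_attempt_key() {
    // REMOTE_ADDR is the connecting address; behind a reverse proxy,
    // have the web server set it from the proxy's header instead.
    return 'login_attempts_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Fires after WordPress itself has rejected a login.
function blogcon_record_failed_login( $username ) {
    $key      = blogcon_attempt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, BLOGCON_LOCK_SECONDS );
}
add_action( 'wp_login_failed', 'blogcon_record_failed_login' );

// Priority 30 so the core username/password handlers (priority 20)
// have already run; a lockout overrides even a correct password.
function blogcon_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( blogcon_attempt_key() ) >= BLOGCON_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins. Try again in 15 minutes.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'blogcon_check_lockout', 30, 3 );

// Reset the counter once a login succeeds.
function blogcon_clear_attempts( $user_login ) {
    delete_transient( blogcon_attempt_key() );
}
add_action( 'wp_login', 'blogcon_clear_attempts' );
```

Watching the lockout fire in the web server log (repeated POSTs to wp-login.php from one address) is a useful check that the hook is active.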

Plugins, Themes, and Updates

Only use trusted sources

DON’T Google “free WordPress themes”

Only one of these is trustworthy

Source: WPMU.org - Why You Should Never Search For Free WordPress Themes

Keep core, plugins, and themes up to date

Security Services, Plugins & Tools

Security Tools

Sucuri Site scanner, monitoring, and security plugin

Better WP Security

Wordfence

Updates and Management

ManageWP

InfiniteWP

WP Remote

Use a good hosting provider!

Keep Yourself Secure Too!

If your computer is hacked, your site could be next!

Install OS and application updates

Run antivirus software

Use encrypted protocols (HTTPS, SFTP)

Use strong passwords for everything

Keep your ear to the WordPress community

The products and the issues are ever evolving.

Where to get the news

WPSecure.net

Sucuri’s blog

WP Updates Notifier plugin

Check out more on the NEPAWP Resources page

Questions? Comments? Statements of Disgust?

References & Links

• VaultPress: http://vaultpress.com/

• BackupBuddy: http://ithemes.com/purchase/backupbuddy/

• BackWPup: http://wordpress.org/plugins/backwpup/

• Codex: Administration over SSL: http://codex.wordpress.org/Administration_Over_SSL

• How to Change the WordPress Database Prefix: http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/

• Login Lockdown: http://wordpress.org/plugins/login-lockdown/

• Force Strong Passwords: http://wordpress.org/plugins/force-strong-passwords/

• Google Authenticator: http://wordpress.org/plugins/google-authenticator/

• Duo Two-Factor Authentication: http://wordpress.org/plugins/duo-wordpress/

• WPMU.org: Why You Should Never Search For Free WordPress Themes: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

• Sucuri: http://www.sucuri.net/ and http://wordpress.org/plugins/sucuri-scanner/

• Better WP Security: http://wordpress.org/plugins/better-wp-security/

• Wordfence: http://wordpress.org/plugins/wordfence/

• WPSecure.net: http://wpsecure.net/

• WP Updates Notifier: http://wordpress.org/plugins/wp-updates-notifier/

• Sucuri blog: http://blog.sucuri.net/category/wordpress
